802.11i – A New Generation of Wireless Network Security

802.11i Overview

802.11i is a standard that specifies security mechanisms for wireless networks. It is an amendment to IEEE 802.11 with the full name IEEE 802.11i-2004. In practice it is implemented as WPA2, also called RSN – Robust Security Network. Its main task is to replace the compromised WEP with protection based on AES – the Advanced Encryption Standard.

For an explanation of WPA and WPA2, read the article What is WPA.

Application to 802.11i

There are two decision points for allowing 802.11 access:

  • Access Point
  • Authentication Server (usually Radius)

The decision is made through authentication, and the 802.11 policy decision token is the Master Key.

Master Key – MK

  • Symmetric key that represents the client's and the Radius server's decision during one session
  • Only the client and the authentication server have it
  • The decision for authorization is based on the MK

Pairwise Master Key – PMK

  • Fresh symmetric key that controls the client's and the access point's access to the wireless network during the session
  • Only clients and the access point can produce the PMK
  • Derived from the MK
  • The Radius server distributes the PMK to the access point
  • Possession of the PMK demonstrates authorization to access the wireless network during the session

Pairwise Transient Key – PTK

  • Generated from the PMK
  • Temporal operation key used to secure multicast and broadcast traffic

Authentication Procedure

(Figure: 802.11i authentication procedure)

Both access point and client must make the same authentication decision to access the wireless network during the session.

802.11i Operational Phases

(Figure: 802.11i operation phases)

Security Capabilities Discovery

  • Access point advertises the network security capabilities

Client knows:

  • SSID
  • Authentication method

Access Point knows:

  • SSID
  • Authentication method

802.1x Authentication

  • Centralizes network admission policy decisions at the access point
  • Mutually authenticates the client and the Radius server
  • Generates the Master Key
  • Generates the Pairwise Master Key as an access authorization token

You can read more about authentication in the article on wireless authentication.

At the end of successful authentication:

  • The Radius server and the client have established a session
  • The Radius server and the client have the master key
  • The Radius server and the client have derived the pairwise master key
  • The Radius server has distributed the pairwise master key to the access point

Radius-based Key Distribution

  • The Radius server moves (not copies) the Pairwise Master Key to the access point

802.1x Key Management

  • Binds the Pairwise Master Key to the client and the access point
  • Generates a fresh PTK
  • Proves that each peer is live
  • Synchronizes the use of the PTK
  • Uses the 4-way handshake to derive, bind and verify the PTK
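The key management steps above, as an added Python example that is not code from the article or the standard: it derives the PTK from the PMK, both MAC addresses and both nonces, splits it into KCK/KEK/TK, and simulates the 4-way handshake so that a MIC check fails when the two sides do not share the same PMK. The PMK, MAC addresses, nonces and the simplified frame bodies are constructed placeholders; the real EAPOL-Key frame encoding is not modelled.

```python
import hashlib
import hmac

# Constructed sample values (not from the article): 32-byte PMK, AP and client MACs, 32-byte nonces.
PMK = hashlib.sha256(b"constructed demo PMK").digest()
AA = bytes.fromhex("020000000001")      # access point MAC (authenticator address)
SPA = bytes.fromhex("020000000002")     # client MAC (supplicant address)
ANONCE = bytes(range(32))               # AP nonce, fresh for every handshake
SNONCE = bytes(range(32, 64))           # client nonce, fresh for every handshake

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i), truncate to n bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    Mixing both MACs and both fresh nonces binds the key to this pair and this session."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)

def split_ptk(ptk: bytes):
    """CCMP PTK layout: KCK (EAPOL MIC key), KEK (key wrapping), TK (data protection)."""
    return ptk[:16], ptk[16:32], ptk[32:48]

def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for the HMAC-SHA1 AKM: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

def four_way_handshake(pmk_ap, pmk_sta, aa, spa, anonce, snonce):
    """Simulate the message flow; return the agreed TK, or None when a MIC check fails."""
    # Msg 1 (AP -> STA) carries ANonce; the client can now derive its PTK.
    kck_sta, _, tk_sta = split_ptk(derive_ptk(pmk_sta, aa, spa, anonce, snonce))
    # Msg 2 (STA -> AP) carries SNonce plus a MIC computed under the client's KCK.
    msg2 = b"EAPOL-Key msg2 " + snonce
    mic2 = eapol_mic(kck_sta, msg2)
    # AP derives its own PTK; a valid MIC over the fresh ANonce proves the client holds the PMK and is live.
    kck_ap, _, tk_ap = split_ptk(derive_ptk(pmk_ap, aa, spa, anonce, snonce))
    if not hmac.compare_digest(eapol_mic(kck_ap, msg2), mic2):
        return None
    # Msg 3 (AP -> STA) carries ANonce plus a MIC; the client verifies it before installing any key.
    msg3 = b"EAPOL-Key msg3 " + anonce
    if not hmac.compare_digest(eapol_mic(kck_sta, msg3), eapol_mic(kck_ap, msg3)):
        return None
    # Msg 4 (STA -> AP) confirms; both sides now install the same TK.
    return tk_ap if tk_ap == tk_sta else None
```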

802.11i Data Transfer

802.11i has three protocols for data protection:

1) CCMP – Counter Mode with Cipher Block Chaining Message Authentication Code Protocol

2) WRAP – Wireless Robust Authenticated Protocol

3) TKIP – Temporal Key Integrity Protocol – for legacy devices only

  • Unprotected packets are never sent
  • The authenticity of the message origin is verified
  • The source and destination addresses are protected
  • Strong cryptographic mechanisms are used

A more detailed and technical description of 802.11i can be found in the IEEE 802.11i Overview.