802.11i is standard that specifies security mechanisms for wireless networks. Read more about this security standard.
It is an amendment to the IEEE 802.11 with the full name IEEE 802.11i-2004. Practically is implemented as WPA2 also called RSN – Robust Security Network. Its main task is to replace security compromised WEP by the use of the AES – Advanced Encryption Standard.
What is WPA and WPA2 read on what is WPA.
Application to 802.11i
There are two points of the decision to allow the 802.11 access:
- Access Point
- Authentication Server (usually Radius)
The decision is decided by authentication and 802.11 Policy decision token is Master Key.
Master Key – MK
- Symmetric key that represents client’s and Radius server’s decision during one session
- Only the client and authentication server has it
- Decision for authorization is based on the MK
Pairwise Master Key – PMK
- Fresh symmetric key that controls client’s and access point’s access to the wireless network during the session
- Only clients and access point can produce the PMK
- Derived from MK
- Radius server distributes PMK to the access point
- PMK possession demonstrates authorization to access the wireless network during the session
Pairwise Transient Key – PTK
- Generated from PMK
- Temporal operation key used to secure multicast and broadcast traffic
Both access point and client must make the same authentication decision to access the wireless network during the session.
802.11i Operational Phases
Security Capabilities Discovery
- Access point advertises the network security capabilities
- Authentication method
Access Point knows:
- Authentication method
- Centralized network admission policy decisions at the access point
- To mutually authenticate client and Radius server
- Generation of Master Key
- Generation of Pairwise Master Key as an access authorization token
More about the authentication you can read on wireless authentication.
At the end of successful authentication:
- Radius server and client have established a session
- Radius server and client have the master key
- Radius server and client have derived pairwise master key
- Radius has distributed pairwise master key to the access point
Radius-based Key Distribution
- Radius server moves (not copies) Pairwise Master Key to access point
802.1x Key Management
- Binds Pairwise Master Key to client and access point
- Generate fresh PTK
- Proving that each peer is live
- Synchronization of PTK use
- 4-way handshake used to derive, bind and verify PTK
802.11i Data Transfer
802.11i have 3 protocols for data protection:
1) CCMP – Counter Mode with Cipher Block Chaining Message Authentication Code Protocol
2) WRAP – Wireless Robust Authenticated Protocol
3) TKIP – Temporal Key Integrity Protocol – for legacy devices only
- Unprotected packets are never send
- The authenticity of message origin
- Protection of source and destination address
- Use of strong cryptographic mechanism
Detailed and more technical description of 802.11i you can find on IEEE 802.11i Overview.