CS 6823 NETWORK SECURITY

Wireless Network Security:

802.11i
Jackie Copeland
John Loughlin
12/12/2009

Wireless Network Security: 802.11i 2009

Table of Contents
802.11 Overview

802.11i: Wireless Network Security

Wireless Equivalent Privacy (WEP)

Temporal Key Integrity Protocol (TKIP)

Key hierarchy and automatic key management:

Per frame keying:
Sequence Counter
Improved Message Integrity Check:

4
4
4
4

Counter Mode with CBC-MAC (CCMP)

CCMP Processing

Robust Security Networks

Pairwise Keys
Group Keys
Key Derivation and Distribution

6
6
6

References

This report describes the efforts of the 802.11i specification to address weaknesses in encryption used in
wireless network security.

CS 6823 Network Security

Fall 2009

Page 2

Wireless Network Security: 802.11i 2009

802.11 Overview
802.11 is a group of specifications developed by the Institute of Electrical and Electronics Engineers Inc.
(IEEE) for wireless local area networks (WLANs). These specifications define an over-the-air interface
between a wireless client and a base station (or access point), or between two or more wireless clients.
The standards produced by this group were first released in 1997 and have come to include definitions
for communication in the 2.4, 3.6 and 5 GHz frequency bands. There are a variety of components,
typically defined by a lower case letter following 802.11. For example, the first widely accepted
standard was 802.11b, describing the use of the 2.4 GHz band to provide speeds up to 11 Mbps.
Subsequent standards include the 802.11g, which also uses the 2.4 GHz band but can provide speeds up
to 54 Mbps. There are several others, in various states of completion. The remainder of this paper is
concerned with the final release of the 802.11i specification dealing with wireless network security.

802.11i: Wireless Network Security

Problems with WEP motivated a reconsideration of how to handle wireless network security. Market
forces drove some design considerations in the new specification and the publication of intermediate
specifications by an industry consortium. Ultimately, 802.11i defines a Robust Secure Network, two link
level encryption protocols, key management techniques and integration with the 802.1X specification
for authentication.

Wireless Equivalent Privacy (WEP)

Wireless Equivalent Privacy was an inadequate attempt to secure wireless network communication.
There are various problems, including a failure to protect against forgery and replay attacks. The
encryption algorithm, RC4, was used with initialization vectors that lowered the complexity of
decrypting traffic and compromising security. Fluhrer, Mantin and Shamir describe these issues in their
paper Weaknesses in the Key Scheduling Algorithm of RC4.
An industry consortium, the WiFi Alliance, put together a marketing standard as an interim measure.
The first version of this, WPA 1, was based on a mid 2003 draft of the 802.11i specification while WPA 2
was based on the final, 2004 version of the specification.
The IEEE 802.11i specification introduced two new link level protocols:

Temporal Key Integrity Protocol(TKIP)

Counter mode with CBC-MAC (CCMP)

CS 6823 Network Security

Fall 2009

Page 3

Wireless Network Security: 802.11i 2009

Temporal Key Integrity Protocol (TKIP)

There was a large installed base wireless networking equipment that featured comparatively weak
processors (25 or 33 MHz ARM7 or i486 chips) which were estimated to be running at 90% capacity
before TKIP. TKIP was designed as a wrapper around WEP which would be implemented in firmware or
software and reuse existing processors with the intention of defending the known weaknesses of WEP.
Specifically, TKIP incorporates the following features to protect WEPs most vulnerable points:

Key hierarchy and automatic key management:

WEP uses a single master key, where TKIP uses multiple master keys and features key management
mechanisms that allow keys to be refreshed securely.

Per frame keying:

TKIP uses the RC4 based encryption mechanism but uses a unique key for each frame, making an attack
on the weak RC4 keys less attractive.

Sequence Counter
Each frame is numbered to protect against replay attacks.

Improved Message Integrity Check:

TKIP uses the Michael integrity hashing algorithm to better detect frame forgeries.
TKIP uses 802.1X key management to derive master keys.
It should be noted that while TKIP offers many improvements over WEP, the effectiveness of the
protection it provides is undermined by the design constraints placed upon it. Backward compatibility
with the old RC4 hardware ultimately limits TKIP and it is a stop-gap measure until new and more
powerful equipment can be put in place.

CS 6823 Network Security

Fall 2009

Page 4

Wireless Network Security: 802.11i 2009

Counter Mode with CBC-MAC (CCMP)

CCMP is intended to be a secure protocol, based on the AES block cipher, and unencumbered by
the design constraints that were imposed on TKIP. The link layer protocol based on AES is called
the Counter Mode with CBC-MAC Protocol (CCMP.) CCMP is specified in RFC 3610 and features
a combined mode of operations in which the same key is used for confidentiality as for creating a
secure integrity check.

CCMP Processing
CCMP takes as input the frame to be transmitted, a temporal key used to encrypt and authenticate the
frame, a key identifier and a packet number. When a frame is sent to CCMP, the following processing
occurs:
1. The frame is queued for transmission.
2. A 48 bit packet number is assigned. Packet numbers are increased for every transmission and
are used in replay protection.
3. An Additional Authentication Data field is created, consisting of those fields which must be
transmitted in the clear but authenticated.
4. The CCMP nonce is created using the packet number and the senders address.
5. The CCMP header is built using the packet number and the key identifier.
6. With all the prerequisites in place, all the data is authenticated and the frame data and MIC are
encrypted.
7. The original MAC header, CCMP header and encrypted data are combined and ready to be
transmitted.
The reception process is achieved by reversing the transmission process.

CS 6823 Network Security

Fall 2009

Page 5

Wireless Network Security: 802.11i 2009

Robust Security Networks

As well as defining encryption protocols, the 802.11i specification defines how keys are defined and
distributed in what it calls a Robust Security Network (RSN.) There are two types of keys used by the
link layer protocols TKIP and CCMP. The traffic between a client and an access point is protected using
Pairwise keys, while traffic broadcast from an access point to multiple clients is protected using Group
keys.

Pairwise Keys
Both encryption protocols described in 802.11i make use of a root secret key from which all subsequent
keys are derived. Key derivation makes it possible to refresh encryption keys without re-authenticating.
A 256 bit master key must be supplied. This is configured in the WPA mechanism, where in an
infrastructure with an authentication server, that server computes the master key and distributes it to
the access point. This is described in more detail in the 802.1X specification.
The pairwise master key (PMK) is expanded using a pseudorandom function to create a pairwise
transient key (PTK.) This is broken into two 128 bit pieces, each of which is used to protect the
distribution of the temporal keys.
Key hierarchies for both TKIP and CCMP start with two keys produced in the 802.1X mechanism. The
first of these is an EAPOL Key Confirmation Key (KCK). This is used to compute integrity checks on
the keying messages. The second, the EAPOL Key Encryption Key (KEK), is used to encrypt the keying
messages.
TKIP s key consists of the KCK, the KEK, the 128 bit temporal key, and a 128 bit key used by the Michael
integrity check. Recall that TKIP uses separate authentication and encryption steps and so requires two
keys. The transient key for CCMP is shorter because the same 128 bit temporal key is used for both
authentication and encryption.

Group Keys
Whether by configuration or calculation a Group Master Key is supplied, expanded using a pseudorandomizing function in combination with a nonce and the address of the authentication server,
and produces a 256 bit TKIP Group Transient Key, consisting of a group temporal key and a group
integrity key, or a CCMP Group Transient Key, which is identical to the group temporal key.

Key Derivation and Distribution

Pairwise keys are distributed through a protocol called a four-way handshake. In particular, the
parameters used in the derivation of temporal keys are exchanged as follows.

CS 6823 Network Security

Fall 2009

Page 6

Wireless Network Security: 802.11i 2009

1. The authenticator sends the supplicant (client) a nonce. The supplicant can now expand
the Pairwise Master Key, the nonce received, the nonce it generates and the MAC addresses
of the authenticator and supplicant to produce the temporal key.
2. The supplicant sends a message containing the nonce it generated and the security
parameters received in the initial interaction. This whole message is authenticated using
the KCK to calculate an integrity check.
3. Keys are now in place on both sides of the handshake. The authenticator confirms this by
sending a sequence number to the supplicant for which the pairwise key will be added. The
message also included the current group transient key to enable update of the group key.
The GTK is encrypted using the KEK and the entire message is authenticated with the KCK.
4. The supplicant sends a final confirmation message to the authenticator, which is
authenticated with the KCK.
The group key handshake is simplified by the four way handshake, but depends on the successful
interaction of this protocol.
1. The authenticator sends the GTK, encrypted with the KEK from the pairwise key hierarchy.
This message is authenticated with the KCK.
2. The supplicant sends an acknowledgement, which is also authenticated with the KCK.
Note that the group key exchange must be run once for each station as the KEK is used to protect
the data exchanged.

CS 6823 Network Security

Fall 2009

Page 7

Wireless Network Security: 802.11i 2009

References

802.11 Wireless Networks: The definitive guide. 2nd edition. Matthew Gast,
2005 O'Reilly Media

Network Security: Know it all James Joshi, Morgan Kaufmann 2008

The 802.11 Security Series, Jesse Walker, Intel Corp

802.11i from the IEEE, 2007

Wireless Standards 802.11b 802.11a 802.11g and 802.11n, http://

compnetworking.about.com/cs/wireless80211/a/aa80211standard.htm?p=1

MSTechNet How802-11Works.PDF, Microsoft Technet March 2003

How Wireless Networks Work, http://webopedia.com/DidYouKnow/

Computer_Science/2008/wireless_networks_explained.asp

CS 6823 Network Security

Fall 2009

Page 8