An Introduction to the Wi-Fi Technology
Wen-Nung Tsai
tsaiwn@csie.nctu.edu.tw
OUTLINE
Wi-Fi Introduction
IEEE 802.11
IEEE 802.11x difference
WLAN architecture
WLAN transmission technology
WLAN Security and WEP
Wi-Fi Introduction
Wi-Fi: wireless Ethernet
Wi-Fi = IEEE 802.11 wireless LAN
50~150
Transmission rate: 11 Mbps (802.11b)
Intended use: any time, any where
In 2001: Wireless Ethernet Compatibility Alliance (WECA)
Mission statement: WECA's mission is to certify interoperability of Wi-Fi (IEEE 802.11b) products and to promote Wi-Fi as the global wireless LAN standard across all market segments.
Goal: provide users with a comfort level for interoperability.
Presently over 150 different products certified, and growing.
Wireless Growth
"By 2003, 20% of B2B traffic and 25% of B2C traffic will be wireless. By 2004 nearly 50% of business applications will be wireless."
- Meta Group Research
Competing Short-Range Wireless Technologies
Wireless Standard    Radio           Speed
802.11g *            2.4 GHz OFDM    54 Mbps
802.11a Standard     5 GHz OFDM      54 Mbps
802.11b Standard     2.4 GHz DSSS    11 Mbps
(chart: proprietary networks, then IEEE 802.11a/b ratified; timeline 1999 to 2003)
Flavors of 802.11x
                     802.11 (2 Mbps, older standard)   IEEE 802.11b (current technology)   IEEE 802.11a   IEEE 802.11g
Frequency            2.4 GHz                           2.4 GHz                             5 GHz          2.4 GHz
Transmission Rate    1~2 Mbps                          1~11 Mbps                           6~54 Mbps      22~54 Mbps
Modulation Technique FHSS/DSSS                         FHSS/DSSS                           OFDM           PBCC-22 + CCK-OFDM
http://grouper.ieee.org/groups/802/11/Reports/tgi_update.htm
802.1
802.2 (LLC = Logical Link Control)
802.3 CSMA/CD (Carrier-Sense Multiple Access with Collision Detection)
802.4 (Token bus)
802.5 (Token ring)
802.6 (MAN: Metropolitan Area Network)
802.7 (Broadband LAN)
802.8 (Fiber Optic LAN)
802.9 (Multimedia traffic)
802.10 (Security)
802.11 (Wireless Network)
802.12 Demand Priority (100BaseVG-AnyLAN)
802.14
802.1x Port Based Network Access Control (Authentication)
IEEE 802 SEC organization chart (figure): chair Jim Carlo, E-mail: jcarlo@ti.com; working groups 802.1, 802.2, 802.3, 802.4, 802.5, 802.6, 802.7, 802.9, 802.10, 802.11, 802.12, 802.14, 802.15, 802.16; several groups are marked hibernation or disbanded.
IEEE 802.11 Working Group structure
Group                        Label      Status
IEEE 802.11 Working Group    WG
Task Group                   TG
MAC Task Group               MAC        IEEE Std. 802.11-1997
PHY Task Group               PHY        IEEE Std. 802.11-1997
Task Group a                 TGa        IEEE Std. 802.11a-1999
Task Group b                 TGb        IEEE Std. 802.11b-1999
Task Group b-cor1            TGbCor1    Ongoing
Task Group c                 TGc        Part of IEEE 802.1D
Task Group d                 TGd        Ongoing
Task Group e                 TGe        Ongoing
Task Group f                 TGf
Task Group g                 TGg        Ongoing
Task Group h                 TGh        Ongoing
Task Group i                 TGi        Ongoing
Study Group                  SG
IEEE 802.11 (Wireless Ethernet)
IEEE 802.11 (Wireless Ethernet) vs. Ethernet
WLAN architecture
Ad-Hoc LAN
Independent Basic Service Set Network
Components of 802.11 (figure): BSS (1) containing STA 1 and an AP, BSS (2) containing STA 2 and an AP, the two APs joined by the DS (distribution system). Questions posed on the slide: What is mobile? What is portable?
Microwave LAN
Spread Spectrum
Infrared ray: diffused, directed
ISM bands (figure, axis: FREQUENCY (GHz)): 2.400 to 2.4835 GHz (83.5 MHz wide), 5.725 to 5.850 GHz (125 MHz wide), and a third band 26 MHz wide.
IEEE 802.11
Physical Layer
MAC Layer
Security
Authentication
WEP
Channel Assignment
Channel reuse pattern (figure): cells are assigned Ch 1, Ch 6 and Ch 11 so that neighbouring cells use non-overlapping channels.
FHSS (figure, AP96358 2-13): amplitude vs. frequency vs. time; the carrier hops among frequencies f1, f2, f3 in successive time slots.
DSSS (figure, AP96358 2-11): PSK data modulation, the data spread by a Barker code under the chip clock, spread signal amplitude (dBm) vs. frequency (MHz), and PN correlation at the receiver recovering the CW signal.
Processing gain: GP (dB) = 10 log (chip rate / data rate)
DSSS
Band: 83.5 MHz (2.400 to 2.4835 GHz)
Rate: 1~11 Mbps
10~20, 20~150
802.11, 802.11/802.11b
DSSS in 802.11b
802.11 defines both FHSS and DSSS physical layers; 802.11b uses DSSS only.
802.11b raises the 802.11 rate from 2 Mbps to 11 Mbps in the 2.4~2.4835 GHz band.
802.11: 1~2 Mbps; 802.11b: 4 data rates.
Rate (Mbps)    Modulation
1              BPSK
2              QPSK
5.5            CCK
11             CCK (Complementary Code Keying)
(802.11 FHSS uses gaussian frequency shift keying, GFSK)
DSSS in 802.11b
A carrier can be modulated in amplitude, frequency or phase.
802.11 DSSS modulates the phase (PSK) of the chip sequence.
BPSK (Binary PSK), QPSK (Quadrature PSK); M-PSK (M-ary PSK) carries n bits per symbol with M = 2^n symbol states (multilevel).
Frame addressing across the distribution system (figure): source A, ultimate destination E, intermediate destination AP1; APs AP1, AP2, AP3 and stations B, D attached to the DS. Frame fields: Frame Control, Duration, Addr1, Addr2, Addr3, Sequence Control, Addr4, Data, CRC.
RTS: Request-to-Send
CTS: Clear-to-Send
IEEE 802.11 Frame format
Frame control | Duration/ID | Addressing 1 | Addressing 2 | Addressing 3 | Sequence control | Addressing 4 | Frame body | CRC

IEEE 802.11 Frame format (cont)
Frame control subfields: Protocol version | Type | Subtype | To DS | From DS | More flag | Retry | Pwr mgt | More Data | WEP | Order
MAC Layer: CSMA/CA
RTS / CTS
ESSID
Association
WEP (cont.)
Synopsis:
Products:
Costs:

Auth: 802.1X
Synopsis:
Products:
Costs:
Deployment is intrusive
Maintenance is expensive
Can be a corporate wide solution
A port begins in an unauthorized state, which allows EAP traffic only. Once the Authenticator has received a Supplicant's request to connect (an EAPOL-Start), the Authenticator replies with an EAP Request Identity message. The returning Response Identity message is delivered to the Authentication Server.
E_k(PlainText) = CipherText
D_k(CipherText) = D_k(E_k(PlainText)) = PlainText
WEP encryption (figure): 24-bit IV + 40-bit key = 64-bit seed -> WEP PRNG -> key sequence; plaintext -> integrity algorithm -> ICV; (plaintext || ICV) XOR key sequence -> cipher text; output message.
WEP Algorithm
WEP Process
Encryption
Sender encrypts: Message || CRC-32(Message), XOR Keystream = RC4(v, k) -> Cipher text
Receiver decrypts: Cipher text XOR Keystream = RC4(v, k) -> Message || CRC-32, then the CRC-32 is checked
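The sender/receiver process above, worked through in code. This is an added example, not code from the slides: RC4 is implemented directly as the WEP PRNG, the ICV is CRC-32, the seed is the 24-bit IV followed by the 40-bit key, and the IV is prepended in the clear as in the WEP frame. The IV-reuse monitor is an assumed defender-side helper that illustrates why the 2^24 IV space matters.

```python
import zlib

def rc4_keystream(seed, length):
    """WEP PRNG: RC4 key scheduling over the seed, then `length` key-sequence bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                           # key-scheduling algorithm (KSA)
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                        # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key40, iv, message):
    """Sender: ICV = CRC-32(message); (message || ICV) XOR RC4(IV || key).
    Seed = 24-bit IV + 40-bit key = 64 bits; the IV is sent in the clear."""
    assert len(key40) == 5 and len(iv) == 3
    icv = zlib.crc32(message).to_bytes(4, "little")   # ICV is little-endian on the wire
    plain = message + icv
    ks = rc4_keystream(iv + key40, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, ks))

def wep_decrypt(key40, frame):
    """Receiver: rebuild the key sequence from the clear IV, XOR, verify the ICV.
    Returns (message, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + key40, len(body))
    plain = bytes(c ^ k for c, k in zip(body, ks))
    message, icv = plain[:-4], plain[-4:]
    return message, zlib.crc32(message).to_bytes(4, "little") == icv

def reused_ivs(frames):
    """Defender's check (assumed helper): only 2^24 IVs exist, so the key sequence
    repeats once an IV is reused under the same shared key; flag every IV seen twice."""
    seen, dup = set(), set()
    for f in frames:
        (dup if f[:3] in seen else seen).add(f[:3])
    return dup
```

A single flipped bit in the encrypted body is detected by the CRC-32 check, but CRC-32 is not a keyed integrity function, which is why the page later lists the attacks on WEP.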
Authentication frame (figure): header fields FC, Duration, BSSID, Seq #; frame body fields Algorithm No., Seq No., Status Code, Element ID, Length, Challenge Text.
Shared-key authentication exchange (figure):
Initiator -> Responder: Authentication Request (Status), Seq #1
Responder -> Initiator: Authentication Challenge (frame in plain text), Seq #2
Authentication Spoofing
IV space: 2^24 packets before an IV repeats. At 11 Mbit/s with 1500-byte packets: 2^24 x 1500 x 8 bits / 11 Mbit/s = 18300 sec, about 5 hrs.
(packet 1 byte, 11 Mbits, 10 bits)
Table-based Attack: 2^24 IVs x 1500 bytes of keystream = 24 GB
http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm
University of Maryland, April 2001
University of Maryland, February 2002
* "In practice, most installations use a single key that is shared between all mobile stations and access points. More sophisticated key management techniques can be used to help defend from the attacks we describe."
- University of California, Berkeley report on WEP security, http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
http://airsnort.shmoo.com/
AirSnort operates by passively monitoring transmissions, computing the encryption key when enough packets have been gathered.
http://sourceforge.net/projects/wepcrack
WEPCrack is a tool that cracks 802.11 WEP encryption keys using the latest
http://www.netstumbler.com/
WEP frame: src addr | IV | encrypted data | ICV
WEP2
802.1X / EAP over RADIUS exchange (figure): Supplicant, Authenticator (AP), RADIUS server. EAP is carried over 802.11 (EAPOW) between Supplicant and AP and inside RADIUS between AP and server.
Access Blocked
802.11 Associate (Supplicant and AP)
EAPOL-Start (Supplicant -> AP)
EAP-Request/Identity (AP -> Supplicant)
EAP-Response/Identity (Supplicant -> AP), relayed as Radius-Access-Request (AP -> RADIUS)
Radius-Access-Challenge (RADIUS -> AP), delivered as EAP-Request (AP -> Supplicant)
EAP-Response (Credential) (Supplicant -> AP), relayed as Radius-Access-Request (AP -> RADIUS)
Radius-Access-Accept (RADIUS -> AP), delivered as EAP-Success (AP -> Supplicant)
EAPOW-Key (WEP) (AP -> Supplicant)
Access Allowed
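The port behaviour described in the 802.1X paragraph earlier and the message sequence above, modelled in code. This is an added example, not code from the slides or from any 802.1X implementation: the frame and packet names are the figure's labels used as plain strings, USERS is a constructed user table, and the credential check is a hypothetical stand-in for a real EAP method.

```python
USERS = {"alice": "s3cret"}   # constructed RADIUS user database (hypothetical)

def radius_server(req):
    """Authentication Server: Radius-Access-Request -> Challenge / Accept / Reject."""
    if req["eap"] == "EAP-Response/Identity":
        return "Radius-Access-Challenge", "EAP-Request"
    if req.get("credential") is not None and USERS.get(req["identity"]) == req["credential"]:
        return "Radius-Access-Accept", "EAP-Success"
    return "Radius-Access-Reject", "EAP-Failure"

class AuthenticatorPort:
    """Authenticator (AP): the port starts unauthorized and passes EAPOL only."""
    def __init__(self):
        self.authorized, self.identity, self.log = False, None, []

    def receive(self, frame, payload=None):
        # Handle one frame from the supplicant; returns what goes back to it.
        if not frame.startswith("EAP") and not self.authorized:
            self.log.append("Access Blocked")      # non-EAPOL traffic is dropped
            return None
        self.log.append(frame)
        if frame == "EAPOL-Start":                 # ask the supplicant who it is
            return self.send("EAP-Request/Identity")
        if frame == "EAP-Response/Identity":
            self.identity = payload
            return self.relay({"identity": payload, "eap": frame})
        if frame == "EAP-Response (Credential)":
            return self.relay({"identity": self.identity, "credential": payload, "eap": frame})

    def send(self, frame):
        self.log.append(frame)
        return frame

    def relay(self, req):
        # Wrap the EAP message in RADIUS; unwrap the server's EAP answer.
        self.log.append("Radius-Access-Request")
        code, eap = radius_server(req)
        self.log.append(code)
        self.send(eap)
        if code == "Radius-Access-Accept":         # open the port and deliver the key
            self.authorized = True
            return self.send("EAPOW-Key (WEP)")
        return eap

def run_exchange(identity, credential):
    """Supplicant side of the sequence in the figure; returns (authorized, transcript)."""
    port = AuthenticatorPort()
    port.log.append("802.11 Associate")
    for frame, payload in [("EAPOL-Start", None), ("EAP-Response/Identity", identity),
                           ("EAP-Response (Credential)", credential)]:
        port.receive(frame, payload)
    port.log.append("Access Allowed" if port.authorized else "Access Blocked")
    return port.authorized, port.log
```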
References
http://www.personaltelco.net/index.cgi/WepCrack
http://sourceforge.net/projects/wepcrack
http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf
Airsnort : http://airsnort.sourceforge.net/
http://airsnort.shmoo.com/
http://www.wlana.org/learn/80211.htm
http://www.cs.rice.edu/~astubble/wep/
http://www.isp-planet.com/technology/2001/wep.html
http://www.isp-planet.com/fixed_wireless/technology/2001/better_wep.html
http://www.ispplanet.com/fixed_wireless/technology/2001/wlan_primer_part2.html
http://rr.sans.org/wireless/equiv.php
http://rr.sans.org/wireless/wireless_sec.php
References (2)
http://www.cs.tamu.edu/course-info/cpsc463/PPT/
http://www.newwaveinstruments.com/resources/
http://vip.poly.edu/seminar/
http://www.ietf.org/rfc/rfc2284.txt
Nikita Borisov, Ian Goldberg, David Wagner, "Intercepting mobile communications", The seventh annual international conference on Mobile computing and networking, July 2001.
N. Golmie, R. E. Van Dyck, and A. Soltanian, "Interference of Bluetooth and IEEE 802.11: simulation modeling and performance evaluation", Proceedings of the 4th ACM international workshop on Modeling, analysis and simulation of wireless and mobile systems, Rome, Italy, 2001.
References (3)
http://www.ieee802.org/11/
http://standards.ieee.org/getieee802/
http://www.wi-fi.org
http://www.homerf.org
http://www.hiperlan2.com
http://www.commsdesign.com
http://www.80211-planet.com
http://www.cs.umd.edu/~waa/attack/v3dcmnt.htm
http://www.dgt.gov.tw
http://www.wirelesscorp.net/802.11_HACK.htm
References (4)
Cisco Aironet:
http://www.cisco.com/warp/public/cc/pd/witc/ao350ap/prodlit/1281_pp.htm
http://www.csie.nctu.edu.tw/~tsaiwn/802.11/