Wireless security: IEEE 802.11 and CCMP/AES
Tutorial: The wireless adoption rate is growing, making security a greater concern. The IEEE 802.11i task group has developed advanced methods of securing wireless networks like counter mode with cipher-block chaining message authentication protocol (CCMP) and the advanced encryption standard (AES). See 5 keys in IEEE 802.11i.
Legacy wireless security methods used with early wireless networks were designed to work on the older equipment available at the time and were merely stopgaps, as discussed in the last blog entry, "Wireless security legacy, background." Recognizing that the adoption of wireless technology was growing at an exponential rate, and that security was of paramount importance in supporting this growth, the IEEE 802.11i task group developed advanced methods of securing wireless networks.
Beginning with the 802.11i amendment, robust security networks (RSN) and robust security network associations (RSNA) were introduced to provide a framework for secure wireless networks. Generally, a successful authentication indicates that the parties to the transaction have mutually verified each other's identities and have generated dynamic encryption keys to be used for secure data transmission. Figure 1 shows the IEEE 802.11 security tree.
Wireless protected access, 2 areas
This segment will discuss wireless protected access 2 (WPA2), which reflects the 802.11i amendment. WPA2 is a complex security method that draws on the federal information processing standard (FIPS)-197, which introduced the advanced encryption standard (AES). The WPA/WPA2 designation was developed by the Wi-Fi Alliance and mirrors the IEEE standards, and is actually a certification, ensuring equipment adheres to a common standard of security. WPA2 defines two types of security: passphrase authentication for small and small office/home office (SOHO) networks, and 802.1X/EAP security for enterprise networks.
WPA2 mandates the use of a new protocol, counter mode with cipher-block chaining message authentication protocol (CCMP). CCMP uses the AES block cipher, replacing the RC4 cipher used in wired equivalent privacy (WEP) and temporal key integrity protocol (TKIP). A block cipher processes data in blocks, while a streaming cipher like rivest cipher 4 (RC4) processes data bit by bit, in a serial stream. The encryption method is commonly referred to as CCMP/AES. AES uses a 128-bit key and encrypts data in 128-bit blocks. CCMP/AES uses several enhancements, including temporal keys (TK), packet numbers (PN), nonce [number or bit string used only once], upper layer encryption, and additional authentication data (AAD).
It should be understood that AES is a standard and not a protocol. A protocol is a series of steps designed to achieve a specific end, while a standard is a set of rules and guidelines that define an overall design structure. The AES standard specifies the use of the Rijandel symmetric block cipher that can process data blocks of 128 bits, using cipher keys of 128, 192, and 256 bits.
CCMP is a security protocol. It follows carefully designed steps that include the use of the AES specified algorithm to encrypt sensitive data. It uses a block cipher, as previously noted. CCMP is made up of different specialized components providing specific functions. Counter-mode is used to provide data privacy, while cipher block chaining message integrity protocol is used for authentication and data integrity. CCMP uses one temporal key to accomplish all encryption processes; this can be a pairwise temporal key (PTK) or a group temporal key (GTK). A discussion of temporal keys follows the description of CCMP.
CCMP first produces a packet number. Packet numbers increment with each data frame. Data frames are called MAC protocol data units (MPDUs), and are the plaintext data payload in the medium access control sublayer in layer 2, the datalink layer, which is to be encrypted. After MAC encapsulation, it becomes a MAC Service Data Unit (MSDU). For simplicity, both will be referred to as a "data frame" or "frame." Parts of the frame are used to generate the AAD. The message integrity code (MIC) is appended to the frame.
Next, a nonce is created from the packet number (PN), transmit address (TA), and quality of service (QoS) data contained in the frame header. A nonce is a one-time value that is generated exclusively for the specific transaction. A CCMP header is created from the PN and the Key ID. The AAD, nonce, and 128-bit temporal key are then input into the AES block cipher, creating an encrypted data frame while performing a data integrity check. The TK, nonce, AAD, and plaintext are then processed to create the MIC. The plaintext and the MIC are then encrypted into 128-bit blocks. This process is called CCM originator processing. Finally, the original MAC header is appended to the CCMP header, the encrypted data and MIC, and a frame check sequence (FCS). A diagram of the encryption process is shown in Figure 2.
IEEE 802.11i describes a process for the generation and management of keys used in the authentication process. As described above and previously in the article about TKIP, temporal keys are an integral part of the authentication process.
With CCMP, one temporal key is used for all encryption and data integrity processes. The next segment will focus on port-based security and extensible authentication protocols (EAP), which use different types of keys during the authentication and encryption processes.
A temporal key is a key that exists for the duration of the transaction only. After the transaction is complete, temporal keys are discarded. This method of key generation makes the network very robust and secure. Used in conjunction with a user database such as a Remote Authentication Dial-In User Service (RADIUS) server, port-based or role-based security, and digital certificates, wireless networks can be made completely secure. For the following discussion, three new terms need to be understood: the supplicant, the authenticator, and the authentication server (AS). The supplicant is defined as any client device wishing access to network resources; the authenticator is the device where the supplicant applies for access—typically a wireless access point. The AS is a user database that contains information about approved supplicants, such as authentication data and access rights—not all supplicants have access to all network resources.
5 keys in IEEE 802.11i
Keys and key management are defined by several documents as found in the 802.11i amendment. The five specific types of keys to know about are:
- The authentication, authorization, and accounting (AAA) key: The AAA key is generated from the 4-way handshake that occurs between the supplicant and the authenticator. This key is typically used in enterprise level networks; the AAA key information resides in the AS. This key is called the master session key (MSK) in the 802.11i amendment.
- The pairwise master key (PMK): This key is derived from the AAA key (when used) or from a password. It is superior to all other keys.
- The pairwise transient key (PTK): This is the most common type of key and is used in all encryption protocols from TKIP forward. The PTK is derived from the PMK, the authenticator address, the supplicant address, the authenticator nonce, and the supplicant nonce, and can be split up into as many as five sub-keys: a temporal encryption key, two temporal MIC keys, an EAPOL-Key encryption key (KEK), and an EAPOL-Key confirmation Key (KCK). This key is used for unicast traffic only.
- Group master key (GMK): Similar to the PMK but used for broadcast/multicast traffic.
- Group temporal key (GTK): The GTK is derived from the GMK and is used for broadcast/multicast traffic. It is a random value assigned by the broadcast/multicast source.
Master keys, as a rule, are used to generate other keys, but are not used to encrypt data. Temporal keys are used to encrypt data and then discarded afterwards.
Devin Akin's white paper, "802.11i Authentication and Key Management," otherwise known as the "Chicken and Egg" white paper, provides additional insight on this wireless security topic.
- Daniel E. Capano, owner and president, Diversified Technical Services Inc. of Stamford, Conn., is a certified wireless network administrator (CWNA), email@example.com. Edited by Chris Vavra, production editor, CFE Media, Control Engineering, firstname.lastname@example.org.
www.controleng.com/blogs has other wireless tutorials from Capano on the following topics:
Wireless security legacy, background
Wireless security basics
Quality of service in wireless communication
www.controleng.com/webcasts has wireless webcasts, some for PDH credit.
Control Engineering has a wireless page.
Devin Akin's white paper: "802.11i Authentication and Key Management" provides additional insight on this wireless security topic.