Authentication and Security in Wireless LANs

References

https://www.youtube.com/watch?v=hLQ5rYNUwNg
https://www.youtube.com/watch?v=ntGA6V5EciE&t=396s

Data frames in wireless medium should be protected in order to ensure that data has not been tampered with while transmission in air.  Any wireless device or radio capable of receiving and decoding 802.11 frames can have access to the  data. So data has to be protected by proper encryption methods.

WEP ( Wired Equivalent Privacy) and WPA ( Wifi Protected Access ) are security protocols used to secure wireless networks by properly encrypting the data before transmission. WEP uses the same static key configured on on devices to encrypt the data. WPA generates different encryption keys for different devices using  4 way handshake. WPA uses TKIP to encrypt data while WPA2 uses AES-CCMP to encrypt data

Data Confidentiality is maintained by encrypting frame body of the data. A Message Integrity check is added as part of data. Receives validate the received data against this MIC to ensure that the data was not altered while in transit.

Authentication  is the  process in which the client's identity/credential is validated, whether the client device is who/what it claims to be.

In WEP , the WEP algorithms is responsible for both authentication and Data encryption. 

 802.11 authentication is the first step in network attachment. 

Two types of authentication

  • Open System

  • Shared Key

1) Open System Authentication

It consists of a simple authentication request containing the station ID and an authentication response containing success or failure data. Upon successful authentication, both stations are considered mutually authenticated.

Steps

1) Authentication request -From Client to AP

2) Authentication Response – From AP with success or failure message to Client

3) Association Request

4)Association Response

Any client can send its station ID in an attempt to associate with the AP. In effect, no authentication is actually done.

2) Shared Key Authentication

In  shared key authentication a static key or a passphrase is set on the client/mobile device and the router/AP

2a) In WEP, a static key is configured on both the client and AP.  The authentication process consists of a clear text challenge and response between the Client and the AP. The AP validates the response from the client. If the validation is successful, it means that both the client and  the AP have the same key and the authentication is successful. 

After this authentication, data is encrypted using the WEP key

2b) WPA/WPA2

In this, a pre-shared key/ passphrase,  not encryption key  is configured on both the client and server.  The   passphrase/pre shared key, along with the  SSID, is used to generate unique key called PMK (PairWise Master Key) . 

The authentication process derives the source key material (PMK) for creating the encryption keys.

This is used in the 4 way handshake to generate the encryption keys called PTK.( Pairwise Transient Key) This PTK is used to encrypt unicast data

In this case, all the clients that connect to the AP, gets the same PMK. So in enterprise network 802.1X authentication is used.

WPA uses TKIP  and WPA2 uses AES-CCMP for encryption.

3) 802.1X port based authentication

WPA and WPA2  Enterprise use port based authentication to authenticate the clients 802.X is an authentication protocol for wireless LANs. It is based on IETF's Extensible Authentication Protocol

Here , after 802.1X authentication , a PMK ( pairwise master key) very specific to client and AP is generated. 

This PMK is used in the 4 way handshake to generate the encryption keys 


                                Encryption                          Authentication

WPA-personal             TKIP                                          PSK

Wpa2-Personal            AES-ccmp                                 PSK

WPA -Enterprise          TKIP                                         802.1X/EAP

WPA2-enterprise          AES-ccmp                                802.1X/EAP








Comments

Post a Comment

Popular posts from this blog

Protection Mechansims in 802.11g

Need for Protection  In a WLan BSS with both 802.11b and 802.11g devices,  the AP ( 802.11g)  has to serve both 802.11g and 802.11b clients. Due the difference in chipset implementations of 802.11b and 802.11g devices, a 802.11b device cannot decode  high rate  transmissions from a 802.11g device.  Unaware of a 802.11g device's transmission, if a 802.11b client transmits at the same time, it will cause interference to 802.11g's transmission.  So 802.11g specifies certain protection mechanisms to ensure that 802.11g's transmissions are not interrupted by the legacy devices. These protection mechanisms  are there to make sure that the legacy devices are  aware when a 802.11g device is transmitting so that , legacy devices can defer their transmission. Types of Protection Mechanisms in 802.11g 802.11g specifies two types of protection mechanism.  1) cts-to-self protection mechanism: In this , when ever a 802.11g station has a ofdm data fram...
Read more

Protection Mechanism in 802.11n

Image
References: https://www.cwnp.com/802-11n-protection-mechanisms-part-2/ https://mrncciew.com/2014/11/04/cwap-ht-operations-ie/ 802.11n survival guide - Mathew Gast When ever a new wireless standard is introduced, the new devices' transmissions cannot be decoded by the older devices. When 802.11g came into existence, the OFDM transmissions by 802.11g devices cannot be decoded by the older 802.11b /802.11devices.  Hence in order to protect the newer 802.11g devices from older 802.11b devices,  protection mechanisms were introduced in 802.11g 's standard. In a ERP BSS where 802.11/802.11b coexist, protection mechanism has to be enabled.  This is indicated by setting the bits ' Use Protection ' and 'non Erp Present ' bits in the ERP information element of the beacon. ERP stations know that they need to use the protection frames prior to sending OFDM frames based on this. In the case of 802.11n, HT transmissions needs to be protected if there  are older stations ( b/a...
Read more

Basics of FDM and OFDM

Image
  Note : All figures/images taken from internet  Multiplexing Multiplexing is a technique used to share a Medium ( Cable, Wire, optical fiber, air). This allows simultaneous transfer of multiple signals in a single data link. The most simplest method of using the medium is to transmit one signal at a time. Multiplexing is a technique used to combine signals or information from different users/devices and transmit at the same time. Time Division multiplexing: Transmitting different users' digital signal over a single link by dividing the time into intervals called slots and allocating equal time slots to each user.       Statistical Time Division Multiplexing In this type of multiplexing, some users may have high priority or may have more data to transmit. Instead of allocating equal time slots to all users, depending on the priority, more time slots may be allotted to a particular use. Baseband systems can tranmsit on...
Read more