A. 802.11 Single Station Association
IEEE 802.11 specifies that each STA may associate with a single AP at any given time. Single station association ensures that there is only one attachment point from the STA to the distribution system (DS) and prevents the path ambiguity problem. The IEEE 802.11f inter access-point protocol (IAPP) [12] provides operations between the APs to assist in maintaining the association relationship on APs during handoffs. When a STA changes its association from one AP to another by performing a re-association, the target AP should send an IAPP MOVE-notify packet to the old AP. Reception of the packet causes the old AP to remove the association state for the specified MAC address. Moreover, it forwards any stored context to the target AP to facilitate a fast context exchange. Therefore, the target AP can resume the previous communication settings without any advanced negotiation.
When a roaming STA performs an association rather than a re-association, the target AP enforces single station association by sending an IAPP ADD-notify packet to the multicast address. Reception of the packet causes the removal of the association state and any context information stored for the specified STA. However, context forwarding is not required in the association case. Both operations remove the stale association information according to the STA’s MAC address.
B. 802.11i: The MAC Security Enhancements
Because of the weaknesses of 802.11 Wired Equivalent Privacy (WEP) and its authentication, the IEEE Task Group i (TGi), which finalized its work in 2004, aims to solve this problem.
The goal of TGi is to construct a robust wireless environment called robust security network (RSN), where the wireless transmission is protected with stronger cryptographic algorithms and keying materials which are dynamically produced by a key management protocol. The enhanced components of the IEEE 802.11i are categorized as follows:
1. Data confidentiality and integrity: For data privacy, two cryptographic algorithms were developed to enhance encryption: Temporal Key Integrity Protocol (TKIP) and Counter Mode/CBC-MAC Protocol (CCMP). TKIP is an optional algorithm for backward compatibility with pre-RSN equipment; it is an extended version of WEP and uses the RC4 stream cipher. CCMP, on the other hand, is a mandatory algorithm for robust security network association (RSNA)-capable devices. It uses the AES block cipher to provide stronger encryption. Both TKIP and CCMP support data authentication for integrity confirmation.
2. 802.1x Authentication: The IEEE 802.11i utilizes the IEEE 802.1x as its authentication framework, which provides port-based network access control for the IEEE 802 LANs.
The purpose of the IEEE 802.1x is to provide compatible mechanisms for devices that request MAC layer authentication or authorization services. Port-based access control enforces an authentication each time a device is attached to a network. The port here means a logical attachment to the LAN, for example, an 802.11 association or an Ethernet port. In this architecture, three entities are introduced: supplicant, authenticator, and authentication server. Their definitions and functionality are described as follows:
• Authenticator: An entity that facilitates the access control and authentication of any entity on the other end of the network segment. For example, wireless APs may act as authenticators, providing port-based access control for mobile STAs under the same basic service set (BSS).
• Supplicant: An entity at one end of a segment that wants to access the resources on the other end. It should be authenticated by an authenticator, or its traffic will be blocked at the authenticator. Mobile STAs are an example.
• Authentication Server (AS): An entity that provides authentication services for the authenticator. The centralized architecture reduces the authentication overhead at the authenticator, and provides more flexibility to add new authentication methods.
For a supplicant that wants to access network resources, an extensible authentication is enforced at the authenticator just after it is attached to the LAN. Until a successful authentication is performed, any packet from the unauthorized supplicant is discarded at the authenticator, except the authentication packets. During the authentication, the authenticator acts as a bridge between the supplicant and the AS. It blocks unauthorized packets and forwards authentication packets to and from a preconfigured AS. (Note: the authenticator and the AS may reside on the same machine, but they are always connected through a network.) After the AS proves the identity of the supplicant, it notifies the authenticator to open the authorized port for the supplicant. From then on, any packet from the supplicant can pass through the authenticator without port blocking.
In the IEEE 802.1x framework, two protocols are used to transport authentication messages between the supplicant and the AS: the extensible authentication protocol (EAP) and remote authentication dial in user service (RADIUS). EAP was originally developed for authentication on point-to-point protocol (PPP) links. The LAN encapsulation of EAP packets, called EAP over LAN (EAPoL), is introduced to facilitate the transportation between supplicant and authenticator. The RADIUS protocol is always used by Internet service providers (ISPs) to provide centralized authentication services. It is used by the IEEE 802.1x for the transportation between authenticator and AS. During the authentication, the authenticator is responsible for translating the encapsulation between EAPoL and RADIUS accordingly. Both protocols provide flexibility for well-known authentication methods. Figure 1 shows the relationships and communication protocols between the supplicant, authenticator, and AS.
Figure 1. The relationship and trust model between the IEEE 802.1x entities. (Dotted line means implicit trust)
For each authentication, the authenticator maintains the authorization state of each supplicant, identified by its MAC address, for a while. After the state information expires, the supplicant is forced to perform a re-authentication, even if it still resides under the same authenticator. Authorization status should be updated periodically due to a timeout of the authenticator or a RADIUS session-timeout of the AS.
3. Key management protocol: Due to the weakness of static keying in WEP, two protocols for dynamic key management are proposed in the IEEE 802.11i: the four-way handshake and the group key handshake. Both protocols use the pairwise master key (PMK) as a basic secret, which is produced by a master key (MK) from a successful 802.1x authentication, to construct the keying materials for wireless transmission. Handshake details are described as follows.
• Four-way handshake: The four-way handshake is a procedure to refresh the pairwise transient key (PTK), which is used for protecting unicast traffic. The PTK is a set of keying materials containing the cryptographic keys for secure handshake and data transmissions, including the temporal key (TK), the EAPoL-Key confirmation key (KCK), and the EAPoL-Key encryption key (KEK). Handshake messages are encapsulated using the 802.1x EAPoL-Key format, and are protected against man-in-the-middle attacks. The handshake message flow is as follows. First, the authenticator sends a random nonce, called ANonce, to the supplicant. After receiving the message, the supplicant produces another random nonce, called SNonce. The two random nonces and the shared PMK are then used to produce the PTK. After that, the supplicant replies to the authenticator with message 2, which carries SNonce and is protected by a MIC. The authenticator produces the PTK in the same way as the supplicant, and verifies the MIC. If the MIC is valid, the authenticator sends message 3 to notify the installation of the PTK; otherwise, the handshake halts. Finally, the supplicant replies with message 4 to confirm the installation of the PTK. As a result, new keying materials are synchronized and used by both the supplicant and authenticator.
• Group key handshake: The group key handshake is a procedure to refresh the group transient key (GTK), which is used for protecting broadcast traffic. It utilizes the PTK for secure handshaking, so it should be performed after a four-way handshake. At the beginning, the GTK is generated by the authenticator, and then sent from the authenticator to the supplicant encrypted using the KEK. After receiving the message, the supplicant checks its integrity. If it really originated from the authenticator without any alteration, the supplicant uses the same KEK to decrypt it and get the GTK. Group key handshake is an optional procedure since the broadcast messages are always less important.
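The first two messages of the four-way handshake described above can be traced in code; this is an added example, not part of the original paper, and it follows the HMAC-SHA1 PRF and the "Pairwise key expansion" label defined in IEEE 802.11i, which also mixes in both MAC addresses. The MAC addresses, PMK values and message body are constructed, the CCMP key sizes are assumed, and the MIC is computed over a simplified message rather than a full EAPoL-Key frame.

```python
import hashlib
import hmac
import os

def prf(key, label, data, nbytes):
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce):
    """Return (KCK, KEK, TK): a 384-bit PTK split into three 128-bit keys (CCMP)."""
    # Sorting addresses and nonces makes both sides build the same PRF input.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]

def mic(kck, message):
    """MIC keyed with the KCK: HMAC-SHA1 truncated to 128 bits."""
    return hmac.new(kck, message, hashlib.sha1).digest()[:16]

def run_handshake(pmk_supplicant, pmk_authenticator):
    """Simulate messages 1 and 2; True means the authenticator would send message 3."""
    aa = bytes.fromhex("020000000001")    # constructed authenticator (AP) MAC
    spa = bytes.fromhex("020000000002")   # constructed supplicant (STA) MAC
    anonce = os.urandom(32)               # message 1 carries ANonce in the clear
    # Supplicant: pick SNonce, derive the PTK, send message 2 with a MIC.
    snonce = os.urandom(32)
    kck_s, _kek, _tk = derive_ptk(pmk_supplicant, aa, spa, anonce, snonce)
    msg2 = b"constructed message 2 body|" + snonce
    msg2_mic = mic(kck_s, msg2)
    # Authenticator: derive the PTK from its own PMK copy and check the MIC.
    kck_a, _kek, _tk = derive_ptk(pmk_authenticator, aa, spa, anonce, snonce)
    return hmac.compare_digest(mic(kck_a, msg2), msg2_mic)

if __name__ == "__main__":
    pmk = os.urandom(32)                  # constructed 256-bit PMK
    print("matching PMK:", run_handshake(pmk, pmk))
    print("wrong PMK:   ", run_handshake(pmk, os.urandom(32)))
```

The PMK itself never crosses the air: only the nonces and the MIC do, and the MIC check fails whenever the two sides hold different PMKs.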
Figure 2. Key hierarchy of MK, PMK, and PTK
Dynamic key management protocols are performed based on a PMK shared between the supplicant and authenticator. However, not all authentication methods provide a key derivation function to produce a shared secret. Therefore, the IEEE 802.11i recommends that supplicants that want to create a robust security network association (RSNA) should perform an authentication method that supports key derivation (e.g. EAP-TLS, EAP-SIM, …). Figure 2 shows the PTK key hierarchy and its root secret.