National Chiao Tung University
Institute of Communication Engineering
Master's Thesis
Design and Implementation of an Efficient Structure of 802.11n with WPA2
Student: Teng-Piao Chiu (邱鐙標)
Advisor: Prof. Tsern-Huei Lee (李程輝)
A Thesis
Submitted to College of Electrical and Computer Engineering, National Chiao Tung University
for the Degree of Master
in
Institute of Communication Engineering
June 2013
Hsinchu, Taiwan, Republic of China
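Mandarin Abstract
With the spread of wireless communication, communication quality and information security have become important issues. 802.11n is a widely used WLAN (Wireless Local Area Network) technology that includes frame aggregation and other techniques to raise the transmission rate. It also includes WPA2 (Wi-Fi Protected Access 2), a security mechanism that protects data from being stolen or tampered with in transit. These two mechanisms, however, were not considered together, so when a user turns on WPA2 for protection the transmission rate drops sharply. In this thesis we propose the Aggregated Hybrid Automatic Repeat Request Mechanism with Fragmentation Counter Mode with CBC-MAC Protocol (AH-FCCMP), which lets users keep good transmission quality while transmission remains secure. The mechanism changes the way CCMP is computed so that data transmission and encryption/decryption can proceed at the same time, which reduces the overall computation time. Simulation results show that the proposed AH-FCCMP mechanism achieves higher system throughput than the conventional mechanism while meeting the information-security requirements.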
ABSTRACT
As wireless communication spreads, transmission rate and information security matter more and more. 802.11n is a widely used WLAN (Wireless Local Area Network) technology that boosts its transmission speed through frame aggregation (FA) and other core technologies. It also includes WPA2 (Wi-Fi Protected Access 2), a security mechanism that prevents data from being eavesdropped on or stolen during transmission. However, these two features are not taken into consideration together. If users switch on WPA2 for security during 802.11n transmission, the system throughput nosedives.
In this thesis, we propose AH-FCCMP (Aggregated Hybrid Automatic Repeat Request Mechanism with Fragmentation Counter Mode with CBC-MAC Protocol), which provides high transmission speed while keeping data transfer secure. This mechanism changes the architecture of CCMP so that encryption/decryption and data reception run in parallel, which reduces the total service time. The simulation results show that AH-FCCMP provides higher system throughput than the original scheme while meeting the information-security requirements.
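Acknowledgement
In the course of completing this thesis I received help and support from many people, and I would like to express my highest respect to them here. First, I thank my advisor, Professor Tsern-Huei Lee. He could always point out where the problem lay and tirelessly taught me many research methods and the attitude that research requires. In these two years of research life I gained a great deal of specialized knowledge and the ability to do research independently; more importantly, he also taught me the right attitude toward research and toward work. I believe this experience will be a powerful help on the road ahead.
I also thank my parents and my elder brother, Mr. 邱國濱, Ms. 陳燕子, and Mr. 邱榮標. I thank my parents for raising me and for their support and encouragement throughout my studies.
I also thank my companions in the NTL laboratory of the Institute of Communication Engineering at National Chiao Tung University. Over these two years of research, the warm guidance of senior students, the cooperation of my classmates, and the energy and laughter that junior students brought to the laboratory were the greatest force behind the completion of my studies. Thank you for your timely encouragement and company, which allowed me to complete these two years of study smoothly.
Finally, I thank my friends, who helped me unwind when I was worried and anxious and who have always given me moral support and encouragement.
Lastly, I dedicate this thesis to everyone around me who loves me and whom I love.
2013/08 Teng-Piao Chiu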
Contents
Mandarin Abstract
English Abstract
Acknowledgement
Contents
List of Figures
List of Tables
Chapter 1 - Introduction
Chapter 2 - Related work
2.1 IEEE 802.11 family
2.1.1 IEEE 802.11n
2.1.2 802.11i
2.2 Cryptography and Data Encryption
2.2.1 Block Cipher Mode
2.2.2 Advanced Encryption Standard
Chapter 3 - Proposed Algorithm
3.1 Aggregated Hybrid-ARQ
3.2 Fragmentation CCMP
3.2.1 Replay Attack in different packets in FCCMP
3.2.2 Replay Attack in the same packets in FCCMP
3.2.3 FCCMP Algorithm
3.3 AH-ARQ with FCCMP
Chapter 4 - Simulation
4.1 System configurations
4.2 Performance comparison under different numbers of MPDUs
4.3 Performance comparison under different RS-codec schemes
4.4 Performance comparison under different MCSs
Chapter 5 - Conclusion
List of Figures
FIG.1 DCF BASIC OPERATION
FIG.2 A-MSDU FRAME FORMAT
FIG.3 A-MPDU FRAME FORMAT
FIG.4 CCMP MIC CALCULATION
FIG.5 CCMP CTR-MODE ENCRYPTION
FIG.6 AH-ARQ PACKET FORMAT
FIG.7 BLOCK CORRUPTION WITH AH-ARQ IN NOISY CHANNEL
FIG.8 STATE DIAGRAM FOR AH-ARQ SCHEME
FIG.9 REPLAY ATTACK IN DIFFERENT PACKETS
FIG.10 REPLAY ATTACK IN THE SAME PACKET - TYPE(A)
FIG.11 REPLAY ATTACK IN THE SAME PACKET - TYPE(B)
FIG.12 IVI CALCULATION
FIG.13 MICI CALCULATION
FIG.14 FRAGMENT-CBC-MAC
FIG.15 AH-CCMP EXAMPLE
FIG.16 AH-FCCMP EXAMPLE
FIG.17 LNUM UNDER DIFFERENT BE
FIG.18 RS BLOCK FORMAT IN AH-FCCMP
FIG.19 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES WHEN J=1
FIG.20 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES WHEN J=10
FIG.21 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES WHEN J=20
FIG.22 PERFORMANCE COMPARISON UNDER DIFFERENT VALUE OF J WITH AH-FCCMP SCHEME
FIG.23 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES UNDER RS(255,223)
FIG.24 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES UNDER RS(255,239)
FIG.25 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES UNDER RS(255,247)
FIG.26 PERFORMANCE COMPARISON UNDER DIFFERENT RS-CODEC WITH AH-FCCMP SCHEME
FIG.27 PERFORMANCE COMPARISON UNDER DIFFERENT RS-CODEC WITH AH-ARQ SCHEME
FIG.28 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES UNDER MCS(QPSK,1/2,60MBPS)
FIG.29 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES UNDER MCS(16QAM,3/4,180MBPS)
FIG.30 PERFORMANCE COMPARISON AMONG THREE ARCHITECTURES UNDER MCS(64QAM,5/6,300MBPS)
FIG.31 PERFORMANCE COMPARISON UNDER DIFFERENT MCS WITH AH-FCCMP SCHEME
List of Tables
TABLE.1 RELATIONSHIP BETWEEN MCS INDEX AND OTHER CONFIGURATION
TABLE.2 SIMULATION SYSTEM PARAMETERS
Chapter 1.
Introduction
IEEE 802.11 Wireless Local Area Network (WLAN) provides wireless communication over short distances. Many users have switched from wired networks to 802.11 WLAN as their primary network connection medium because it is easily deployed and can be used without a wired connection. Nevertheless, the open medium in WLAN leads to many security vulnerabilities, so the security requirement is more and more important nowadays.
The traditional 802.11 a/b/g WLANs use the DCF (Distributed Coordination Function) for accessing the shared wireless medium, which employs the CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) algorithm. However, research has shown that the MAC layer overhead is the main reason for their inefficiency. To meet the increasing demand of data-intensive applications over WLAN, the IEEE 802.11n WLAN is being standardized with new medium access control (MAC) and physical layer (PHY) specifications[3]. This new design increases the WLAN throughput above 100Mbps, comparable to 100Mbps Fast Ethernet. Backward compatibility with 802.11 a/b/g devices is also a critical design requirement. These goals are aided by improvements in radio technology, such as the OFDM (Orthogonal Frequency Division Multiplexing) modulation method and the MIMO (Multiple Input Multiple Output) antenna, and the enhanced PHY mode works toward the same purpose. 802.11n can provide a network with longer range and 600Mbps, compared to the 54Mbps data rate in the previous 802.11 a/b/g standards.
For reliable data transmission, many error-control methods are needed. We use strong and reliable error correction codes in services with strict delay requirements, such as voice and video streams, and we usually apply an ARQ (Automatic Repeat Request) protocol for delay-tolerant wireless data transmission. Frame aggregation and block acknowledgement are defined in 802.11n to reduce MAC layer overhead and boost the total channel utilization. Furthermore, Aggregated Selective Repeat ARQ (ASR-ARQ) and Aggregated Hybrid ARQ (AH-ARQ)[7][8] have been proposed to increase the tolerance of errors.
However, those modifications improve the throughput but do not take security issues into account. 802.11i[2] is an amendment introduced for secure WLAN, and the Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (CCMP)[12] is the main replacement for WEP and WPA, which were introduced for WLAN security in 1997 and 2003 respectively. CCMP contains two parts, MIC (Message Integrity Check) computation and CTR-mode encryption, which serve different security purposes. The cascade of AH-ARQ and CCMP limits the total throughput. Because the transmitting/receiving chip and the encrypt/decrypt chip are usually separate parts of one device, we propose a new structure of CCMP, FCCMP (Fragmentation CCMP), which reduces the processing time by using both chips simultaneously. AH-FCCMP is an architecture that considers not only the retransmission mechanism but also the security algorithm, so that less efficiency is wasted.
The remainder of this thesis is organized as follows. Chapter 2 describes the system model and some related work. Chapter 3 formulates the AH-ARQ and FCCMP algorithms and the hybrid architecture, AH-FCCMP. Simulation results and discussions are
Chapter 2.
Related work
2.1 IEEE 802.11 family
In 1997, the IEEE (Institute of Electrical and Electronics Engineers) created the first WLAN standard, which is called 802.11 after the name of the group formed to oversee its development. The 802.11 family consists of a series of half-duplex over-the-air modulation techniques that use the same basic protocol. The original version, 802.11-1997, was released in 1997, but it became widely accepted only with the new amendment 802.11b, which applies OFDM (orthogonal frequency-division multiplexing) technology, in 1999. The following amendments, such as 802.11a and 802.11g, were introduced for higher throughput in 1999 and 2003 respectively.
Because these three protocols use different frequencies, the 2.4 GHz band for 802.11b/g and the 5 GHz band for 802.11a, 802.11a is incompatible with the other two. 802.11n was developed to raise the data transmission rate to 600Mbps through MIMO (Multiple-Input-Multiple-Output), a new multi-streaming modulation technique, and is incompatible with 802.11a/b/g because of operating on both the 2.4 GHz and the 5 GHz bands. Other standards in the family, such as c, e, i, are service amendments and extensions or
2.1.1 IEEE 802.11n
IEEE 802.11n is an amendment to the IEEE 802.11-2007 wireless networking standard[1][10]. The main purpose is to improve network throughput over the two previous standards, 802.11a and 802.11g. The maximum data rate increases significantly, from 54 Mbps to 600 Mbps, in a 4x4 MIMO configuration with 40 MHz bandwidth.
In the PHY layer, several modifications contribute to the improvement. First, the number of OFDM subcarriers is increased from 48 to 52, which improves the maximum throughput from 54 Mbps to 58.5 Mbps. Second, the highly efficient FEC (Forward Error Correction) code, LDPC (low-density parity-check), is applied, and this new puncturing mode raises the coding rate from 3/4 to 5/6, boosting the data rate to 65Mbps. Third, the GI (guard interval), which is the interval between OFDM symbols, is reduced from 800ns to 400ns, and the throughput increases to 72.2Mbps. Fourth, doubling the bandwidth from 20 MHz to 40 MHz slightly more than doubles the rate, from 72.2Mbps to 150Mbps. Last, the use of MIMO SDM (Spatial Division Multiplexing), which spatially multiplexes multiple independent data streams, can significantly increase data throughput as the number of resolved spatial data streams increases. 802.11n supports four spatial streams at most, and the data rate grows up to 600Mbps. Various modulation schemes and coding rates are represented by the MCS (Modulation Coding Scheme) index value and the configurations between the different
Table. 1 Relationship between MCS index and other configuration
In the MAC layer, frame aggregation (FA) and block acknowledgement (BA) are applied to reduce the cost of the large amount of overhead compared to wired network protocols, especially in the inter-frame spaces and control frames such as acknowledgements. Each 802.11 frame has fixed overhead in the radio preamble and MAC frame fields. Even though 802.11n supports a high data rate, the fixed overhead restricts actual throughput. Frame aggregation, in simple terms, puts more than one frame together into a single transmission with the same header and lowers the collision probability, so less time is lost to back-off.
802.11n includes two methods for frame aggregation: MAC Service Data Unit aggregation (A-MSDU) and Message Protocol Data Unit aggregation (A-MPDU). Both aggregation methods reduce the overhead to only a single radio preamble and MAC headers for each frame transmission. To compensate for the larger aggregated frame size, 802.11n
Fig. 1 DCF basic Operation
Fig. 2 A-MSDU frame format
Fig. 3 A-MPDU frame format
BA is designed with the same idea and reduces the overhead of Acks. Rather than sending an individual Ack following each data frame, 802.11n introduces the technique of confirming a burst of up to 64 frames with a single BA frame. The Block ACK even
2.1.2 802.11i
802.11i is one of the service amendments, introduced in 2004 for security purposes. WEP (Wired Equivalent Privacy) is the original security algorithm in the 802.11-1997 standard and was ratified in September 1999. However, WEP has been demonstrated to have numerous flaws, and the Wi-Fi Alliance announced in 2003 that WEP had been superseded by WPA (Wi-Fi Protected Access). In 2007, the Wi-Fi Alliance referred to its approved, interoperable implementation of the full 802.11i as WPA2, which is also called RSN (Robust Security Network). 802.11i makes use of the AES (Advanced Encryption Standard) block cipher, whereas WEP and WPA use the RC4 stream cipher.
RSN proposes a secure architecture with two new protocols, the 4-Way Handshake and the Group Key Handshake. The authentication services and port access control described in IEEE 802.1X are used to generate and exchange the cryptographic keys. To access this secure network, the RSN only allows the creation of RSNAs (robust security network associations), which are a type of association used by a pair of STAs (stations) if the procedure to establish authentication or association between them includes the 4-Way Handshake. RSN also provides two RSNA (Robust Security Network Association) protocols, TKIP (Temporal Key Integrity Protocol) and CCMP (Counter Cipher Mode with Block Chaining Message Authentication Code Protocol), for ensuring data confidentiality and integrity respectively.
2.2 Cryptography and Data Encryption
Cryptography is the practice and study of techniques for secure communication in the
analyzing protocols that overcome the influence of adversaries and which are related to various aspects of information security, such as data confidentiality, data integrity, authentication, and non-repudiation. Cryptography was effectively synonymous with encryption, the conversion of information from a readable state to apparent nonsense. The originator of an encrypted message shared the decoding technique or the secret needed to recover the original information only with intended recipients, thereby precluding unwanted persons from doing the same.
Modern cryptography is heavily based on mathematical theory and computer science practice. Modern data encryption methods can be classified into two types, symmetric-key cryptography and public-key cryptography. Symmetric-key cryptography refers to encryption methods in which both the sender and receiver share the same key. Symmetric-key ciphers are implemented as either block ciphers or stream ciphers. A block cipher enciphers input in blocks of plaintext as opposed to individual characters, the input form used by a stream cipher. Stream ciphers, in contrast to the 'block' type, create an arbitrarily long stream of key material, which is combined with the plaintext bit-by-bit or character-by-character, somewhat like the one-time pad. In practice, block cipher algorithms can be used as stream ciphers by applying a suitable block cipher mode.
2.2.1 Block Cipher Mode
A block cipher by itself is only suitable for the secure cryptographic transformation (encryption or decryption) of one fixed-length group of bits called a block. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block. Most modes require a unique binary sequence,
non-repeating and for some modes random as well. The initialization vector is used to ensure that distinct ciphertexts are produced even when the same plaintext is encrypted multiple times independently with the same key. Block ciphers have one or more block size(s), but during transformation the block size is always fixed. Block cipher modes operate on whole blocks and require that the last part of the data be padded to a full block if it is smaller than the current block size. There are, however, modes that do not require padding because they effectively use a block cipher as a stream cipher.
2.2.2 Advanced Encryption Standard
The Advanced Encryption Standard (AES) is a specification, dating from 2001, for the encryption of electronic data[11]. It is based on the Rijndael[6] cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal which was evaluated by the NIST during the AES selection process. In other words, the AES standard is a variant of Rijndael under the restriction that the block size is 128 bits, using cipher keys with lengths of 128, 192, or 256 bits. AES is now available in many different encryption packages, and is the first publicly accessible and open cipher approved by the National Security Agency (NSA) for top secret information when used in an NSA approved cryptographic module.
AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special Galois field, GF(2^8). Different key sizes used for an AES cipher lead to different numbers of repetitions of the transformation rounds that convert the plaintext into the ciphertext. 128-AES, 192-AES, and 256-AES need 10, 12, and 14 cycles of
four steps, such as SubBytes, ShiftRows, MixColumns, and AddRoundKey.
2.2.3 CCMP
CCMP is an encryption protocol designed for WLAN products that implement the standards of the IEEE 802.11i amendment to the original IEEE 802.11 standard[12]. CCMP is based on the AES encryption algorithm using the Counter (CTR) mode with CBC-MAC mode of operation, an enhanced data cryptographic encapsulation mechanism designed for data confidentiality. It was created to address the flaws shown in WEP.
CCM requires a unique nonce value for each frame protected by a given temporal key (TK), and CCMP uses a 48-bit packet number (PN) for this purpose. Reuse of a PN with the same TK makes the mechanism insecure. CCMP contains two major parts, MIC computation and CTR-mode encryption, for authentication and data confidentiality respectively. Therefore, each message block requires two block cipher encryption operations. In hardware, for large packets, the speed achievable for CCM is roughly the same as that achievable with the CBC encryption mode. Both the CCM encryption and CCM decryption operations require only the block cipher encryption function. In AES, the encryption and decryption algorithms have some significant differences. Thus, using only the encrypt
Chapter 3.
Proposed Algorithm
3.1 Aggregated Hybrid-ARQ
Among the common ARQ protocols, Stop-and-Wait (SW), Go-back-N (GBN) and Selective Repeat (SR), the most efficient is SR. SR avoids unnecessary retransmissions by having the sender retransmit only those packets that it suspects were received in error. However, some factors in telecommunication, such as burst errors due to fading and huge latency, are not taken into account.
With SR-ARQ, we need to retransmit the whole of any packet which cannot be recovered by the channel code (such as a Hamming, Reed-Solomon or turbo code). This wastes much of the valid information that has already been sent. Aggregated Hybrid-ARQ (AH-ARQ) divides the packet into several blocks with a light overhead h_b, which contains a Forward Error Correction code (FEC), a Cyclic Redundancy Check (CRC) and some identification patterns (ID), and an
Fig. 6 AH-ARQ packet format
Over a noisy fading channel, some blocks may be corrupted more severely than others. More corruption leads to a higher probability of error bits. When a packet which has been recovered by the correction code does not pass the CRC check, only those blocks which cannot be recovered are selected for retransmission instead of the whole packet.
With an RS code, a corrupted block contains more than θ error symbols, and SER represents the symbol error rate of an RS symbol defined in GF(2^n), i.e., SER = 1-(1-Pe)^n, where Pe is the bit error rate. Therefore, Be_k, the block error probability after decoding with block length k, can be written as follows:
$$Be_k = \sum_{i=\theta+1}^{k} C^{k}_{i}\, SER^{i}\, (1-SER)^{k-i} \qquad (3.1)$$
Assume that we divide a data frame of length L into K blocks. R and T_CSMA are the transmitting rate and the expected latency for CSMA. The expected transmitting time of AH-ARQ is:
$$T_{AH} = \frac{\sum_{i=0}^{\infty} \left\{ P_K(i)\,[R\,T_{CSMA} + h_o] + [K\,Be_{L/K}^{\,i}]\left(\frac{L}{K} + h_b\right) \right\}}{R} \qquad (3.2)$$
where P_K(i) represents the probability that the i-th retransmission contains at least one error block, since there are K blocks to be transmitted in the beginning, and P_K(0) = 1 as the boundary condition. P_K(i) can be considered as the summation of P_K(i,j), the probability that the i-th retransmission contains j error block(s) for transmitting K blocks with 0 < j ≤ K, and can be formulated as:
$$P_K(i) = \sum_{j=1}^{K} P_K(i,j) = \sum_{j=1}^{K} \sum_{t=j}^{K} P_{jt}\, P_K(i-1,t) \qquad (3.3)$$
where P_jt is the state probability that there are j error block(s) left after transmitting t block(s). The two-dimensional Markov chain model can be adopted as the baseline model to analyze this model.
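$$\begin{bmatrix} P_K(i,0) \\ P_K(i,1) \\ \vdots \\ P_K(i,K) \end{bmatrix} = \begin{bmatrix} P_{00} & P_{01} & \cdots & P_{0K} \\ P_{10} & \ddots & & \vdots \\ \vdots & & \ddots & \vdots \\ P_{K0} & \cdots & \cdots & P_{KK} \end{bmatrix}^{i} \begin{bmatrix} 0 \\ 0 \\ \vdots \\ 1 \end{bmatrix}, \quad i = 0, 1, 2, \ldots \qquad (3.4)$$
and the transition probability P_jt can be calculated as
$$P_{jt} = \begin{cases} C^{t}_{j}\, Be_{L/K}^{\,j}\, (1 - Be_{L/K})^{t-j}, & t \ge j \\ 0, & t < j \end{cases} \qquad (3.5)$$
Now, we can estimate E_K, where E_K is the expected number of the transmitted packet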
$$E_K = \sum_{i=0}^{\infty} P_K(i) = \sum_{j=0}^{K} P_{jK}\,(1 + E_j), \quad \text{where } E_0 = 0 \qquad (3.6)$$
Combining (3.2) and (3.6), the expected transmitting time with K blocks can be obtained as
$$T_{AH} = \frac{E_K\,[R\,T_{CSMA} + h_o] + \dfrac{(L + K h_b)}{1 - Be_{L/K}}}{R} \qquad (3.7)$$
Therefore, the efficiency for AH-ARQ is shown below:
$$\eta_{AH} = \frac{T_L}{T_{AH}} = \frac{L/R}{T_{AH}} = \frac{L}{E_K\,(R\,T_{CSMA} + h_o) + \dfrac{L + K h_b}{1 - Be_{L/K}}} \qquad (3.8)$$
Moreover, we can find out that SR-ARQ is a special case with K = 1, h_b = 0, and Be = PER (Packet Error Rate):
$$\eta_{SR} = \frac{L}{E_1\,(R\,T_{CSMA} + h_o) + \dfrac{L + 1 \cdot 0}{1 - PER}} = \frac{L\,(1 - PER)}{L + R\,T_{CSMA} + h_o} \qquad (3.9)$$
3.2 Fragmentation CCMP
secure than the WEP protocol and the TKIP protocol of WPA. This protocol supports two main security services: data confidentiality and authentication.
Data confidentiality is guaranteed by using the encryption part of AES and the XOR operator. All data blocks can be decrypted independently because all the cipher blocks are constructed in CTR (Counter) mode. On the other hand, CBC-MAC is applied for authentication in CCMP. Each data block used in generating the MIC (Message Integrity Check) depends on all preceding block(s) of the packet. Therefore, it is impossible to calculate part of the MIC before all data blocks are received.
In order to decrease the time consumption, we have modified some parts of CBC-MAC into FCBC-MAC (Fragment-CBC-MAC). The main difference is that we divide a long CBC chain into several shorter ones. Each chain C_i runs the CBC-MAC protocol and computes the result, MIC_i, and the final checksum, MIC, is the XOR of all MIC_i.
Assume that the MIC is used to authenticate L_B data blocks. We divide the chain into several groups, G_1 ... G_p, which are disjoint sets and whose union is the whole L_B blocks. The formula is given below:
1 , , 1 ,0 1
(
,
),
,
MI
i i i j i j t j i p i i pMIC
AES MIC
M
t
NG
and
C
IV
(3.10)
$$MIC_i = MIC_{i,NG_i} \quad \text{and} \quad MIC = \bigoplus_{i=1}^{p} MIC_i \qquad (3.11)$$
propose and will be stated in the next two sections.
The best benefit is that we can compute part of the MIC before all the messages are received or decoded successfully. The penalty of this architecture is security, because the CBC block chains are shorter. We replace some AES operations with the faster and commutative XOR operator for higher efficiency. Because the XOR operator is used, the calculation of the MIC_i can be executed out of sequence. Therefore, we can first calculate those MIC_i whose required elements have all been received, even if some groups are not completely received.
In Chapter 3.3, each group is defined as all the encrypted blocks in an RS block, so we use this configuration to explain the replay attack scenarios and their corresponding solutions in Chapter 3.2.1 and 3.2.2.
3.2.1 Replay Attack in different packets in FCCMP
A replay attack is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed. This is carried out either by the originator or by an adversary who intercepts the data and retransmits it. The common solutions are one-time keys/passwords or timestamps. In the CCMP architecture, the PN (packet number), a 6-byte field incorporated into the encryption and MIC calculations, provides replay protection.
Because we separate the CBC-MAC into several fragments, the MIC_i must be generated including the PN information. Otherwise, there will be a security vulnerability with simple
example, if there is a packet which contains N RS blocks, RS_1 ... RS_N, the adversary can insert even block, RS_K*, from another packet. Therefore, the new MIC value will be the same as the original one.
* * * 1 2 1 1...
...
....
N K p p i K K i i i
MIC
MIC
MIC
MIC
MIC
MIC
MIC
MIC
MIC
(3.12)
Fig. 9 Replay Attack in Different Packets
Therefore, we can construct the IV with the PN:
$$IV = AES(AES(AES(MIC\_IV) \oplus MIC\_HEADER\_1) \oplus MIC\_HEADER\_2) \qquad (3.13)$$
where MIC_IV includes the PN information (Fig. 4 CCMP MIC Calculation).
3.2.2 Replay Attack in the same packets in FCCMP
Because errors cause retransmission, a replay attack can be applied. The adversary can transmit the packet with RS blocks in an incorrect sequence or more than one
Fig. 10 Replay Attack in the Same Packet - Type(A)
Fig. 11 Replay Attack in the Same Packet - Type(B)
For the situation shown in Fig. 10, the adversary swaps the positions of two RS blocks, RS_2 and RS_K, and the MIC is identical to the original result.
$$MIC_1 \oplus MIC_K \oplus \cdots \oplus MIC_2 \oplus \cdots \oplus MIC_N = MIC_1 \oplus MIC_2 \oplus \cdots \oplus MIC_K \oplus \cdots \oplus MIC_N = \bigoplus_{i=1}^{p} MIC_i = MIC \qquad (3.14)$$
The second case, in Fig. 11, is similar to the condition illustrated in Section 3.2.1. The adversary retransmits one of the RS blocks X more times, where X is even; the information is then different but the MIC is exactly the same.
1 1 2 1 2 2 2 1 1 1...
X i N i X p p i i i i i
MIC
MIC
MIC MIC
MIC
MIC
MIC
MIC
MIC
(3.15)
To prevent these two problems, we should make every RS block's checksum, MIC_i, depend on its own sequence number.
$$IV_i = AES(IV \oplus i) \qquad (3.16)$$
3.2.3 FCCMP Algorithm
From what has been mentioned above, we can depict the MIC calculation process in the next three figures; the encryption process is the same as the original CCMP process.
Fig. 12 IVi calculation
Fig. 14 Fragment-CBC-MAC
3.3 AH-ARQ with FCCMP
Typically, the receiver obtains the plaintext of a whole encrypted packet in the following two phases: first, it receives all the packet(s) and ensures that no errors remain after error correction; second, it decrypts the ciphertext into plaintext and checks whether this packet is authenticated or not. Therefore, the time for the receiver to obtain a packet successfully is:
$$T_{total} = T_{AH} + K\,T_{dec} \qquad (3.17)$$
where K is the number of RS blocks in a packet, T_dec is the decryption time of an RS block, and T_AH is the expected time of AH-ARQ.
But we can reduce the total service time to almost T_AH by applying AH-FCCMP. The main idea of this structure is that we want to decrypt the packet not until whole bytes are
Fig. 15 AH-CCMP example
Fig. 16 AH-FCCMP example
Now we can calculate the service time, Ttotal*, with the following formulation:
* * 1
Pr
{
}
(
)
(
)
(
)
tatol AH dec K AH RS dec RS i AH RS num dec RSAH RS dec RS AH dec tatol
T
T
T
T
T
ob the last packet contains i blocks i T
T
T
T
L
T
T
T
T
K
T
T
T
K T
T
(3.18)
where L_num is the expected block number of the last retransmitted packet. Obviously, T_total* is less than or equal to T_total, and there is a high positive correlation between T_dec* and L_num.
Fig. 17 Lnum under different Be
As the result above shows, T_dec* increases when Be is low, while T_AH decreases under the same condition. On the contrary, T_AH rises but T_dec* falls under high Be. Therefore, the growth rate of T_total* decreases as Be declines, and T_total* is close to T_AH when SNR is small.
With the structure illustrated above, we can decrypt some blocks earlier, after the first successful block, and shorten the service time if all RS blocks satisfy those two
blocks at most and D must be a positive integer. Therefore, every RS block can be decrypted independently. Second, the redundancy in an RS block had better include an FCS. Otherwise, we cannot know whether this block is corrupted until it has been decrypted.
Fig. 18 RS block format in AH-FCCMP
The original RS block in AH-ARQ contains n_i bytes of information and (4+2θ) bytes of redundancy, including CRC-32 and FEC. But because of the first feature stated above, D must be $\lfloor (255 - (4 + 2\theta)) / 16 \rfloor$ bytes. For the RS(255,239) codec, 11 bytes are wasted in each RS block. The solution to this situation is to reduce θ from 8 bytes to 4 bytes, RS(255,247),
Chapter 4.
Simulation
4.1 System configurations
In this section, the performance of the original AH-ARQ, AH-ARQ with CCMP, and AH-ARQ with FCCMP schemes is validated and compared via simulations. For the simulation, we model the system with the Multi-mode RS-codec chip[5] for the RS codec and the Motorola PowerPC G4 7410, referenced by [15], for (F)CCMP, respectively; the other MAC-defined parameters, which are described in the 802.11n standard, are shown in Table. 2.
Table. 2 Simulation System Parameters
Parameter                                  Value
Min / Max window size ( Wmin / WMax )      7/31
Maximum back-off stage ( M )               5
Maximum Retransmission ( RT )              25
# of RS blocks in one MPDU ( R )           16
Slot time ( σ )                            20 (μs)
Basic rate                                 7.2Mbps
TSIFS / TDIFS                              10 / 50 (μs)
PHY header / MAC header                    24 / 28 (Byte)
RTS / CTS / BA                             20 / 14 / 56 (Byte)
Delimiter                                  4 (Byte)
4.2 Performance comparison under different numbers of MPDUs
In this section, we demonstrate the performance evaluation under different number of
aggregated MPDUs within an A-MPDU, i.e., J = 1,10,20. The special case, J = 1, is shown
for comparison purpose because it is also the same as the SR-ARQ, which transmits only one
MPDU within each transmission. The rest configurations, RS-codec and MCS, are set by
RS(255,239) and MCS(16QAM,3/4,180Mbps) respectively.
Fig. 19 Performance comparison among three architectures when J = 1
29
Fig. 21 Performance comparison among three architectures when J = 20
Fig. 19, Fig. 20, and Fig. 21 show the performance comparison for both throughput and
mean service time under the different values of J. From these three figures, we
notice that the throughput declines when the SNR is lower than 8 and eventually
reaches the retransmission threshold when the SNR is 6, due to high Be. The maximum
throughput ratios of AH-ARQ to AH-FCCMP are 99.8%, 87.89%, and 86.096% respectively,
and the ratios of AH-ARQ to AH-CCMP are 75.79%, 50.13%, and 47.99% respectively. The
output rates of AH-ARQ and AH-FCCMP are extremely close, especially
when the SNR is low; the reason is shown in Fig. 17 and Eq. (3.17) in Chapter 3. The
mean service time of AH-CCMP is the highest in these three figures because of the time
spent in the CCMP procedure. In the AH-FCCMP scheme, the mean service time ratio of
AH-ARQ decreases from 1.894 to 1.1105, 3.0812 to 1.3153, and 3.2195 to 1.3447
Fig. 22 Performance comparison under different value of J with AH-FCCMP scheme
Fig. 22 compares performance with the SR-ARQ scheme, whose number of MPDUs per packet is one, since frame aggregation can improve channel utilization effectively.
More MPDUs in one packet reduce the time consumed, because the contention phase and
PHY header are shared. The maximum throughput enhancements over SR-FCCMP are 97.55% and
107.9% for J = 10 and 20 respectively. However, the mean service time increments are not
multiples of the number of MPDUs. In the AH-FCCMP scheme, the mean service time ratios of
J = 1 to J = 10 and 20 are 5.896 and 11.382 respectively in the high-SNR case. Based on the simulation results, we notice that the performance for J = 10 and J = 20 is close, so
J is set to 10 in the next two cases.
4.3 Performance comparison under different RS-codec schemes
In this section, we evaluate the performance under different RS coding
rates. Because the number of AES-encrypted payloads must be an integer and the total payload
must be lower than the RS information data, the payloads in an MPDU under the AH-ARQ scheme
with RS(255,223), RS(255,239), and RS(255,247) are 3300, 3556, and 3812 bytes
respectively when the number of RS blocks in one MPDU, R, is 16. Note that the 3556-byte
239 4 14 16
D
, BlockAES = 16 bytes, and MAC_Header = 28 bytes. The remaining
configurations, J and MCS, are set to 10 and MCS(16QAM,3/4,180Mbps) respectively.
Fig. 23 Performance comparison among three architectures under RS(255,223)
Fig. 24 Performance comparison among three architectures under RS(255,239)
Fig. 23, Fig. 24, and Fig. 25 show the performance comparison for both throughput and
mean service time under the different RS codecs. From these three figures,
we notice that the throughput under the RS(255,223), RS(255,239), and RS(255,247)
FEC codes declines when the SNR is lower than 6, 8, and 10, and eventually reaches the
retransmission threshold when the SNR is 4, 6, and 8, due to high Be. The maximum throughput ratios
of AH-ARQ to AH-FCCMP are 93.89%, 87.89%, and 85.53% respectively, and the ratios of
AH-ARQ to AH-CCMP are 52.061%, 50.13%, and 48.35% respectively. In the AH-FCCMP
scheme, the mean service time ratio of AH-ARQ decreases from 2.928 to 1.165, 3.0812 to
1.3153, and 3.233 to 1.467 respectively in the high-SNR case.
Fig. 26 Performance comparison under different RS-codec with AH-FCCMP scheme
Fig. 26 and Fig. 27 compare the different RS codecs in the AH-ARQ and AH-FCCMP schemes. The maximum throughputs of AH-ARQ are 125.36,
135.148, and 144.958 Mbps, and those of AH-FCCMP are 117.69, 118.78, and 119.64
Mbps, in the three schemes. In the AH-FCCMP scheme, the mean service time ratios of RS(255,239)
are 0.886 and 1.115 in the high-SNR condition and 0.47 and 1.498 in the low-SNR condition for
RS(255,223) and RS(255,247) respectively. In addition, the values in the
AH-ARQ scheme are 1.0001 and 0.9994 in the high-SNR condition and 0.4889 and 1.5596 in the
low-SNR condition for RS(255,223) and RS(255,247) respectively.
The result shows that a larger latency spent on error correction leads to higher error
tolerance on a noisy channel but lower efficiency when channel quality is good. There is,
however, a special case shown in Fig. 26: when the SNR is high, the throughputs are all
close to 118 Mbps. This is caused by the limited computational speed of the Motorola
PowerPC G4 7410. Each received AES-encrypted block needs two AES calculations, one
for data confidentiality and one for authentication, to recover the original
information. The chip's computational speeds for AES and CCMP calculation are
approximately 265 Mbps and 120 Mbps respectively. When the throughput of the AH scheme is over
120 Mbps, the system output rate is saturated by the cipher chip's speed. Upgrading the
cipher chip is one solution, but the cost of each device will rise. This is a
trade-off between throughput and cost.
4.4 Performance comparison under different MCSs
In this section, we evaluate the performance under different MCS
configurations. With the number of spatial streams set to 2, the MCSs for simulation are
respectively. The remaining configurations, J and RS-codec, are set to 10 and RS(255,239)
respectively.
Fig. 28 Performance comparison among three architectures under MCS(QPSK,1/2,60Mbps)
Fig. 29 Performance comparison among three architectures under MCS(16QAM,3/4,180Mbps)
Fig. 30 Performance comparison among three architectures under MCS(64QAM,5/6,300Mbps)
Fig. 28, Fig. 29, and Fig. 30 show the performance comparison for both throughput and mean service
time under the different MCSs. From these three figures, we notice that
the throughput under MCS(QPSK,1/2,60Mbps), MCS(16QAM,3/4,180Mbps),
and MCS(64QAM,5/6,300Mbps) declines when the SNR is lower than 5.5, 8, and 12, and eventually
reaches the retransmission threshold when the SNR is 2.5, 6, and 6.5, due to high Be. The maximum
throughput ratios of AH-ARQ to AH-FCCMP are 99.98%, 87.89%, and 57.73% respectively,
and the ratios of AH-ARQ to AH-CCMP are 73.26%, 50.13%, and 39.74% respectively. In the
AH-FCCMP scheme, the mean service time ratio of AH-ARQ decreases from 1.749 to
1.0025, 3.0812 to 1.3153, and 4.225 to 2.5834 respectively in the high-SNR case.
We notice that the mean service time increases as the SNR rises beyond
10.5, which differs from the figures shown before. The reason for this rebound is
the limit on the cipher chip's computational speed, detailed in Chapter 4.3.
The sender's strategy in the simulation program is to transmit a new packet as soon as the
previous packet has been received correctly within AH-ARQ, without taking into account whether it
has been fully decrypted by CCMP. Therefore, a higher input rate leads to an earlier start time, but
the ending time of each packet is bounded by AES. On the other hand, the difference
Fig. 31 Performance comparison under different MCS with AH-FCCMP scheme
Fig. 32 Performance comparison under different MCS with AH-ARQ scheme
Fig. 31 and Fig. 32 compare the different MCS
configurations in the AH-ARQ and AH-FCCMP schemes. The ratios of data rate to maximum
throughput are 82.73%, 75.08% and 68.73% in the three settings respectively in the AH-ARQ scheme,
and 82.72%, 65.99% and 39.67% in the AH-FCCMP scheme. In the AH-FCCMP scheme, the mean
service time ratios of MCS(16QAM,3/4,180Mbps) are 2.12 and 1.266 in the high-SNR condition
and 1.326 and 0.3413 in the low-SNR condition for MCS(QPSK,1/2,60Mbps) and
MCS(64QAM,5/6,300Mbps) respectively. In addition, the values in the AH-ARQ scheme are 2.78 and 0.645 in the high-SNR condition and 1.38 and 0.355 in the low-SNR condition.
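The cipher-speed limit described in Sections 4.3 and 4.4 can be illustrated with a two-stage pipeline model. The Python code below is an added example, not the thesis simulator: it assumes fixed-size packets (J = 10 MPDUs of 3556 bytes), no contention or retransmission, and a cipher that works on a packet while it is still being received; the function names are hypothetical.

```python
"""Two-stage receive pipeline: radio link feeding a rate-limited cipher engine.

Simplified model (an assumption of this example, not the thesis simulator):
fixed-size packets, no contention/back-off or retransmissions, and a cipher
that works on a packet while it is still arriving.
"""

CIPHER_MBPS = 120.0           # CCMP speed of the cipher chip quoted in Section 4.3
PACKET_BITS = 10 * 3556 * 8   # J = 10 MPDUs of 3556 payload bytes each


def simulate(link_mbps, cipher_mbps=CIPHER_MBPS, packets=200):
    """Return (throughput in Mbps, mean service time in microseconds)."""
    t_rx = PACKET_BITS / link_mbps        # reception time per packet (us)
    t_cipher = PACKET_BITS / cipher_mbps  # cipher work per packet (us)
    cipher_free = 0.0                     # time at which the cipher is idle again
    service_times = []
    for i in range(packets):
        rx_start = i * t_rx               # sender never waits for decryption
        rx_end = rx_start + t_rx
        # The cipher starts once it is idle and data is arriving; it cannot
        # finish before the last byte of the packet has been received.
        start = max(rx_start, cipher_free)
        cipher_free = max(rx_end, start + t_cipher)
        service_times.append(cipher_free - rx_start)
    throughput = packets * PACKET_BITS / cipher_free
    return throughput, sum(service_times) / packets


def sweep(link_rates=(60.0, 100.0, 125.36, 144.958)):
    """Link-side rates; the last two are AH-ARQ maxima reported in Section 4.3."""
    return {rate: simulate(rate) for rate in link_rates}


if __name__ == "__main__":
    for rate, (thr, svc) in sweep().items():
        bound = "cipher-bound" if rate > CIPHER_MBPS else "link-bound"
        print(f"link {rate:8.3f} Mbps -> {thr:7.2f} Mbps, "
              f"mean service {svc:9.1f} us ({bound})")
```

Below 120 Mbps the output follows the link rate and the mean service time falls as the link gets faster; above it the throughput stays at the cipher rate while the backlog, and with it the mean service time, grows with the link rate.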
Chapter 5. Conclusion
In this thesis, we propose an efficient structure for 802.11n with the WPA2 protocol, the
Aggregated Hybrid Automatic Repeat Request Mechanism with Fragmentation Counter
Mode with CBC-MAC Protocol (AH-FCCMP), and we consider different parameters in the
802.11n configuration in order to analyze the performance of the AH-FCCMP scheme in
practice. The AH-FCCMP scheme is composed of two algorithms: the AH-ARQ protocol and the
FCCMP protocol.
AH-ARQ is designed around frame aggregation and block
acknowledgement, both proposed in 802.11n, and boosts the throughput under low-SNR
channel quality by using a Reed-Solomon block code as the forward error correction (FEC)
code. Based on this feature of AH-ARQ, we modify CCMP into FCCMP so that not only the
AES decryption but also the CBC-MAC calculation can be computed in parallel. The
modification of CCMP may introduce flaws such as replay attacks, but we demonstrate the
solution for preventing replay attacks in Chapter 3.2.2 and 3.2.3. As long as AES is not
From the simulation results in Chapter 4, we can conclude that the throughput of
AH-FCCMP is close to that of the scheme without the security requirement. AH-FCCMP decreases the cost
of the security operation and provides the same security level. Moreover, we find that
the total throughput is bounded by either the data rate or the cipher chip's operation capability. So that
References
[1] Cisco PSE, Inside 802.11n Technical details about the new WLAN standard, Mar. 2009.
[2] J.-C. C. et al., "WIRELESS LAN SECURITY AND IEEE 802.11i," IEEE Wireless Communications, pp. 24-36, Feb. 2005.
[3] LAN/MAN Standards Committee, "Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications," IEEE Computer Society, 2012.
[4] C.-X. W. et al., "A Novel Generative Model for Burst Error Characterization in Rayleigh Fading Channels," IEEE PIMRC Proceedings, vol. 1, pp. 960-964, Sept. 2003.
[5] H.-Y. Hsu, Reconfigurable Multi-mode Reed-Solomon Codec for High-Speed Communication Systems, National Central University, 2001.
[6] J.-S. L. et al., "Novel Design and Analysis of Aggregated ARQ Protocols for IEEE 802.11n Networks," IEEE Trans. Mobile Computing, vol. 12, no. 3, pp. 556-570, Mar. 2013.
[7] Y. Wu, "Novel Burst Error Correction Algorithms for Reed-Solomon Codes," Information Theory, IEEE Trans. on, vol. 58, no. 2, pp. 519-529, Feb. 2012.
[8] D. Skordoulis et al., "IEEE 802.11n MAC frame aggregation mechanisms for next-generation high-throughput WLANs," Wireless Communications, IEEE, vol. 15, no. 1, pp. 40-47, Feb. 2008.
[9] Advanced Encryption Standard (AES), NIST, 2001.
[10] V. Technologies, Counter CBC-MAC Protocol (CCMP) Encryption Algorithm, 2003.
[11] L. C. T. Shi, "Combining techniques and segment selective repeat on turbo coded hybrid ARQ," WCNC. 2004 IEEE, vol. 4, pp. 21-25, Mar. 2004.
[12] S. C. Tinnirello I., "Efficiency analysis of burst transmissions with block ACK in contention-based 802.11e WLANs," ICC 2005, vol. 5, pp. 16-20, May 2005.
[13] D. J. Bernstein, "AES speed," Sept. 2008. [Online]. Available: http://cr.yp.to/aes-speed.html.
[14] V. R. Joan Daemen, "AES Proposal: Rijndael," http://www.esat.kuleuven.ac.be/~rijmen/rijndael, 2001.
[15] Y.-T. H. et al., "Performance analysis for aggregated selective repeat ARQ scheme in IEEE 802.11n networks," IEEE PIMRC, pp. 37,41, 13-16, Sept. 2009.