
Wireless Security

WLAN 802.11

Esp. Ing. Fernando Boiero


Wireless Security
Maestría en Ciber-Seguridad
fboiero@gmail.com
802.11 WLAN

•  It is defined by the standards specified by the IEEE 802.11 Working Group
•  Specifies Physical and MAC layers
•  The primary purpose is to provide wireless
connectivity within a local area
•  Devices compliant with 802.11 are interoperable

13/10/16 Wireless Security 2


802.11 Physical Layer

•  802.11 defines various Physical layer options
–  RF using the Industrial, Scientific and Medical (ISM) unlicensed 2.4 GHz band (2.4 GHz-2.4835 GHz)
•  Frequency hopping spread spectrum (FHSS)
•  Direct sequence spread spectrum (DSSS): each bit becomes a string of chips
–  IR (infrared)



802.11 Physical Layer - RF



802.11 standards

•  802.11b:
–  High Rate Direct Sequence Spread Spectrum (HR/DSSS)
–  Data rates 5.5-11 Mbps
–  ISM unlicensed 2.4 GHz band
–  To counter interference it uses dynamic rate switching (can lower from 11 down to 1 Mbps). This is also used when the distance to the access point is longer, to improve signal quality.
–  Complementary Code Keying (CCK) used as the modulation scheme for higher rates



802.11 standards

•  802.11a:
–  The RF bands used are known as Unlicensed National Information Infrastructure (U-NII) bands
•  Operates in the 5 GHz band
•  Allocated by the Federal Communications Commission (FCC)
–  Orthogonal Frequency Division Multiplexing (OFDM)
–  Data rates: 6, 9, 12, 18, 24, 36, 48, and 54 Mbps
–  Different modulation techniques: Binary Phase Shift Keying (BPSK), Quadrature Phase Shift Keying (QPSK), and Quadrature Amplitude Modulation (QAM).
–  In Europe, the 5 GHz band is sometimes used by military organizations for radar and satellite operations



802.11 standards

•  802.11g:
–  ISM unlicensed 2.4 GHz
–  Same MAC as 802.11b
–  Orthogonal Frequency Division Multiplexing (OFDM)
–  Rates of 54 Mbps-108 Mbps
–  Compatibility with 802.11b



802.11 standards

•  802.11n-2009:
–  Data rates up to 600 Mbps
–  Multiple-input multiple-output (MIMO) antenna
–  Frame aggregation
–  5 GHz and 2.4 GHz

•  802.11ac:
–  High throughput on 5 GHz
–  Multi-station WLAN throughput up to 1 Gbps
–  Single link up to 500 Mbps

•  802.11ad:
–  High throughput on 2.4, 5, and 60 GHz
–  Up to 7 Gbps



802.11 standard amendments

•  802.11c: bridge procedures covering operation of the 802.11 MAC with the IEEE 802.1d MAC bridges standard
•  802.11d: requirements and definitions to allow 802.11 WLAN equipment to operate in markets not served by the current standard
•  802.11e: support for quality of service (QoS)
•  802.11f: inter-Access Point protocols to provide support for roaming between access points (AP) from different vendors
•  802.11h: spectrum and transmit power management extensions for 802.11a in Europe
•  802.11i: enhances security and authentication mechanisms by using the Advanced Encryption Standard (AES) with strong authentication and key exchange mechanisms
•  802.11j: enhancements to add channel selection for 4.9 and 5 GHz to 802.11a, for Japan.
•  802.11k: defines radio resource measurement enhancements.
•  802.11m: defines maintenance of technical and editorial corrections to the 802.11 WLAN MAC and Physical layer specifications.



802.11 Components

•  Access Point:
–  Wireless hub
–  Allows a number of wireless clients to be connected to the wired network
–  Acts as a bridge between different network media (802.3 and 802.11)
–  At least 2 interfaces (wired and wireless)
–  Provides a coverage area within which a device maintains the connection
–  A WLAN will typically contain a number of AP’s for larger coverage areas
•  Wireless client adapter:
–  To connect a device to the WLAN
–  Different power levels
–  Requires a device driver on the device
•  Antenna
–  To transmit and receive radio signals



802.11 Topologies

•  Basic Service Set (BSS): the coverage area within which two or more devices can communicate with each other
–  The fundamental building block of any 802.11 WLAN
•  Supported modes of operation
–  Ad-Hoc: two or more wireless devices communicate directly with each other. No AP is needed. Also called an Independent Basic Service Set (IBSS)
–  Infrastructure (managed): the BSS is defined by the coverage area of an AP that also provides connectivity (bridge) to the wired network
•  The wired network is known as the distribution system
•  An AP has its own Service Set Identifier (SSID)



802.11 Topologies

•  Extended Service Set: when a number of AP’s are connected together by a distribution system, a wider WLAN can be created.
–  This network type is an Extended Service Set (ESS)
–  All AP’s have the same SSID
–  Each individual BSS may overlap, allowing mobile devices to move from one BSS to another without losing network connectivity
–  Co-location: for redundancy
–  3 mobility types:
•  No-transition
•  BSS Transition
•  ESS Transition



802.11 Topologies



802.11 Client connection to AP

•  The first thing a client does in a WLAN is to send a probe packet on all allowed frequencies; it then receives probe responses from all AP’s in range.
•  The client then decides which AP to associate with (based on signal strength, AP capabilities, configuration, etc.)
•  All AP’s transmit beacon packets on a regular basis
•  When a mobile device moves from one BSS to another, it sends an association packet to the new AP, and the new AP sends a re-association message to the old AP through the distribution system
•  The old AP removes the association and sends any buffered packets to the new AP for it to relay to the device
–  Inter-Access Point Protocol (IAPP)



Authentication methods

•  Two authentication methods
–  Open Authentication
•  Simpler
•  Without utilizing a key
•  It may be difficult to limit the number of wireless clients accessing the WLAN
–  Shared Key authentication
•  Wireless client and AP must use identical WEP keys
•  Figure: (1) the AP sends a challenge text; (2) the client returns the encrypted challenge text; (3) the AP decrypts it and compares the result to the challenge text


802.11 Station and DS Services

•  Station Services: implemented by AP’s and clients
–  Authentication
•  Open System Authentication: no security
•  Shared Key Authentication: shared secret key in both devices
–  De-authentication
–  Privacy
–  MSDU delivery
•  Distributed System Services: supported by AP’s
–  Association: after authentication and before sending data. This allows the DS to know which AP is sending data to the wireless device
–  Disassociation
–  Distribution
–  Integration: sending packets from a WLAN device to a LAN device
–  Re-association: move from one AP to another



Authentication

•  To verify the credentials of a wireless client adapter trying to associate to the AP
–  Open System
–  Shared Key
•  The subtype invoked is indicated in the body of the authentication management frames



Association

•  The process of mapping a station to the distribution system through an AP.
•  The AP provides Distributed Services to the wireless client adapter
•  The wireless client adapter is associated to only one AP



Open System Authentication

•  A wireless client can associate with an AP with or without a WEP key
•  If WEP encryption is not used, messages convey plaintext



Open System Authentication

•  The wireless client establishes an initial connection with the AP
•  Figure: the client sends a probe request, which all AP’s receive; all AP’s respond with a probe response; the client selects the AP with the correct SSID and strongest signal


Open System Authentication

•  Authentication and association
•  After association WEP keys can be used to encrypt data frames
•  Figure (only to the selected AP): authentication request, authentication response, association request, association response (approved/rejected), then data frames



Shared Key Authentication

•  An AP uses a pre-shared key to authenticate a wireless client
•  Both must have the same key
•  WEP key distribution is not defined by the IEEE 802.11 standard



Shared Key Authentication

Figure: probe request; probe response; authentication request (shared key); the AP generates a random challenge text and sends the Challenge Text; the client encrypts the challenge text with the WEP key and sends the Encrypted Challenge Text; the AP decrypts the message with the WEP key and checks whether the decrypted challenge text and the plain challenge text match; authentication response; if authentication is successful then association occurs; data frames



Shared Key Authentication Limitations

•  An unauthorized user can determine the WEP key by comparing the unencrypted and encrypted challenge text
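The limitation above, reconstructed as an added example (not code from the slides): a toy WEP shared-key exchange showing that whoever observes the plaintext challenge and its encrypted copy obtains the RC4 keystream for that IV without ever learning the key. The key, IV and challenge are constructed values, and the WEP ICV is omitted.

```python
# Added example, not from the slides: a toy reconstruction of the WEP
# shared-key exchange showing what a passive listener learns from it.
# Constructed key and IV; the WEP ICV (CRC-32) is omitted for brevity.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling plus `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Per-frame WEP encryption: RC4 seeded with IV || key, XORed over the body.
    XOR is symmetric, so the same call decrypts."""
    ks = rc4_keystream(iv + key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))

def observed_keystream(challenge: bytes, response: bytes) -> bytes:
    """Frame 2 carries the challenge in clear, frame 3 the encrypted copy plus
    the IV: XORing the two yields the keystream for that IV, no key needed."""
    return bytes(p ^ c for p, c in zip(challenge, response))

KEY = bytes.fromhex("0102030405")    # constructed 40-bit WEP key (the secret)
IV = bytes.fromhex("aabbcc")         # sent in clear in the response frame
CHALLENGE = bytes(range(128))        # constructed 128-octet challenge text

def shared_key_exchange(key: bytes, iv: bytes, challenge: bytes):
    """Return (AP accepts?, keystream a listener recovers, true keystream)."""
    response = wep_encrypt(key, iv, challenge)               # client -> AP
    accepted = wep_encrypt(key, iv, response) == challenge   # AP decrypts, compares
    leaked = observed_keystream(challenge, response)
    return accepted, leaked, rc4_keystream(iv + key, len(challenge))

if __name__ == "__main__":
    ok, leaked, real = shared_key_exchange(KEY, IV, CHALLENGE)
    print("authenticated:", ok, "| keystream exposed:", leaked == real)
```

The amendment list earlier in the deck already names the replacement, 802.11i, which does not expose a key-dependent value this way.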



WLAN configuration in AP


MAC

•  Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA)
–  Known as Distributed Coordination Function (DCF)
•  Virtual Carrier Sensing mechanism
–  Before a station transmits data, it sends a short control frame, the Request to Send (RTS) frame, and will receive a Clear to Send (CTS) frame.
•  Both frames contain a duration value representing the time required to transmit the pending data
–  Wireless devices listen to these control frames, learn about the impending use of the medium and estimate for how long it will be in use. They defer their transmission attempts accordingly.
•  Physical Carrier Sensing mechanism
–  Detects whether any RF energy is present at the transmission frequency to be used. If so, the transmission attempt is deferred.
•  If the device learns the medium is busy it uses a random backoff period. This reduces the probability of collisions.
•  To determine if a collision occurred, wireless devices use a positive acknowledgment (ACK) mechanism
•  If the ACK is not received, the frame is re-transmitted
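The virtual carrier sense described above, as an added example that is not from the slides: each station keeps a Network Allocation Vector (NAV) updated from the Duration field of any RTS or CTS it can hear, so a station that hears only the CTS still defers. Radio ranges, station names and timings are constructed.

```python
# Added example, not from the slides: virtual carrier sensing with the NAV.
# Radio ranges and timings are constructed; time units are microseconds.
from dataclasses import dataclass

SIFS, RTS_T, CTS_T, ACK_T = 10, 44, 44, 44   # constructed airtime constants

@dataclass
class Frame:
    kind: str
    src: str
    dst: str
    duration: int   # Duration field: time the medium stays reserved after this frame

@dataclass
class Station:
    name: str
    hears: frozenset     # constructed radio range: stations this one can receive
    nav_until: int = 0   # Network Allocation Vector as an absolute time

    def receive(self, frame: Frame, now: int, airtime: int) -> bool:
        """Every station in range reads the Duration field, even from a CTS alone,
        and defers until the reservation ends; frames addressed to us do not."""
        if frame.src not in self.hears:
            return False                       # out of range: hears nothing
        if frame.dst != self.name:
            self.nav_until = max(self.nav_until, now + airtime + frame.duration)
        return True

    def may_transmit(self, now: int, rf_busy: bool) -> bool:
        """Physical carrier sense (rf_busy) and virtual carrier sense (NAV)."""
        return not rf_busy and now >= self.nav_until

def rts_cts_reservation(stations, now: int = 0, data_t: int = 500) -> int:
    """B reserves the medium to send data_t us of data to A; returns end of CTS."""
    rts = Frame("RTS", "B", "A", SIFS + CTS_T + SIFS + data_t + SIFS + ACK_T)
    for s in stations:
        s.receive(rts, now, RTS_T)
    now += RTS_T + SIFS
    cts = Frame("CTS", "A", "B", rts.duration - SIFS - CTS_T)  # A shortens the reservation
    for s in stations:
        s.receive(cts, now, CTS_T)
    return now + CTS_T

def deaf_node_scenario() -> dict:
    """E hears A but not B (a 'deaf node' for B's RTS); D hears neither."""
    nodes = {n: Station(n, frozenset(h)) for n, h in
             [("A", "BE"), ("B", "A"), ("E", "A"), ("D", "")]}
    t = rts_cts_reservation(nodes.values())
    return {n: s.may_transmit(t, rf_busy=False) for n, s in nodes.items()}
```

Right after the CTS, E is held back by its NAV until the data and ACK have finished, while D, out of range of both frames, remains free to transmit.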



MAC

Figure 2: Data Packet Collision (nodes B, A, E, C, D; labels in the figure: RTS_B, RTS_C, CTS_A, CTS_D, DATA_B, DATA_C, ACK_D, RTS_E, Defer, Deaf, Collision)

If node B is transmitting data to node A, and node C is transmitting data to node D, then node E is known as the “deaf node”. If node E misinterprets the CTS and sends something to A, node A will not understand the signal because the packets from B and E have collided at A.



Optional MAC Method

•  Point Coordination Function (PCF): the AP acts as a point coordinator by polling wireless devices to determine if they have data to send
•  Both PCF and DCF MAC methods can be used in the same wireless network
–  They alternate between a contention-free period and a contention period
•  PCF adoption was limited



802.11 in the TCP/IP stack

Figure: protocol stacks of a wireless station (Application, Transport, Network, IEEE 802.2 LLC, IEEE 802.11 MAC, IEEE 802.11 Phy), the Access Point (802.2 LLC, 802.1 bridging between the 802.11 MAC and the wired-side MAC, two Physical layers) and a wired host (Application, Transport, Network, LLC 802.2, MAC, Physical)



MAC Frames

Generic 802.11 MAC Frame (figure)

Frame Control: 2 Octets

Type:
00: Management
Subtype:
• 0000: Association Request
• 0001: Association Response
• 0100: Probe Request
• 0101: Probe Response
• 1011: Authentication
01: Control
10: Data
11: Reserved
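A decoder for the Frame Control field above and for the authentication frame body whose subtype the Authentication slide says is carried in the body, added here as an example (not code from the slides). The management subtypes beyond those listed on the slide come from the 802.11 standard; the sample frames are constructed, not captured.

```python
# Added example, not from the slides: decode Frame Control and the authentication
# body, then audit a constructed (not captured) set of frames for the auth subtype.
import struct

FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data", 3: "Reserved"}
MGMT_SUBTYPES = {0: "Association Request", 1: "Association Response",
                 2: "Reassociation Request", 3: "Reassociation Response",
                 4: "Probe Request", 5: "Probe Response", 8: "Beacon",
                 10: "Disassociation", 11: "Authentication", 12: "Deauthentication"}
AUTH_ALGORITHMS = {0: "Open System", 1: "Shared Key"}
MGMT_HDR = 24   # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)

def parse_frame_control(fc: bytes) -> dict:
    """Frame Control is little-endian: b0 = version|type|subtype, b1 = flags."""
    b0, b1 = fc[0], fc[1]
    ftype, subtype = (b0 >> 2) & 0x03, (b0 >> 4) & 0x0F
    name = MGMT_SUBTYPES.get(subtype, f"subtype {subtype:04b}") if ftype == 0 else None
    return {"version": b0 & 0x03, "type": FRAME_TYPES[ftype], "subtype": subtype,
            "subtype_name": name, "to_ds": bool(b1 & 0x01),
            "from_ds": bool(b1 & 0x02), "protected": bool(b1 & 0x40)}

def parse_auth_body(body: bytes) -> dict:
    """Auth body: algorithm, transaction sequence, status (LE u16 each), then an optional Challenge Text element (ID 16)."""
    alg, seq, status = struct.unpack_from("<HHH", body, 0)
    return {"algorithm": AUTH_ALGORITHMS.get(alg, f"unknown ({alg})"), "sequence": seq,
            "status": status, "challenge": len(body) > 6 and body[6] == 16}

def build_mgmt(subtype: int, src: bytes, body: bytes = b"") -> bytes:  # constructed frame
    return bytes([subtype << 4, 0]) + b"\x00\x00" + b"\xff" * 6 + src + b"\x00" * 8 + body

def audit(frames) -> dict:
    """What a WLAN monitor would tally: Shared Key vs Open auth, and deauth frames."""
    report = {"shared_key_auth": 0, "open_auth": 0, "deauth": 0}
    for frame in frames:
        fc = parse_frame_control(frame[:2])
        if fc["type"] != "Management":
            continue
        if fc["subtype"] == 12:
            report["deauth"] += 1
        elif fc["subtype"] == 11:
            auth = parse_auth_body(frame[MGMT_HDR:])
            report["shared_key_auth" if auth["algorithm"] == "Shared Key" else "open_auth"] += 1
    return report

SRC = bytes.fromhex("020304050607")   # constructed locally administered MAC address
SAMPLE = [build_mgmt(11, SRC, struct.pack("<HHH", 0, 1, 0)),                                  # open, seq 1
          build_mgmt(11, SRC, struct.pack("<HHH", 1, 2, 0) + bytes([16, 128]) + bytes(128)),  # shared key, seq 2
          build_mgmt(12, SRC, struct.pack("<H", 3))]                                          # deauth, reason 3
```

Running audit(SAMPLE) on a live monitor-mode capture would be the natural next step; any non-zero shared_key_auth count points at a BSS still relying on the WEP exchange described on the earlier slides.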
