IEEE 802.11i

The IEEE and its standards are introduced in Chapter 3, "WLAN Standards." The IEEE 802.11 committee is responsible for wireless LANs and includes several subcommittees, known as Task Groups. Task Groups are charged with developing standards, which often are then rolled into the main standard, after they are adopted.

Task Group i (TGi) was formed in March 2001 as a split from the MAC Enhancements Task Group (TGe). Its charge was to "enhance the 802.11 Media Access Control (MAC) to enhance security and authentication mechanisms." TGi finished work on the 802.11i standard, and it has been approved.

The 802.11i standard enhances 802.11 with several new security mechanisms to ensure message confidentiality and integrity. Some of these mechanisms are additions, and some are complete replacements of 802.11 procedures. 802.11i also incorporates the 802.1x port authentication algorithm, another IEEE standard, to provide a framework for strong mutual authentication and key management. The additional features include the following:

  • Two new network types, called Transition Security Network (TSN) and Robust Security Network (RSN)

  • New data encryption and data integrity methods: Temporal Key Integrity Protocol (TKIP) and Counter mode/CBC-MAC Protocol (CCMP)

  • New authentication mechanisms using the Extensible Authentication Protocol (EAP)

  • Key management via security handshake protocols conducted over 802.1x

TKIP is a cipher suite and includes a key mixing algorithm and a packet counter to protect cryptographic keys. It also includes Michael, a Message Integrity Check (MIC) algorithm that, along with the packet counter, prevents packet replay and modification. TKIP and Michael are used together and are designed to work with legacy equipment, thus providing a way to secure existing networks.

CCMP is an algorithm based on AES that accomplishes encryption and data integrity. CCMP provides stronger encryption and message integrity than TKIP and is preferred, but it is not compatible with the older WEP-oriented hardware. Ultimately, vendors will be required to implement CCMP to stay in compliance with the specification.

An RSN is one that allows only machines using TKIP/Michael and CCMP. A TSN is one that supports both RSN and pre-RSN (WEP) machines to operate. TSN networks have a weakness in that broadcast packets have to be transmitted with the weakest common denominator security method. Thus, if there is a device using WEP in a network, it weakens the security of broadcast traffic for all the devices. RSN is definitely preferred, and getting all networks to use CCMP exclusively would be ideal.

802.11i specifies the use of 802.1x port management, which relies on EAP for authentication. Master keys can be established after successful EAP authentication. After master keys are established, key management is performed by one or more handshakes, which are described in the "Key Management" section later in this chapter. Chapter 3 covers 802.1x in more detail, and Chapter 7, "EAP Authentication Protocols for WLANs," covers EAP.

The next section describes WEP and the new 802.11i protocols in more detail.