Wireless Security
Cryptography and Network Security
TECH 6350 Session 11
Graduate School of Management, University of Dallas

Wireless Security – Session 12 – Contents
• Types of Wireless Networks
  — Wireless Metropolitan Area Networks (WMAN) – WiMAX
  — Wireless Local Area Networks (WLAN) – Wi-Fi
  — Wireless Personal Area Network (WPAN)
  — Low-Rate Wireless Personal Area Network (LR-WPAN) – Zigbee
M. Mogollon – 01/08 - 1

Wireless Security – The Wireless Landscape
[Figure: the wireless network types plotted by level of mobility (desktop, walk, vehicle), coverage (site or campus, outside campus, public or private) and data rate (0.1 to 1000 Mbps). Panels:]
• Low-Rate Wireless Personal Area Network (LR-WPAN) – Zigbee: general-purpose, inexpensive, self-organizing mesh network; low data rates and low power consumption (a year or two with a single alkaline battery).
• Wireless Personal Area Network (WPAN) – Bluetooth: small form factor, low-cost, short-range, low-power radio; developed to link portable devices without cables; non-licensed spectrum.
• Wireless Local Area Network (WLAN) – Wi-Fi (802.11n, MIMO).
• Wireless Metropolitan Area Network (WMAN) – WIMAX (4G).
• Wireless Wide Area Network – CDMA2000 1XRT (fixed) and CDMA2000 3XRT (walk): metro/geographical area; “always on” services; ubiquitous public connectivity with private virtual networks.
• When talking about wireless data communications, there are three primary categories of networks:
Wireless Metropolitan-Area Network (WMAN), Wireless Local Area Network (WLAN), and
Wireless Personal Area Network (WPAN). The terms WIMAX and Wi-Fi are used instead of
WMAN and WLAN respectively.
• The Worldwide Interoperability for Microwave Access (WIMAX™) brand was created by the
WiMAX Forum™, which is working to facilitate the deployment of broadband wireless networks
based on the IEEE 802.16 standard. It achieves this by helping to ensure the compatibility and
inter-operability of broadband wireless access equipment. The organization is a global, nonprofit
association formed in June of 2001 by equipment and component suppliers to promote IEEE
802.16 compliant equipment. WiMAX technology enables the delivery of last mile wireless
broadband access as an alternative to cable and DSL.
• WIMAX is similar to Wi-Fi in the sense that both create hot-spots around a base station, but
WIMAX has a wider range, up to 25 to 30 miles.
• A WLAN or Wi-Fi can be used to connect computers to each other, to the Internet, and to wired
networks. The Wi-Fi ™ (Wireless Fidelity) brand was created by the Wi-Fi Alliance. The
organization is a global, nonprofit association formed in 1999 to certify the interoperability of
IEEE 802.11 products, as well as to promote 802.11 standards as the global, wireless LAN
standards across all market segments. The Wi-Fi Alliance has instituted a test suite to certify Wi-Fi
products’ interoperability. Wi-Fi networks use radio technologies based on the IEEE 802.11a,
802.11b, and 802.11g standards.
• A Wireless Personal Area Network (WPAN) uses a low cost, short-range wireless specification
called Bluetooth to connect mobile devices. The Bluetooth Special Interest Group (SIG), created in
September 1998, is a trade association comprised of leaders in the telecommunications,
computing, automotive, industrial automation, and network industries. The objective of SIG is to
drive the development of Bluetooth wireless technology. The Bluetooth SIG name was inspired by
Danish King Harald Bluetooth, known for unifying Denmark and Norway in the 10th century.

Wireless Security – Wireless Networks
Network | Standard | Range | Data Rate
WMAN (Wireless Metropolitan Area Network) – WIMAX | IEEE 802.16 | Approximately 30 miles radius | 78 Mbps
WLAN (Wireless Local Area Network) – Wi-Fi | IEEE 802.11 | Approximately 300 feet radius | 54 Mbps
WPAN (Wireless Personal Area Network) – Bluetooth | IEEE 802.15 | Approximately 30 feet radius | 1, 2, or 3 Mbps
LR-WPAN (Low-Rate Wireless Personal Area Network) – Zigbee | IEEE 802.15.4 | Approximately 150 feet radius | 250 Kbps
Wireless Security – WIMAX
• WIMAX is very similar to Wi-Fi but it operates at higher speeds, over greater distances, and for a greater number of users.
• From the point of view of the infrastructure, a WiMAX network is similar to a cellular network:
  — A base station covers a very large area and can simultaneously operate as a subscriber station and as a base station in a full mesh network using a line-of-sight link.
  — A subscriber station, which could be a small WIMAX receiver box or a mobile station.
• WIMAX operates in two primary bands, the 10–66 GHz band used where line-of-sight is necessary, and the licensed and unlicensed frequencies of 2–11 GHz for those physical environments where line-of-sight is not necessary.
• WIMAX also supports subscriber stations moving at vehicular speeds.
  — The spectrum at 2.5 GHz and below (2.5 GHz, 1.5 GHz, 700 MHz, etc.) is used because it has better characteristics for full mobility deployment.
• WIMAX throughput is around 38 Mbit/sec when using orthogonal frequency division multiplexing (OFDM), and 78 Mbit/sec when OFDM is combined with multiple-input multiple-output (MIMO) antenna processing technology.
• WiMAX expands the availability of broadband service to residences, businesses and other locations with a high cost of wire deployment.
  — Low-density rural locations in developed countries.
  — Emerging markets where user connectivity is sporadic.
• WIMAX is a fixed and mobile broadband wireless access system that can operate as a wireless
metropolitan area network and deliver Internet access at distances across tens of miles and at a cost similar
to IEEE 802.11 (Wi-Fi). The 802.16 standard on which WIMAX is based was designed from the ground
up to be truly broadband and packet-based. WIMAX provides a wireless alternative to cable and DSL for
last mile (last km) broadband access.
• A WIMAX network is very similar to a Wi-Fi network, but it operates at higher speeds, over greater
distances, and for a greater number of users. From the point of view of the infrastructure, a WIMAX
network is similar to a cellular network: it consists of a single WIMAX tower that covers a very large area
called a base station (BS) and a subscriber station (SS), which could be a small WIMAX receiver box, or
mobile station. The receiver box can be installed inside or outside of a building or house.
• The WIMAX tower node can simultaneously operate as a subscriber station and as a base station in a full
mesh network using a line-of-sight link. Using this technology, there are currently several cities
worldwide that are implementing WIMAX mesh networks using various base stations as backhauls to
cover the whole city. These networks connect one or several of the base stations to an Internet backbone
via a microwave link or by fiber optic cable.
• The original WIMAX standard (2001) 802.16, “Fixed Wireless Broadband and Air Interface,” used the
spectrum in the 10 - 66 GHz. The 802.16-2004 standard, “Air Interface for Fixed Broadband Wireless
Access Systems,” consolidated 802.16, 802.16a, and 802.16c. The 802.16-2004 specifies two primary
bands, the 10-66 GHz band to use where line-of-sight is necessary, and the licensed and un-licensed
frequencies of 2 – 11 GHz for those physical environments where line-of-sight is not necessary.
• In the line-of-sight service, a fixed dish antenna located on the roof or on a pole, points straight at the
WiMAX tower. The higher frequencies in 10-66 GHz allow transmission with fewer errors, less
interference, and more bandwidth. The target customers for these services are large carriers, as well as
cities and enterprises. In the non-line-of-sight, 2–11 GHz spectrum, the subscriber station can be located
inside a house or building and, because of the lower frequencies used, the transmission is not blocked
by physical obstacles.

Wireless Security – WIMAX Network
[Figure: WIMAX network. Subscriber Station 1 and Subscriber Station 2 reach Base Station 1 and Base Station 2 over line-of-sight links in the 10–66 GHz band at 38 to 78 Mbit/sec; a base station connects to the backbone by fiber; Base Station 1 is acting as client to Base Station 2.]

Wireless Security – WIMAX Security
• WIMAX provides subscribers with privacy, authentication, and confidentiality across the broadband wireless network.
• WIMAX security has three component protocols:
  — Secure encapsulation of the data exchanged.
  — Authentication for the subscriber station (SS) to obtain authorization and traffic keying material from the base station (BS); also supports periodic reauthorization and key refresh.
  — A privacy key management protocol (PKM) to provide the secure distribution of keying data from the BS to the SS.
• WIMAX security provides subscribers with privacy, authentication, and confidentiality across
the broadband wireless network. It does this by applying cryptographic transformations to the
data carried between the BS and the SS, either fixed or mobile.
• In addition, WIMAX security provides operators with strong protection from theft of service.
The BS protects against unauthorized access to data transport services by securing the associated
service flows across the network. For key management, WIMAX employs an authenticated
client/server key management protocol in which the BS, the server, controls the distribution of
keying material to an SS. Additionally, the basic security mechanisms are strengthened by
adding digital-certificates to the key management protocol for device-authentication of the SS or
• In WIMAX and in Wi-Fi, the unit of data exchanged between two peer entities to implement the
access control management protocol is called Medium Access Control Management Protocol
Data Unit (MPDU). The MPDU term is used in this chapter when describing the data exchanged
between a base station and a subscriber station or mobile station, in the case of WIMAX, or
between a client and the access point, in the case of Wi-Fi.

Wireless Security – WIMAX Key Generation
• The Privacy Key Management authentication protocol establishes a shared secret key, called an Authorization Key (AK), between the SS and the BS.
• Either RSA or EAP methods are used to generate the AK (Slide 8).
• The Authorization Key is then used, by both the BS and the SS, to generate MAC Keys, HMAC Keys and Key Encrypting Keys (KEK) (Slide 9).
• The KEK is used to encrypt keys for transport from the BS to the SS.
• The BS randomly generates the Traffic Encryption Key (TEK), enciphers it using KEK, and sends it to the SS in the TEK exchange. KEK and TEK have 128-bit lengths. The TEK-128 is encrypted with AES Key Wrap (Slide 10).
• The Privacy Key Management (PKM) authentication protocol establishes a shared secret key
called an Authorization Key (AK) between the SS and the BS. The shared AK is then used to
secure subsequent PKM exchanges of Traffic Encryption Keys (TEKs). This two-tiered
mechanism for key distribution permits refreshing of TEKs without incurring the overhead of
• With the AK exchange, the BS authenticates the identity of a SS and the services the SS is
authorized to access. By doing this, the BS associates an SS authenticated identity to a paying
subscriber, and to the data services that the subscriber is authorized to access.
• There are two privacy key management protocols supported in IEEE 802.16e: PKMv1 and
PKMv2. PKMv2 has more enhanced features such as a new key hierarchy, AES-CMAC, AES key wrap, and multicast and broadcast services (MBS).
• In PKMv2, there are two authentication schemes, one based on RSA and one based on EAP;
therefore, there are two primary sources of keying material. The keys used to protect message
integrity and transport the traffic encryption keys are derived from source key material generated
by the authentication and authorization processes.
• The traffic-key management portion of the PKM protocol adheres to a client/server model, where
the SS (a PKM client ) requests keying material, and the BS (a PKM server ) responds to those
requests, ensuring that individual SS clients receive only the keying material for which they are
authorized.

Wireless Security – WIMAX Key Generation
[Figure: WIMAX key generation, with its two possible roots.]
MSK – 512-bit Master Session Key, transferred to the SS by the EAP method during the authentication exchange.
Pre-PAK – 256-bit pre-Primary Authorization Key, transferred from the BS to the SS using RSA during the authorization process.
EAP branch: PMK = Truncate(MSK, 160); AK = Dot16KDF(PMK, SS MAC Address | BSID | "AK", 160)
RSA branch: EIK | PAK = Dot16KDF(pre-PAK, SS MAC Address | BSID | "EIK+PAK", 320), giving the optional EIK (160 bits) and the PAK (160 bits); AK = Dot16KDF(PAK, SS MAC Address | BSID | "AK", 160)
MSK = Master Session Key; PMK = Pairwise Master Key; PAK = Primary Authorization Key; EIK = EAP Integrity Key; AK = Authorization Key

Primary Authorization Key (PAK)
• The RSA-based authorization process yields the Pre-Primary Authorization Key (pre-PAK),
which is one of the possible roots of the key hierarchy. The pre-PAK is sent by the BS to the SS
encrypted with the public key of the SS certificate. Pre-PAK is mainly used to generate the
primary authorization key (PAK). The optional EAP Integrity Key (EIK) used to authenticate the
EAP payload is also generated from pre-PAK.
Master Session Key (MSK)
• If an RSA mutual authorization took place before the EAP exchange, the EAP messages may be
protected using the EAP Integrity Key (EIK) derived from pre-PAK.
• The result of the EAP exchange between the BS and SS is the master session key (MSK), which
is the other possible root of the key hierarchy. After the exchange, MSK is known to the AAA
server, to the authenticator (transferred from AAA server), and to the SS. The SS and the
authenticator derive a pairwise master key (PMK) and optional EIK by truncating the MSK to
320 bits. MSK has a 512-bit length; PMK and EIK have a 160-bit length.
Authorization Key (AK)
• Independent of whether RSA or EAP authentication is used, the AK is derived by the BS and the
SS from the PMK (from EAP-based authorization procedure) and/or the PAK (from RSA-based
authorization procedure). The AK has a 160-bit length.

Wireless Security – WIMAX Key Hierarchy
[Figure: WIMAX key hierarchy, derived from the 160-bit Authorization Key (AK) context according to the MAC mode.]
CMAC mode: CMAC_KEY_U | CMAC_KEY_D | KEK = Dot16KDF(AK, SS MAC Address | BSID | "CMAC_KEYS+KEK", 384); CMAC_KEY_U (128 bits), CMAC_KEY_D (128 bits), KEK (64 or 128 bits)
HMAC mode: HMAC_KEY_U | HMAC_KEY_D | KEK = Dot16KDF(AK, SS MAC Address | BSID | "HMAC_KEYS+KEK", 448)
MAC = Message Authentication Code; CMAC = Cipher MAC (MAC based on a block cipher)
CMAC_KEY_U = Uplink CMAC Key; CMAC_KEY_D = Downlink CMAC Key
HMAC_KEY_U = Uplink HMAC Key; HMAC_KEY_D = Downlink HMAC Key
KEK = Key Encrypting Key

Message Authentication Keys (HMAC/CMAC)
• MAC keys are used to sign messages in order to validate the authenticity of these messages. The
message authentication keys used to generate the cipher-based MAC (CMAC) value (Dworkin,
2005) and the HMAC digest are derived from the AK. The HMAC has a 160-bit length and
CMAC has a 128-bit length.
• A CMAC is a message authentication code (MAC) algorithm that is based on a symmetric key
block cipher. CMAC is specified in Special Publication 800-38B “Recommendation for Block
Cipher Modes of Operation: The CMAC Mode for Authentication”. The downlink authentication
keys CMAC_KEY_D and HMAC_KEY_D are used to authenticate messages in the downlink
direction. The uplink authentication keys CMAC_KEY_U and HMAC_KEY_U are used to authenticate
messages in the uplink direction.
Key Encrypting Key (160 bits) and Traffic Encryption Key
• Another key, the key encrypting key (KEK), is derived directly from the AK by both the BS and
the SS. The KEK is used to encrypt keys for transport from the BS to the SS. In addition, the BS
randomly generates the traffic encryption key (TEK), enciphers it using KEK, and sends it to the
SS in the TEK exchange. KEK and TEK have a 128-bit length. The TEK-128 is encrypted with
AES key wrap.
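The RSA branch of slide 8 and the CMAC and HMAC branches of slide 9 carried through in code, as an added example that is not part of the lecture notes. Dot16KDF here follows the SHA-1 form of IEEE 802.16e as I recall it (one SHA-1 block per iteration over i | astring | keylength | key, truncated to keylength bits); the 32-bit big-endian encoding of i and keylength, and the PAK, SS MAC address and BSID values, are assumptions constructed for the demo.

```python
import hashlib

# Constructed demo values (not from the lecture): a 160-bit PAK, a 48-bit SS MAC address
# and a 48-bit base station identifier (BSID).
DEMO_PAK = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
DEMO_SS_MAC = bytes.fromhex("001122334455")
DEMO_BSID = bytes.fromhex("0a0b0c0d0e0f")


def dot16kdf(key: bytes, astring: bytes, keylength: int) -> bytes:
    """SHA-1 form of Dot16KDF (assumed layout): concatenate SHA-1(i | astring | keylength | key)
    for i = 0 .. int((keylength-1)/160) and truncate the result to keylength bits."""
    result = b""
    for i in range((keylength - 1) // 160 + 1):
        result += hashlib.sha1(
            i.to_bytes(4, "big") + astring + keylength.to_bytes(4, "big") + key
        ).digest()
    return result[: keylength // 8]


def derive_ak_from_pak(pak: bytes, ss_mac: bytes, bsid: bytes) -> bytes:
    """Slide 8, RSA branch: AK = Dot16KDF(PAK, SS MAC Address | BSID | "AK", 160)."""
    return dot16kdf(pak, ss_mac + bsid + b"AK", 160)


def derive_ak_from_msk(msk: bytes, ss_mac: bytes, bsid: bytes) -> bytes:
    """Slide 8, EAP branch: PMK = Truncate(MSK, 160), then AK from the PMK as above."""
    pmk = msk[:20]
    return dot16kdf(pmk, ss_mac + bsid + b"AK", 160)


def derive_cmac_keys_and_kek(ak: bytes, ss_mac: bytes, bsid: bytes) -> dict:
    """Slide 9, CMAC mode: 384 bits split as CMAC_KEY_U (128) | CMAC_KEY_D (128) | KEK (128)."""
    material = dot16kdf(ak, ss_mac + bsid + b"CMAC_KEYS+KEK", 384)
    return {"CMAC_KEY_U": material[0:16], "CMAC_KEY_D": material[16:32], "KEK": material[32:48]}


def derive_hmac_keys_and_kek(ak: bytes, ss_mac: bytes, bsid: bytes) -> dict:
    """Slide 9, HMAC mode: 448 bits split as HMAC_KEY_U (160) | HMAC_KEY_D (160) | KEK (128)."""
    material = dot16kdf(ak, ss_mac + bsid + b"HMAC_KEYS+KEK", 448)
    return {"HMAC_KEY_U": material[0:20], "HMAC_KEY_D": material[20:40], "KEK": material[40:56]}


def bound_to_link(pak: bytes, ss_mac: bytes, bsid: bytes, other_bsid: bytes) -> bool:
    """The AK is bound to the SS MAC address and the BSID: the same PAK used towards a
    different base station yields a different AK, and so different MAC keys and KEK."""
    return derive_ak_from_pak(pak, ss_mac, bsid) != derive_ak_from_pak(pak, ss_mac, other_bsid)


if __name__ == "__main__":
    ak = derive_ak_from_pak(DEMO_PAK, DEMO_SS_MAC, DEMO_BSID)
    print("AK        :", ak.hex())
    for name, value in derive_cmac_keys_and_kek(ak, DEMO_SS_MAC, DEMO_BSID).items():
        print(f"{name:10}:", value.hex())
```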
• The BS and SS maintain two sets of TEKs and their associated initialization vectors (IVs) per
security association identifier (SAID), corresponding to two successive generations of key
materials. The two TEKs have overlapping lifetimes.

Wireless Security – WIMAX TEK and Group Keys Derived by the BS
[Figure: keys derived by the BS. RNG → TEK, encrypted under the KEK and sent to the SS; RNG → GKEK, encrypted under the KEK and sent to the SS; RNG → GTEK, encrypted under the GKEK and sent to the SS.]
RNG = Random Number Generator
TEK = Traffic Encrypting Key (64 or 128 bits)
GKEK = Group Key Encryption Key
GTEK = Group Traffic Encrypting Key

Group Key Encrypting Key and Group Traffic Encryption Key
• The BS also randomly generates another key, the group key encrypting key (GKEK), which it
enciphers using KEK and sends to all the subscriber stations in the group security association
(GSA). GKEK is used to encrypt the group traffic encryption key (GTEK), which is sent in
multicast messages by the BS to the subscriber stations in the same multicast group.

Wireless Security – Security Associations
• Security associations in WIMAX are used in the same way and have the same meaning as the security associations used in IPsec, as well as the security capabilities used in TLS and SSL.
• A Security Association (SA) associates the security parameters with the traffic to be protected.
• Once the SA for a specific connection is defined, it is assigned an identifier, the Security Association ID (SAID).
• When a connection is established between a BS and an SS, the two need to agree on, among other things, the following:
  — The encryption and authentication algorithms.
  — The crypto keys, the key sizes, and key lifetimes.
  — How to exchange keys, the initialization values, and other related security parameters.
• Security associations in WIMAX are used in the same way and have the same meaning as the
security associations used in IPsec; they also have the same security capabilities used in TLS and
SSL. A security association (SA) associates the security parameters with the traffic to be
protected. Another way to define an SA is to say that an SA describes the security parameter
information agreed upon between a sender and a receiver on how to secure a communication –in
the case of WIMAX, between a BS and a SS.
• When a connection is established between a BS and an SS, the two need to agree on, among
other things, the encryption and authentication algorithms, the crypto keys, the key sizes, key
lifetimes, how to exchange keys, the initialization values, and other related security parameters.
Once the SA for a specific connection is defined, it is assigned an identifier, the security
association ID (SAID).
• There are three types of SAs in WIMAX: unicast connections, GSA for multicast groups, and
MBSGSA for MBS services. The unicast SAs can be primary, static, and dynamic. In general,
the following is the information contained in an SA:
  — The SAID, a 16-bit identifier of the SA.
  — The KEK, a 128-bit key encryption key derived from the AK.
  — The TEK, a 128-bit traffic encryption key, generated within the BS and transferred from the BS to the SS using a secure exchange.
  — The TEK’s lifetime.
  — PN0 and PN1, 32-bit packet numbers for use by the link cipher.
  — RxPN0 and RxPN1, 32-bit received sequence counters, for use by the link cipher.

Wireless Security – WIMAX Authorization and AK Exchange
[Figure: WIMAX authorization and AK exchange between the Subscriber Station (SS) and the Base Station (BS).]
SS → BS, Authentication Information: the authentication information message is strictly informative; it contains the SS X.509 certificate.
SS → BS, request for an authorization key:
  — SS X.509 certificate.
  — List of crypto suites (security associations’ IDs) supported by the SS.
  — SS Connection Identifier (CID).
BS → SS, Authorization Reply:
  — A pre-PAK or MSK encrypted with the SS public key.
  — A key lifetime.
  — A 4-bit sequence number used to distinguish successive generations of pre-PAK or MSK.
  — The SAID used by the SS to obtain keying information.
Creating the PAK or PMK and AK: SS and BS create the PAK or PMK, and from the PAK or PMK derive the 160-bit AK.

• A BS authenticates a client SS during the initial authorization exchange. All SSs have factory-installed RSA private/public key pairs and X.509 certificates, or have an internal algorithm to
generate such key pairs dynamically; they also have the means to create X.509 certificates. The
digital certificate contains the SS’s public key and MAC address. When requesting an
authorization key an SS presents its digital certificate to the BS. The BS verifies that the digital
certificate is authentic, and then uses the verified public key to encipher an AK, which the BS then
transmits back to the requesting SS.

Wireless Security – WIMAX Re-Authentication & TEK Exchange
[Figure: WIMAX re-authentication and TEK exchange between the Subscriber Station (SS) and the Base Station (BS).]
Creating CMAC or HMAC and KEK: SS and BS create the CMAC or HMAC keys and the KEK.
SS → BS, Re-Authentication: the SS sends a re-authentication request signed by HMAC or CMAC; the SS requests a TEK.
BS → SS, Key Reply: the BS generates the TEK as a random number and enciphers it using a wrapping algorithm keyed with the KEK; the BS sends the encrypted TEK to the SS.
The SS deciphers the encrypted TEK using the wrapping algorithm keyed with the KEK.
BS and SS are ready to send encrypted information using the data encryption algorithm specified in the cipher suite keyed with TEK. Exchanged ciphertext messages are authenticated using HMAC or CMAC.

• From the AK, the SS and the BS create the key for the CMAC, HMAC, and the key encrypting
key (KEK). When the service is ready to transmit and receive data, the SS requests a traffic
encryption key (TEK) for the connection. Using a pseudorandom number generator, the BS
generates a TEK. The TEK is encrypted using a wrapping algorithm keyed with the KEK and
transmitted to the SS. The SS deciphers the encrypted TEK using the same wrapping algorithm
keyed with KEK.
• At this moment, the BS and the SS are ready to send encrypted information using the data
encryption algorithm specified in the cipher suite keyed with TEK. Exchanged ciphertext messages
are authenticated using HMAC or CMAC.
• The AK and TEK have a limited lifetime and are periodically refreshed according to the authorized
grace time and TEK grace time encoding.

Wireless Security – WIMAX Cryptographic Suites
Value | Data Encryption | Data Authentication | TEK Exchange
0x000001 | No data encryption | No data authentication | 3-DES, 128
0x010001 | CBC-Mode 56-bit DES | No data authentication | 3-DES, 128
0x000002 | No data encryption | No data authentication | RSA, 1024
0x010002 | CBC-Mode 56-bit DES | No data authentication | RSA, 1024
0x020103 | CCM-Mode 128-bit AES | CCM-Mode, 128-bit | ECB mode AES with 128-bit key
0x020104 | CCM-Mode 128-bit AES | CCM-Mode | AES Key Wrap with 128-bit key
0x030003 | CBC-Mode 128-bit AES | No data authentication | ECB mode AES with 128-bit key
0x800003 | MBS CTR Mode 128-bit AES | No data authentication | AES ECB mode with 128-bit key
0x800004 | MBS CTR Mode 128-bit AES | No data authentication | AES Key Wrap with 128-bit key
All remaining values | Reserved | – | –

• WIMAX uses two encryption algorithms to encipher data, DES in CBC mode and AES in CCM,
CBC, or CTR modes. The type of encryption algorithm to use is designated in the data
encryption algorithm identifier in the cryptographic suite. A cryptographic suite is the SA’s set of
methods for data encryption, data authentication, and TEK exchange. The WIMAX
cryptographic suites are listed in Table 14-2.
• The AES CCM mode is defined in NIST “Special Publication 800-38C, FIPS-197,” and is
explained in WLAN Security Enhancement, “CTR with CBC-MAC Protocol section.” The AES
CBC mode is defined in NIST Special Publication 800-38A, FIPS-197 and is explained in
Session 2, “Cipher Block Chaining (CBC) Mode.”

Wireless Security – WIMAX AES Residual Termination Block
[Figure: AES-CBC residual termination block – encryption with EK and decryption with DK of the next-to-last and last blocks, Pn-1 and Pn.]
Pn = Last plaintext block; Pn-1 = Next to last plaintext block
Cn = Last ciphertext block; Cn-1 = Next to last ciphertext block
EK = Encryption with key K; DK = Decryption with key K
b = Block size; a = Number of bits in Pn
Ö = Padded bits; the final block also carries the ciphertext of Ö

• The AES-CBC residual termination is defined in 802.16-2005 as follows:
• If the final short plaintext block is a bits, where a is less than the cipher block size b, the next-
to-last plaintext block is enciphered and the resulting ciphertext block is divided into two parts. One of the
parts is a bits and the other part is b – a bits. The b – a part of the ciphertext is concatenated
with the padding used in the short plaintext and is sent as the final ciphertext block. The short
plaintext block is padded to complete a plaintext block, encrypted with AES in CBC mode,
and sent as the next-to-last ciphertext block.
• If the payload is less than the cipher block size, the most significant n bits of the generated
CBC IV are XORed with the n bits of the payload to generate the short cipher block.
• The AES CTR mode is defined in “NIST Special Publication 800-38A, FIPS-197” and is
explained in Session 2, “Counter (CTR) Mode.” In CTR mode, the input blocks are blocks of
bits called counters, which must have the property that each counter block in the sequence is
different from every other counter block. There are several methods to generate the counters.
• In WIMAX, a 32-bit nonce is made of an 8-bit rollover counter (ROC) and the 24-bit
synchronization field or frame number. The nonce is repeated four times to construct the 128-bit
counter block required by the AES-128 cipher: initial counter = nonce || nonce || nonce || nonce.
The 8-bit ROC is sent in clear and concatenated with the AES-CTR ciphertext. Therefore, the
encryption process yields a payload that is 8 bits longer than the plaintext payload.
• The NIST AES key wrap algorithm is designed to wrap or encrypt key data. The key wrap
operates on blocks of 64 bits. Before being wrapped, the key data is parsed into n blocks of 64
bits. The only restriction the key wrap algorithm places on n is that n be at least two. It is
recognized that n ≤ 4 will accommodate all supported AES key sizes.

Wireless Security – Wireless LAN (WLAN) – Wi-Fi
[Figure: WLAN – a WLAN security switch serving Subnet “A” and Subnet “B”, each with a wireless access point (WL AP); PDAs with wireless adaptors, a WIMAX terminal and a WLAN mobile terminal; a station roams from one AP to the other.]

• WLANs are normally privately owned networks that companies or individuals set up for the use
of their employees or their own use. The WLAN data transfer rate is currently up to 54 Mb, but it
has a limited coverage of up to approximately 300 feet. The range of current 802.11g technology
can be improved threefold by using multiple transmitter and receiver antennas and by
overlapping the signals of two wireless-G compatible radios, the Multiple In, Multiple Out
(MIMO). MIMO also improves the data rate by yielding up to 8 times more throughput than
• Wireless networks have fundamental characteristics that make them significantly different from
traditional wired LANs. The following describes some of those differences:
• Communications are carried using radio transmission; some countries impose specific
requirements for radio equipment and for the frequencies that can be used.
• Since communications are radio broadcast, they need to be protected.
• There are range limitations when using wireless networks that depend on the type of
modulation, transmitting frequency, and type of antenna used.
• Wireless communications must be able to handle mobile, as well as portable stations. A
portable station is one that is moved from location to location, but that is only used while at a
fixed location. A mobile station actually accesses the LAN while in motion, and may often
be battery powered. Hence, power management is an important consideration.
• A station needs to be associated with an access point.
• It is possible to have one access point and many stations. Each station’s connection to the
access point is independent and does not interfere with that of other stations.
• Access points’ coverage may overlap.

Wireless Security – IEEE 802.11 Standards
Standard | Description
IEEE 802.11 | The original 1 Mbit/s and 2 Mbit/s, 2.4 GHz RF and IR standard (1999)
IEEE 802.11a | 54 Mbit/s, 5 GHz standard (2001)
IEEE 802.11b | Enhancements to 802.11 to support 5.5 and 11 Mbit/s (1999)
IEEE 802.11c | Bridge operation procedures; included in the IEEE 802.1D standard (2001)
IEEE 802.11d | International (country-to-country) roaming extensions (2001)
IEEE 802.11e | Enhancements: QoS, including packet bursting (2005)
IEEE 802.11g | 54 Mbit/s, 2.4 GHz standard (backwards compatible with b) (2003)
IEEE 802.11h | Spectrum Managed 802.11a (5 GHz) for European compatibility (2004)
IEEE 802.11i | Enhanced security (2004)
IEEE 802.11n | Builds upon previous 802.11 standards by adding MIMO (multiple-input multiple-output) and orthogonal frequency-division multiplexing (OFDM). MIMO uses multiple transmitter and receiver antennas to allow for increased data throughput.
IEEE 802.11p | WAVE – Wireless Access for the Vehicular Environment (such as ambulances and passenger cars)
IEEE 802.11s | ESS Mesh Networking

• The standard for wireless LAN is IEEE 802.11, “Wireless LAN Medium Access Control and
Physical Layer Specifications.” According to this document, the standard defines the
protocol and compatible interconnection of data communication equipment via radio or infrared.
The standard also specifies that local area networks (LANs) use the Carrier Sense Multiple
Access Protocol with the Collision Avoidance (CSMA/CA) medium sharing mechanism. The
protocol includes authentication, association services, but confidentiality (encryption and
decryption) is optional.
• The medium access control is formatted as frames, and each frame consists of a header, a
variable length frame body, and a frame check sum (FCS), which contains a cyclic redundancy
code (CRC). The unit of data exchanged between two peer entities to implement the access
control management protocol, as in WIMAX, is also called MPDU. The MPDU term is used
when describing the data exchanged between a client and the access point.

Wireless Security – IEEE 802.11 Security Services
• Authentication
  — Open System
  — Shared Key
• Confidentiality
  — WEP
• Access control in conjunction with layer management.
• Secure Roaming

• In a wired LAN, a hacker needs to be connected physically to the network to be able to monitor the LAN
traffic, so even though wired LANs are physically closed and controlled networks, authentication, access
control, and confidentiality are required security services.
• In a wireless shared medium, any IEEE 802.11-compliant station can receive all traffic that is within
range of the access point and can transmit to any other 802.11 station within range. Thus, the connection
of a single wireless link (without privacy) to an existing wired LAN may seriously degrade the security
level of the wired LAN. The wireless physically open-medium nature of an IEEE 802.11 wireless LAN
makes authentication, access control, and confidentiality a must in its implementation.
• The following are the security services provided in IEEE 802.11:
  1. Authentication;
  2. Confidentiality;
  3. Access control in conjunction with layer management; and
  4. Secure roaming.
• IEEE 802.11 defines two subtypes of authentication service: open system and shared key. Open system
authentication is the simplest of the available authentication algorithms. Essentially, it is a null
authentication algorithm. Any station that requests authentication with this algorithm may become
authenticated. The type of authentication is set at the access point, and in some products, the open system
authentication is the default authentication algorithm.
• In shared-key authentication, identity is demonstrated by knowledge of a shared secret. During the
shared-key authentication exchange, both the challenge and the encrypted challenge are transmitted. The
challenge is encrypted using the shared secret, so only those stations that know the shared secret key are
authenticated. (Because the challenge and its WEP encryption are both visible on the air, an eavesdropper
can XOR them to recover the RC4 keystream for that IV; this is why shared-key authentication is, in
practice, weaker than open system authentication.) The shared secret key needs to be loaded, via a secure channel, into the access point and
into all stations that request access. Shared-key authentication is only available if the WEP option is
• IEEE 802.11 provides the ability to encrypt the contents of messages. This functionality is provided by
the optional Wired Equivalent Privacy (WEP), which, according to the standard, is not designed for
ultimate security but rather to be at least as secure as wired networks.
• The default privacy state for all IEEE 802.11 stations is in the clear: if the privacy service is not
invoked, all messages are sent unencrypted. Since many users did not know about or did not bother to
change the setup, many WLANs were left transmitting in the clear.

WEP Encapsulation (figure): secret key (40, 104, or 232 bits) || initialization vector (IV) → RC4 → keystream; payload || ICV (CRC-32) ⊕ keystream → encrypted payload || encrypted ICV; WEP frame = 802.11 header, IV, key number, encrypted payload, encrypted ICV.
• The IEEE 802.11 WEP is a data confidentiality algorithm designed to protect authorized users
of a wireless LAN from casual eavesdropping; WEP uses RC4, a symmetric encryption
algorithm. Data confidentiality depends on an external key management service to distribute the
key because the same key is used to encipher and to decipher.
• The secret key is concatenated with an initialization vector (IV), and the resulting seed is input
to RC4 to produce a keystream of pseudorandom octets equal in length to the number of octets
to be transmitted (data plus ICV). To protect against unauthorized data modification, an integrity
algorithm (CRC-32) operates on the plaintext to produce an integrity check value (ICV). The plaintext is
concatenated with the ICV and the result is XORed with the RC4 pseudorandom keystream
output. The ciphertext is then prefixed with the IV, which is sent in the clear.
• In WEP, each MPDU is considered a different message, so each MPDU needs to be encrypted with a
different keystream. However, 802.11 has no provision for key management, so there is no way
for the access point and the client to exchange a new key for each packet; nor can the RC4
keystream be re-synchronized with a new key when packets are dropped.
• Since it was not possible to have a different key for each MPDU, and to avoid restarting the
keystream at the same point every time re-synchronization was required, the designers of WEP
added an IV that yields a different RC4 keystream for the same secret key. There were
2^24 possible IVs, and the IV was sent unencrypted. The secret key remained constant while the
IV changed per packet; in this way, the IV extended the useful lifetime of the secret key. The
fundamental problem, however, was that there was a finite number of IVs, and WEP did not
specify an algorithm to generate them. In most implementations, the IV started at zero and was
incremented sequentially for each packet. With only 2^24 possible IVs and an IV selected at
random, there is a 50% probability of repeating a previous IV after fewer than 4,792 MPDUs
(birthday bound); a repeated IV under the same key repeats the RC4 keystream.
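The encapsulation described above, as an added example that is not part of the lecture notes: a WEP-style implementation with RC4 and a CRC-32 ICV, used to show what an IV repeat and the linear ICV actually cost. The key, IV and payloads are constructed; RC4 and the frame layout are written inline, so the block runs with the Python standard library only.

```python
# Added example, not from the lecture notes: a WEP-style encapsulation with RC4 and a CRC-32 ICV.
# It demonstrates two consequences of the design described above: a repeated IV under the same key
# repeats the RC4 keystream (so C1 xor C2 = P1 xor P2), and because CRC-32 is affine, ciphertext
# bits can be flipped and the encrypted ICV fixed up without the key. RC4 is implemented inline;
# the key, IV and payloads are constructed for the demonstration.
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(secret_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV (3 bytes) || key-id byte || RC4_{IV||K}(payload || CRC-32(payload))."""
    assert len(iv) == 3
    icv = zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4_keystream(iv + secret_key, len(payload) + 4)
    return iv + b"\x00" + xor(payload + icv, keystream)


def wep_decapsulate(secret_key: bytes, body: bytes):
    """Returns (payload, icv_ok). The ICV is a plain CRC, so icv_ok is not an authenticity check."""
    iv, ciphertext = body[:3], body[4:]
    plain = xor(ciphertext, rc4_keystream(iv + secret_key, len(ciphertext)))
    payload, icv = plain[:-4], plain[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


def keystream_reuse(body1: bytes, body2: bytes) -> bytes:
    """Two frames with the same IV and key: XOR of the ciphertexts is the XOR of the plaintexts."""
    assert body1[:3] == body2[:3], "demonstration needs a repeated IV"
    return xor(body1[4:-4], body2[4:-4])


def flip_bits(body: bytes, delta: bytes) -> bytes:
    """Modify a frame without the key. For equal lengths,
    crc32(P xor D) == crc32(P) xor crc32(D) xor crc32(zeros), so the encrypted ICV is adjusted too."""
    iv_kid, ct = body[:4], body[4:]
    n = len(ct) - 4
    assert len(delta) == n
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv_kid + xor(ct[:n], delta) + xor(ct[n:], icv_delta)


def demo():
    key = bytes.fromhex("0102030405")              # constructed 40-bit WEP key
    iv = b"\x00\x00\x01"                           # constructed IV, deliberately reused
    p1 = b"GET /balance?acct=1234 HTTP/1.0"        # constructed payloads
    p2 = b"GET /balance?acct=9999 HTTP/1.0"
    f1 = wep_encapsulate(key, iv, p1)
    f2 = wep_encapsulate(key, iv, p2)              # same IV and key: same keystream
    leaked = keystream_reuse(f1, f2)               # equals p1 xor p2, no key involved
    # Flip "1234" to "4321" inside f1 without the key; the receiver's ICV check still passes.
    delta = bytearray(len(p1))
    delta[18:22] = xor(b"1234", b"4321")
    payload, icv_ok = wep_decapsulate(key, flip_bits(f1, bytes(delta)))
    return leaked == xor(p1, p2), payload, icv_ok
```

`demo()` returns `(True, b"GET /balance?acct=4321 HTTP/1.0", True)`: the XOR of the two ciphertexts equals the XOR of the plaintexts, and the forged frame passes the ICV check. Both are properties of the construction (a stream cipher with a reused keystream and a CRC used as an integrity check), not of any particular implementation.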
IEEE 802.11i
• Several reports were written revealing 802.11's security weaknesses.
• In June 2004, the IEEE Standards Association approved IEEE 802.11i, a security enhancement amendment to the original IEEE 802.11 specification.
• The IEEE 802.11i amendment added stronger encryption, authentication, and key management strategies for wireless data and system security.
• The amendment proposed two new data-confidentiality upgrades:
— An interim software upgrade solution that did not need hardware upgrades:
– The Temporal Key Integrity Protocol (TKIP)
— A final solution requiring different hardware and, therefore, not compatible with the previous WEP hardware:
– Counter mode with CBC-MAC (cipher block chaining message authentication code) Protocol (CCMP), plus IEEE 802.1X to control access to the network.
• The 802.11i amendment also provided improvements in the following areas:
— Key management
— Data origin authenticity
— Replay detection
• In June 2004, the IEEE Standards Association approved a security enhancement amendment to
the original IEEE 802.11 specification. It was the IEEE 802.11i, "Wireless LAN Medium Access
Control and Physical Layer Specifications: Medium Access Control Security Enhancement."
• The IEEE 802.11i amendment added stronger encryption, authentication, and key management
strategies for wireless data and system security. The amendment proposed two new data-confidentiality upgrades: (1) a software upgrade, the Temporal Key Integrity Protocol (TKIP); and (2) a
hardware upgrade, called Counter mode with CBC-MAC (cipher block chaining message
authentication code) Protocol (CCMP). In addition, IEEE 802.11i also
uses IEEE 802.1X to control access to the network.
• According to the standard, in addition to improving confidentiality, the 802.11i amendment also
provides improvement for the following security issues:
• Key management – The enhanced confidentiality, data authentication, and replay protection
mechanisms require fresh cryptographic keys. 802.11i provides fresh keys by means of
protocols called the 4-Way Handshake and Group Key Handshake.
• Data origin authenticity – The data origin authenticity mechanism defines a means by which
a station that receives a data frame can determine which station transmitted the MPDU. This
feature is required to prevent one station from masquerading as another station. This
mechanism is provided by using CCMP or TKIP.
• Replay detection – The replay detection mechanism defines a means by which a station that
receives a data frame from another station can detect whether the data frame is an
unauthorized retransmission. This mechanism is provided by using CCMP or TKIP.

802.11 Security Framework (figure)
Timeline: 802.11 ratified 06/1997; WPA released 04/2003; 802.11i ratified 06/2004; WPA2 released 09/2004.
Authentication: IEEE 802.1X port control with EAP. EAP implementations and credentials: EAP-TLS (certificates), PEAP (either), EAP-MD5 (username/password), EAP-TTLS (either), plus others such as LEAP. RADIUS servers: Cisco ACS, Microsoft IAS, FreeRADIUS, Juniper SBR.
Wi-Fi Alliance modes: Enterprise (802.1X) and Personal (PSK).
                     | WEP           | TKIP            | CCMP
Integrity algorithm  | ICV (CRC-32)  | Michael MIC     | CCMP (CBC-MAC)
Encryption cipher    | RC4           | RC4             | AES
IEEE                 | 802.11        | 802.11i (RSN)   | 802.11i (RSN)
Wi-Fi Alliance       | (none)        | WPA/WPA2        | WPA2 (also supported by some WPA products but not certified, as some vendors implement WPA with AES)
The WPA2 cipher suite is indicated in the Robust Security Network (RSN) Information Element.
• WPA and WPA2 are the Wi-Fi Alliance functionality certification versions of IEEE 802.11i. WPA
and WPA2 use 802.1X and EAP for authentication. WPA and WPA2 continue the use of the RC4
cipher with TKIP, but WPA2 also uses a stronger encryption mechanism with AES, using Counter
Mode with Cipher Block Chaining Message Authentication Code Protocol (AES-CCMP). Built
into the CCMP algorithm is an integrity check.
• Both WPA and WPA2 have personal and enterprise certified modes of operation that meet the
needs for two different market segments. In the personal mode of operation, a pre-shared key
(password) is used for authentication, while in the enterprise mode of operation, authentication is
achieved via 802.1X and EAP. The personal mode requires only an access point and the client
device, while the enterprise mode typically requires a RADIUS or other authentication server on
• The personal mode is designed for users who do not have an authentication server such as RADIUS.
For authentication, personal mode uses a pre-shared key that is manually entered at the access
point and at all user stations; consequently, personal mode does not scale well in an enterprise
network. The pre-shared key is used to generate the encryption keys; therefore, the PSK should be
of sufficient strength, including a mix of letters, numbers, and non-alphanumeric characters. The
personal mode uses the same encryption methods as enterprise mode. It supports per-user, per-session, and per-packet encryption via TKIP with WPA or AES with WPA2.
• WPA and WPA2-enterprise use IEEE 802.1X authentication with EAP methods to provide mutual
authentication and to ensure that only authorized users are granted access to the network and only
to authorized areas within the network.

TKIP Encapsulation (figure): TK, TA and TSC → Phase 1 key mixing → Phase 2 key mixing (with TSC) → 128-bit RC4 key (WEP seed); DA + SA + Priority + plaintext MSDU → Michael (MIC key) → MSDU + MIC → fragmented into MPDU(s) if necessary → WEP encapsulation with RC4 → ciphertext MPDU(s).
TA = Transmitter Address; TK = Temporal Key; TSC = TKIP Sequence Counter; MIC = Message Integrity Code; DA = Destination Address; SA = Source Address
• As mentioned before, TKIP was designed in a way that the algorithm could be implemented
within the hardware capabilities of most devices supporting only WEP. In this way, such devices
could be field-upgradeable by the manufacturers.
• TKIP uses the RC4 stream cipher with 128-bit keys for encryption and 64-bit keys for
authentication (the Michael MIC key). The temporal key goes through two mixing functions, Phases 1 and 2.
Phase 1 mixes the appropriate temporal key, TK (pairwise or group), with the transmitter
address, TA, and the upper 32 bits of the TKIP sequence counter, TSC. Phase 2 mixes the output of Phase 1
with the TK and the lower 16 bits of the TSC to produce the WEP seed, also called the per-frame key. Both Phase 1 and
Phase 2 rely on an S-box, the only difference being that the second S-box table is an octet-swapped replica of the first. The S-boxes substitute one 16-bit value with another 16-bit value.
• To defend against active attacks, TKIP uses a MIC called Michael. Conventionally such a keyed
check is called a message authentication code, but the acronym MAC was already used in the 802.11
standard for medium access control. Like a MAC (see Session 5, "Message Authentication
Code"), the MIC is a key-dependent one-way function of the message. The integrity provided by the MIC
rests on the fact that it is not possible to generate a MIC without knowing the MIC key:
an adversary without knowledge of the key cannot modify data and then generate
an authentic MIC on the modified data. If the MIC key is known only by the source and the
destination, the algorithm provides both data origin authentication and data integrity for
MPDUs sent between the two parties, and only a station or access point with the identical
MIC key can verify the MIC. Michael was chosen because it fits WEP-era hardware, not for
cryptographic strength, so TKIP also specifies countermeasures when MIC failures are detected.
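The Michael MIC described above, as an added example that is not part of the lecture notes: Michael written from the 802.11i description, applied to the TKIP MIC input (DA, SA, priority, MSDU) on the sender and receiver sides. The MIC key, addresses and MSDU are constructed.

```python
# Added example, not from the lecture notes: the Michael MIC that TKIP uses, written from the 802.11i
# description (64-bit key, four 32-bit mixing steps per word, 0x5a padding), together with the TKIP
# MIC input layout DA || SA || Priority || 0x00 0x00 0x00 || MSDU. The key, addresses and MSDU below
# are constructed. Michael is a cheap keyed function, not a cryptographic MAC.
import hmac
import struct

MASK = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _xswap(x):
    """Swap the two bytes inside each 16-bit half of a 32-bit word."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def _block(l, r):
    """Michael block function b(L, R)."""
    r ^= _rotl(l, 17); l = (l + r) & MASK
    r ^= _xswap(l);    l = (l + r) & MASK
    r ^= _rotl(l, 3);  l = (l + r) & MASK
    r ^= _rotr(l, 2);  l = (l + r) & MASK
    return l, r


def michael(key: bytes, message: bytes) -> bytes:
    """Michael(K, M) -> 64-bit MIC. The message is padded with 0x5a and 4 to 7 zero bytes
    so that its length is a multiple of 4; words are little-endian."""
    assert len(key) == 8
    l, r = struct.unpack("<II", key)
    padded = message + b"\x5a" + bytes(4 + (3 - len(message) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l, r = _block(l ^ word, r)
    return struct.pack("<II", l, r)


def tkip_mic_input(da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """TKIP computes Michael over DA || SA || Priority || three zero bytes || MSDU."""
    return da + sa + bytes([priority, 0, 0, 0]) + msdu


def protect(mic_key: bytes, da: bytes, sa: bytes, priority: int, msdu: bytes) -> bytes:
    """Sender: append the MIC; MSDU || MIC is what TKIP then hands to RC4 encryption."""
    return msdu + michael(mic_key, tkip_mic_input(da, sa, priority, msdu))


def verify(mic_key: bytes, da: bytes, sa: bytes, priority: int, protected: bytes) -> bool:
    """Receiver: recompute and compare in constant time. A failure here is what triggers
    TKIP's MIC countermeasures in a real implementation."""
    msdu, mic = protected[:-8], protected[-8:]
    return hmac.compare_digest(mic, michael(mic_key, tkip_mic_input(da, sa, priority, msdu)))


def demo():
    mic_key = bytes.fromhex("d55e100510128986")                              # constructed MIC key
    da, sa = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")   # constructed addresses
    frame = protect(mic_key, da, sa, 0, b"Michael")
    tampered = bytes([frame[0] ^ 0x01]) + frame[1:]                          # flip one payload bit
    return verify(mic_key, da, sa, 0, frame), verify(mic_key, da, sa, 0, tampered)
```

With an all-zero key and an empty message, `michael()` returns `82925c1ca1d130b8`, the first Michael test vector published with 802.11i; `demo()` returns `(True, False)`, since the one-bit change to the MSDU no longer matches the MIC.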
• Another improvement of TKIP over WEP was that the IV (now the TSC) was increased from 24 to 48
bits, so the number of MPDUs before a 50% probability of repeating a previous value grew from fewer than 4,792
MPDUs to 19,629,343 MPDUs (calculated using the birthday bound).

CBC-MAC Authentication
(figure) Input data (N, A, P) → formatting function → blocks B0, B1, ..., Br
Y0 = CIPH_K(B0)
Y1 = CIPH_K(Y0 ⊕ B1)
...
Yr = CIPH_K(Yr−1 ⊕ Br)
T = MSB_Tlen(Yr)
• The following are the prerequisites for the authentication and encryption process of CCM:
block cipher algorithm, key K, counter generation function, formatting function, and MAC
length Tlen. The following are the inputs: a valid nonce N, a valid payload P of length Plen bits,
and valid associated data A.
• Steps:
1. Apply the formatting function to (N, A, P) to produce the blocks B0, B1, …, Br.
2. Set Y0 = CIPH_K(B0).
3. For i = 1 to r, set Yi = CIPH_K(Bi ⊕ Yi−1).
4. Set T = MSB_Tlen(Yr).
Where:
r = the number of blocks in the formatted input data (N, A, P).
Yr = the CBC-MAC result.
MSB_s(X) = the bit string consisting of the s left-most bits of the bit string X.
T = the MAC that is generated as an internal variable in the CCM process.
Tlen = the bit length of the MAC.

Counter (CTR) Mode Encryption
(figure) Counter blocks Ctr0, Ctr1, ..., Ctrm each carry Flags, N, and the counter value.
S0 = CIPH_K(Ctr0), S1 = CIPH_K(Ctr1), ..., Sm = CIPH_K(Ctrm)
S = S1 || S2 || ... || Sm
C = (P ⊕ MSB_Plen(S)) || (T ⊕ MSB_Tlen(S0))
Where:
m = the number of blocks in the formatted payload, equal to ⌈Plen/128⌉.
Plen = the bit length of the payload.
MSB_s(X) = the bit string consisting of the s left-most bits of the bit string X.
T = the MAC that is generated as an internal variable in the CCM process.
Tlen = the bit length of the MAC.
• Steps:
1. Apply the counter generation function to generate the counter blocks Ctr0, Ctr1, …, Ctrm, where m = ⌈Plen/128⌉.
2. For j = 0 to m, set Sj = CIPH_K(Ctrj).
3. Set S = S1 || S2 || … || Sm.
4. Return C = (P ⊕ MSB_Plen(S)) || (T ⊕ MSB_Tlen(S0)).
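The CBC-MAC and CTR steps above combined into CCM, as an added example that is not part of the lecture notes. The Python standard library has no AES, so the 128-bit block function CIPH_K is a stand-in PRF built from HMAC-SHA256 (an assumption made here, not part of CCM); the formatting and counter-generation functions follow RFC 3610, which is the form CCMP uses (13-byte nonce, 2-byte length field, 8-byte tag). Key, nonce, associated data and payload are constructed.

```python
# Added example, not from the lecture notes: the CCM composition as the two slides describe it,
# CBC-MAC over the formatted blocks B0..Br, CTR encryption with S0 reserved for the tag, and
# C = (P xor MSB(S)) || (T xor MSB(S0)). CIPH_K below is a stand-in PRF built from HMAC-SHA256
# because the standard library has no AES (an assumption of this example); the formatting and
# counter functions follow RFC 3610. Key, nonce, associated data and payload are constructed.
import hashlib
import hmac
import math

BLOCK = 16


def ciph(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 (assumption): HMAC-SHA256 truncated to one block."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _split(s: bytes) -> list:
    return [s[i:i + BLOCK] for i in range(0, len(s), BLOCK)]


def format_blocks(nonce: bytes, adata: bytes, payload: bytes, tlen: int, qlen: int) -> list:
    """RFC 3610 formatting function: B0 = Flags || N || Q(payload length); then the length-prefixed
    associated data and the payload, each zero-padded to whole blocks."""
    assert len(nonce) == 15 - qlen and len(adata) < 0xFF00
    flags = (64 if adata else 0) | (((tlen - 2) // 2) << 3) | (qlen - 1)
    b0 = bytes([flags]) + nonce + len(payload).to_bytes(qlen, "big")
    a = (len(adata).to_bytes(2, "big") + adata) if adata else b""
    pad = lambda s: s + bytes(-len(s) % BLOCK)
    return [b0] + _split(pad(a)) + _split(pad(payload))


def cbc_mac(key: bytes, blocks: list, tlen: int) -> bytes:
    """Y0 = CIPH_K(B0); Yi = CIPH_K(Bi xor Yi-1); T = MSB_Tlen(Yr)."""
    y = ciph(key, blocks[0])
    for b in blocks[1:]:
        y = ciph(key, bytes(x ^ z for x, z in zip(b, y)))
    return y[:tlen]


def counter_block(nonce: bytes, j: int, qlen: int) -> bytes:
    """Ctr_j = Flags || N || j, with Flags = qlen - 1 (RFC 3610 counter generation)."""
    return bytes([qlen - 1]) + nonce + j.to_bytes(qlen, "big")


def ccm_encrypt(key, nonce, adata, payload, tlen=8, qlen=2):
    t = cbc_mac(key, format_blocks(nonce, adata, payload, tlen, qlen), tlen)
    m = math.ceil(len(payload) / BLOCK)
    s = [ciph(key, counter_block(nonce, j, qlen)) for j in range(m + 1)]
    c = bytes(p ^ k for p, k in zip(payload, b"".join(s[1:])))   # P xor MSB_Plen(S)
    return c + bytes(a ^ b for a, b in zip(t, s[0][:tlen]))       # || T xor MSB_Tlen(S0)


def ccm_decrypt(key, nonce, adata, ciphertext, tlen=8, qlen=2):
    """Returns the payload, or None when the tag fails. Plaintext is never released on failure."""
    c, enc_tag = ciphertext[:-tlen], ciphertext[-tlen:]
    m = math.ceil(len(c) / BLOCK)
    s = [ciph(key, counter_block(nonce, j, qlen)) for j in range(m + 1)]
    payload = bytes(x ^ k for x, k in zip(c, b"".join(s[1:])))
    t = bytes(a ^ b for a, b in zip(enc_tag, s[0][:tlen]))
    expected = cbc_mac(key, format_blocks(nonce, adata, payload, tlen, qlen), tlen)
    return payload if hmac.compare_digest(t, expected) else None


def demo():
    key = hashlib.sha256(b"constructed demo key").digest()[:16]
    nonce = bytes.fromhex("00" + "001122334455" + "000000000001")   # constructed: priority||A2||PN
    adata = bytes.fromhex("0800001122334455")                        # constructed AAD bytes
    payload = b"authenticated and encrypted payload"
    ct = ccm_encrypt(key, nonce, adata, payload)
    ok = ccm_decrypt(key, nonce, adata, ct)
    bad_aad = ccm_decrypt(key, nonce, adata[:-1] + b"\x00", ct)     # header tampered
    flipped = ccm_decrypt(key, nonce, adata, bytes([ct[0] ^ 1]) + ct[1:])   # payload tampered
    return ok == payload, bad_aad is None, flipped is None
```

`demo()` returns `(True, True, True)`: the genuine frame decrypts, while a change to either the associated data or the ciphertext makes the tag fail, which is exactly what the ICV of WEP could not provide. Note that the tag is computed over the plaintext and masked with S0, so the receiver must decrypt first and then verify before acting on anything.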
• The first portion of C is the ciphertext of the payload and the second part is the authentication tag.
• If the block cipher behaves as a pseudo-random permutation, encrypting T with S0 avoids CBC-MAC
collision attacks because the attacker gets no information about the raw CBC-MAC results.
• CCM was designed for use in a packet network, and the authentication process requires the
message length to be known at the beginning of the operation. This is not a problem because in
almost all environments, message or packet lengths are known in advance. It is possible to
compute the message authentication code and perform encryption in a single pass because
authentication does not have to be completed before encryption can begin. The encryption key
stream can be pre-computed, but authentication cannot.

IEEE 802.1X EAP Authentication
(figure) Supplicant ↔ Authenticator (Access Point) ↔ Authentication Server (RADIUS)
Port locked
1. 802.1X EAPOL-Start (Supplicant → Authenticator)
2. 802.1X EAP-Request/Identity (Authenticator → Supplicant)
3. 802.1X EAP-Response/Identity (Supplicant → Authenticator)
4. RADIUS Access-Request carrying the EAP Response (Authenticator → Authentication Server)
5. EAP method exchange (Supplicant ↔ Authentication Server through the Authenticator), producing the PMK
6. RADIUS Access-Accept / EAP Success / Key (PMK) (Authentication Server → Authenticator)
7. 802.1X EAP Success (Authenticator → Supplicant)
Port unlocked
• The IEEE 802.1X authentication procedure is as follows:
• The Supplicant connects to the Authenticator; the Authenticator’s port is always in the
unauthorized state, so it only accepts 802.1X, EAPOL, traffic and discards any other type of
traffic such as HTTP, FTP, Dynamic Host Configuration Protocol, and Simple Mail Transfer Protocol.
• The Supplicant sends an EAPOL-Start message.
• The Authenticator replies with an EAP-Request/Identity message to obtain the client's identity.
• The Supplicant sends the EAP Response Identity. The Authenticator passes the client
identity to the Authentication Server (RADIUS) encapsulated in RADIUS protocol.
• The Authentication Server sends back a supplicant access challenge.
• The Authenticator unpacks the client access challenge using RADIUS protocol, re-packs it
using EAP protocol, and forwards the access challenge to the Supplicant.
• The Supplicant responds to the challenge and sends it to the Authenticator, which passes the
response to the Authentication Server.
• The result is an accept or reject packet from the Authentication Server to the Authenticator.
• The Authenticator enables the port to the services offered and allows the supplicant’s traffic
to be forwarded.
• At logoff, the Supplicant sends an EAPOL-Logoff message, which forces the Authenticator to
return the port to the unauthorized state.

4-Way Handshake (figure)
Supplicant (Peer, Client) and Authenticator (Access Point)
Both sides know the PMK; the supplicant generates SNonce, the authenticator generates ANonce.
Message 1, Authenticator → Supplicant: EAPOL-Key (ANonce, Unicast). The supplicant derives the PTK.
Message 2, Supplicant → Authenticator: EAPOL-Key (SNonce, Unicast, MIC). The authenticator derives the PTK and checks the MIC.
Message 3, Authenticator → Supplicant: EAPOL-Key (Install PTK, Unicast, MIC, Encrypted GTK). The supplicant installs the PTK and GTK.
Message 4, Supplicant → Authenticator: EAPOL-Key (Unicast, MIC). The authenticator installs the PTK.
• IEEE 802.11i (2004) defines two key hierarchies: (1) the pairwise key hierarchy, to protect unicast traffic,
and (2) the group key hierarchy, consisting of a single key to protect multicast and broadcast traffic. The
pairwise keys can be used with TKIP or CCMP, so in a mixed environment, an AP may simultaneously
communicate with some stations using TKIP and others using CCMP.
• The client and the authentication server (RADIUS) perform authentication using EAP, via 802.1X, to agree on a
256-bit secret key called the Pairwise Master Key (PMK).
• The 4-way Handshake Protocol consists of the following steps:
• The authenticator sends Message 1 to the supplicant at the end of a successful IEEE 802.1X PMK
exchange, or when a station requests a new key. The message includes an ANonce, as well as a key
description version (RC4 encryption with HMAC-MD5 or AES key wrap with HMAC-SHA1-128)
and key data, the PMKID for the PMK being used during this exchange.
• On reception of Message 1, the supplicant generates a new nonce, SNonce, and derives the PTK from
ANonce and SNonce.
• The supplicant prepares and sends Message 2. Message 2 includes the SNonce, the same key
description selected by the authenticator, and key data information with the authentication and cipher
suite enabled by the supplicant’s policy. In other words, the message contains the authentication and
cipher suite that the station is proposing or supports. The message also includes the message integrity code (MIC).
• Upon reception of Message 2, the authenticator derives the PTK, verifies message 2’s integrity
(MIC), and then, if needed, derives GTK. Finally, it prepares and sends Message 3.
• The authenticator sends Message 3, which includes the ANonce. In the key data field, the
authentication and cipher suite selected by the authenticator are included, as well as the MIC, and an
indication of whether or not to install the temporal keys, and the encapsulated GTK.
• When Message 3 is received, the supplicant (1) Verifies that the ANonce value in Message 3 is the
same as the ANonce value in Message 1; (2) Checks that the authentication and cipher suite sent by
the access point are the same as the one sent in Message 2; (3) Verifies the MIC; (4) Confirms that
temporal keys are installed; and (5) Prepares and sends Message 4.
• Upon reception of Message 4, the authenticator verifies the MIC.

Pairwise and Group Key Hierarchy (figure)
PTK = PRF-X(PMK, "Pairwise key expansion", AA, SPA, ANonce, SNonce)
Pairwise Transient Key (PTK): 512 bits for TKIP, 384 bits for CCMP
L(PTK 0–127) = EAPOL-Key Confirmation Key (KCK)
L(PTK 128–255) = EAPOL-Key Encryption Key (KEK)
L(PTK 256–511) = Temporal Key (TKIP)
L(PTK 256–383) = Temporal Key (CCMP)
AA = Authenticator Address; SPA = Supplicant Address; ANonce = Authenticator's Nonce; SNonce = Supplicant's Nonce; GNonce = Group's Nonce
• The Pairwise Master Key is used to generate a Pairwise Transient Key (PTK), and the PTK is
partitioned to create three types of keys.
• The pairwise key hierarchy uses a pseudorandom function to expand the PMK to a 384-bit (CCMP)
or 512-bit (TKIP) PTK. The PTK is partitioned into several keys:
• The key confirmation key (KCK) is used by IEEE 802.1X to provide data origin authenticity
in the 4-Way Handshake and Group Key Handshake messages; it consists of the first 128 bits
(bits 0–127) of the PTK.
• The key encryption key (KEK) is used by the EAPOL-Key frames to provide confidentiality
in the 4-Way Handshake and Group Key Handshake messages; it consists of bits 128–255 of
the PTK.
• Temporal Keys are used by the station and consist of bits 256–383 (for CCMP) or bits 256–
511 (for TKIP).
• All these keys are used to protect unicast communications between the authenticator's and
supplicant's respective stations. PTKs are used between a single supplicant and a single
authenticator.

Pairwise and Group Key Hierarchy
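The 4-Way Handshake steps and the PTK partition described above, as an added example that is not part of the lecture notes: PMK derivation for personal mode, the PRF-X expansion to KCK, KEK and TK, and the EAPOL-Key MIC that Message 2 carries and the authenticator verifies. The functions follow the 802.11i definitions; the addresses, nonces, RSN element and fixed EAPOL-Key header fields are constructed, and the passphrase/SSID pair is the one from the 802.11i Annex H test vector.

```python
# Added example, not from the lecture notes: the key derivation behind the 4-Way Handshake and the
# PTK partition, written from the 802.11i definitions. Personal mode: PMK = PSK =
# PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits). PTK = PRF-X(PMK, "Pairwise key
# expansion", Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)) with PRF-X
# built from HMAC-SHA1; KCK = bits 0-127, KEK = bits 128-255, TK = the remainder. The EAPOL-Key MIC
# (key descriptor version 2) is HMAC-SHA1 truncated to 128 bits under the KCK, computed over the
# EAPOL frame with the MIC field zeroed. Addresses, nonces, RSN element and the fixed header fields
# are constructed; the passphrase/SSID pair is the 802.11i Annex H test vector.
import hashlib
import hmac

MIC_OFFSET = 81   # 4-byte EAPOL header + 77 bytes of Key Descriptor fields before the Key MIC


def pmk_from_psk(passphrase: str, ssid: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-X: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ... truncated to X bits."""
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="CCMP"):
    """PRF-384 for CCMP, PRF-512 for TKIP. Min/Max ordering makes both sides derive the same PTK."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384 if cipher == "CCMP" else 512)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:]}


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2: HMAC-SHA1-128 over the EAPOL frame with the 16-byte MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(kck: bytes, snonce: bytes, key_data: bytes) -> bytes:
    """Supplicant side of Message 2: EAPOL-Key carrying SNonce, the supplicant's RSN element in
    the key data, and a MIC under the KCK. The fixed header fields are constructed constants."""
    body = bytes([2])                                   # descriptor type: RSN
    body += (0x010A).to_bytes(2, "big")                 # key info: version 2, pairwise, MIC present
    body += (16).to_bytes(2, "big")                     # key length: 16-byte CCMP TK
    body += (1).to_bytes(8, "big")                      # replay counter
    body += snonce + bytes(16) + bytes(8) + bytes(8)    # key nonce, key IV, key RSC, reserved
    body += bytes(16)                                   # key MIC, zero while computing
    body += len(key_data).to_bytes(2, "big") + key_data
    frame = bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL v2, type 3 = EAPOL-Key
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def verify_eapol_key(kck: bytes, frame: bytes) -> bool:
    """Authenticator side on Message 2 (and supplicant on Message 3): recompute and compare."""
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], eapol_key_mic(kck, frame))


def demo():
    pmk = pmk_from_psk("password", b"IEEE")
    aa = bytes.fromhex("001122334455")                        # constructed authenticator address
    spa = bytes.fromhex("66778899aabb")                       # constructed supplicant address
    anonce = hashlib.sha256(b"constructed ANonce").digest()   # constructed 256-bit nonces
    snonce = hashlib.sha256(b"constructed SNonce").digest()
    supplicant = derive_ptk(pmk, aa, spa, anonce, snonce)     # after receiving Message 1
    authenticator = derive_ptk(pmk, spa, aa, snonce, anonce)  # after Message 2, other argument order
    rsn_ie = bytes.fromhex("30140100000fac040100000fac040100000fac020000")   # constructed RSN IE
    msg2 = build_message2(supplicant["KCK"], snonce, rsn_ie)
    wrong = derive_ptk(pmk_from_psk("passw0rd", b"IEEE"), aa, spa, anonce, snonce)["KCK"]
    return (supplicant == authenticator,
            verify_eapol_key(authenticator["KCK"], msg2),
            verify_eapol_key(wrong, msg2))
```

`pmk_from_psk("password", b"IEEE")` yields the Annex H value `f42c6fc5 2df0ebef 9ebb4b90 b38a5f90 2e83fe1b 135a70e2 3aed762e 9710a12e`, and `demo()` returns `(True, True, False)`: both sides derive the same PTK from the nonces regardless of argument order, the MIC verifies under the right KCK, and a PMK from a different passphrase does not. This is also why the PSK has to be strong: everything in Message 1 and 2 other than the PMK is sent in clear, so the MIC is an offline check on any passphrase guess.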
Group key hierarchy (figure)
GTK = PRF-X(GMK, "Group key expansion", AA || GNonce)
Group Temporal Key (GTK): 256 bits for TKIP (L(GTK 0–255)), 128 bits for CCMP (L(GTK 0–127))
AA = Authenticator Address; GNonce = Group's Nonce
• The group key hierarchy uses a pseudorandom function to expand the GMK to a 128-bit or a
256-bit group temporal key (GTK). TKIP uses 256 bits and CCMP uses 128 bits. The GTK is
partitioned into temporal keys to protect broadcast/multicast communication. The temporal key
could have a length of 40, 104, 128, or 256 bits. GTKs are used between a single authenticator
and all supplicants authenticated by that authenticator.

Securing WLAN
• Use Wireless Security Switches
• Use Strong Encryption
• Turn Off SSID Broadcasting
• Change the Default Administrative Password and SSID
• Turn Off the System
• Use MAC Filtering
• Control the Wireless Signal Output
• Use VPN
• Use WLAN Audits
• Use Wireless Security Switches
• Intelligent wireless access points manage security and authentication locally, and each one needs to be managed keeping in
mind the potential for security holes. It is not that complicated for small or medium business IT managers to set up three
to ten access points. However, when companies install, for example, 50 access points, IT managers need centralized AP-management tools.
• Use Strong Encryption
• Purchase WLAN equipment that supports the IEEE 802.11i Enterprise mode with AES encryption (CCMP). Equipment that supports
this mode is labeled WPA2.
• Turn Off SSID Broadcasting
• The Service Set Identifier is an identifier of up to 32 octets, carried in management frames, that distinguishes one WLAN from
another. A station will not be permitted to associate with the access point unless it provides the correct SSID. The problem is
that, by default, most WAPs broadcast the SSID, making it easy for users to find the network, as it shows up on their wireless
clients. If the SSID is not broadcast, users have to find out the SSID to be able to connect, so the SSID becomes
a type of password. Because an SSID can be sniffed in plaintext from a packet (clients still send it in probe and association
requests), it does not supply any security to the network.
Turning off SSID broadcasting will not deter a serious attacker, but it will deter casual users who try to piggyback on a network.
• Change the default Administrative Password and SSID
• Manufacturers use the same SSID name for all wireless equipment. Therefore, the first things that should be changed are the
administrative password and the SSID name. Select a password and name that are difficult to guess.
• Turn Off the System
• Several security advisors emphasize that, to improve security, you should simply turn off the computer when it is not in use. The same applies to
a wireless network. If possible, turn off the access point or wireless switch when it is not in use, e.g., at night or during the weekend
when there is no need for anyone to connect to the network.
• Use MAC Filtering
• In some access points, it is possible to use media access control (MAC) address filtering, that is, to set up a list
of client MAC addresses that are allowed to use the access point. An attacker can spoof a MAC address, since client addresses
are visible in the clear in every frame, but the filter still provides some access control against the casual piggybacker.
• Control the Wireless Signal Output
• Manufacturers sell special high-gain antennas to extend the range of an access point. A typical 802.11b/g WAP has a range of
300 feet and now, 802.11n MIMO technology, may double or triple that range. However, extending the range of an access point
exposes the wireless networks to hackers. If possible, use a directional antenna instead of an omnidirectional, and adjust the
signal strength to reduce the range.
• Use VPN
• Use a VPN to provide end-to-end security instead of securing only the air portion of the wireless connection. Connecting to the
corporate network using VPN ensures that the session between the PC and the server is encrypted.
• Use WLAN Audits
• Unauthorized rogue access points can present a significant security threat if they do not comply with enterprise security
policies. Use a tool such as NetStumbler to find out whether there are rogue access points connected to the network.

Bluetooth
• Conceived as a low-cost, low-profile, low-power, short-range radio technology; an open standard.
• Designed to create small wireless networks for interconnecting devices such as wireless headsets, printers, keyboards, and mice.
• Used to enhance wireless connectivity by connecting almost any device to any other device.
• Works as an ad-hoc network, typically created on a temporary and random basis.
• Consists of up to eight Bluetooth devices in a network, called a piconet, working in a master-slave relationship, with one device designated as master and the rest as slaves.
• Employs a dynamic topology in which the master controls and reconfigures the changing network topologies.
• Creates a chain of piconets, referred to as a scatternet, in which a slave from one piconet acts as the master of another piconet.
• Bluetooth™ is an open standard conceived as a low-cost, low-profile, low-power, short-range
radio technology. It was designed to create small wireless networks to replace cables for
interconnecting devices such as wireless headsets, printers, and keyboards. Bluetooth can be used
to enhance wireless connectivity by connecting almost any device to any other device; it could
ultimately eliminate wires and cables between both stationary and mobile devices and between
• Bluetooth networks are ad hoc networks. According to the Bluetooth Specification, an ad hoc
network is a network typically created in a spontaneous manner. An ad hoc network requires no
formal infrastructure and is limited in temporal and spatial extent. Devices in an ad hoc network
move in an unpredictable fashion; they are configured on the fly and maintain a random, dynamic
network topology. They also control the network configuration, maintain and share resources,
and rely on a master-slave system. When combined with other technologies, ad hoc networks can
have access to a network or to the Internet. An example would be a computer using a mobile
phone to access the Internet.
• Bluetooth ad hoc networks are established on a temporary and random basis. A Bluetooth
network, called a piconet, consists of up to eight Bluetooth devices; it sets up a master-slave
relationship with one device designated as master and the rest as slaves. Although only one
device may perform as the master for each network, a slave in one network can act as the master
for other networks, thus creating a chain of piconets referred to as a scatternet.
• In a Bluetooth network, the master of the piconet controls the changing network topologies. It
also controls the flow of data between devices that are capable of supporting direct links to each
other. As devices move about in an unpredictable fashion, these networks must be reconfigured
on the fly to handle the dynamic topology. The routing protocol that Bluetooth employs allows
the master to establish and maintain these shifting networks.

Bluetooth Frequency and Power Operation
• Bluetooth operates in the 2.4 GHz industrial, scientific, and medical (ISM) unlicensed spectrum.
• The system uses frequency-hopping spread spectrum (FHSS) transmission.
• Devices in a piconet use a specific hopping pattern of 79 frequencies in the ISM band that changes frequency about 1,600 times per second.
• The master device controls and sets up the network's pseudo-random frequency-hopping sequence, and the slaves synchronize to the master.
Power Class | Max Output Power | Min Output Power | Range
1 | 100 mW | 1 mW | Up to 300 feet
2 | 2.5 mW | 1 mW | Up to 30 feet
3 | 1 mW | N/A | Less than 30 feet

Bluetooth Security
• Provides confidentiality and authentication for peer-to-peer communications over short distances.
• Four variables are used for security:
— Bluetooth device address
— Two secret keys
— A pseudo-random number that is regenerated for each new transaction.
Variable | Bit Length
Bluetooth device address | 48 bits
Private user key (link key), authentication | 128 bits
Private user key, encryption | configurable length (byte-wise), 8–128 bits
Random number | 128 bits
• Bluetooth provides confidentiality and authentication for peer-to-peer communications over short
distances. There are four variables used for security: a Bluetooth device address, two secret keys,
and a pseudorandom number that is regenerated for each new transaction. The four variables and
their bit lengths are shown above.
• For authentication, the private user key, also referred to as the link key, is derived during
initialization, and the private user key for encryption is derived during the authentication process.
The random numbers are generated from a pseudorandom number generator and are non-repeating.
Even though the authentication key is used to generate the encryption key, the two are
different. Every time encryption is activated, a new encryption key is generated. The size of the
encryption key is configurable, 8–128 bits, to conform to export regulations and the policies of
various countries about privacy. The authentication key is more static, so the particular
application running in the device decides when to change the key.

Bluetooth Key Generation (figure)
Bluetooth Device 1 and Bluetooth Device 2 each compute Kinit = E2 (Mode 2) from BD_ADDR, PIN and IN_RAND.
Each device computes its unit key with E2 (Mode 1) from its own BD_ADDR and its own random number RAND: KA, KB.
Each device sends its random number masked with Kinit: CA = RANDA ⊕ Kinit, CB = RANDB ⊕ Kinit.
Each device unmasks the peer's random number (RANDB = CB ⊕ Kinit, RANDA = CA ⊕ Kinit) and recomputes the peer's unit key with E2 (Mode 1).
Link key KAB = KA ⊕ KB. Encryption key KC = E3(KAB, EN_RAND, COF).
KAB = Link Key; KC = Encryption Key
• The first generated key is the link key, which must be generated and distributed among the devices during
the initialization phase. The initialization, as well as the secret link-key generation, are carried out for each
of the two devices that are using authentication and encryption. Several steps are carried out to generate
the link key. Those are explained below.
• Both Bluetooth devices create a 128-bit initialization key, Kinit, to be used for key exchange during
the generation of a link key. Kinit is generated using Key Generator E2, Mode 2, and by using as
inputs BD_ADDR (Bluetooth device address), a PIN code, the length of the PIN code, and an
initialization random number (IN_RAND). The BD_ADDR is the address of the device that receives
• Each Bluetooth device creates a 128-bit unit key, KA and KB, using Key Generator E2, Mode 2. for
each, its own BD_ADDR (Bluetooth Device Address), and a random number (RAND) are used as
• Each device enciphers its unit key as follows: $C_A = K_A \oplus K_{init}$ and $C_B = K_B \oplus K_{init}$.
• Then, the devices exchange the enciphered keys, CA and CB. After receiving the enciphered key, each
unit deciphers the other device’s unit key as follows:
$K_B = C_B \oplus K_{init}$ and $K_A = C_A \oplus K_{init}$
• The link key is $K_{AB} = K_A \oplus K_B$. If the devices have memory restrictions, then $K_{AB} = K_A$.
• Each device creates the ciphering key KC using Key Generator E3, with as inputs an encryption
random number (EN_RAND), the ciphering offset (COF), and the link key KAB calculated above.
• COF is determined in two ways. If the current link key is a master key, COF is derived from the master
address (COF = BD_ADDR || BD_ADDR). Otherwise, COF is equal to the Authenticated Ciphering
Offset (ACO), which is calculated during the authentication process. The master generates and
distributes EN_RAND to all slaves.

Wireless Security: Bluetooth Authentication

[Figure: Bluetooth authentication. Bluetooth Device 1 (Claimant) sends its 48-bit address (BD_ADDR); Bluetooth Device 2 (the verifier) sends the 128-bit Authentication Random Number (AU_RAND). Both run the E1 encryption algorithm with the 128-bit link key (Kab), obtaining a 32-bit SRES and a 96-bit Authentication Ciphering Offset (ACO); the verifier compares the claimant’s SRES with its own (Same?).]
• The two Bluetooth devices in the authentication process are referred to as the “verifier” and the
“claimant.” The claimant is the device trying to prove its identity by knowledge of a secret key,
the link key, and the verifier is the device that challenges the claimant to authenticate a random
input in a challenge-response scheme. The verifier is not required to be the master.
• The authentication function E1 uses the encryption function SAFER+ (Massey et al, 1998).
The algorithm is an enhanced version of an existing 64-bit block cipher, SAFER-SK 128.
• The following describes the Bluetooth authentication process:
1. The claimant transmits its 48-bit address (BD_ADDR) to the verifier.
2. The verifier transmits a 128-bit random challenge (AU_RAND) to the claimant.
3. The claimant uses the E1 encryption algorithm to encipher BD_ADDR and AU_RAND,
using the link key, Kab, as the key. The verifier carries out the same encryption operation.
4. The claimant returns part of the encryption result, SRES, to the verifier.
5. The verifier compares the SRES from the claimant with its own generated SRES.
6. If both SRESs are the same, then the verifier allows the connection.
• The ACO is used as a ciphering offset (COF) to generate the encrypting key Kc. See previous
section, “Key Generation.”

Wireless Security: Bluetooth Encryption

[Figure: Bluetooth encryption. On Bluetooth Device A (Master), the link key, COF and EN_RANDA from a Random Number Generator (RNG) enter Key Generator Function (E3) to produce the 128-bit encryption key KC, which passes through the Key Reduction Function; KC, BD_ADDRA, ClockA and the 6-bit constant 111001 drive E0 Encryption, whose keystream is XORed with the packet plaintext. Bluetooth Device B (Slave) performs the same E3 and key reduction steps. Legend: Master Real-Time Clock (26 bits), Encryption Random Number (128 bits), Bluetooth Device A (Master) Address (48 bits), Encryption Key (128 bits), constant (6 bits).]
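The link-key derivation and challenge-response authentication of the two sections above, carried through to the E3 step that yields KC, as an added example that is not the lecture's or the Bluetooth SIG's code. The SAFER+-based functions E1, E2 and E3 are replaced by an HMAC-SHA256 stand-in truncated to 128 bits (an assumption made so the block runs stand-alone); the message flow, the XOR masking with Kinit, the 32/96-bit SRES/ACO split and COF = ACO follow the page.

```python
import hmac, hashlib, secrets

def E(label, key, *parts):
    # Stand-in for E1/E2/E3 (assumption, not SAFER+): keyed hash truncated to 128 bits
    return hmac.new(key, label + b"".join(parts), hashlib.sha256).digest()[:16]
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def init_key(pin, in_rand, bd_addr):
    # Kinit = E2 mode 2 over BD_ADDR, PIN, PIN length and IN_RAND
    return E(b"E2m2", in_rand, pin, bytes([len(pin)]), bd_addr)
def unit_key(bd_addr, rand):
    # Unit key KA or KB = E2 over the device's own BD_ADDR and RAND
    return E(b"E2", rand, bd_addr)

def link_key_exchange(pin, addr_a, addr_b):
    in_rand = secrets.token_bytes(16)              # IN_RAND, exchanged in the clear
    k_init = init_key(pin, in_rand, addr_b)        # both units derive the same Kinit
    k_a = unit_key(addr_a, secrets.token_bytes(16))
    k_b = unit_key(addr_b, secrets.token_bytes(16))
    c_a, c_b = xor(k_a, k_init), xor(k_b, k_init)  # CA and CB are what crosses the air
    # Each unit strips Kinit from the peer's value and forms KAB = KA xor KB;
    # the secrecy of KAB therefore rests entirely on Kinit, i.e. on the PIN.
    k_ab_at_a = xor(k_a, xor(c_b, k_init))
    k_ab_at_b = xor(xor(c_a, k_init), k_b)
    return k_ab_at_a, k_ab_at_b

def e1(link_key, claimant_addr, au_rand):
    # E1 output (128 bits) split into the 32-bit SRES and the 96-bit ACO
    out = E(b"E1", link_key, au_rand, claimant_addr)
    return out[:4], out[4:]

def authenticate(claimant_key, verifier_key, claimant_addr):
    au_rand = secrets.token_bytes(16)                      # step 2: verifier's challenge
    sres, _ = e1(claimant_key, claimant_addr, au_rand)     # steps 3-4: claimant replies SRES
    expected, aco = e1(verifier_key, claimant_addr, au_rand)
    if not hmac.compare_digest(sres, expected):            # steps 5-6: verifier compares
        return False, None
    return True, aco                                       # ACO becomes the COF

def encryption_key(link_key, cof, en_rand):
    # KC = E3 over EN_RAND, COF and the link key KAB
    return E(b"E3", link_key, en_rand, cof)

def pairing_session(pin, addr_a, addr_b):
    # Whole flow: link key, authentication, then KC derived identically on both units
    k_ab_a, k_ab_b = link_key_exchange(pin, addr_a, addr_b)
    ok, aco = authenticate(k_ab_a, k_ab_b, addr_a)
    en_rand = secrets.token_bytes(16)   # the master generates EN_RAND for all slaves
    return ok and encryption_key(k_ab_a, aco, en_rand) == encryption_key(k_ab_b, aco, en_rand)
```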
• In Bluetooth, user information can be protected by enciphering the packets’ payload exchanged
between the two devices, using an encryption algorithm called E0. The access code and the
packet header are not encrypted.
• There are three possible modes of confidentiality:
• No encryption is performed on broadcast or point-to-point traffic.
• Point-to-Point only encryption.
• Point-to-point and broadcast encryption. All messages are encrypted.
• The effective length of the encryption key may vary between 8 and 128 bits. Note that the
actual key length, KC, as obtained from E3, is 128 bits. Then, the key length may be reduced to
the required length; after reduction, the result is expanded again to 128 bits in order to
distribute the starting states more uniformly. The resulting encryption key is called K’C.
• The initial inputs to the encryption algorithm E0 are the following: the encryption key, K’C; the
48-bit address (BD_ADDR); the 26 bits of the master real-time clock, CLK26-1; and the 6-bit constant
111001, for a total of 208 bits. Because CLK26-1 changes with each packet, the encryption engine is
reinitialized for every packet even though the other inputs remain the same. A single-bit change in
any of the inputs produces an independent key stream, thus achieving orthogonality.

Wireless Security: Bluetooth Encryption Engine
[Figure: E0 combiner logic. LFSR1 to LFSR4, loaded with their initial values, output x1t, x2t, x3t and x4t; their XOR with c0t gives the 1-bit encryption stream zt. The 3-bit sum yt of the four outputs plus the 2-bit ct is divided by 2 to give the 2-bit st+1, which is XORed with T1[ct] and, through a Z-1 delay, T2[ct-1] to give ct+1.]
• The E0 Bluetooth crypto engine consists of four linear feedback shift registers of lengths L1 = 25,
L2 = 31, L3 = 33, and L4 = 39, with feedback taps at positions 25, 20, 12, 8 and 0 for L1; 31, 24, 16, 12
and 0 for L2; 33, 28, 24, 4 and 0 for L3; and 39, 36, 28, 4 and 0 for L4. The output of the LFSRs is taken
from positions 24, 24, 32, and 32 for L1, L2, L3, and L4 respectively. The crypto engine uses the XOR
function to mix the output of the LFSRs, and integer additions and table mappings to blend the carry bits.
• The output of the encryption stream is obtained from the following equations, where $y_t$ is the integer sum $x^1_t + x^2_t + x^3_t + x^4_t$ of the four LFSR output bits and $c_t = (c^1_t, c^0_t)$ is the 2-bit blend register:
$$z_t = x^1_t \oplus x^2_t \oplus x^3_t \oplus x^4_t \oplus c^0_t$$
$$s_{t+1} = (s^1_{t+1}, s^0_{t+1}) = \left\lfloor \frac{y_t + c_t}{2} \right\rfloor$$
$$c_{t+1} = (c^1_{t+1}, c^0_{t+1}) = s_{t+1} \oplus T_1[c_t] \oplus T_2[c_{t-1}]$$
Table 14-5 LFSRs Information

LFSR  Length  Numbers (2^Length - 1)  Prime Factorization        Feedback Taps       Output Stage
1     25      3.35 x 10^7             31 • 601 • 1,801           0, 8, 12, 20, 25    24
2     31      2.4 x 10^9              2,147,483,647              0, 12, 16, 24, 31   24
3     33      8.58 x 10^9             7 • 23 • 89 • 599,479      0, 4, 24, 28, 33    32
4     39      5.49 x 10^11            7 • 8,191 • 79 • 121,369   0, 4, 28, 36, 39    32

Wireless Security: Bluetooth Encryption Engine Initialization
[Figure: E0 encryption engine initialization. The four LFSRs (taps 8, 12, 20, 25; 12, 16, 24, 31; 4, 24, 28, 33; 4, 28, 36, 39) are loaded with octets of K’C, the address ADR and the clock CL plus the constant bits 001 and 111, producing the outputs X1t to X4t. ADR[n], CL[n] and K’C[n] have 8 bits; CLn has 1 bit; CLu = CL7 CL6 CL5 CL4 (4 bits); CLL = CL3 CL2 CL1 CL0 (4 bits).]
• The crypto engine’s initialization process is as follows:
• Open all feedback switches on the shift register, so there is no feedback when loading the
inputs; set the content of all shift registers elements to zero.
• Arrange input bits from K’C, the device address, the clock, and the 6-bit constant 111001
according to a specific pattern. The pattern, as shown above, uses the notation X[n], where
n is the octet number of the input X, and the clock signal CLK1 corresponds to CL0.
Therefore, 49 bits are loaded in L1, 55 bits in L2, 49 bits in L3, and 55 bits in L4. Since 55
bits are loaded in L2 and L4, there are a total of 55 clocks in the initialization.
• Reset both blend registers, $c_{39} = c_{39-1} = 0$, when the switch of LFSR4 is closed at t = 39.

Wireless Security: Bluetooth Encryption Engine Run-up
[Figure: E0 encryption engine run-up. The last generated stream bits Z are loaded back into the four LFSRs (taps 8, 12, 20, 25; 12, 16, 24, 31; 4, 24, 28, 33; 4, 28, 36, 39) to give the outputs X1t to X4t.]
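The LFSR and combiner description above, together with the run-up and payload XOR described below, as an added model that is not the lecture's code and not a conformant E0. Register lengths, taps, output stages and the combiner equations follow Table 14-5 and the equations above; the register bit ordering, the T1/T2 tables, the stand-in initial states (the 208-bit loading pattern is not modelled) and a run-up that discards rather than reloads the 200 bits are this example's assumptions, so its keystream is not bit-compatible with real E0.

```python
LFSRS = [  # (length, feedback taps, output stage) from Table 14-5; the top tap is implicit
    (25, (0, 8, 12, 20), 24),
    (31, (0, 12, 16, 24), 24),
    (33, (0, 4, 24, 28), 32),
    (39, (0, 4, 28, 36), 32),
]
T1 = (0, 1, 2, 3)   # assumed 2-bit tables: T1 identity,
T2 = (0, 3, 1, 2)   # T2 maps (x1, x0) -> (x0, x1 ^ x0)

class E0:
    def __init__(self, states):
        # states: four nonzero register contents standing in for the 208-bit
        # loading of K'C, BD_ADDR, CLK26-1 and 111001 (loading pattern not modelled)
        self.regs = [s & ((1 << n) - 1) for s, (n, _, _) in zip(states, LFSRS)]
        self.c_t = self.c_prev = 0            # blend registers c_t and c_{t-1}

    def _clock(self, i):
        n, taps, out = LFSRS[i]
        r = self.regs[i]
        fb = 0
        for tap in taps:                      # feedback bit = XOR of the tapped stages
            fb ^= (r >> tap) & 1
        self.regs[i] = (r >> 1) | (fb << (n - 1))   # assumed shift direction
        return (r >> out) & 1                 # x^i_t read from the output stage

    def next_bit(self):
        x = [self._clock(i) for i in range(4)]
        y_t = sum(x)                                        # integer sum, 0..4
        z_t = x[0] ^ x[1] ^ x[2] ^ x[3] ^ (self.c_t & 1)    # c^0_t = low bit of c_t
        s_next = (y_t + self.c_t) >> 1                      # floor((y_t + c_t) / 2)
        c_next = s_next ^ T1[self.c_t] ^ T2[self.c_prev]    # c_{t+1}
        self.c_prev, self.c_t = self.c_t, c_next & 3
        return z_t

    def run_up(self, clocks=200):
        # Simplified run-up: clock 200 times and discard the output (the page
        # reloads the last 128 of those bits per Figure 14-20; not reproduced here)
        for _ in range(clocks):
            self.next_bit()
        return self

    def keystream(self, nbits):
        return [self.next_bit() for _ in range(nbits)]

def crypt(states, data):
    # Encrypt or decrypt a payload: keystream bits from the run-up on, XORed bitwise
    e0 = E0(states).run_up()
    return bytes(b ^ int("".join(map(str, e0.keystream(8))), 2) for b in data)
```

Running `crypt` twice with the same constructed states round-trips the payload, and flipping one bit of any initial register yields an unrelated keystream, which is the orthogonality property claimed for the per-packet reinitialization.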
• After the key generator initialization process ends, run up the crypto engine to mix the
initialized state as follows:
• Keep the blend registers and use the carry bit $c_t$.
• Clock the LFSRs 200 more times with all switches closed (t = 239).
• Collect the 200 stream cipher bits that were created.
• Load the last 128 of the 200 generated bits into the LFSRs according to Figure 14-20 at t = 240.
• From this point on, when clocked, the crypto engine produces a keystream sequence that is
bitwise XORed with the transmitted payload data to create the ciphertext. At
the receiving end, the same sequence is XORed with the ciphertext to decipher the payload.
• The first bit to use is the one produced at t = 240. The crypto engine runs for the entire length
of the current payload. Then, before the reverse direction (the payload from the slave) is started,
the entire initialization process is repeated with updated values of the input parameters.

Wireless Security: Bluetooth Profiles
• A Bluetooth device must be able to interpret certain Bluetooth profiles.
• Bluetooth profiles are general behaviors through which Bluetooth enabled devices communicate with other devices.
• For example, the Headset Profile (HSP) describes how a Bluetooth enabled headset should communicate with a computer or other Bluetooth enabled device such as a mobile phone.
• http://bluetooth.com/Bluetooth/Technology/Works/Profil
Wireless Security: To Probe Further
• Bluetooth Special Interest Group (SIG) (2004). “Specification of the Bluetooth System V2.” Retrieved December 19, 2005, from https://www.bluetooth.org/spec/
• Dworkin, M. (December 2001). Recommendation for Block Cipher Modes of Operation: Methods and Techniques. NIST Special Publication 800-38A. Natl. Inst. Stand. Technol. Retrieved December 19, 2005, from http://csrc.nist.gov/publications/nistpubs/800-38a/sp800-38a.pdf
• Dworkin, M. (May 2005). Recommendation for Block Cipher Modes of Operation: The CMAC Mode for Authentication. NIST Special Publication 800-38B. Natl. Inst. Stand. Technol. Retrieved December 21, 2005, from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf
• Dworkin, M. (May 2004). Recommendation for Block Cipher Modes of Operation: The CCM Mode for Authentication and Confidentiality. NIST Special Publication 800-38C. Natl. Inst. Stand. Technol. Retrieved December 21, 2005, from http://csrc.nist.gov/publications/nistpubs/800-38C/SP800-38C.pdf
• Fluhrer, S., Mantin, I., and Shamir, A. (2001). Weaknesses in the Key Scheduling Algorithm of RC4. 8th Annual Workshop on Selected Areas in Cryptography, August 2001.
• IEEE Std 802.16e – 2005, “Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems.”
• IEEE Std 802.11i – 2004, “Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements.”
• Karygiannis, T., and Owens, L. (2002). Wireless Network Security: 802.11, Bluetooth and Handheld Devices. NIST Special Publication 800-48. Downloaded November 15, 2004, from http://csrc.nist.gov/publications/nistpubs/80048/NIST_SP_800-48.pdf
• Shinder, D. (2005). 10 Ways to Wireless Security. Tech Republic. Retrieved October 10, 2005, from http://insight.zdnet.co.uk
• Wi-Fi Security – Addressing Concerns. Hewlett Packard. Downloaded October 10, 2003, from http://h50012.www5.hp.com/createuse/learning/ITguide_planning.asp
• IEEE Std 802.15.1 – 2005, “Part 15.1: Wireless medium access control (MAC) and physical layer (PHY) specifications for wireless personal area networks (WPANs).”
- Spring '10
- Cryptography, Wi-Fi, IEEE 802.11, WiMAX, M. Mogollon