Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

The nuts and bolts of 802.11i wireless LAN security

WEP wasn't good enough, but 802.11i does the job

Article comments

The IEEE's initial attempt at wireless LAN security was Wired Equivalent Privacy. This turned out to be a quite unfortunate moniker, as WEP was quickly shown to provide very little of the privacy it advertised.

802.11i improves on WEP by using completely new encryption algorithms and key-derivation techniques. This wireless security standard, finalized in 2004, makes it possible to safeguard over-the-air communications at Layer 2.

A key called the Pairwise Master Key (PMK) is established between the wireless station and the access point. This key is typically generated using 802.1X, which is authentication of the user to a RADIUS or other authentication server using Extensible Authentication Protocol. Both the station and RADIUS server derive identical keys, and the RADIUS server returns that key to the access point.

Next, the station and access point exchange a sequence of four messages, called the "four-way handshake." In this exchange, the PMK and freshly generated random values from both station and access point are used to derive a new key, called the Pairwise Transient Key. This key is subdivided into several keys: one to sign four-way handshake messages; one to secure data packets transmitted between station and access point; and one to encrypt a "group key" to the station during the four-way handshake. The group key lets the access point broadcast one multicast packet to all stations, rather than send a separately encrypted packet to each station.

During the four-way handshake, the station and access point negotiate the type of encryption to be used for the data connection. Two encryption ciphers are negotiated: The pairwise cipher is used for unicast data between station and access point, and the group cipher is used for broadcast/multicast traffic from the access point to multiple stations.

Why AES is best
While any encryption cipher may be negotiated, the cipher of choice for 802.11i is Advanced Encryption Standard (AES), with a 128-bit key, in Counter with CBC-MAC (CCM) mode. AES is the US federal government standard for encryption. CCM is a very well designed mode of operation and recently has been approved as Federal Information Processing Standard-compliant.

In an 802.11i-only environment, AES normally will be used both as the pairwise and group cipher. In a mixed environment, access points typically will use a lowest-common-denominator cipher as the group cipher, such as WEP or Temporal Key Integrity Protocol, to let both 802.11i and pre-802.11i stations decrypt multicast traffic.

Speeding roaming up
802.11i also speeds roaming from one access point to the next. Previously, it was necessary for the station to perform a complete 802.1X authentication each time it associated with a new access point. With 802.11i, when the station returns to an access point it already authenticated with, it can reuse the PMK established with that access point to omit 802.1X authentication and perform only the four-way handshake. This greatly speeds up transitions between access points. Additionally, the station may pre-authenticate to a new access point it intends to roam to, while still associated with the current access point; this lets the station only perform a four-way handshake once it roams.

Another fast-roaming technique made possible by 802.11i is informally called Opportunistic Key Caching (also Proactive Key Caching). If multiple access points can share PMKs among themselves, it is possible for the station to roam to a new access point it hasn't visited before and re-use a PMK established with the previous access point; this lets the station quickly roam to access points it never authenticated to, without even having to perform pre-authentication.

To deploy 802.11i, you'll need the following three hardware/software elements, each of which must support that standard:

  • The "supplicant," a piece of software that sits on the hardware device you want to authenticate, performs high-level functions such as 802.1X and the four-way handshake.

  • The wireless card/driver, which performs data encryption and communicates over the air with the access point.

  • The access point, which provides the gateway to the network.

Funk is president of Funk Software. This article originally appeared in Network World.


More from Techworld

More relevant IT news


Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *