IEEE 802.11 Robust Security Network (RSN)
Agenda
- Preliminaries
- General features
- Security associations
- Authentication
- Key management
- Attacks
- 802.11w (PMF)
- WPA3
- OWE
- MAC randomization
Introduction
- The initial IEEE 802.11 standard (1999-2004) provided:
- Two authentication methods: Open System and Shared Key.
- WEP for confidentiality.
- CRC-32 ICV appended to the plaintext prior to WEP's RC4 encryption, intended for message integrity.
- Due to WEP's weaknesses, a more robust solution was developed.
- In October 2002, the Wi-Fi Alliance announced WPA as an interim standard while IEEE 802.11i (later WPA2) was still in development.
- WPA was a subset of 802.11i, addressing WEP's vulnerabilities by introducing TKIP and 802.1X authentication.
- Deployed in April 2003, before 802.11i was ratified, as some components of the final standard were not yet finalized.
- WPA was superseded by WPA2.
- During WPA development, TKIP/Michael protocol and key management were completed. AES support and secure de-authentication/disassociation procedures were still under development.
- IEEE 802.11i was ratified in June 2004.
- 802.11i superseded WEP.
- The Wi-Fi Alliance announced WPA2 shortly after, fully compliant with 802.11i.
- WPA2 is a device certification standard confirming compatibility with 802.11i.
- WPA2-certified devices support all mandatory security features of 802.11i.
- WPA2 and WPA3 offer authentication services for:
- Enterprise environments via IEEE 802.1X.
- Personal use via pre-shared (WPA2) or dynamically generated (WPA3) pre-shared keys (PSK).
- WPA3 is based on IEEE 802.11-2016 and 802.11-2020 standards. Since July 1, 2020, all newly released Wi-Fi Alliance certified devices must support WPA3.
- The 802.11i standard defines a Robust Security Network Association (RSNA).
- Robust Security Network (RSN) definition:
- A network that allows only the creation of RSNAs.
- Identified by the indication in the RSN Element (RSNE) of beacon frames that the specified group cipher suite is not WEP.
- In Enterprise RSNs, IEEE 802.1X provides authentication through controlled port access, with 802.11 and 802.1X managing encryption keys together. PSKs are used for authentication and key management in Personal RSNs.
- 802.11i Enhanced Security Features:
- Improved authentication mechanisms.
- Key management algorithms.
- Session key agreement methods for confidentiality and integrity.
- Improved encapsulation mechanism CCMP.
- Optionally TKIP (discouraged due to security concerns).
- 802.11ad-2012 amendment added GCMP, and 802.11ac-2013 extended GCMP by adding support for 256-bit keys.
- AES-GCM uses counter mode for encryption, with the resulting ciphertext authenticated using the GHASH function (NIST Special Publication 800-38D).
- CCMP and GCMP are secure if no IV is repeated for the same key.
- 802.11i Enterprise relies on elements external to the IEEE 802.11 architecture, like the IEEE 802.1X framework, with the Authentication Server (AS) as its core entity.
- RSNA uses the 802.1X port concept to control network access.
- Each port in 802.1X has a controlled port and an uncontrolled port.
- Information transmission is possible in the controlled port only after 802.1X authentication through the uncontrolled port.
- All data flow occurs through the controlled port after authentication.
- The most significant security features of 802.11 after the addition of 802.11i are summarized next.
- In an IBSS configuration, each STA enforces the security policy. In an infrastructure BSS, this responsibility is transferred to the APs.
- Authentication Methods Defined by 802.11i:
- Open System (link authentication for WPA, WPA2, WPA3 quick reconnection only).
- Shared Key (link authentication - WEP only).
- RSNA (access authentication).
- RSNA is based on the 802.1X framework or pre-shared keys (PSK). The Simultaneous Authentication of Equals (SAE) method was added in 802.11-2016.
- 802.1X uses the Extensible Authentication Protocol (EAP) to mutually authenticate STAs and AS (see RFC 3748).
- Link Authentication:
- Purpose: Establishes a basic connection between a STA and an AP, verifying that the STA is authorized to communicate with the AP at a fundamental level; the initial handshake.
- Mechanism:
- Open System and Shared Key authentication methods were historically used for link authentication. Open System is essentially a null authentication and is used for quick reconnections in modern WPA, WPA2, WPA3 networks.
- Shared Key authentication (WEP only) involved exchanging a shared secret key, which was flawed.
- Scope: Occurs at Layer 2 of the OSI model, establishing the basic wireless link but not granting access to the network resources.
- Access Authentication:
- Purpose: Verifies the identity of the user or device and grants or denies access to the network resources, ensuring the entity is authorized to use the network.
- Mechanism:
- RSNA is the primary method for access authentication in 802.11i.
- 802.1X/EAP: Complex authentication process using an AS to verify credentials.
- PSK (Pre-Shared Key): Uses a shared passphrase for authentication.
- SAE is used within WPA3.
- Scope: Occurs at a higher level than link authentication (Layer 3 or higher). Link authentication establishes the connection, and access authentication grants network access.
- Confidentiality: RSN supports various encryption algorithms:
- WEP, TKIP, CCMP, GCMP. WEP and TKIP use RC4, while CCMP and GCMP are based on AES.
- The default confidentiality state is the transmission of data in plaintext.
- Key Management: Essential for improved authentication, confidentiality, and replay protection.
- Keys are generated independently at the involved network elements through a 4-way handshake, group key, and other key establishment protocols.
- Data origin authenticity: Ensures that the MPDUs received by a device originate from the authentic sender, preventing masquerading attacks. Provided by GCMP, CCMP, and TKIP protocols.
- Protection against security-downgrade attacks: RSN protocols cryptographically secure the security parameter negotiation processes.
- In RSN, knowledge of the Pairwise Master Key (PMK) by the two parties (STA & AP) is insufficient. Additional actions are required before the port opens.
- Personal mode:
- Pre-shared keys (PSKs) are used. No higher-level authentication method is performed, as the PMK (generated from the PSK) is known to the STA and AP. The PSK is generated from the passphrase.
- SAE: A password-based authentication and key establishment protocol initially introduced in IEEE 802.11s-2011 for mesh networks. With SAE, the passphrase is not exposed, and it is nearly infeasible to find the passphrase through brute-force dictionary attacks.
- 802.1X & EAP (Enterprise):
- 802.1X enables port-based authentication services.
- It defines a general framework that supports many existing and new EAP methods. The recommended method for authenticating the AS to the STAs is through digital certificates, using methods such as EAP-TLS.
- STA authentication can also be based on digital certificates or different credentials, using methods such as EAP-AKA, EAP-PEAP, EAP-OTP, and others.
- In 802.1X, the AS authenticates the STAs and sends the generated key (PMK) to the AP through a secure external channel.
- The STA calculates the same key during authentication.
- The creation and transmission of the PMK are completed with an EAP-success message.
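The RSN definition above rests on what the RSNE advertises: a network is an RSN only if its group cipher suite is not WEP. The following parser is an added example, not part of the original slides. It reads an RSNE as far as the AKM list and applies that criterion; the suite type numbers are the standard IEEE 802.11 assignments, and the sample elements are constructed for illustration.

```python
import struct

RSN_OUI = bytes.fromhex("000fac")  # IEEE OUI used by standard suite selectors
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
           8: "GCMP-128", 9: "GCMP-256"}
AKMS = {1: "802.1X", 2: "PSK", 8: "SAE"}
WEP = {"WEP-40", "WEP-104"}

# Constructed sample elements (not captured from a real network).
SAMPLE_CCMP = bytes.fromhex("30 14 0100 000fac04 0100 000fac04 0100 000fac02 0000")
SAMPLE_MIXED = bytes.fromhex("30 18 0100 000fac02 0200 000fac04 000fac02 0100 000fac02 0000")
SAMPLE_WEP_GROUP = bytes.fromhex("30 14 0100 000fac05 0100 000fac04 0100 000fac02 0000")

def _suite(raw, table):
    """Map a 4-byte suite selector (OUI + type) to a readable name."""
    if raw[:3] != RSN_OUI:
        return "vendor:" + raw.hex()
    return table.get(raw[3], "unknown:%d" % raw[3])

def _suite_list(body, off, table):
    """Read a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    if off + 4 * count > len(body):
        raise ValueError("truncated suite list")
    names = [_suite(body[off + 4 * i: off + 4 * i + 4], table) for i in range(count)]
    return names, off + 4 * count

def parse_rsne(element):
    """Parse one RSNE (element ID 48); this sketch requires fields through the AKM list."""
    if len(element) < 2 or element[0] != 48:
        raise ValueError("not an RSNE")
    body = element[2:2 + element[1]]
    if len(body) != element[1] or len(body) < 6:
        raise ValueError("truncated RSNE")
    (version,) = struct.unpack_from("<H", body, 0)
    group = _suite(body[2:6], CIPHERS)
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, off = _suite_list(body, off, AKMS)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms,
            "is_rsn": group not in WEP,  # RSN criterion: group cipher is not WEP
            "tkip_in_use": "TKIP" in [group] + pairwise}
```

In an audit of beacon captures, `is_rsn` being false or `tkip_in_use` being true marks an AP whose configuration still permits the legacy ciphers the slides discourage.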
RSNA
- 802.11i defines three operating modes within a BSS:
- Bidirectional (one-to-one communication between STAs and wired networks via APs).
- Unidirectional (one-to-many communication from an AP to STAs for secure groups, e.g., video streaming).
- Bidirectional direct communication between two STAs associated with the same AP (important for real-time applications).
- The three operating modes require the same authentication procedures between STA and AP.
- Depending on the communication type within an ESS, RSNA supports:
- Secure access for an STA to the DS via an AP.
- Unidirectional secure group communication from an AP to two or more STAs.
- Secure direct communication between two STAs.
- IEEE 802.11r-2008 defines Fast BSS Transition (aka Fast Transition or FT or fast roaming).
- Allows for STA fast roaming in 802.11 realms within the same Mobility Domain.
- Ensures that the STA does not need to re-authenticate to the AS or execute a full 802.1X/EAP exchange every time it roams from one AP to another.
- FT aims to reduce the length of time that connectivity is lost between a STA and the DS during a BSS transition.
- Sets up security and QoS parameters prior to reassociation to a new AP by pre-distributing security keys within the mobility domain, reducing or removing the need for full reauthentication with the AS.
- After a STA connects to the first AP on the network, the STA is "authorized" for every AP in the same Mobility Domain.
- The new AP becomes aware that this STA has already had its security context established within the Mobility Domain, meaning it does not need to repeat the full 802.1X/EAP exchange. Information from the original association, specifically the PMK-R1, is passed to the new AP to facilitate rapid key derivation.
- Support for 802.11r is advertised in AP beacon and probe response frames. It comes in two flavors: Over-the-Air FT Roaming (the STA communicates directly with the target AP) and Over-the-DS FT Roaming (the Distribution System is used to pre-distribute the PMK-R0/PMK-R1 keys to the target AP).
- Unlike the standard 4-way handshake, the FT handshake is started by the STA. The first 2 messages are an Authentication request/response pair containing the nonces used in the PMK-R1 derivation. Next, the STA and AP perform the FT 4-way handshake within the reassociation request and response frames, which derives the PTK and transfers the GTK to the STA. None of the messages contain a replay counter (Ctr); instead, the handshake relies on the 2 nonces for replay protection between different runs of the handshake. Only the reassociation request and response messages are integrity protected through a MIC.
- Many modern Wi-Fi access points and client devices support 802.11r, especially in enterprise-grade Wi-Fi networks where smooth transitions are essential for applications like voice over Wi-Fi (VoWi-Fi) and video conferencing. Consumer-grade routers and devices are also increasingly incorporating 802.11r support.
- 802.11r often works in conjunction with other Wi-Fi standards, such as 802.11k (Radio Resource Measurement) and 802.11v (Wireless Network Management), to further optimize roaming performance.
- RSNA defines several security associations (SAs) (not a complete list):
- PMKSA (pairwise master key SA)
- PTKSA (pairwise transient key SA)
- GTKSA (group transient key SA)
- STKSA (station-to-station link transient key SA - applies up to 802.11-2016)
- SMKSA (station-to-station link master key SA - required to create the STKSA, created after successful derivation of a station-to-station link master key - applies up to 802.11-2016)
- TPKSA (tunneled direct link setup (TDLS) PeerKey SA - RSNA for direct-link communication between two STAs - see #29 - applies from 802.11-2020 onward)
- IGTKSA (integrity group temporal key SA)*
- BIGTKSA (beacon integrity group temporal key SA)*
- PMK-R0 SA: A result of a successful FT initial mobility domain association - see #22
- PMK-R1 SA: A result of a successful FT initial mobility domain association or FT authentication sequence - see #22
- [*Data integrity and replay protection for (i) group addressed robust management frames after establishment of an IGTKSA, and (ii) beacon frames after establishment of a BIGTKSA]
- In 802.11, similar to the Internet Key Exchange (IKE) protocol, an SA defines the cryptographic parameters necessary for secure communication between devices. This encompasses agreed-upon algorithms (e.g., CCMP, GCMP), keying material, security policies (including key lifetimes and encryption modes), and protocols used for secure data exchange.
- Key Derivation:
- For the PMKSA, PTKSA, and TPKSA, SAs are established through key derivation methods. This process involves the independent computation of keys by the participating devices, based on shared secrets and standardized cryptographic algorithms.
- PMK is derived during the initial authentication phase (e.g., 802.1X/EAP), and the PTK is derived from the PMK during the 4-way handshake using the PMK as a seed.
- The TPK (TDLS PeerKey) for the TPKSA is derived during the TPK handshake between the TDLS initiator and responder STAs. This derivation uses exchanged keying material between the two STAs.
- Key Transport:
- For the GTKSA, IGTKSA, BIGTKSA, and SMKSA, the AP securely transmits the keys to the involved STAs over an already established secure channel.
- The GTK, IGTK, and BIGTK are group keys used for multicast and broadcast traffic, and the AP, as the central control point, manages their distribution. This key transport happens over a channel that has already been secured by the pairwise keying material.