802.11i secures the WLAN.


Wireless LAN has a checkered past. The initial attempt to provide privacy over the air using techniques native to 802.11 forced security-conscious users to turn to Layer 3 mechanisms, such as virtual private networks, to ensure the security of WLAN communications. Now, the 802.11i standard has been released, and over-the-air communications can finally be secured at Layer 2.

The IEEE's initial attempt at WLAN security was wired equivalent privacy (WEP), which was quickly shown to provide little of the privacy it advertised. In 802.11i, completely new techniques are used to secure communications.

First, a key called the pairwise master key (PMK) is established between the wireless station and the access point. This key is typically generated using 802.1X, that is, an EAP authentication of the user to a RADIUS or other authentication-authorization-accounting (AAA) server. Both the station and the AAA server derive identical key material from the EAP exchange, and the AAA server returns that key to the access point over the RADIUS connection, so the PMK is only as well protected in transit as that RADIUS link. Alternatively, a pre-shared key may be configured in both station and access point as the PMK.

Next, the station and access point exchange a message sequence called the four-way handshake. In this exchange, the PMK and fresh (random) nonces (numbers used only once) from both station and access point are used to derive a new key, called the pairwise transient key. Because the nonces change on every handshake, a new transient key results even when the same PMK is reused. This key is subdivided into several keys: one to authenticate (MIC) the four-way handshake messages, one to encrypt the group key during the four-way handshake and one for securing the data connection.
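The key establishment described above, written out as an added example (this is not code from the original article or from Funk Software). It maps a pre-shared passphrase to the PMK with PBKDF2 as the standard specifies, runs the 802.11i PRF to derive the pairwise transient key from the PMK, both MAC addresses and both nonces, splits it into the handshake MIC key (KCK), the group-key wrapping key (KEK) and the data key (TK), and computes and checks the MIC on a handshake message. The "password"/"IEEE" passphrase is the standard's published test vector; the MAC addresses, nonces and EAPOL-Key frame are constructed for illustration and the field offsets assume the 802.11i EAPOL-Key layout.

```python
"""PSK-to-PMK, PTK derivation and EAPOL-Key MIC check from IEEE 802.11i.

Added example, not code from the original article. All inputs except the
"password"/"IEEE" passphrase vector are constructed for illustration.
"""
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
# + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8) = 81.
MIC_OFFSET = 81


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """Pre-shared-key mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes, cipher: str = "CCMP") -> dict:
    """Four-way handshake key derivation.

    Both sides feed the PMK, the two MAC addresses (AA = access point,
    SPA = station) and the two fresh nonces into the PRF. The inputs are
    ordered with min()/max() so that the access point and the station compute
    the same PTK no matter which side's value is passed first.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    nbits = 384 if cipher == "CCMP" else 512  # TKIP additionally needs two Michael MIC keys
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    return {
        "KCK": ptk[0:16],       # key confirmation key: MICs the handshake messages
        "KEK": ptk[16:32],      # key encryption key: wraps the group key in message 3
        "TK": ptk[32:48],       # temporal key: protects the data connection
        "TKIP_MIC": ptk[48:],   # TKIP only: tx/rx Michael keys (empty for CCMP)
    }


def eapol_mic(kck: bytes, frame: bytes, version: int = 2) -> bytes:
    """Key MIC over the frame with the MIC field zeroed.

    Descriptor version 1 (TKIP) uses HMAC-MD5; version 2 (CCMP) uses
    HMAC-SHA1 truncated to 128 bits.
    """
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, zeroed, digest).digest()[:16]


def verify_mic(kck: bytes, frame: bytes, version: int = 2) -> bool:
    """Constant-time comparison of the received MIC against a recomputed one."""
    return hmac.compare_digest(eapol_mic(kck, frame, version), frame[MIC_OFFSET:MIC_OFFSET + 16])


def demo():
    """Derive the PTK on both sides and MIC a constructed message 2."""
    pmk = psk_to_pmk("password", "IEEE")
    aa, spa = bytes.fromhex("a0a1a2a3a4a5"), bytes.fromhex("b0b1b2b3b4b5")   # constructed
    anonce, snonce = bytes(range(0xC0, 0xE0)), bytes(range(0xE0, 0x100))     # constructed
    ap_keys = derive_ptk(pmk, aa, spa, anonce, snonce)
    sta_keys = derive_ptk(pmk, spa, aa, snonce, anonce)  # the station's view of the same inputs

    # Constructed message 2 (station -> AP): descriptor type 2, key info 0x010a
    # (version 2, pairwise, MIC present), key length 16, replay counter 1,
    # SNonce, zero IV/RSC/ID, empty MIC, no key data.
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01"
            + snonce + b"\x00" * 32 + b"\x00" * 16 + b"\x00\x00")
    frame = b"\x02\x03" + len(body).to_bytes(2, "big") + body
    frame = frame[:MIC_OFFSET] + eapol_mic(sta_keys["KCK"], frame) + frame[MIC_OFFSET + 16:]
    tampered = frame[:-1] + bytes([frame[-1] ^ 0x01])  # one flipped bit in the key data length
    return ap_keys, sta_keys, frame, tampered


if __name__ == "__main__":
    ap_keys, sta_keys, frame, tampered = demo()
    print("KCK", ap_keys["KCK"].hex(), "TK", ap_keys["TK"].hex())
    print("MIC ok:", verify_mic(ap_keys["KCK"], frame), "tampered ok:", verify_mic(ap_keys["KCK"], tampered))
```

Note that the handshake messages carry the nonces in the clear; what the attacker cannot do without the PMK is produce a valid KCK, so a receiver must drop any message whose MIC fails rather than just logging it.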

The station selects, and the four-way handshake confirms, the type of encryption to be used for the data connection. Two encryption ciphers are negotiated: the pairwise cipher is used for unicast data between station and access point, and the group cipher is used for broadcast/multicast traffic from the access point to multiple stations. The group cipher allows the access point to send one copy of each multicast packet to all stations, rather than a separately encrypted packet to each station. The chosen cipher suites are carried in the RSN information element, and both sides repeat that element inside the MIC-protected handshake messages, so a downgrade attempted by tampering with the unprotected association frames is detected before any data key is installed.

While any of the cipher suites defined by the standard may be negotiated, the cipher of choice for 802.11i is the advanced encryption standard (AES), with a 128-bit key, in CCM mode (counter mode with CBC-MAC), which provides confidentiality and integrity for each frame from a single key. AES is the U.S. federal government standard for encryption, and CCM has recently been approved as FIPS-compliant.

In an 802.11i-only environment, AES will normally be used as both the pairwise and the group cipher. In a mixed environment, access points will typically use a lowest-common-denominator cipher as the group cipher, such as wired equivalent privacy or temporal key integrity protocol, to allow both 802.11i and pre-802.11i stations to decrypt multicast traffic. The cost is that broadcast and multicast traffic for every station, including the AES-capable ones, is then protected only as well as that weakest cipher.

802.11i also speeds roaming from one access point to the next. Previously, the station needed to perform a complete 802.1X authentication each time it associated with a new access point. With 802.11i, when the station returns to an access point it has already authenticated with, it can reuse the PMK established with that access point, omitting 802.1X authentication and performing only the four-way handshake; the station identifies the cached key by listing its PMKID in the reassociation request. This speeds transitions between access points. Additionally, the station may "pre-authenticate" to a new access point it intends to roam to while still associated with the current access point, running the 802.1X exchange through the current access point; this allows the station to perform only a four-way handshake once it does roam.

Another fast-roaming technique made possible by 802.11i is informally called opportunistic key caching (also proactive key caching). If multiple access points are able to share PMKs among themselves, the station may be able to roam to a new access point it has not visited before and reuse a PMK established with the current access point. This allows the station to roam quickly to an access point it never authenticated to, without having to perform pre-authentication. This mechanism is commonly available on wireless switches, since the central switch can hold the PMKs for all the access points it controls. There are also centralized architectures using "fat" access points that can provide equivalent capability.
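The three roaming cases above (returning to a cached access point, pre-authentication, and opportunistic key caching) come down to whether the access point can find the PMK the station names. As an added example (not code from the original article or from any vendor), the block below computes the 802.11i PMKID, which is how a station names a cached PMK to a given access point, and walks a station through each case against a small PMK cache. The `PmkCache` and `associate` model, the PMKs, the BSSIDs and the station address are constructed for illustration; only the PMKID formula is from the standard.

```python
"""PMK caching and opportunistic key caching with 802.11i PMKIDs.

Added example, not code from the original article. The PMKs, BSSIDs, station
address and the cache/association model are constructed for illustration.
"""
import hashlib
import hmac


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID = HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA), per 802.11i.

    AA is the access point's BSSID and SPA the station's MAC, so one PMK has
    a different name at every access point. The station lists the PMKID(s)
    it holds in the RSN element of its (re)association request.
    """
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


class PmkCache:
    """PMK store as kept by an access point, or by a controller for its access points."""

    def __init__(self):
        self._entries = {}

    def add(self, pmk: bytes, aa: bytes, spa: bytes) -> bytes:
        key = pmkid(pmk, aa, spa)
        self._entries[key] = pmk
        return key

    def lookup(self, key: bytes):
        return self._entries.get(key)


def associate(ap_cache: PmkCache, ap_bssid: bytes, sta_mac: bytes, sta_pmk: bytes) -> str:
    """Access-point side of a (re)association; returns which exchange must follow."""
    offered = pmkid(sta_pmk, ap_bssid, sta_mac)  # the station's PMKID list (one entry here)
    if ap_cache.lookup(offered) is not None:
        # Cache hit: skip 802.1X. The PMKID only names the key; possession of
        # the PMK is proven by the MICs in the four-way handshake that follows.
        return "four-way handshake only"
    return "full 802.1X then four-way handshake"


def scenario() -> dict:
    """Constructed walk-through of the roaming cases; returns {case: exchange}."""
    sta = bytes.fromhex("b0b1b2b3b4b5")
    ap1, ap2, ap3 = (bytes.fromhex(x) for x in ("a0a1a2a3a4a5", "a0a1a2a3a4a6", "a0a1a2a3a4a7"))
    pmk = hashlib.sha256(b"constructed PMK from an 802.1X/EAP exchange").digest()
    results = {}

    # 1. First association to AP1 is a full 802.1X run; afterwards AP1 caches
    #    the PMK, so returning to AP1 needs only the four-way handshake.
    cache1 = PmkCache()
    results["first visit ap1"] = associate(cache1, ap1, sta, pmk)
    cache1.add(pmk, ap1, sta)
    results["return to ap1"] = associate(cache1, ap1, sta, pmk)

    # 2. Roam to AP2 with nothing cached: AP2 has never seen this PMK.
    cache2 = PmkCache()
    results["roam to ap2 cold"] = associate(cache2, ap2, sta, pmk)

    # 3. Pre-authentication: while still on AP1 the station runs 802.1X with
    #    AP2 through AP1, producing a second PMK that AP2 caches in advance.
    pmk_ap2 = hashlib.sha256(b"constructed PMK from pre-authentication to AP2").digest()
    cache2.add(pmk_ap2, ap2, sta)
    results["roam to ap2 preauth"] = associate(cache2, ap2, sta, pmk_ap2)

    # 4. Opportunistic key caching: a controller hands the original PMK to AP3
    #    and names it with AP3's BSSID; the station computes the same PMKID.
    cache3 = PmkCache()
    cache3.add(pmk, ap3, sta)
    results["roam to ap3 okc"] = associate(cache3, ap3, sta, pmk)
    return results


if __name__ == "__main__":
    for case, exchange in scenario().items():
        print(f"{case:22s} -> {exchange}")
```

The practical consequence for a wireless switch or controller is that it holds a PMK for every active station, so that store, and the channel over which it is pushed to the access points, needs the same protection as the RADIUS link that delivered the PMK in the first place.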

For more information from Funk Software: www.rsleads.com/509cn-260

This article was provided by Paul Funk, president of Funk Software, Cambridge, Mass.
COPYRIGHT 2005 Nelson Publishing
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005 Gale, Cengage Learning. All rights reserved.

Title Annotation:Wireless
Publication:Communications News
Date:Sep 1, 2005