IEEE 802.11w-2009
   HOME

TheInfoList



Click Here for Items Related To - IEEE 802.11w-2009
OR:
IEEE 802.11w-2009 on:   [Wikipedia]   [Google]   [Amazon]

IEEE 802.11w-2009 is an approved amendment to the
IEEE 802.11 IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer commun ...
standard to increase the security of its management frames.


Protected management frames

Current 802.11 standard defines "frame" types for use in management and control of wireless links. IEEE 802.11w is the Protected Management Frames
standard Standard may refer to: Symbols * Colours, standards and guidons, kinds of military signs * Standard (emblem), a type of a large symbol or emblem used for identification Norms, conventions or requirements * Standard (metrology), an object th ...
for the
IEEE 802.11 IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer commun ...
family of standards. Task Group 'w' worked on improving the
IEEE 802.11 IEEE 802.11 is part of the IEEE 802 set of local area network (LAN) technical standards, and specifies the set of media access control (MAC) and physical layer (PHY) protocols for implementing wireless local area network (WLAN) computer commun ...
Medium Access Control layer. Its objective was to increase security by providing data confidentiality of management frames, mechanisms that enable data integrity,
data origin authenticity In information security, message authentication or data origin authentication is a property that a message has not been modified while in transit (data integrity) and that the receiving party can verify the source of the message. Message authentica ...
, and replay protection. These extensions interact with IEEE 802.11r and
IEEE 802.11u IEEE 802.11u-2011 is an amendment to the IEEE 802.11-2007 standard to add features that improve interworking with external networks. 802.11 is a family of IEEE technical standards for mobile communication devices such as laptop computers or mult ...
.


Overview

* Single and unified solution needed for all IEEE 802.11 Protection-capable Management Frames. * It uses the existing security mechanisms rather than creating new security scheme or new management frame format. * It is an optional feature in 802.11 and is required for 802.11 implementations that support TKIP or CCMP. * Its use is optional and can be negotiable between STAs.


Classes

* Class 1 ** Beacon and probe request/response ** Authentication and de-authentication ** Announcement traffic indication message (ATIM) ** Spectrum management action ** Radio measurement action between STAs in IBSS * Class 2 ** Association request/response ** Re-association request/response ** Disassociation * Class 3 ** Disassociation/de-authentication ** QoS action frame ** Radio measurement action in infrastructure BSS ** Future 11v management frames


Unprotected frames

It is infeasible/not possible to protect the frame sent before four-ways handshake because it is sent prior to key establishment. The management frames, which are sent after key establishment, can be protected. Infeasible to protect: * Beacon and probe request/response * Announcement traffic indication message (ATIM) * Authentication * Association request/response * Spectrum management action


Protected frames

Protection-capable management frames are those sent after key establishment that can be protected using existing protection key hierarchy in 802.11 and its amendments. Only TKIP/AES frames are protected and WEP/open frames are not protected. The following management frames can be protected: * Disassociate * Deauthenticate * Action Frames: Block ACK Request/Response (AddBA), QoS Admission Control, Radio Measurement, Spectrum Management, Fast BSS Transition * Channel Switch Announcement directed to a client (Unicast) Management frames that are required before AP and client have exchanged the transmission keys via the 4 way handshake remain unprotected: * Beacons * Probes * Authentication * Association * Announcement Traffic Indication Message * Channel Switch Announcement as Broadcast Uni-cast Protection-capable Management Frames are protected by the same cipher suite as an ordinary data
MPDU In telecommunications, a protocol data unit (PDU) is a single unit of information transmitted among peer entities of a computer network. It is composed of protocol-specific control information and user data. In the layered architectures of c ...
. * MPDU payload is TKIP or CCMP encrypted. * MPDU payload and header are TKIP or CCMP integrity protected. * Protected frame field of frame control field is set. * Only cipher suites already implemented are required. * Sender's pairwise temporal key (PTK) protects unicast management frame. Broad-/Multicast Robust Management Frames are protected using Broadcast/multicast integrity protocol (BIP) * Use Integrity Group Temporal Key (IGTK) received during WPA key handshake * Use Information Element: Management MIC IE with Sequence Number + Cryptographic Hash (AES128-CMAC based)


Replay protection

Replay protection is provided by already existing mechanisms. Specifically, there is a (per-station, per-key, per-priority) counter for each transmitted frame; this is used as a nonce/initialization vector (IV) in cryptographic encapsulation/decapsulation, and the receiving station ensures that the received counter is increasing.


Usage

The 802.11w amendment is implemented in Linux and BSD's as part of the 80211mac driver code base, which is used by several wireless driver interfaces; i.e., ath9k. The feature is easily enabled in most recent kernels and Linux OS's using these combinations.
OpenWrt OpenWrt (from ''open wireless router'') is an open-source project for embedded operating systems based on Linux, primarily used on embedded devices to route network traffic. The main components are Linux, util-linux, musl, and BusyBox. All ...
in particular provides an easy toggle as part of the base distribution. The feature has been implemented for the first time into
Microsoft Microsoft Corporation is an American multinational technology corporation producing computer software, consumer electronics, personal computers, and related services headquartered at the Microsoft Redmond campus located in Redmond, Washin ...
operating systems in Windows 8. This has caused a number of compatibility issues particularly with wireless access points that are not compatible with the standard. Rolling back the wireless adapter driver to one from Windows 7 usually fixes the issue.
Wireless LAN A wireless LAN (WLAN) is a wireless computer network that links two or more devices using wireless communication to form a local area network (LAN) within a limited area such as a home, school, computer laboratory, campus, or office buildi ...
s without this standard send system management information in unprotected frames, which makes them vulnerable. This standard protects against network disruption caused by malicious systems that forge disassociation requests (deauth) that appear to be sent by valid equipment http://www.ieee802.org/21/doctree/2005_Meeting_Docs/2005-09_meeting_docs/21-05-0381-00-0000-802-11-liaison-September05.ppt such as Evil Twin attacks.


See also

* IEEE 802.11i Enhanced Security * IEEE 802.11r Fast BSS Transition *
IEEE 802.11u IEEE 802.11u-2011 is an amendment to the IEEE 802.11-2007 standard to add features that improve interworking with external networks. 802.11 is a family of IEEE technical standards for mobile communication devices such as laptop computers or mult ...
Interworking with non-802.11 networks


References


External links


Status of the project 802.11w
IEEE Task Group w (TGw)
Tutorial on 802.11w
*Cisco 802.11r, 802.11k, and 802.11w Deployment Guide, Cisco IOS-XE Release 3.

{{DEFAULTSORT:Ieee 802.11w-2009 W pl:802.11w