802.11i - WPA2 Security ========================== .. toctree:: :maxdepth: 1 :hidden: :includehidden: 802_11i/802_11i 802_11i/mac_functions 802_11i/mac_timings 802_11i/packet_formats 802_11i/power_save 802_11i/interoperability 802_11i/physical_rates 802_11i/ppdu 802_11i/channels 802_11i/PHYs IEEE 802.11i is a security amendment to the Wi-Fi standard that enhances data protection and access control through robust encryption and authentication methods. .. list-table:: :widths: 20 60 20 :header-rows: 1 * - Category - Description - Use Case * - MAC Functions - Implements enhanced security functions including authentication, key management, and frame protection. - Securing wireless communication by enforcing strong encryption and access controls * - MAC Timings - Timing parameters adapted for security handshake exchanges and rekeying processes. - Ensuring timely and secure communication during authentication and key refresh cycles * - Packet Formats - Defines security-enhanced frame formats including protected management frames. - Protecting integrity and confidentiality of wireless frames during transmission * - Power Save - Supports secure power save modes without compromising encryption and key management. - Maintaining device battery life while preserving secure connectivity * - Interoperability - Ensures backward compatibility with legacy devices while enforcing security. - Facilitating deployment of secure Wi-Fi networks in mixed device environments * - Physical Rates - Operates over standard 802.11 physical rates, independent of security features. - Delivering secure communication at existing Wi-Fi speeds and modulations * - PPDU - Uses standard PPDU formats enhanced with security protections at the MAC layer. - Enabling secure encapsulation and transmission of data over Wi-Fi networks * - Channels - Uses the same frequency bands and channels as underlying PHY (5 GHz or 2.4 GHz bands). - Efficient spectrum use with added security layers on top * - PHY Overview - Relies on existing PHY technologies (e.g., OFDM in 802.11a, DSSS/OFDM in 802.11g). - Focuses on adding robust security while maintaining physical transmission efficiency .. tab-set:: .. tab-item:: 802.11i (Security Enhancements) **Standard:** IEEE 802.11i (2004) **Main Features:** - Introduced Robust Security Network (RSN) architecture - Defined WPA2 with AES-based CCMP encryption (replacing WEP and TKIP) - Supports 802.1X-based authentication with EAP methods - Implements 4-Way Handshake and Group Key Handshake - Introduced PMK (Pairwise Master Key) and PTK (Pairwise Transient Key) concepts - Provides data confidentiality, integrity, and access control **Use Cases:** - Enterprise-grade Wi-Fi networks requiring strong encryption - Home Wi-Fi using WPA2-Personal or WPA2-Enterprise - Environments requiring secure authentication and key management - Protecting against spoofing, replay, and man-in-the-middle attacks **Related Concepts:** - WPA2 (Wi-Fi Protected Access 2) - CCMP vs TKIP encryption - 802.1X with RADIUS and EAP - Key hierarchy: PMK, PTK, GTK - RSN Information Element (RSNIE) - MIC, replay protection, and secure roaming .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the security mechanisms of 802.11i:** * :ref:`Learnings in this section <802_11i_step1>` * :ref:`Terminology <802_11i_step2>` * :ref:`Version Info <802_11i_step3>` * :ref:`802_11i Version&IEEE Details <802_11i_step4>` * :ref:`802_11i Basic Setup on Ubuntu using IPv4 <802_11i_step5>` * :ref:`802_11i Basic Setup on Ubuntu using IPv6 <802_11i_step6>` * :ref:`Reference links <802_11i_step16>` .. button-link:: ./802_11i/802_11i.html :color: primary :shadow: :expand: Jump to "802.11i Basics" .. tab-set:: .. tab-item:: 802.11i MAC Functions **Standard:** IEEE 802.11i (2004) **Main Features:** - Implements enhanced security functions including authentication, key management, and frame protection - Provides robust encryption mechanisms such as AES-CCMP for data confidentiality - Handles secure key distribution and management protocols like 4-Way Handshake and Group Key Handshake - Ensures integrity protection for management and data frames - Supports secure association and re-association procedures - Integrates with MAC layer for seamless security enforcement in WLANs **Use Cases:** - Protecting Wi-Fi networks from unauthorized access and eavesdropping - Enabling secure communication for enterprise and personal wireless networks - Supporting regulatory compliance with strong wireless security standards **Related Functions:** - Authentication and key management protocols (802.1X, EAP) - Frame encryption and integrity checks - Secure management frame handling (Protected Management Frames) - Integration with MAC and PHY layers for secure transmission .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11i MAC Functions:** * :ref:`Reference links ` .. button-link:: ./802_11i/mac_functions.html :color: primary :shadow: :expand: Jump to "802.11i MAC Functions" .. tab-set:: .. tab-item:: 802.11i MAC Timings **Standard:** IEEE 802.11i (2004) **Main Features:** - Defines timing parameters relevant to secure frame transmission and acknowledgment - Includes Interframe Spaces (SIFS, DIFS, PIFS, AIFS) tailored for secure QoS support - Specifies backoff timers and contention windows adapted for encrypted traffic - Ensures collision avoidance and fair medium access while maintaining security integrity - Manages timing for retransmissions, acknowledgments, and secure handshake protocols - Coordinates timing between MAC and PHY layers for secure and efficient communication **Use Cases:** - Coordinating secure transmission timing in protected WLANs - Reducing collisions and optimizing throughput in encrypted networks - Supporting Quality of Service (QoS) with security considerations **Related Timing Parameters:** - Short Interframe Space (SIFS) - Distributed Interframe Space (DIFS) - Arbitration Interframe Space (AIFS) - Slot time and backoff timers adjusted for security overhead .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11i MAC Timings:** * :ref:`Reference links ` .. button-link:: ./802_11i/mac_timings.html :color: primary :shadow: :expand: Jump to "802.11i MAC Timings" .. tab-set:: .. tab-item:: 802.11i Packet Formats **Standard:** IEEE 802.11i (2004) **Main Features:** - Defines the structure of MAC and PHY layer frames with enhanced security fields - Includes Frame Control, Duration, Address fields, Sequence Control, and CRC - Adds fields for encryption and authentication like the CCMP header - Supports management, control, and data frames with security extensions - Enables secure key management and integrity checking within frames - Allows fragmentation and reassembly for encrypted large packets **Use Cases:** - Structuring secure wireless packets for communication in protected WLANs - Ensuring confidentiality, integrity, and authentication in transmissions - Enabling interoperability between secure 802.11i-compliant devices **Related Frame Types:** - Management frames (e.g., Authentication, Association with security extensions) - Control frames (e.g., ACK, RTS, CTS) - Data frames with CCMP or TKIP encryption .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11i Packet Formats:** * :ref:`Reference links ` .. button-link:: ./802_11i/packet_formats.html :color: primary :shadow: :expand: Jump to "802.11i Packet Formats" .. tab-set:: .. tab-item:: 802.11i Power Saving Mechanisms **Standard:** IEEE 802.11i (2004) **Main Features:** - Integrates with 802.11 power save features while ensuring security during sleep states - Supports Power Save Mode (PSM) with secure buffering of frames at the AP - Ensures secure delivery of buffered data through encryption and authentication - Uses beacon frames with Delivery Traffic Indication Message (DTIM) for multicast/broadcast notifications - Coordinates sleep and wake cycles with secure key management to prevent replay attacks - Balances energy efficiency with maintaining secure connectivity in protected WLANs **Use Cases:** - Extending battery life of devices in secure Wi-Fi networks - Maintaining data confidentiality and integrity while devices sleep - Supporting power saving for mobile and IoT devices with WPA2 security **Related Mechanisms:** - Secure beacon frame handling with TIM and DTIM - Robust key management during power state transitions - Coordination of sleep cycles with encryption key refresh .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11i Power Saving mechanisms:** * :ref:`Reference links ` .. button-link:: ./802_11i/power_save.html :color: primary :shadow: :expand: Jump to "802.11i Power Saving" .. tab-set:: .. tab-item:: 802.11i Interoperability **Standard:** IEEE 802.11i (2004) **Main Features:** - Ensures secure compatibility between devices from different vendors implementing WPA2/WPA3 - Supports interoperability with legacy 802.11 standards while enforcing strong security policies - Defines standardized security frame formats, key management, and authentication protocols - Facilitates secure roaming and handoff between access points in enterprise networks - Implements robust mechanisms for coexistence with other wireless protocols - Uses standardized management and control frames with enhanced security features **Use Cases:** - Enabling secure multi-vendor Wi-Fi deployments with WPA2/WPA3 support - Supporting seamless and secure roaming in enterprise WLANs - Ensuring backward compatibility while maintaining security standards **Related Mechanisms:** - Secure management frame interoperability (e.g., 802.11w) - Robust security network association (RSNA) - Standardized key management and authentication protocols (802.1X, EAP) .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11i Interoperability mechanisms:** * :ref:`Reference links ` .. button-link:: ./802_11i/interoperability.html :color: primary :shadow: :expand: Jump to "802.11i Interoperability" .. tab-set:: .. tab-item:: 802.11i Physical Rates **Standard:** IEEE 802.11i (2004) **Main Features:** - Supports physical layer rates defined by underlying 802.11 standards (e.g., 802.11a/b/g) - Secures data transmission across all supported physical rates using robust encryption - Works with dynamic rate adaptation mechanisms to maintain secure and efficient connectivity - Applies security protocols (WPA2/WPA3) transparently regardless of physical data rate - Ensures compatibility with multiple modulation and coding schemes (MCS) for performance - Focuses on secure transmission rather than defining new physical rates **Use Cases:** - Secure wireless networking across various data rates in enterprise and consumer environments - Enabling robust encryption without sacrificing throughput or adaptability - Supporting secure multimedia streaming, voice, and data over Wi-Fi **Related Concepts:** - Encryption and authentication algorithms (AES-CCMP, TKIP) - Rate adaptation with security context - Integration with physical layer modulation schemes .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11i Physical Rates and their impact on security:** * :ref:`physical_rates in 802.11i ` * :ref:`Reference links ` .. button-link:: ./802_11i/physical_rates.html :color: primary :shadow: :expand: Jump to "802.11i Physical Rates" .. tab-set:: .. tab-item:: 802.11a PPDU **Standard:** IEEE 802.11a (1999) **Main Features:** - Defines the Physical Protocol Data Unit (PPDU) structure for 802.11a - Includes a preamble for synchronization and channel estimation - Contains SIGNAL field specifying the data rate and length - Payload carries the MAC frame encoded with OFDM modulation - Supports various data rates with adaptive modulation and coding - Enables reliable wireless data transmission at 5 GHz frequency band **Use Cases:** - Ensuring proper encapsulation of data for transmission over 802.11a PHY - Synchronization between transmitter and receiver - Facilitating robust and efficient wireless communication **Related Concepts:** - OFDM symbol structure - Service field and tail bits - Channel coding and interleaving .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11a PPDU:** * :ref:`Reference links ` .. button-link:: ./802_11a/ppdu.html :color: primary :shadow: :expand: Jump to "802.11a PPDU" .. tab-set:: .. tab-item:: 802.11i Channels **Standard:** IEEE 802.11i (2004) **Main Features:** - Operates on the same frequency bands as the underlying PHY (commonly 2.4 GHz and 5 GHz bands) - Utilizes existing channel allocations and bandwidths defined by the underlying PHY (e.g., 20 MHz channels in 802.11a/g) - No modifications to channel structure; security enhancements operate above the PHY layer - Supports secure communications without impacting channel planning or spectrum usage - Compatible with existing regulatory domain channel restrictions and DFS/TPC requirements **Use Cases:** - Securing wireless transmissions in enterprise and home Wi-Fi networks - Enhancing data confidentiality, integrity, and access control without altering RF characteristics - Maintaining performance while enforcing robust security policies over existing channels **Related Concepts:** - Security protocols (WPA2, CCMP, TKIP) implemented above the PHY - Underlying PHY channel concepts such as UNII bands and DFS remain relevant - Integration of security with physical layer frequency planning and coexistence .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11i Channels:** * :ref:`List of channels ` * :ref:`List of channel widths ` * :ref:`List of Bands ` * :ref:`Reference links ` .. button-link:: ./802_11i/channels.html :color: primary :shadow: :expand: Jump to "802.11i Channels" .. tab-set:: .. tab-item:: 802.11i PHY **Standard:** IEEE 802.11i (2004) **Main Features:** - Builds on existing PHY layers (e.g., 802.11a, 802.11g) without altering physical transmission methods - Focuses on enhancing security at the MAC and upper layers rather than changing PHY characteristics - Supports strong encryption mechanisms like AES-CCMP integrated with the PHY layer - Maintains compatibility with OFDM modulation and channel structures defined in underlying PHYs - Ensures secure key exchange and management aligned with PHY timing and frame formats - Works transparently with PHY layer mechanisms to enable secure, robust wireless communication **Use Cases:** - Enabling secure wireless data transfer over existing 802.11 PHYs - Protecting confidentiality, integrity, and authentication of wireless frames - Securing enterprise and personal Wi-Fi networks while preserving performance **Related Concepts:** - AES-CCMP encryption and MIC authentication - Robust security network (RSN) framework integration - Interaction with PHY layer timing and frame processing .. panels:: :container: container pb-4 :column: col-lg-12 p-2 :card: What You Will Learn in This Section **Explore the details of 802.11i PHY:** * :ref:`Reference links ` .. button-link:: ./802_11i/PHYs.html :color: primary :shadow: :expand: Jump to "802.11i PHY"