802.11i Channels
What is IEEE 802.11i-2004?
IEEE 802.11i-2004, commonly called 802.11i, is an amendment to the IEEE 802.11 standard that specifies enhanced security for WLANs such as stronger encryption, authentication and key management.
What does RSN (Robust Security Network) mean in 802.11i?
RSN refers to the security framework defined in 802.11i, using protocols like 802.1X/EAP for authentication, plus TKIP or CCMP for encryption.
What encryption protocols are defined under 802.11i?
802.11i defines TKIP (Temporal Key Integrity Protocol) and CCMP (AES‑based Counter with CBC‑MAC) as encryption/integrity protocols. CCMP is mandatory for full compliance.
How is authentication handled in 802.11i?
Authentication is handled via 802.1X/EAP for enterprise networks, or via pre-shared key (PSK) in simpler/home settings. Then a 4‑way handshake is used to derive transient keys.
What is the 4‑way handshake in 802.11i?
A process between a station (STA) and access point (AP) to derive fresh session keys, confirm knowledge of shared secrets, and ensure data confidentiality/integrity. It exchanges nonces and uses authentication to establish Pairwise Transient Key (PTK) and Group Temporal Key (GTK).
What is CCMP and why is it important?
CCMP (Counter Mode with CBC‑MAC Protocol) is the AES‑based encryption/integrity protocol introduced with 802.11i. It provides strong confidentiality, message integrity, and protection versus replay attacks.
What is TKIP and why was it used?
TKIP (Temporal Key Integrity Protocol) was introduced as an interim solution to fix many of the vulnerabilities in WEP. It works with legacy hardware using RC4 stream cipher, but is less secure than CCMP and is considered deprecated.
What is 802.1X and how is it used with 802.11i?
802.1X is a port-based network access control protocol used by 802.11i for strong authentication, often with a RADIUS server. It ensures that only authenticated users or devices can connect.
Is WEP still considered secure under 802.11i?
No. WEP is deprecated due to many known vulnerabilities. 802.11i was specifically designed to replace WEP.
What is the group key handshake?
After authentication, the AP distributes a Group Temporal Key (GTK) to all associated stations for multicast/broadcast frame encryption. This happens using secure key distribution.
How does 802.11i protect against replay attacks?
Using sequence numbers and message integrity checks (MIC), especially under CCMP, to ensure old frames cannot be resent in a malicious way.
What is PSK mode in 802.11i?
PSK (Pre‑Shared Key) mode is for simpler setups (home/small offices) where there’s no authentication server. All devices share a passphrase.
What hardware/software requirements are there for 802.11i?
Devices need to support AES‑CCMP, with sufficient processing for the cryptographic operations. Older hardware that only supported WEP might need firmware or hardware upgrades.
What are potential vulnerabilities in 802.11i?
Although much more secure than WEP, 802.11i is still subject to issues like weak passwords (in PSK mode), denial‑of‑service via management frame spoofing, and risk during roaming if keys are not properly protected.
What is a Weak Password Attack in the context of 802.11i?
When PSK (Pre‑Shared) mode is used and users choose simple passphrases, attackers can brute force or dictionary‑attack the passphrase, undermining security.
What is WPA2 in relation to 802.11i?
WPA2 is the Wi‑Fi Alliance certification that implements the full RSN features of 802.11i, especially mandatory support for AES‑CCMP.
Does 802.11i support fast roaming?
Roaming itself is supported, but fast roaming improvements (e.g. 802.11r) can complement 802.11i to reduce delays during handoffs.
What is PMK caching?
Pairwise Master Key (PMK) caching allows a station and AP to reuse a previously established PMK to speed up reconnection/roaming, reducing authentication delays.
What is the group temporal key (GTK)?
GTK is used to encrypt broadcast or multicast traffic under an RSN. It is shared among all associated stations.
How are encryption keys renewed in 802.11i?
Keys are periodically refreshed (rekeyed) automatically to maintain security, both for pairwise/unicast and group/multicast traffic.
What is the difference between unicast and multicast protection in 802.11i?
Unicast traffic uses PTK (derived using 4‑way handshake) for each STA‑AP link. Multicast/broadcast traffic uses GTK shared among STAs, with group key handshake.
What happens if a device fails authentication in 802.11i?
The device is denied access to data frames; it will not receive encryption keys (PTK/GTK) and cannot send/receive secured data.
Is management frame protection included in 802.11i?
Base 802.11i does not fully protect all management frames; additional amendments like 802.11w provide protection for management frames to avoid attacks on deauth/disassoc frames.
Is 802.11i still relevant given newer standards?
Yes — much of wireless security today (WPA2 etc.) depends on 802.11i. Even with newer standards (WPA3 etc.), 802.11i concepts remain foundational.
Topics in this section,
Channel Number (MHz) |
Center Frequency (MHz) |
Frequency Range |
DFS Required |
|---|---|---|---|
36 |
5180 |
5170 – 5190 |
No |
40 |
5200 |
5190 – 5210 |
No |
44 |
5220 |
5210 – 5230 |
No |
48 |
5240 |
5230 – 5250 |
No |
52 |
5260 |
5250 – 5270 |
Yes |
56 |
5280 |
5270 – 5290 |
Yes |
60 |
5300 |
5290 – 5310 |
Yes |
64 |
5320 |
5310 – 5330 |
Yes |
100 |
5500 |
5490 – 5510 |
Yes |
104 |
5520 |
5510 – 5530 |
Yes |
108 |
5540 |
5530 – 5550 |
Yes |
112 |
5560 |
5550 – 5570 |
Yes |
116 |
5580 |
5570 – 5590 |
Yes |
120 |
5600 |
5590 – 5610 |
Yes |
124 |
5620 |
5610 – 5630 |
Yes |
128 |
5640 |
5630 – 5650 |
Yes |
132 |
5660 |
5650 – 5670 |
Yes |
136 |
5680 |
5670 – 5690 |
Yes |
140 |
5700 |
5690 – 5710 |
Yes |
144 |
5720 |
5710 – 5730 |
Yes |
149 |
5745 |
5735 – 5755 |
No |
153 |
5765 |
5755 – 5775 |
No |
157 |
5785 |
5775 – 5795 |
No |
161 |
5805 |
5795 – 5815 |
No |
165 |
5825 |
5815 – 5835 |
No |
channel widths
Band Name |
Frequency Range (GHz) |
Frequency Range (MHz) |
Channels |
|---|---|---|---|
UNII-1 |
5.150 – 5.250 |
5150 – 5250 |
36, 40, 44, 48 |
UNII-2 (DFS) |
5.250 – 5.350 |
5250 – 5350 |
52, 56, 60, 64 |
UNII-2 Extended (DFS) |
5.470 – 5.725 |
5470 – 5725 |
100, 104, 108, 112, 116, 120, 124, 128, 132, 136, 140, 144 |
UNII-3 |
5.725 – 5.825 |
5725 – 5825 |
149, 153, 157, 161, 165 |
Reference links