Wi-Fi Connectivity
Glossary
AP - Access Point
STA - Station
BSS - Basic Service Set
Infrastructure BSS - BSS with an Access Point
IBSS - Independent BSS (BSS without an Access Point)
ESS - Extended Service Set
WLAN vs. Wired LAN
Advantages of WLAN
•Allows mobility
•Easy to use and hassle free
•Total cost is normally lower
•Application transparency
Disadvantages of WLAN
•Security
•Limitations related to radio waves
•Data transfer speed
•Global operations
IEEE 802.11 Alphabet soup
Standard   Description                                                          Status
802.11     Base standard. 2.4 GHz and IR. DSSS and FHSS                         Completed
802.11a    5 GHz OFDM 54 Mb/s                                                   Completed
802.11b    2.4 GHz. DSSS. 11 Mb/s                                               Completed
802.11c    Network interoperability, bridging operations, now part of 802.1D    Completed
802.11d    Country-to-country roaming extensions                                Completed
802.11e    QoS enhancements                                                     Completed
802.11F    Inter Access Point Protocol (Trial Use)                              Withdrawn
802.11g    2.4 GHz. DSSS and OFDM. 54 Mb/s                                      Completed
802.11h    Spectrum and transmit power management                               Completed
802.11i    Security enhancements                                                Completed
802.11j    5 GHz operation in Japan                                             Completed
802.11k    Radio Resource Measurements                                          Ongoing
802.11m    Standard maintenance                                                 Ongoing
802.11n    High Throughput (using MIMO)                                         Ongoing
802.11p    Wireless access in vehicular environments                            Ongoing
802.11r    Fast BSS transition                                                  Ongoing
802.11s    ESS mesh                                                             Ongoing
802.11T    Wireless Performance Prediction                                      Ongoing
Status is as listed in the original deck: 802.11k, 802.11n, 802.11p, 802.11r and 802.11s have since been ratified, and the 802.11T effort was abandoned.
Comparison of standards
The table below provides a brief overview of the four most popular current 802.11 standards.
Standard   Frequency    Data Transfer Rate Typical (Max)   Range (indoor)
802.11a    5 GHz        20 (54) Mb/s                       about 35 m (115 ft)
802.11b    2.4 GHz      5.5 (11) Mb/s                      38 m (125 ft)
802.11g    2.4 GHz      22 (54) Mb/s                       38 m (125 ft)
802.11n    2.4/5 GHz    110+ (300+) Mb/s                   70 m (230 ft)
The 802.11 Protocol Stack
The scope of the 802.11 standard is to develop:
•Medium Access Control (MAC)
•Physical Layer (PHY)
[Figure: the ISO OSI 7-layer model (Application, Presentation, Session, Transport, Network, Data Link, Physical) beside the IEEE 802 standards. Logical Link Control (802.2) sits above the 802.11 MAC; the 802.11 MAC and PHY together occupy the OSI Data Link and Physical layers.]
Spread Spectrum Radio
There are two types of spread spectrum radio:
•FHSS (Frequency Hopping Spread Spectrum)
•DSSS (Direct Sequence Spread Spectrum)
FHSS (FH-CDMA) and DSSS (DS-CDMA) are both used in WLANs: the original 802.11 PHY specified both, and 802.11b uses DSSS.
Direct Sequence Spread Spectrum
In Direct Sequence Spread Spectrum, each data bit at the point of transmission is combined with a higher data-rate bit sequence (the chipping code; in 802.11 the 11-chip Barker sequence), which spreads the signal over a band much wider than the data rate alone would need, according to the spreading ratio. The redundant chipping code helps the signal resist narrowband interference and also enables the original data to be recovered if some chips are damaged during transmission.
Frequency Hopping Spread Spectrum (FHSS)
In Frequency Hopping Spread Spectrum (frequency hopping code division multiple access), a broad slice of the spectrum is divided into many possible broadcast frequencies, and the transmitter hops among them in a sequence known to the receiver. In general, frequency-hopping devices use less power and are cheaper, but the performance of DS-CDMA systems is usually better and more reliable.
Advantages of spread spectrum:
•Highly resistant to narrowband interference
•Minimal noise
•Bandwidth used efficiently
Orthogonal Frequency-Division Multiplexing (OFDM)
Orthogonal frequency-division multiplexing (OFDM) is a method of encoding digital data on multiple carrier signals that are spaced apart at precise frequencies.
A large number of closely spaced orthogonal sub-carriers carry the data. The data is divided into several parallel streams, one per sub-carrier, and each sub-carrier is modulated with a conventional modulation scheme (e.g. QPSK or QAM) at a low symbol rate.
The benefits of OFDM are:
•High spectral efficiency
•Reduced cross-talk between sub-carriers
•Lower multipath distortion
Complementary Code Keying (CCK)
Complementary Code Keying (CCK) is a modulation scheme used with wireless networks (WLANs) that employ the IEEE 802.11b specification.
In 1999, with 802.11b, CCK was adopted for the 5.5 and 11 Mb/s rates in place of the Barker code (which is still used for the 1 and 2 Mb/s rates).
"A complementary code contains a pair of finite bit sequences of equal length, such that the number of pairs of identical elements (1 or 0) with any given separation in one sequence is equal to the number of pairs of unlike elements having the same separation in the other sequence."
A network using CCK can transfer more data per unit time for a given signal bandwidth than a network using the Barker code, because CCK makes more efficient use of the bit sequences.
Purpose of 802.11 standard
Defines MAC procedures
Defines several PHY signalling techniques
Describes the functions and services required to operate within ad-hoc and infrastructure networks
Describes mobility requirements
Describes coexistence among overlapping 802.11 WLANs
Describes authentication and privacy requirements
Medium Access Control (MAC)
The MAC provides addressing and channel access control mechanisms that make it possible for several terminals or network nodes to communicate within a multiple access network.
•802.11 uses Carrier-Sense Multiple Access with Collision Avoidance (CSMA/CA)
[Figure: the MAC layer (CSMA/CA in 802.11, as opposed to CSMA/CD in 802.3 Ethernet) sits below the upper-layer authentication protocol, IEEE 802.1X (port-based network access control; often miswritten as "802.11x").]
Station (STA)
Device that contains an IEEE 802.11 conformant MAC and PHY interface to the wireless medium
Supports STA services, but not Distribution services
Station services:
•Authentication
•De-authentication
•Data confidentiality
•Delivery of data
Most often end-stations in terminals (workstations, laptops, hand-helds etc.)
Access Point (AP)
An AP is a STA that also provides Distribution Services
Distribution Services:
•Association: Allows a STA to set up a logical connection with the AP
•Disassociation: Allows the AP or the STA to tear down the logical connection
•Re-association: Allows a STA to associate with a new AP; it provides information about the old AP to the new AP
•Distribution: Used internally by the AP to determine how to deliver the frames it receives (back into the same BSS, to the Distribution System, or to another network)
•Integration: Integration with other LANs; frame translation is carried out
Association Sequence
[Figure: association sequence between a STA and an AP (probe, authentication and association exchanges); image not reproduced]
Basic Service Set (BSS)
A set of STAs that communicate with each other is called a Basic Service Set.
A BSS can have an Access-Point (both in standalone networks and in building-wide configurations), or can run without an Access-Point (in standalone networks only)
BSS with AP is called Infrastructure BSS. And BSS without AP is called Independent BSS or IBSS.
Infrastructure BSS
A Basic Service Set (BSS) with an Access Point is called an Infrastructure BSS
The AP can be configured to send out beacons so that STAs can learn of its presence
STAs can scan for APs, and then associate with the chosen AP
Diameter of the cell is twice the range between STA and AP
STAs enjoy the benefits of having an AP, such as:
•Higher range
•Enhanced QoS
•Enhanced power saving
Beacon Contents
A typical beacon frame is approximately 50 bytes long, with about half of that being the common frame header and the cyclic redundancy check (CRC) field.
As with other frames, the header includes source and destination MAC addresses as well as other information regarding the communications process. The destination address is always set to all ones, the broadcast MAC address, so all stations on the channel receive and process each beacon frame. The CRC field provides error detection.
The beacon's frame body resides between the header and the CRC field and constitutes the other half of the beacon frame. It carries the timestamp, beacon interval and capability information, followed by information elements such as the SSID, the supported rates and (on an 802.11i network) the RSN element.
[Figure: Infrastructure BSS, with STAs communicating through an AP]
Independent BSS (IBSS)
A Basic Service Set (BSS) which forms a self-contained network in which no access to a Distribution System is available
A BSS without an Access Point
Also known as an Ad-Hoc network
One of the stations in the IBSS is configured to initiate beaconing. As more members join, this responsibility is shared in a distributed manner: in each beacon interval every STA contends to send the beacon.
Diameter of the cell is equal to the maximum range between two STAs
[Figure: Independent BSS (IBSS), with STAs communicating directly with each other]
Extended Service Set (ESS)
A set of one or more Infrastructure Basic Service Sets interconnected by a Distribution System (DS)
Allows STAs to roam between APs
Distribution System: the mechanism by which one AP communicates with another to exchange frames for the STAs in their BSSs
•Wired: Using cable to interconnect the Access Points
•Wireless: Using the wireless medium to interconnect the Access Points (a Wireless Distribution System, carried in 4-address frames)
•Integrated: A single Access Point in a standalone network
[Figure: Extended Service Set (ESS) with wired DS: two BSSs whose APs are interconnected by a wired Distribution System]
[Figure: Extended Service Set (ESS) with wireless DS: two BSSs whose APs are interconnected over the wireless medium]
[Figure: ESS consisting of a single BSS with integrated DS]
Passive scanning listens for the beacons sent by the access points. That means waiting on each channel for the next beacon (the default beacon interval is about 100 ms, so a full scan of all channels takes on the order of seconds).
Active scanning sends Probe Request frames on each channel and the APs answer immediately with Probe Responses.
A Sniffer is a software program that monitors network traffic. Sniffers can capture data being transmitted on a network and are sometimes used illegitimately to attack a network.
A Bridge is a wireless device that connects multiple networks together.
MAC: General Information
The Medium Access Control (MAC) is a set of rules to access the transmission medium
MAC purpose:
•Coordinate and share use of common bandwidth
•Timing synchronization
•User data transfer
•MAC layer management functions
MAC mechanism in Ethernet
In 802.3 (Ethernet) Carrier Sense Multiple Access with Collision Detection (CSMA/CD) is used
Short description:
•If the medium is idle, transmit; otherwise go to the next step
•If the medium is busy, continue to listen until the channel is idle, then transmit immediately
•If a collision is detected during transmission, transmit a brief jamming signal (32 bits) to ensure that all stations know there has been a collision, then stop transmitting
•After transmitting the jamming signal, wait a random amount of time, then attempt to transmit again
•If another collision happens, increase the range for the random number (Binary Exponential Backoff)
•Maximum number of attempts is 16
Requirements of MAC for WLAN
The MAC protocol must be independent of the underlying physical layer
The access mechanism must be efficient for both bursty and periodic traffic
The MAC must handle mobile users
Why can't CSMA/CD be used in a wireless LAN?
•It requires a full-duplex radio (transmitting and listening at the same time), which would increase the price significantly
•Not all stations can hear each other in a wireless environment, which is the basic assumption of the CD scheme (the hidden node problem)
CSMA/CA basic access
Used in DCF (Distributed Coordination Function)
CSMA part:
•Listen Before Talk (LBT)
•The STA senses the medium and attempts to send frames when no other station is transmitting
CA part 1:
•If another station is sending a frame, the STA uses Binary Exponential Backoff to choose a random number of slot times to wait, once the medium has been idle for DIFS, before trying again
•The range for the random number is called the Contention Window (CW); it doubles after each unsuccessful transmission up to CWmax
•Min and Max values for CW depend on the PHY
CSMA/CA basic access
CA part 2:
•The MAC maintains a Network Allocation Vector (NAV), a virtual carrier sense
•The NAV is updated whenever the MAC sees a frame on the medium: the frame's Duration field says how long the medium is reserved
•The MAC checks the value of its NAV; it must be zero before a station can attempt to send a frame
The receiving station sends an acknowledgement (ACK), one SIFS after the frame, if it doesn't detect any errors (the FCS checks) in the received frame
Timing Intervals
Basic intervals determined by the PHY:
•Short Inter Frame Space (SIFS)
•Slot time
Additional intervals built from the above two:
•PCF Inter Frame Space (PIFS): SIFS + 1 slot time
•Distributed Inter Frame Space (DIFS): SIFS + 2 slot times
•Extended Inter Frame Space (EIFS): much larger than the others; used after receiving a frame with a bad FCS
Since SIFS < PIFS < DIFS, an ACK (sent after SIFS) and a PCF poll (after PIFS) win the medium over a new DCF transmission (after DIFS plus backoff).
[Figure: CSMA/CA basic access timing: DIFS, backoff slots, data frame, SIFS, ACK]
Side Note: PCF
PCF: Point Coordination Function, a centrally controlled access mechanism
For a period of time called the Contention Free Period (CFP), the AP coordinates frame transmission from the STAs
STAs are polled one by one to ask if they have data to send, and are given a limited but assured period of time to do so
PIFS is used instead of DIFS
At the end of the CFP, the Contention Period (CP) starts and regular DCF is used
PCF is optional, and not widely implemented
CSMA/CA with RTS/CTS
Hidden Node Problem: a STA may not be aware of the existence of another STA that is in range of the AP but out of its own range, so carrier sensing alone cannot prevent collisions at the AP
CSMA/CA with RTS/CTS
4-way handshake: RTS, CTS, DATA, ACK
When a sending station wants to transmit data, it first sends a Request to Send (RTS) and waits for the destination to reply with a Clear to Send (CTS)
If the CTS is received, it transmits the data, and the destination sends an ACK on receiving the data completely and correctly
All other stations that hear the RTS or the CTS defer transmission for the duration indicated in the RTS or CTS (they set their NAV); a hidden node that cannot hear the sender's RTS still hears the CTS from the AP
[Figure: RTS/CTS exchange with the NAV set by the RTS and by the CTS]
CSMA/CA with RTS/CTS
The dot11RTSThreshold MIB attribute defines the frame length at or above which a frame must be preceded by an RTS/CTS exchange
By default, RTS/CTS is effectively disabled (the threshold is set above the largest frame size). The decision to enable it, and the threshold frame length, should be based on:
•A comparison of the bandwidth lost to the RTS and CTS frames vs. the bandwidth lost to transmissions corrupted by hidden nodes
Examples:
•In a single BSS, with no other BSS active, RTS/CTS is not necessary
•If the STAs are concentrated in a small area, it is not necessary
•If APs are co-located and sharing channels, it is necessary
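The Duration/NAV arithmetic behind the RTS/CTS exchange and the threshold rule above, as an added worked example (this is not code from the original deck). It uses 802.11b DSSS timing (SIFS 10 µs, slot 20 µs, 192 µs long PLCP preamble) with control frames at 2 Mb/s and data at 11 Mb/s; the frame sizes and the hidden-node collision probability passed to rts_worthwhile are assumed inputs standing in for measured values.

```python
import math

# 802.11b (DSSS) PHY timing; other PHYs have different SIFS/slot values.
SIFS_US = 10
SLOT_US = 20
PLCP_US = 192                      # long PLCP preamble + header, sent at 1 Mb/s
PIFS_US = SIFS_US + SLOT_US        # 30 us
DIFS_US = SIFS_US + 2 * SLOT_US    # 50 us
MAX_DURATION_US = 0x7FFF           # Duration/ID bit 15 = 0 marks a duration value

RTS_BYTES, CTS_BYTES, ACK_BYTES = 20, 14, 14   # control frames including FCS
DATA_MAC_OVERHEAD = 24 + 4                     # 3-address MAC header + FCS


def tx_time_us(nbytes: int, rate_mbps: float) -> float:
    """Airtime of one frame: PLCP preamble/header plus the frame at the PHY rate."""
    return PLCP_US + nbytes * 8 / rate_mbps


def rts_cts_durations(msdu_bytes: int, data_rate=11.0, ctl_rate=2.0) -> dict:
    """Duration field (us) carried by each frame of RTS / CTS / DATA / ACK.

    Each frame reserves the medium (sets the listeners' NAV) for everything
    that still has to follow it in the exchange, rounded up to whole us.
    """
    t_cts = tx_time_us(CTS_BYTES, ctl_rate)
    t_ack = tx_time_us(ACK_BYTES, ctl_rate)
    t_data = tx_time_us(msdu_bytes + DATA_MAC_OVERHEAD, data_rate)
    rts = math.ceil(3 * SIFS_US + t_cts + t_data + t_ack)   # CTS + DATA + ACK
    cts = math.ceil(rts - SIFS_US - t_cts)                  # DATA + ACK
    data = math.ceil(SIFS_US + t_ack)                       # ACK only
    for value in (rts, cts, data):
        if value > MAX_DURATION_US:
            raise ValueError("exchange too long for the 15-bit Duration field")
    return {"rts": rts, "cts": cts, "data": data, "ack": 0}


def handshake_overhead_us(ctl_rate=2.0) -> float:
    """Fixed airtime RTS/CTS adds in front of a frame: RTS + SIFS + CTS + SIFS."""
    return (tx_time_us(RTS_BYTES, ctl_rate) + tx_time_us(CTS_BYTES, ctl_rate)
            + 2 * SIFS_US)


def rts_worthwhile(msdu_bytes: int, p_hidden_collision: float,
                   rts_threshold: int, data_rate=11.0) -> bool:
    """The deck's rule in arithmetic form: only frames at or above
    dot11RTSThreshold get the handshake, and it pays off only where the
    expected airtime lost to hidden-node collisions exceeds its fixed cost."""
    if msdu_bytes < rts_threshold:
        return False
    t_data = tx_time_us(msdu_bytes + DATA_MAC_OVERHEAD, data_rate)
    return p_hidden_collision * t_data > handshake_overhead_us()
```

For a 1500-byte MSDU the RTS reserves the medium for 1830 µs while the handshake itself costs 540 µs of airtime, so at these rates RTS/CTS is only worth enabling when roughly 40% or more of long frames would otherwise be lost to hidden nodes. The size check on the Duration field matters in practice: a receiver that accepts a Duration value without that bound will honour any reservation a frame claims.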
802.11 MAC frame format
Note: Some fields may be absent, based on frame type, subtype, and other factors…
802.11 MAC frame format
Frame Control Field (2 bytes; fields in transmission order)
Field                  Bits
Protocol Version       2
Type                   2
Subtype                4
To DS                  1
From DS                1
More Fragments         1
Retry                  1
Power Management       1
More Data              1
Protected Frame (WEP)  1
Order                  1
Protocol Version:
•Consists of 2 bits
•Indicates the current version of the standard
•Fixed value (0)
802.11 MAC frame format
Address field contents by To DS / From DS:
To DS   From DS   Address 1    Address 2    Address 3   Address 4
0       0         RA = DA      TA = SA      BSSID       N/A
0       1         RA = DA      TA = BSSID   SA          N/A
1       0         RA = BSSID   TA = SA      DA          N/A
1       1         RA           TA           DA          SA
Transmitter Address (TA): Address of the MAC that physically transmits the frame onto the wireless medium
Receiver Address (RA): Address of the MAC to which the frame is sent over the wireless medium
Source Address (SA): Address of the MAC that originated the frame
Destination Address (DA): Address of the final destination to which the frame is to be sent
802.11 MAC frame format
To DS:
•1 when the frame is addressed to the AP for delivery via the DS
•0 when the frame is addressed directly to the destination STA
From DS:
•1 when the frame is coming from the DS
•0 when the frame is coming from the source STA
More Fragments:
•1 when further fragments of this frame follow
•Else 0
Retry:
•Set to 1 when the frame or fragment is a retransmission of a previously transmitted frame or fragment
802.11 MAC frame format
Power Management:
•1 when the STA will be in power-save mode after this frame exchange
•Else 0
More Data:
•Used for power management
•The AP uses it to indicate that more frames are buffered for the STA
Protected Frame (originally named WEP):
•Indicates whether the frame body is encrypted (WEP, TKIP or CCMP)
Order:
•Indicates the frame is being sent using the Strictly-Ordered service class
802.11 MAC frame format
Duration/ID:
•Indicates either the STA's Association ID (in PS-Poll frames) or a Duration value in microseconds, used by other stations for their NAV calculation
Address 1:
•Always the station in the BSS which is the immediate recipient of the frame
Address 2:
•Always the station which is physically transmitting the frame
Address 3:
•Carries the BSSID, the Source Address or the Destination Address, depending on the To DS / From DS bits (see the address table)
Address 4:
•Present only when To DS and From DS are both 1 (frames carried over a wireless DS); it carries the Source Address
802.11 MAC frame format
Sequence Control:
•Indicates the Fragment Number (4 bits) and the Sequence Number (12 bits)
FCS:
•32-bit Cyclic Redundancy Check over the MAC header and frame body
Information Element (IE)
Flexible data structure to convey a variety of information
Typically used in Management frames
Contents:
•Element ID (1 byte)
•Data Length (1 byte)
•Data
E.g. the RSN IE (Element ID 48) is used in Beacons sent by an AP using 802.11i security to advertise its cipher suites and authentication (AKM) methods
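A parser for the frame format just described, added here as an example (not code from the original deck): it decodes the Frame Control bits, applies the To DS / From DS address table, checks the FCS, and walks the Element ID / Length / Data triples of a beacon, including the RSN element. The sample beacon is constructed in the code; the BSSID 00:11:22:33:44:55 and the SSID "lab-net" are made up.

```python
import struct
import zlib

FC_FLAGS = ["to_ds", "from_ds", "more_frag", "retry", "pwr_mgt",
            "more_data", "protected", "order"]       # Frame Control byte 1, bit 0..7
# Address roles by (To DS, From DS), as in the address table above.
ADDR_ROLES = {(0, 0): ("DA", "SA", "BSSID"), (0, 1): ("DA", "BSSID", "SA"),
              (1, 0): ("BSSID", "SA", "DA"), (1, 1): ("RA", "TA", "DA")}
RSN_CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104"}
RSN_AKMS = {1: "802.1X", 2: "PSK"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_header(frame: bytes) -> dict:
    """Frame Control, Duration/ID, the three or four addresses, Sequence Control."""
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    hdr = {"version": fc0 & 0x3, "type": (fc0 >> 2) & 0x3, "subtype": fc0 >> 4,
           "duration": duration}
    hdr.update({name: bool(fc1 >> i & 1) for i, name in enumerate(FC_FLAGS)})
    addrs = [mac_str(frame[o:o + 6]) for o in (4, 10, 16)]
    hdr["RA"], hdr["TA"] = addrs[0], addrs[1]   # always immediate receiver / transmitter
    roles = ADDR_ROLES[(int(hdr["to_ds"]), int(hdr["from_ds"]))]
    hdr.update(zip(roles, addrs))
    seq = struct.unpack_from("<H", frame, 22)[0]
    hdr["frag_num"], hdr["seq_num"] = seq & 0xF, seq >> 4
    hdr["body_off"] = 24
    if hdr["to_ds"] and hdr["from_ds"]:         # wireless DS: Address 4 carries SA
        hdr["SA"] = mac_str(frame[24:30])
        hdr["body_off"] = 30
    return hdr


def fcs_ok(frame: bytes) -> bool:
    """The FCS is CRC-32 (same polynomial as Ethernet), transmitted little-endian."""
    return zlib.crc32(frame[:-4]) == struct.unpack("<I", frame[-4:])[0]


def parse_ies(body: bytes) -> list:
    """Walk Element ID / Length / Data triples; stop on a truncated element
    instead of reading past the buffer."""
    ies, off = [], 0
    while off + 2 <= len(body):
        eid, ln = body[off], body[off + 1]
        if off + 2 + ln > len(body):
            break
        ies.append((eid, body[off + 2:off + 2 + ln]))
        off += 2 + ln
    return ies


def parse_rsn(data: bytes) -> dict:
    """RSN element: version, group cipher, pairwise cipher list, AKM list."""
    def suite(off, table):                       # 3-byte OUI + 1-byte suite type
        oui, kind = data[off:off + 3], data[off + 3]
        return table.get(kind, "unknown") if oui == b"\x00\x0f\xac" else "vendor"
    version, = struct.unpack_from("<H", data, 0)
    n_pair, = struct.unpack_from("<H", data, 6)
    akm_off = 8 + 4 * n_pair
    n_akm, = struct.unpack_from("<H", data, akm_off)
    return {"version": version, "group": suite(2, RSN_CIPHERS),
            "pairwise": [suite(8 + 4 * i, RSN_CIPHERS) for i in range(n_pair)],
            "akm": [suite(akm_off + 2 + 4 * i, RSN_AKMS) for i in range(n_akm)]}


def parse_beacon(frame: bytes) -> dict:
    """Beacon = header + fixed fields (timestamp, interval, capability) + IEs + FCS."""
    if not fcs_ok(frame):
        raise ValueError("bad FCS")
    hdr = parse_header(frame)
    body = frame[hdr["body_off"]:-4]
    timestamp, interval, cap = struct.unpack_from("<QHH", body, 0)
    ies = dict(parse_ies(body[12:]))
    return {"hdr": hdr, "timestamp": timestamp, "beacon_interval_tu": interval,
            "privacy": bool(cap & 0x10),                 # capability bit 4
            "ssid": ies.get(0, b"").decode(errors="replace"),
            "channel": ies[3][0] if 3 in ies else None,  # DS Parameter Set
            "rsn": parse_rsn(ies[48]) if 48 in ies else None}


def build_sample_beacon() -> bytes:
    """Constructed beacon (not a capture): management/subtype 8, broadcast DA,
    sequence number 10, channel 6, RSN advertising CCMP with PSK."""
    bssid = bytes.fromhex("001122334455")
    hdr = (bytes([0x80, 0x00]) + b"\x00\x00" + b"\xff" * 6 + bssid + bssid
           + struct.pack("<H", 10 << 4))
    rsn = (b"\x01\x00" + b"\x00\x0f\xac\x04" + b"\x01\x00" + b"\x00\x0f\xac\x04"
           + b"\x01\x00" + b"\x00\x0f\xac\x02" + b"\x00\x00")
    body = struct.pack("<QHH", 0x1234, 100, 0x0411)       # ESS, privacy, short slot
    body += bytes([0, 7]) + b"lab-net" + bytes([1, 4, 0x82, 0x84, 0x8b, 0x96])
    body += bytes([3, 1, 6]) + bytes([48, len(rsn)]) + rsn
    frame = hdr + body
    return frame + struct.pack("<I", zlib.crc32(frame))
```

The length check in parse_ies is the part worth copying: IEs come from untrusted radio frames, and a length byte that points past the end of the body is exactly the input a malformed-beacon fuzzer produces.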
MAC management services
Scanning: For a station to begin communication it must first locate APs or other stations.
•Passive scanning: Involves only listening for 802.11 Beacons
•Active scanning: Requires the scanning station to transmit Probe Requests and elicit Probe Responses from other stations and/or APs
Authentication: Exchange of proof of identity.
•Shared key: Challenge-response mechanism based on the shared WEP key (the challenge and its encrypted response reveal keystream to an eavesdropper, so it is weaker than open system)
•Open system authentication: Null authentication; with WPA/WPA2 the real authentication happens afterwards (802.1X/EAP or the PSK handshake)
MAC management services
Association:
•The process of a mobile station connecting to an AP within a BSS
•This lets the network know the station's current position in the ESS
Privacy:
•The need for secure communications is strong when the wireless medium is used
•The IEEE 802.11 Wired Equivalent Privacy (WEP) mechanism was designed to provide a protection level perceived as equivalent to that of a wired LAN
•However, WEP has turned out to be deeply flawed. It is advisable to use WPA2; WPA (TKIP) only as a fallback for legacy devices
IEEE 802.11n
Standard to improve network throughput over the previous standards 802.11a and 802.11g.
Increase in the maximum data rate from 54 Mb/s to 600 Mb/s (four spatial streams in a 40 MHz channel)
Adds MIMO (Multiple Input and Multiple Output)
MIMO is a technology which uses multiple antennas to coherently resolve more information than is possible using a single antenna
MIMO transmits and receives with multiple radios simultaneously in the same spectrum
Multiple independent data streams are sent between the transmit and receive antennas to deliver more bits in the specified bandwidth
[Figure: MIMO transmitter (bits -> DSP -> several radios) and receiver (several radios -> DSP -> bits) sharing one channel]
MIMO (cont..)
Number of antennas is written a x b : c (a transmit antennas, b receive antennas, c spatial streams)
Functions of MIMO:
Precoding (multi-stream beamforming): In beamforming, the same signal is emitted from each of the transmit antennas with appropriate phase (and sometimes gain) weighting such that the signal power is maximized at the receiver input. The benefits of beamforming are to increase the received signal gain, by making the signals emitted from different antennas add up constructively, and to reduce the multipath fading effect.
Spatial Multiplexing (SM): A high-rate signal is split into multiple lower-rate streams and each stream is transmitted from a different transmit antenna in the same frequency channel. If these signals arrive at the receiver antenna array with sufficiently different spatial signatures, the receiver can separate these streams into parallel channels. Spatial multiplexing is a very powerful technique for increasing channel capacity at higher signal-to-noise ratios (SNR). The maximum number of spatial streams is limited by the lesser of the number of antennas at the transmitter or receiver.
Diversity coding: Used when there is no channel knowledge at the transmitter. There is no beamforming or array gain; the same data is sent redundantly over the antennas to improve reliability.
Wi-Fi Security Threats
Wireless technology doesn't remove any old security issues, but introduces new ones:
•Eavesdropping
•Man-in-the-middle attacks
•Denial of Service
Eavesdropping
Easy to perform, almost impossible to detect (a receiver emits nothing)
By default, everything is transmitted in clear text: usernames, passwords, content ... No security is offered by the transmission medium itself
Different tools are available on the internet: network sniffers, protocol analysers, password collectors
With the right equipment (a directional antenna), it is possible to eavesdrop on traffic from a few kilometers away
MITM Attack
The attacker spoofs a disassociation (or deauthentication) message between the victim and the real AP
The victim starts to look for a new access point, and the attacker advertises his own AP on a different channel, using the real AP's MAC address and SSID
The attacker connects to the real AP using the victim's MAC address and relays traffic in both directions, reading or modifying it on the way
Denial of Service
Attack on the transmission frequency used: frequency jamming. Not very technical, but it works
Attack on the MAC layer: spoofed deauthentication / disassociation messages can target one specific user (management frames carry no authentication in 802.11 unless 802.11w protected management frames are in use)
Attacks on higher layer protocols (TCP/IP)
Wi-Fi Security
The requirements for Wi-Fi network security can be broken down into two primary components of authentication:
•User Authentication
•Server Authentication
Authentication
Keeping unauthorized users off the network
User Authentication: an Authentication Server is used; username and password
Risk: data (username & password) sent before a secure channel is established is prone to passive eavesdropping by an attacker
Solution: establish an encrypted channel (a TLS tunnel, as PEAP and EAP-TTLS do) before sending the username and password
Authentication (cont..)
Server Authentication: a digital certificate is used; validation of the digital certificate occurs automatically within the client software. The client must check that the certificate chains to a trusted CA and names the expected server, otherwise a rogue AP presenting its own certificate can collect credentials.
A server (or individual) wishing to prove its identity applies for a digital certificate from a Certificate Authority (CA).
The CA issues a signed digital certificate containing the applicant's public key and a variety of other identification information.
Wi-Fi Security Techniques
•Service Set Identifier (SSID)
•Wired Equivalent Privacy (WEP)
•Wi-Fi Protected Access (WPA, WPA2)
Service Set Identifier (SSID)
The SSID is used to identify an 802.11 network. All wireless devices on a WLAN must employ the same SSID in order to communicate with each other. The SSID on wireless clients can be set either manually, by entering the SSID into the client network settings, or automatically, by leaving the SSID unspecified or blank (the client then joins any network it finds). A network administrator often uses a public SSID that is set on the access point and broadcast to all wireless devices in range. Some newer wireless access points disable the automatic SSID broadcast in an attempt to improve network security, but the SSID still appears in clear text in probe requests and responses.
SSIDs are case-sensitive strings of up to 32 bytes (usually printable characters).
The BSSID identifies a unique BSS. In an infrastructure BSS, the BSSID is the MAC address of the wireless access point (WAP). In an IBSS, the BSSID is a locally administered MAC address generated from a 46-bit random number.
The SSID is transmitted in clear text, so it provides very little security: software like Kismet discovers even non-broadcast SSIDs.
Wired Equivalent Privacy (WEP)
Intended to provide the same level of security as a wired network
Original security solution offered by the IEEE 802.11 standard
Uses RC4 encryption with pre-shared keys and 24-bit initialization vectors (IV)
The RC4 key is generated by concatenating the 24-bit IV, sent in clear in each frame, with the shared secret key
WEP (cont..)
64-bit key (40-bit secret + 24-bit IV): WEP
128-bit key (104-bit secret + 24-bit IV): marketed as WEP2 or WEP-128
Encrypts data only between 802.11 stations; once a frame enters the wired side of the network (beyond the access point) WEP no longer applies
Security issues with WEP:
•Short IV: only 2^24 values, so keystream reuse is unavoidable on a busy network
•Static key: the same secret is shared by every station and rarely changed
•The ICV is a CRC-32, which is linear, so an encrypted frame can be modified without detection
•Offers very little security at all: the key can be recovered from captured traffic
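WEP as described above, with the two flaws in the list made concrete, as an added example (not code from the original deck): RC4 keyed with IV || secret over the payload plus its CRC-32 ICV, then (a) two frames sent under the same IV leak each other's plaintext, and (b) because CRC-32 is linear an attacker can flip chosen payload bits and patch the encrypted ICV so the frame still verifies. RC4 is implemented inline for self-containment; the secret key, IV and HTTP-looking plaintexts are made up.

```python
import struct
import zlib


def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                        # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV(3) || key id(1) || RC4_{IV||secret}(plaintext || ICV)."""
    assert len(iv) == 3
    icv = struct.pack("<I", zlib.crc32(plaintext))
    keystream = rc4(iv + secret, len(plaintext) + 4)
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(plaintext + icv, keystream))


def wep_decrypt(secret: bytes, body: bytes) -> bytes:
    """Strip the IV, decrypt, check the ICV; raise on mismatch."""
    iv, ct = body[:3], body[4:]
    pt = bytes(c ^ k for c, k in zip(ct, rc4(iv + secret, len(ct))))
    data, icv = pt[:-4], struct.unpack("<I", pt[-4:])[0]
    if zlib.crc32(data) != icv:
        raise ValueError("ICV mismatch")
    return data


def recover_with_iv_reuse(body1: bytes, body2: bytes, known_pt1: bytes) -> bytes:
    """Same IV => same keystream, so C1 xor C2 = P1 xor P2; a known P1 gives P2
    without the key. The 24-bit IV makes such collisions routine."""
    assert body1[:3] == body2[:3], "attack needs an IV collision"
    c1, c2 = body1[4:], body2[4:]
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_pt1))


def flip_bits_undetected(body: bytes, delta: bytes) -> bytes:
    """Return a body that decrypts to P xor delta with a valid ICV.
    CRC-32 is affine over GF(2): crc(P ^ D) = crc(P) ^ crc(D) ^ crc(0...0),
    so the encrypted ICV can be patched without knowing P or the key."""
    ct = body[4:]
    n = len(ct) - 4                              # payload length without the ICV
    d = delta.ljust(n, b"\x00")
    icv_delta = zlib.crc32(d) ^ zlib.crc32(bytes(n))
    mask = d + struct.pack("<I", icv_delta)
    return body[:4] + bytes(c ^ m for c, m in zip(ct, mask))
```

Neither attack touches the key: keystream reuse needs one IV collision, and the ICV patch needs only the offset of the bytes to change, which is why TKIP replaced the CRC with a keyed MIC and why a 24-bit IV cannot be rescued by a longer secret.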
Wi-Fi Protected Access (WPA)
Developed by the Wi-Fi Alliance to secure wireless computer networks.
WPA is based on a draft of the IEEE 802.11i standard, so that it could ship as a firmware upgrade for WEP hardware before 802.11i was final.
TKIP (Temporal Key Integrity Protocol) encryption
TKIP employs a per-packet key (a new 128-bit RC4 key for each packet, mixed from the temporal key, the transmitter address and a 48-bit sequence counter) and thus prevents the types of attacks that compromised WEP.
Uses a Message Integrity Check algorithm called Michael to verify the integrity of the packets, which is much stronger than the CRC used in WEP.
MIC (Message Integrity Check)
The MIC is part of the draft standard from the IEEE 802.11i working group.
The MIC is an additional 8-byte field placed after the data portion of an 802.11 (Wi-Fi) frame and before the 4-byte ICV (Integrity Check Value).
The MIC has a function very similar to the older ICV. However, the ICV only protects the packet payload. The MIC protects both the payload and the header (destination address, source address and priority).
The algorithm which implements the MIC is known as Michael. TKIP also carries a per-frame sequence counter (TSC) in the IV field, which lets the receiver discard replayed frames.
Michael is a lightweight keyed function designed to run on WEP-era hardware; because it can be forged with modest effort, TKIP adds countermeasures: after two MIC failures within a minute the station stops and rekeys.
Some analysts refer to the MIC as a component of TKIP.
WPA2
Based on the Robust Security Network (RSN) mechanism of the final IEEE 802.11i standard; AES-CCMP encryption is mandatory, with TKIP optional for legacy clients.
Strong encryption and authentication support for infrastructure and ad-hoc networks (WPA is limited to infrastructure networks).
Reduced overhead in key derivation during the wireless LAN authentication exchange.
Support for opportunistic key caching to reduce the overhead in roaming between access points.
Support for pre-authentication, where a station completes the IEEE 802.1X authentication exchange with the next AP before roaming to it.
RADIUS & EAP
Remote Authentication Dial-In User Service (RADIUS) is a networking protocol that provides centralized Authentication, Authorization, and Accounting (AAA) management for computers connecting to and using a network service. RADIUS was developed by Livingston Enterprises, Inc., in 1991 as an access server authentication and accounting protocol and was later brought into the Internet Engineering Task Force (IETF) standards (RFC 2865 and RFC 2866).
When a user connects, the NAS (in Wi-Fi, the access point) sends a RADIUS Access-Request message to the AAA server, relaying information like the user's name and password (the password hidden under the RADIUS shared secret), the type of connection (port), the NAS identity, and a Message-Authenticator.
The AAA server tries to find the user's name in its database. It then applies the password and perhaps other attributes carried in the Access-Request to decide whether access should be granted to this user.
RADIUS & EAP (cont..)
The AAA server may return a RADIUS Access-Challenge message that carries a random number (or an EAP Request); the NAS relays it to the user and sends the user's answer back to the AAA server inside another RADIUS Access-Request message.
If the AAA server is satisfied that the user is authentic and authorized to use the requested service, it returns a RADIUS Access-Accept message (for 802.1X, carrying the keying material the AP needs). If not, the AAA server returns a RADIUS Access-Reject message and the NAS disconnects the user.
When an Access-Accept message is received and RADIUS Accounting is enabled, the NAS sends a RADIUS Accounting-Request (Start) message to the AAA server.
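The Access-Request exchange described above, as an added example (not code from the original deck): the NAS side builds the packet with the User-Password hidden under the shared secret (RFC 2865 section 5.2) and a Message-Authenticator (HMAC-MD5 over the packet, RFC 3579), and the server side verifies the authenticator, recovers the password and answers Accept (code 2) or Reject (code 3). The shared secret, user name, password, NAS-Identifier and Request Authenticator are constructed values; a real NAS draws the Request Authenticator from a CSPRNG.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_ID, ATTR_MSG_AUTH = 1, 2, 32, 80


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, c_i = p_i xor MD5(secret || c_{i-1})
    with c_0 = Request Authenticator. This is obfuscation under the shared
    secret, not encryption with a per-user key."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        cipher = bytes(p ^ k for p, k in zip(padded[i:i + 16], block))
        out += cipher
        prev = cipher
    return out


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password, as the AAA server computes it."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return bytes([kind, 2 + len(value)]) + value


def build_access_request(secret: bytes, ident: int, req_auth: bytes,
                         user: bytes, password: bytes, nas_id: bytes) -> bytes:
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
             + attr(ATTR_NAS_ID, nas_id)
             + attr(ATTR_MSG_AUTH, bytes(16)))          # zeroed while signing
    pkt = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()   # RFC 3579 3.2
    return pkt[:-16] + mac


def parse_attrs(pkt: bytes):
    """Return {type: value} and the offset of the Message-Authenticator value."""
    attrs, off, ma_off = {}, 20, None
    while off + 2 <= len(pkt):
        kind, ln = pkt[off], pkt[off + 1]
        if ln < 2 or off + ln > len(pkt):
            raise ValueError("malformed attribute")
        if kind == ATTR_MSG_AUTH:
            ma_off = off + 2
        attrs[kind] = pkt[off + 2:off + ln]
        off += ln
    return attrs, ma_off


def server_check(secret: bytes, pkt: bytes, users: dict) -> int:
    """AAA-server side: check Message-Authenticator, recover the password,
    return ACCESS_ACCEPT or ACCESS_REJECT."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length != len(pkt):
        raise ValueError("not a well-formed Access-Request")
    req_auth = pkt[4:20]
    attrs, ma_off = parse_attrs(pkt)
    if ma_off is None:
        return ACCESS_REJECT                     # policy: require the authenticator
    zeroed = pkt[:ma_off] + bytes(16) + pkt[ma_off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(expected, attrs[ATTR_MSG_AUTH]):
        return ACCESS_REJECT
    password = reveal_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    user = attrs.get(ATTR_USER_NAME, b"")
    if user in users and hmac.compare_digest(users[user], password):
        return ACCESS_ACCEPT
    return ACCESS_REJECT
```

Two practical points follow from the code: the password is protected only by MD5 and the shared secret, so the NAS-to-server path must itself be trusted (and the secret long and random), and the Message-Authenticator is what stops a forged or modified request being accepted, which is why a server should require it rather than treat it as optional.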
RADIUS (cont..)
Extensible Authentication Protocol (EAP)
Extensible Authentication Protocol (EAP): an authentication framework (RFC 3748) that carries specific authentication methods; EAP itself does not encrypt, but methods such as EAP-TLS derive the keys that the link layer then uses.
In EAP the party demanding proof of identity is called the authenticator and the party being authenticated is called the supplicant. In Wi-Fi the STA is the supplicant (EAP carried in EAPOL frames) and the AP is the authenticator, which relays the EAP packets to the RADIUS server (EAP over RADIUS).
Defines four types of packets: Request, Response, Success and Failure. Request packets are issued by the authenticator and solicit a Response packet from the supplicant.
If the authentication is successful, a Success packet is sent to the supplicant; if not, a Failure packet is sent.
EAP types (cont..)
EAP-TLS (Extensible Authentication Protocol - Transport Layer Security): based on the Transport Layer Security (TLS) protocol, which uses public key cryptography for mutual authentication and for negotiating the keys used to protect the session.
EAP-TLS requires a certificate for every user, so it is practical only for organizations with a Certificate Authority (CA) that issues user certificates; as such, although it offers excellent security, it is less widely deployed.
Two further EAP types, Protected EAP (PEAP) and EAP-TTLS (Tunneled TLS), work around this problem. Both also use TLS for server authentication and encryption, but avoid the need for user certificates by running a second authentication protocol between the supplicant and the server inside the TLS tunnel.
The main difference between the two is that PEAP can only protect other EAP types (typically EAP-MSCHAPv2), whereas TTLS can protect almost any authentication protocol (PAP, CHAP, MS-CHAP or an EAP method).
Acknowledgements
Sources of material:
•802.11® Wireless Networks: The Definitive Guide - Matthew Gast
•802.11 Wireless LAN Fundamentals, Cisco Press - Pejman Roshan, Jonathan Leary
Thank You