Discover how using the IEEE standards approach plugs vulnerabilities and thwarts attacks.
By Kapil Sood and Mathew Eszenyi
The rapid proliferation of 802.11 wireless networks creates a continual need to address security concerns. Currently the security of data packets has been addressed by 802.11i; however, the protection of wireless network management frames was neglected until the advent of 802.11w. 802.11w is a set of security mechanisms that leverages the preexisting framework offered by 802.11i, providing networks with protection against numerous potential denial-of-service attacks. Fortunately, vendors and contributors to the 802.11w specification all see the necessity of protecting wireless management frames, and are expeditiously completing an easy-to-deploy solution that builds upon the predominant 802.11i security standard technology.
Management Frame Security
IEEE 802.11 management frames provide the Data Link layer (Layer 2 of the OSI 7 layer model) signaling of management commands between the IEEE 802.11 Access Point (AP) and Stations (STA). In a typical IEEE 802.11 WLAN, management commands are communicated between various WLAN devices to ensure proper operation. Advanced WLAN applications like voice and video quality of service (QoS), fast roaming, and network management are increasingly using management frames. These management frames are currently insecure and susceptible to exploits. Protecting management traffic is now a key security requirement from WLAN Enterprise IT and operators.
A security design for protecting IEEE 802.11 Wireless LANs (WLANs) management traffic is currently under consideration at the IEEE 802.11 Task Group ‘w’ (TGw). The recently ratified IEEE 802.11i security standard provides data confidentiality and integrity security services for IEEE 802.11 Layer 2 data frames. TGw extends the security algorithms and key management of 802.11i to secure both unicast and multicast management traffic, and helps ensure reliable and protected administration of WLANs.
Threats and Vulnerabilities
Proper functioning of Enterprise and operator-deployed 802.11 APs and STAs requires that management frames are transmitted with certain security properties. Guarantees of source authentication, which ensures that the receiver can detect forgery attacks; confidentiality, which prevents eavesdropping attacks; and integrity protection, which prevents in-flight modification of messages, are all very important. Without these assurances, multiple attacks can be launched against IEEE 802.11 WLANs, for instance:
- Forged Disconnects: An attacker can disconnect authorized users from the WLANs by sending forged disassociate messages.
- MAC State Machine Corruption: Management frames drive transitions of the internal state machines in 802.11 WLAN APs and STAs. Incorrectly sequenced or forged management messages can cause WLAN devices to lock up or enter an inconsistent state.
- Unauthorized Service Corruption: Attackers can forge messages to prevent authorized users from gaining access to a network service; for instance, a certain QoS for its voice application.
An attack is illustrated as follows: In a WLAN with unprotected management frames, forged disconnects can occur when an attacker sends the “Disassociate” message to a valid user on behalf of the AP to which that user is connected. The user may have executed complete WPA2 authentication, but since the “Disassociate” management message is unprotected, an attacker can easily launch such attacks. In a slight variation of this attack, an attacker can send a broadcast “Disassociate” management message to all connected users, on behalf of the AP, which can cause all users to immediately disconnect, causing widespread disruption of service.
Security Architecture and Protocol
One of the fundamental design requirements of IEEE 802.11w was to facilitate a security design that builds upon the strengths of the recently ratified security protocol in IEEE 802.11i, which mandated use of CCMP (Counter with CBC-MAC Protocol) and TKIP (Temporal Key Integrity Protocol), standardized by the WiFi Alliance as WiFi Protected Access (WPA and WPA2) for enterprise and operator deployments.
IEEE 802.11w makes WLANs security-ready for advanced services by:
- Protecting unicast management frames from outside forgery and disclosure attacks
- Protecting broadcast management frames from outside forgery attacks
- Protecting broadcast disassociate from insider forgery attacks
The protocol for securing management frames uses separate sequence counters to prevent replay attacks, in which an attacker captures a legitimate message and later delivers it to the recipient, possibly multiple times.
The 802.11w protocol also includes the management frame header in message-integrity checks, which prevents forgeries of the message type and prevents state machine corruption. The 802.11w security protocol encrypts the unicast management frame body to prevent unintended disclosures of sensitive system parameters.
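To make the receiver-side checks concrete, here is an added example (not code from the article or from the 802.11w draft) that models the three properties just described and the forged "Disassociate" scenario from the Threats section: a MIC that covers the frame header as well as the body, separate replay counters for unicast and broadcast frames, and rejection of any protected-subtype frame that arrives without a valid MIC. The frame layout, the `ROBUST` subtype set and the use of truncated HMAC-SHA256 in place of the real AES-based CCMP/BIP MICs are simplifications assumed for illustration; encryption of the unicast body is not modeled.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass

BCAST = "ff:ff:ff:ff:ff:ff"
MIC_LEN = 8
# Constructed subset of management subtypes that the protection applies to.
ROBUST = {"disassoc", "deauth", "action"}

@dataclass
class MgmtFrame:
    subtype: str    # e.g. "disassoc"
    src: str        # transmitter address (the AP in the article's scenario)
    dst: str        # receiver address, or BCAST for broadcast frames
    pn: int         # replay counter (PN for unicast, IPN for broadcast in 802.11w)
    body: bytes
    mic: bytes = b""

def compute_mic(key: bytes, frame: MgmtFrame) -> bytes:
    # Stand-in for the AES-based MICs (CCMP / BIP AES-128-CMAC): truncated
    # HMAC-SHA256 over the header fields AND the body, so changing the
    # subtype or addresses invalidates the MIC just as body tampering does.
    hdr = f"{frame.subtype}|{frame.src}|{frame.dst}".encode()
    msg = hdr + struct.pack(">Q", frame.pn) + frame.body
    return hmac.new(key, msg, hashlib.sha256).digest()[:MIC_LEN]

def protect(key: bytes, frame: MgmtFrame) -> MgmtFrame:
    frame.mic = compute_mic(key, frame)
    return frame

class Receiver:
    """Station-side checks: MIC over header+body, then per-counter replay test."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_pn = {}   # separate counters per (transmitter, unicast/broadcast)

    def accept(self, frame: MgmtFrame):
        if frame.subtype not in ROBUST:
            return True, "not a protected subtype"
        if not frame.mic:
            return False, "unprotected frame of a protected subtype"
        if not hmac.compare_digest(frame.mic, compute_mic(self.key, frame)):
            return False, "bad MIC"          # forged, or header/body tampered
        ctr = (frame.src, frame.dst == BCAST)
        if frame.pn <= self.last_pn.get(ctr, -1):
            return False, "replay"
        self.last_pn[ctr] = frame.pn
        return True, "ok"
```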
A common security design for data and management is desired to also allow for easier field upgrades over existing WPA and WPA2 deployments. In addition, the overlay solution for management security does not require any additional security configuration and settings, besides the ones that enable management security in the network.
Ease of Deployment
A common concern among owners of wireless network infrastructure is the complexity of deployment and resources required to make the necessary changes. However, with the consideration of legacy networks and the use of the preexisting 802.11i framework, wireless network owners can choose from a variety of flexible migration paths that are applicable to their deployment, as demonstrated in Figure 1.
Figure 1: IEEE 802.11w Migration Flow
Deployment of IEEE 802.11w in the enterprise can be phased in, with both 802.11w-enabled and legacy (non-802.11w enabled) devices coexisting. The capability negotiation within this security protocol, therefore, allows enterprise managers to gradually convert all non-802.11w enabled devices to be enabled for 802.11w on their schedule and based on their roadmap.
The use of preexisting security mechanisms provides easy hooks for systems integrators and equipment manufacturers to implement 802.11w.
The IEEE 802.11w security design work is moving at a rapid pace through the stages of the IEEE development process. TGw delivered a first draft within 12 months of inception, and the draft is expected to go to IEEE Working Group Letter Ballot in Summer 2006, which means a thorough review by over 600 members of IEEE 802.11.
Once the IEEE protocol draft is stable, it is expected that the WiFi Alliance will initiate work in parallel to certify and test interoperability among various vendors' products. It is expected that 802.11w-compliant systems will be ready for enterprise deployment in the 2007 timeframe.
IEEE 802.11w is a security protocol under development for protecting WLAN management frames, and closes the security gaps that were not addressed by the IEEE 802.11i (WPA/WPA2) protocol. Encryption and integrity protection of management frames prevents multiple attacks that could otherwise be launched. The development of this protocol within IEEE is rapidly progressing to meet market demand, and industry is expected to ship IEEE 802.11w-compliant products in 2007. Wireless network owners can now start planning their painless migration paths to protect the management frames of their voice, video and data WLANs.
About the Authors
Kapil Sood serves as a Security Architect for Intel Labs, driving strategic mobile and industry enabling standards and platform technologies. He is a key contributor at IEEE 802.11 WLAN standards for Management Frames Protection (TGw), Secure Fast Roaming (TGr), and at the WiFi Alliance and IETF. Kapil has earned an MS (CS), MBA, and BS (CS), and has multiple patents, papers, and open-source contributions.
Mathew S. Eszenyi is a Senior Technical Marketing Engineer in Intel’s Communications Technology Lab, part of the Corporate Technology Group. He is responsible for technical and strategic positioning to Intel’s Mixed Wireless Networks Initiative. Mathew has been with Intel since 1999. Prior to joining Intel, he worked for Epson and Gateway in Enterprise Networking. Mathew has earned a BS in Economics, an MBA, numerous industry certifications, and Cisco’s CCNA and Sun’s SCSA.