802.

11 Layer 2
Dynamic Encryption
Key Generation
 802.11 Layer 2 Dynamic Encryption
Key Generation
• Dynamic WEP
• Robust Security Network (RSN)
• RSN Information Element
• Authentication and Key Management (AKM)
• RSNA Key Hierarchy
• 4‐Way Handshake
• Group Handshake
• Peer Key Handshake
• TDLS Peer Key Handshake
• Passphrase‐to‐PSK Mapping
• Roaming and Dynamic Keys
Advantages of Dynamic Encryption
• EAP - TLS, EAP - TTLS, EAP - FAST, EAP - LEAP, and all versions
of PEAP utilize mutual authentication and can provide the
seeding material needed for dynamic encryption key
generation.
• The use of static keys is typically an administrative nightmare.
• Dynamic Keys cannot be compromised by social engineering
attacks because the users have no knowledge of the keys.
• Every user has a different and unique key. If a single user ’ s
encryption key was somehow compromised, none of the
other users would be at risk because every user has a unique
key.
 Dynamic WEP encryption
• Dynamic WEP is a nonstandard and legacy encryption solution
that was mostly used with autonomous access points prior to
the widespread use of WLAN controllers.
• After an EAP frame exchange where mutual authentication is
required, both the authentication server and the supplicant
now have information about each other due to the mutual
authentication exchange of credentials.
• These dynamic keys are generated per session per user ,
meaning that every time a supplicant authenticates, a new key
is generated and every user has a unique and separate key.
 Dynamic WEP encryption
• This dynamic session key is often referred to as the unicast
key because it is the dynamically generated key that is used
to encrypt and decrypt all unicast 802.11 data frames.
• After the unicast key is created, the authentication server
delivers its copy of the unicast key encapsulated inside a
RADIUS packet to the authenticator.
• A second key exists on the access point known as the
broadcast key .
• The broadcast key is used to encrypt and decrypt all
broadcast and multicast 802.11 data frames.
• Each client station has a unique and separate unicast key, but
every station must share the same broadcast key.
Dynamic WEP
 Robust Security Network (RSN)
• The 802.11 - 2007 standard defines what is known as a
robust security network (RSN) and robust security network
associations (RSNAs).
• A security association is a set of policies and keys used to
protect information.
• A robust security network association (RSNA) requires two
802.11 stations (STAs) to establish procedures to
authenticate and associate with each other as well as create
dynamic encryption keys through a process known as the 4 -
Way Handshake .
• CCMP/AES encryption is the mandated encryption method,
while TKIP/RC4 is an optional encryption method.
 Robust Security Network (RSN)
• When RSN security associations are used within a
BSS, all of the client station radios have unique
encryption keys that are shared with the radio of
the access point.
• This key is called the pairwise transient key (PTK)
and is used to encrypt/decrypt unicast traffic.
• All the stations share a broadcast key called the
group temporal key (GTK), which is used to
encrypt/decrypt all broadcast and multicast traffic.
Robust Security Network (RSN)
 RSN
• A robust security network (RSN) is a network
that allows for the creation of only robust
security network associations (RSNAs).
• In other words, a basic service set (BSS) where
all the stations are using only TKIP/RC4 or
CCMP/AES dynamic keys for encryption would
be considered an RSN.
• Robust security only exists when all devices in
the service set use RSNAs.
RSN
 RSN
• Each WLAN has a logical name (SSID) and each WLAN BSS
has a unique Layer 2 identifier, the basic service set
identifier (BSSID).
• The BSSID is typically the MAC address of the access point’s
radio card if only one SSID is being transmitted. However,
most WLAN vendors offer the capability to transmit
multiple SSIDs from an access point radio.
• If multiple SSIDs are transmitted from the same AP radio,
multiple BSSIDs are also needed. As shown in Figure, the
multiple BSSIDs are effectively virtual MAC addresses that
are incremented or derived from the actual physical MAC
address of the AP radio.
Robust Security Network (RSN)
 RSN Information Element
• RSN security can be identified by a field found in
certain 802.11 management frames.
• This field is known as the robust security network
information element (RSNIE) and is often referred to
simply as the RSN information element.
• The RSN information element can identify the
encryption capabilities of each station. The RSN
information element will also indicate whether
802.1X/EAP authentication or preshared key (PSK)
authentication is being used.
 RSN Information Element
• The RSN information element field is always found in
four different 802.11 management frames: beacon
management frames, probe response frames, association
request frames, and reassociation request frames.
• When stations roam from one access point to another
access point, they use the reassociation request frame to
inform the new access point of the roaming client
station’s security capabilities. The security capabilities
include supported encryption cipher suites and
supported authentication methods.
The RSN Information Element
Authentication and Key Management (AKM)

• The 802.11-2012 standard defines authentication

and key management (AKM) services.
• AKM services consist of a set of one or more
algorithms designed to provide authentication
and key management
• An authentication and key management protocol
(AKMP) can be either a preshared key (PSK) or an
EAP protocol used during 802.1X authentication.
 AKM
• When an 802.1X/EAP authentication solution is used,
AKM operations include the following:
• Secure Channel The 802.11 - 2007 standard makes the
assumption that the authenticator and authentication
server (AS) have established a secure channel.
• Discovery A client station discovers the access point ’ s
security requirements by passively monitoring for
beacon frames or through active probing. The access
point ’ s security information can be found in the RSN
information element field inside beacon and probe
response frames.
 AKM
• Authentication the authentication process
starts when the AP ’ s authenticator sends an
EAP - Request or the client station supplicant
sends an EAPOL – Start message. EAP
authentication frames are then exchanged
between the supplicant and authentication
server via the authenticator ’ s uncontrolled
port.
 AKM
• Master Key Generation the supplicant and authentication server
generate a master encryption key called the pairwise master key
(PMK). The PMK is sent from the authentication server to the
authenticator over the secure channel described earlier. The
controlled port is still blocked.
• Temporal Key Generation and Authorization a 4 - Way
Handshake frame exchange between the supplicant and the
authenticator utilizing EAPOL – Key frames is used to generate
temporary encryption keys that are used to encrypt and decrypt
the MSDU payload of 802.11 data frames. Once the temporal
keys are created and installed, the controlled port of the
authenticator opens, and the supplicant can then send encrypted
802.11 data frames through the controlled port onward to
network resources.
Authentication and Key Management (AKM)
Authentication and Key Management (AKM)
Discovery Component
Authentication and Key Management (AKM)
Authentication and Master Key Generation
Authentication and Key Management (AKM)
Temporal key generation and authorization
 RSNA Key Hierarchy
• Five keys make up a top-to-bottom hierarchy
that is needed to establish a final robust security
network association (RSNA).
• One set of keys is considered to be group keys,
which are keys that are used to protect multiple
destinations.
• Another set of keys is considered to be pairwise .
A pairwise relationship can be defined as two
entities that are associated with each other.
RSNA Key Hierarchy
 Master Session Key (MSK)
• At the top of the RSNA key hierarchy is the master
session key (MSK), which is also sometimes referred to
as the AAA key.
• The MSK is generated either from an 802.1X/EAP
process or is derived from PSK authentication.
• The MSK is at least 64 octets in length.
• After the creation of the MSK as a result of 802.1X/EAP,
two master keys are created.
• The MSK seeding material is then used to create a
master key called the pairwise master key (PMK) .
 Master Keys
• The pairwise master key (PMK) is derived from the MSK seeding
material.
• The PMK is simply computed as the first 256 bits (bits 0 – 255) of the
MSK.
• PMK resides on both the supplicant and the authentication server.
• When 802.1X/EAP is used, every client’s PMK is unique to that
individual client.
• A PMK is installed on both the supplicant, and the authenticator.
• Another master key, called the group master key (GMK), is randomly
created on the access point/authenticator.
• The master keys are now the seeding material for the 4 - Way
Handshake process.
• The 4 – Way Handshake process is used to create the keys that are used
to encrypt and decrypt data.
 Master Keys
• The keys generated from the 4 - Way Handshake
are called the pairwise transient key (PTK) and the
group temporal key (GTK).
• The pairwise master key (PMK) is used to create the
pairwise transient key (PTK), and the group master
key (GMK) is used to create the group temporal key
(GTK).
• The master keys are used to produce the temporal
keys that are used to encrypt 802.11 data frames.
Master Keys
 Temporal Keys
• The pairwise transient key (PTK) is used to encrypt all unicast
transmissions between a client station and an access point.
• The group temporal key (GTK) is used to encrypt all broadcast
and multicast transmissions between the access point and
multiple client stations.
• The PTK is composed of three sections
- Key Confirmation Key (KCK), as the name implies, is used to
prove the possession of the PMK and to bind the PMK to the AP.
- Key Encryption Key (KEK) is used to distribute the Group
Transient Key (GTK).
- Temporal Key 1 & 2 (TK1/TK2) are used for encryption. Usage of
TK1 and TK2 is ciphersuite-specific.
• PTK/GTKs used for encryption are either CCMP/AES or TKIP/RC4
as defined by the 802.11 - 2007 standard.
Temporal Keys
Group Temporal Key (GTK)
 4‐Way Handshake
• The 4‐Way Handshake is a final process used to generate pairwise
transient keys for encryption of unicast transmissions and a group
temporal key for encryption of broadcast/multicast transmissions.
• The 4‐Way Handshake uses four EAPOL‐Key frame messages
between the authenticator and the supplicant for six major
purposes:
■ Confirm the existence of the PMK at the peer station.
■ Ensure that the PMK is current.
■ Derive a new pairwise transient key (PTK) from the PMK.
■ Install the PTK on the supplicant and the authenticator.
■ Transfer the GTK from the authenticator to the supplicant and
install the GTK on the supplicant and, if necessary, the authenticator.
■ Confirm the selection of the cipher suites.
 4‐Way Handshake
• The 4 - Way Handshake uses pseudo-random functions.
• Some of the other inputs used by the pseudo - random function are called nonces. A
nonce is a random numerical value that is generated one time only.
• The 4 - Way Handshake consists of the following steps:
• 4 - Way Handshake Message 1 The authenticator and supplicant each randomly
create their respective nonces. The authenticator sends an EAPOL - Key frame
containing an Anonce to the supplicant. The supplicant now has all the necessary
inputs for the pseudo–random function. The supplicant derives a PTK from the PMK,
ANonce, SNonce, and MAC addresses. The supplicant is now in possession of a
pairwise transient key that can be used to encrypt unicast traffic.
• 4 - Way Handshake Message 2 The supplicant sends an EAPOL - Key frame
containing an SNonce to the authenticator. The authenticator now has all the
necessary inputs for the pseudo - random function. The supplicant also sends its
RSN information element capabilities to the authenticator and a message integrity
code (MIC). The authenticator derives a PTK from the PMK, ANonce, SNonce, and
MAC addresses. The authenticator also validates the MIC. The authenticator is now
in possession of a pairwise transient key that can be used to encrypt unicast traffic.
 4‐Way Handshake
• 4 - Way Handshake Message 3 If necessary, the authenticator
derives a GTK from the GMK. The authenticator sends an
EAPOL - Key frame to the supplicant containing the ANonce,
the authenticator’s RSN information element capabilities, and a
MIC. The EAPOL - Key frame may also contain a message to the
supplicant to install the temporal keys. Finally, the GTK will be
delivered inside this unicast EAPOL - Key frame to the
supplicant. The confidentiality of the GTK is protected because
it will be encrypted with the PTK.
• 4 - Way Handshake Message 4 The supplicant sends the final
EAPOL - Key frame to the authenticator to confirm that the
temporal keys have been installed.
4‐Way Handshake
 Group Key Handshake

• The 802.11-2012 standard also defines a two-frame

handshake that is used to distribute a new group temporal
key (GTK) to client stations that have already obtained a
PTK and GTK in a previous 4-Way Handshake exchange.
• The Group Key Handshake is identical to the last two
frames of the 4-Way Handshake.
• The authenticator can update the GTK for a number of
reasons. For example, the authenticator may change the
GTK on disassociation or deauthentication of a client
station. WLAN vendors may also offer a configuration
setting to trigger the creation of a new GTK based on a
timed interval.
Group Key Handshake
 Passphrase-to-PSK Mapping
• When a PSK authentication solution is used, AKM
operations include the following:
• Discovery A client station discovers the access point’s
security requirements by passively monitoring for beacon
frames or through active probing. The access point’s
security information can be found in the RSN information
element field inside beacon and probe response frames.
The client station security requirements are delivered to
the AP in association and reassociation frames.
• Negotiation The client STA associates with an AP and
negotiates a security policy. The preshared key (PSK)
becomes the pairwise master key (PMK).
 Passphrase-to-PSK Mapping
• Temporal Key Generation and Authorization The 4 - Way
Handshake exchange between the supplicant and the
authenticator utilizing EAPOL - Key frames is used to generate
temporary encryption keys that are used to encrypt and
decrypt the MSDU payload of 802.11 data frames. Once the
temporal keys are created and installed, the controlled port of
the authenticator opens and the supplicant can now send
traffic through the controlled port onward to network
resources.
• The PSK authentication used during RSNA is often known by
the more common name of WPA - Personal or WPA2 -
Personal.
 Passphrase-to-PSK Mapping
• The PSK is generated using a password-based key generation function
(PBKDF).
• PSK = PBKDF2( PassPhrase , ssid , ssidLength , 4096, 256)
• The PassPhrase is a sequence of between 8 and 63 ASCII - encoded characters.
The limit of 63 is mandated so as to differentiate between an ASCII passphrase
and a PSK that is 64 hexadecimal characters.
• Each character in the passphrase must have an encoding in the range of 32 to
126 (decimal), inclusive.
• ssid is the SSID of the ESS or IBSS where this passphrase is in use, encoded as
an octet string used in the beacon and probe response frames for the ESS or
IBSS.
• ssidLength is the number of octets of the ssid .
• 4096 is the number of times the passphrase is hashed.
• 256 is the number of bits output by the passphrase mapping.