Charles Engelke's Blog

February 26, 2004

Building 802.11i Enabled Equipment

Filed under: RSA 2004 — Charles Engelke @ 5:06 pm

This is a bit of a departure for me, since I don’t intend to build
any equipment, 802.11i or not. However, I hope to gain more insight
into the wireless security standards from listening. Muhammad Raghib
Hussain of Cavium Networks is speaking.

802.11i is a new layer 2 standard for user authentication and
encryption on wireless networks, to address the weaknesses of WEP
(Wired Equivalent Privacy).
The new replacement for WEP, Wireless Protected Access (WPA), is a
subset of 802.11i.

802.11i is intended to address the problems of WEP. It has
key renegotiation to avoid replay attacks, and it supports discovery of
security capabilities. Authentication is EAP (Extensible Authentication
Protocol), which is centrally managed instead of in the access
points. RADIUS is the de facto transport for EAP, and EAP-TLS
is the de facto standard authentication protocol.

Key management is a four way handshake that creates fresh session
keys for each wireless station/access point connection. It guarantees
that there is no man in the middle. Data protection has two
protocols, TKIP for legacy gear, CCMP using AES for others. The
packet payloads are encrypted, and the headers are protected against
modification. And no, I don’t know what TKIP and CCMP stand for.
AES is the advanced encryption standard. Wait! TKIP is temporal
key integrity protocol, a quick fix for WEP’s problems. It still
uses the RC4 encryption algorithm, but changes keys every 10,000
packets. It combines the card’s MAC address with the pre-shared
key to create separate keys for each station.
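The four-way handshake described above, as an added example that is not part of the original post: a simplified Python model following the structure of the 802.11i pairwise key expansion (the pre-shared/pairwise master key, both MAC addresses and both nonces fed through an HMAC-SHA1 PRF), with the first 128 bits of the resulting key used to MIC messages 2 and 3 so each side proves it holds the PMK. Real EAPOL-Key frame layout is not reproduced; the message contents and all key and address values are constructed placeholders.

```python
import hmac
import hashlib
import os

# Label string used by 802.11i for pairwise key expansion.
PAIRWISE_LABEL = b"Pairwise key expansion"


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """PRF in the 802.11i style: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key (384 bits for CCMP). Fresh nonces give a fresh key per connection."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, PAIRWISE_LABEL, data, 48)


def mic(ptk: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC: the first 128 bits of the PTK act as the key confirmation key (KCK)."""
    return hmac.new(ptk[:16], frame, hashlib.sha1).digest()[:16]


def four_way_handshake(pmk_ap, pmk_sta, aa, spa, anonce=None, snonce=None):
    """Simplified model of the exchange (constructed placeholder messages, not real frames).
    Returns (ap_accepts_sta, sta_accepts_ap, ptk_ap, ptk_sta)."""
    anonce = anonce or os.urandom(32)            # message 1: AP -> STA carries ANonce
    snonce = snonce or os.urandom(32)            # message 2: STA -> AP carries SNonce + MIC
    ptk_sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce)
    msg2 = spa + snonce
    mic2 = mic(ptk_sta, msg2)
    ptk_ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce)
    ap_accepts = hmac.compare_digest(mic2, mic(ptk_ap, msg2))    # STA proved it holds the PMK
    msg3 = aa + anonce + b"install"              # message 3: AP -> STA, MIC'd with the AP's PTK
    mic3 = mic(ptk_ap, msg3)
    sta_accepts = hmac.compare_digest(mic3, mic(ptk_sta, msg3))  # AP proved it holds the PMK
    return ap_accepts, sta_accepts, ptk_ap, ptk_sta
```

A station (or access point) that does not hold the PMK derives a different PTK, so its MIC fails and the other side rejects the handshake; that is the "no man in the middle" property the talk refers to.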

WPA is a subset of 802.11i, and is forward compatible with other
parts of 802.11i. Only firmware or drivers should have to be
updated to add this to existing hardware. It adds message integrity
control, and implements EAP authentication, and refreshes keys often.

WPA was announced in late 2002, and certification started early in
2003. It should be generally available on current equipment.

802.11i is WPA version 2. It uses more computationally intensive
protocols, which are too hard to do in software on current hardware.
The AES algorithm needs a security coprocessor in access points.

Now he’s showing lots of hardware diagrams, all filled with undefined
abbreviations, only about half of which are familiar to me. Not a
lot of useful information for me here. Up until now this has been
a good talk from my perspective. But now the slides are not only
often incomprehensible to me, he is showing some of them for less
than five seconds each! It’s turning into an ad for his own
products, trying to overwhelm the viewer with all the complicated
things it does, rather than educate the viewer on what those
complicated things are.