(126) IEEE 802.11i-2004

Reference: https://en.wikipedia.org/wiki/IEEE_802.11i-2004

 

IEEE 802.11i-2004

IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated the broken Wired Equivalent Privacy (WEP); the amendment itself was later incorporated into the published IEEE 802.11-2007 standard.


 

Replacement of WEP

802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have security vulnerabilities. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security Network). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4 stream cipher.[1]


 

Protocol operation

IEEE 802.11i enhances IEEE 802.11-1999 by providing a Robust Security Network (RSN) with two new protocols: the four-way handshake and the group key handshake. These utilize the authentication services and port access control described in IEEE 802.1X to establish and change the appropriate cryptographic keys.[2][3] The RSN is a security network that only allows the creation of robust security network associations (RSNAs), which are a type of association used by a pair of stations (STAs) if the procedure to establish authentication or association between them includes the 4-Way Handshake.[4]


The standard also provides two RSNA data confidentiality and integrity protocols, TKIP and CCMP, with implementation of CCMP being mandatory since the confidentiality and integrity mechanisms of TKIP are not as robust as those of CCMP.[5] The main purpose of TKIP was to have an algorithm that is implementable within the capabilities of most of the old devices supporting only WEP, that is, to preserve compatibility.

The initial authentication process is carried out either using a pre-shared key (PSK), or following an EAP exchange through 802.1X (known as EAPOL, which requires the presence of an authentication server). This process ensures that the client station (STA) is authenticated with the access point (AP). After the PSK or 802.1X authentication, a shared secret key is generated, called the Pairwise Master Key (PMK). The PMK is derived from a password that is put through PBKDF2-SHA1 as the cryptographic hash function. In a pre-shared-key network, the PMK is actually the PSK. If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.


 

Four-way handshake

The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point (AP) and client encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell the access point its PMK.


The PMK is designed to last the entire session and should be exposed as little as possible; therefore, keys to encrypt the traffic need to be derived. A four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through a pseudo-random function. The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic.


The actual messages exchanged during the handshake are depicted in the figure and explained below (all messages are sent as EAPOL-Key frames):

  1. The AP sends a nonce-value (ANonce) to the STA together with a Key Replay Counter, which is a number that is used to match each pair of messages sent, and discard replayed messages. The STA now has all the attributes to construct the PTK.
  2. The STA sends its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC), which also provides authentication and is therefore really a Message Authentication and Integrity Code (MAIC), and with the same Key Replay Counter as Message 1, so that the AP can match it to the right Message 1.
  3. The AP verifies Message 2, by checking MIC, RSN, ANonce and Key Replay Counter Field, and if valid constructs and sends the GTK with another MIC.
  4. The STA verifies Message 3, by checking MIC and Key Replay Counter Field, and if valid sends a confirmation to the AP.

[Figure: The four-way handshake in 802.11i]

The Pairwise Transient Key (64 bytes) is divided into five separate keys:

  1. 16 bytes of EAPOL-Key Confirmation Key (KCK) – Used to compute MIC on WPA EAPOL Key message
  2. 16 bytes of EAPOL-Key Encryption Key (KEK) – AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
  3. 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
  4. 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
  5. 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station

The Group Temporal Key (32 bytes) is divided into three separate keys:

  1. 16 bytes of Group Temporal Encryption Key – used to encrypt/decrypt Multicast and Broadcast data packets
  2. 8 bytes of Michael MIC Authenticator Tx Key – used to compute MIC on Multicast and Broadcast packets transmitted by AP
  3. 8 bytes of Michael MIC Authenticator Rx Key – currently unused as stations do not send multicast traffic

The Michael MIC Authenticator Tx/Rx Keys in both the PTK and GTK are only used if the network is using TKIP to encrypt the data.
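The key hierarchy described above (passphrase to PMK, PMK to PTK, PTK split into KCK/KEK/TK and the Michael keys) and the MIC check of Message 2, as an added example that is not part of the original page. The PRF label `Pairwise key expansion`, the min/max ordering of the inputs, the SSID salt and the 4096 iterations come from the 802.11i standard rather than from the text above; MAC addresses, nonces, passphrases and the frame bytes are constructed sample values.

```python
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-Personal: 256-bit PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    # 802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter) blocks
    out, counter = b"", 0
    while len(out) < nbytes:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]

def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    # Sorting the MACs and nonces lets AP and STA build the identical PRF input
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 64)

def split_ptk(ptk: bytes) -> dict:
    # 64-byte layout as listed on this page; the Michael keys only matter with TKIP
    return {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48],
            "MIC_TX": ptk[48:56], "MIC_RX": ptk[56:64]}

def eapol_mic(kck: bytes, frame_mic_zeroed: bytes) -> bytes:
    # CCMP key descriptor: HMAC-SHA1 over the frame (MIC field zeroed), cut to 16 bytes
    return hmac.new(kck, frame_mic_zeroed, hashlib.sha1).digest()[:16]

def verify_mic(kck: bytes, frame_mic_zeroed: bytes, received_mic: bytes) -> bool:
    return hmac.compare_digest(eapol_mic(kck, frame_mic_zeroed), received_mic)

# Constructed sample values (not from a real capture)
AP_MAC = bytes.fromhex("02aabbccdd01")
STA_MAC = bytes.fromhex("02aabbccdd02")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
MSG2 = b"constructed EAPOL-Key message 2 with MIC field zeroed"

def demo() -> dict:
    pmk = derive_pmk("correct horse battery staple", "example-ssid")
    sta = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))  # supplicant side
    mic = eapol_mic(sta["KCK"], MSG2)                                  # sent in Message 2
    wrong_pmk = derive_pmk("wrong passphrase", "example-ssid")
    ap = split_ptk(derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))   # authenticator side
    bad = split_ptk(derive_ptk(wrong_pmk, AP_MAC, STA_MAC, ANONCE, SNONCE))
    return {"ap_accepts": verify_mic(ap["KCK"], MSG2, mic),
            "wrong_pmk_accepts": verify_mic(bad["KCK"], MSG2, mic),
            "tk_len": len(ap["TK"])}
```

Only the MIC crosses the air: the AP accepts Message 2 when its own KCK reproduces that MIC, which proves the STA holds the same PMK without the PMK ever being sent.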

This four-way handshake has been shown to be vulnerable to KRACK.

 

Group key handshake

The Group Temporal Key (GTK) used in the network may need to be updated due to the expiration of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.

To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:

  1. The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA, and protects the data from tampering, by use of a MIC.
  2. The STA acknowledges the new GTK and replies to the AP.


 

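Summary

  • In a pre-shared-key network, the PMK is actually the PSK. If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.
  • The four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address.
  • The flow of the four-way handshake is not explained very clearly; to be studied further...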