Documente Academic
Documente Profesional
Documente Cultură
Abstract
This document captures those clauses of the IEEE 802.11i Draft
3.0 that comprise an enhanced security implementation for
802.11i known as Wi-Fi Protected Access. Implementation
notes are also provided.
Line number references to the 802.11i Draft 3.0 standard are used throughout
this document. In order to ensure consistent referencing, this document should
be used in conjunction with the Portable Document Format (PDF) version of the
IEEE 802.11i Draft 3.0 standard.
Version 2.0
April 29, 2003
1 INTRODUCTION 4
2 WPA OVERVIEW 5
APPENDIX A: REMOVED 32
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
2
APPENDIX J: SUGGESTIONS FOR RANDOM NUMBER GENERATION 46
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
3
1 Introduction
Wi-Fi Protected Access (WPA) is a subset of 802.11i draft 3.0 that satisfies some of the
requirements of the full 802.11i standard. Some of the significant features of WPA are:
1. It supports two authenticated key management protocols in infrastructure mode
using 802.1X with pre-shared key and with EAP authentication. A simple IBSS
approach is described for reference but is not supported in WPA. The IBSS
approach described uses no authenticated key management protocol but uses a
pre-shared key directly as the encryption/integrity key (Note: IBSS is much
reduced in security since it has no key management).
2. APs and Stations shall use IEEE 802.11 open authentication when they use WPA.
The 802.11 MAC state machine is the same as the existing state machine in
Figure 8 of the IEEE 802.11 1999 standard.
3. APs must advertise what they support (Cipher suite, authentication modes).
Stations must request the cipher suites and authenticated key management
protocol they want. A propriety information element in the Beacon and probe
response messages is used to carry this information. The station uses the same
information element in association request message.
This information element is described in Section 2.1 and Appendix D.
4. Authentication and Association are required
This is described in Section 2.2.
5. TKIP encryption with the Michael integrity check is required.
TKIP and Michael are described in Section 3.3.
6. It does not perform an integrity check on management and control messages.
7. It does not support preauthentication for fast handoff.
8. MIB support
Station:
Implementations of WPA will need a configuration utility or similar to
configure the pre-shared key. This is implementation dependent and will
not be defined here. The pre-shared key shall be a 256 bit key (since it is
used as the pairwise master key (PMK)) and the implementation will need
to be able to enter this value either as a 256bit key via hex or via an ASCII
password. It must be able to enter the key as 64 hex characters though it
may be possible to enter the key in a different format. If the key is entered
as an ASCII password the 256bit key must be generated as described in
Section 2.3.
A station should be able to configure a different pre-shared key for each
SSID.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
4
Configuration of cipher suites is also supported. This is implementation
dependent and will not be defined here.
AP:
Implementations of WPA will need a configuration utility or similar to
configure the pre-shared key. This is implementation dependent and will
not be defined here. The pre-shared key shall be a 256 bit key and the
implementation will need to be able to enter this value either as a 256bit
key via hex or via an ASCII password. It must be able to enter the key as
64 hex characters though it may be possible to enter the key in a different
format. If the key is entered as an ASCII password the 256bit key must be
generated as described in Section 2.3.
The AP control panel will also need to provide configuration for the
interval at which 802.1X should update the group key. This is
implementation dependent and will not be defined here.
Configuration of cipher suites is also supported. This is implementation
dependent and will not be defined here.
802.1X on the AP needs to be able to configure temporal keys into the
802.11 MAC. This is implementation dependent and will not be defined
here.
2 WPA Overview
WPA supports the changes to the 1999 802.11 standard as described in the following
clauses of 802.11i Draft 3.0
7.1.3.1.9
7.2.2
7.2.3.1
7.2.3.4
7.2.3.6
7.2.3.9
7.2.3.10
The framework and operation of WPA are described in the following clauses of 802.11i
Draft 3.0
8.1
8.1.1 (TKIP only)
8.1.2
8.1.3
8.1.4
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
5
8.1.5
8.2 (including all subsections)
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
6
The multicast cipher must always be the lowest unicast cipher enabled. So, if WEP is
enabled in 1 then the multicast is WEP. If only WPA is enabled in 1 and TKIP is enabled
in 2, then the multicast cipher is TKIP. If only WPA is enabled in 1 and only AES is
enabled in 2, then the multicast cipher is AES.
Stations get the WPA information element from the beacon or probe response messages.
Based on the station encryption/integrity capabilities and policy configuration of the
ciphers the station is willing to communicate with, the station decides which APs it is
willing to use. The policy configuration could include the ciphers the station is willing to
use, the authenticated key management the station is willing to use, whether the station is
willing to allow Group keys to be used for unicast, etc.
If the station or AP receives a WPA information element with an authentication suite of
WPA, then it should do 802.1X authentication and 802.1X key management. If the
authentication suite is WPA-PSK then it should do 802.1X key management.
Note: 802.1X key management is the term used for managing the keys using IEEE
802.1X EAPOL-Key message as described in Section 2.2.4
If the station does not receive a WPA information element in the Beacon or Probe
Response, the station shall follow the normal 802.11 authentication (This may include the
current 802.1X authentication).
If the AP does not receive a WPA information element in the Association Request, the
AP shall follow the normal 802.11 association processing (This may include the current
802.1X authentication).
Note: The AP should have a way to disable non-WPA clients from associating.
If the AP supports WPA and non-WPA stations, there are a couple of cases to consider:
1. The non-WPA station supports an 802.1X supplicant that is a non-WPA 802.1X
supplicant. In this case the AP can use 802.1X to send WEP key updates to the
station. A non-WPA supplicant only supports group keys and so the AP must
track per station whether it supports unicast keys or not.
2. The non-WPA station does not support an 802.1X supplicant. Then the WEP key
must be pre-configured into the non-WPA station and AP. Since the AP for
broadcast/multicast traffic must use the pre-configured key, it must use WPA key
update exchanges to send the key to the WPA stations. This means that the WPA
stations in this configuration will have fixed keys for broadcast/multicast traffic,
though they may use different keys for the unicast traffic if supported by the
station and AP. The AP shall use WPA Group key exchange to send the fixed
WEP key to the WPA stations.
When WPA and non-WPA stations are both enabled, it should be possible to enter a
default WEP key and disable group key updating to support case 2.
By default, group key updating should be enabled and if 802.1X is enabled on the AP
then 802.1X should be used to update the group key on non-WPA stations.
The station then associates with the AP using an association request message. The
association request message specifies the unicast and multicast ciphers it wants, given the
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
7
station’s cipher capabilities and configuration. When the station receives the association
response it authenticates using 802.1X with the AP. The AP sends an 802.11 association
response message (with Reason code 1) if it didn’t like something in the WPA
information element. When the AP receives the RADIUS accept, the AP then sends an
EAP-Success to complete the authentication at the station. The AP then does an EAPOL-
Key message exchange with the station to setup the encryption/integrity keys with the
station and sets the Secure bit in the EAPOL-Key message when the initial keys are sent
to the station.
Note: In general, when this document talks about sending an 802.11 disassociation and/or
802.11 deauthenticate message it means that the 802.11 MAC should send the necessary
messages to get the state between the source and destination stations to state 1 of the state
machine diagram in Figure 8 in the IEEE 802.11 1999 standard.
When a station or AP fills the WPA information element, the multicast cipher is from
multicast cipher selection and the unicast cipher is from unicast cipher selection. If WPA
is enabled and there is no pre-configured key then the authenticated key management is
WPA otherwise the authenticated key management protocol is WPA-PSK if the
station/AP is in ESS mode otherwise it is WPA-None
For the case when all stations associated with an AP are 802.1X and WPA stations, and a
station that does not use 802.1X or WPA wants to associate, that new station must use the
pre-configured key for broadcast/multicast. The AP can used the knowledge of whether a
non-WPA station is associated to generate a multicast key with the existing stations as
they associated until a non-WPA station wants to associate, and then send the pre-
configured key to the existing stations (so that all stations will then be using the pre-
configured key). Otherwise it can send the pre-configured key to all stations as they
associate.
If the legacy station is configured to use default key 0 as the broadcast key then a WPA
AP must use the “Unicast as Group key” WPA capability bit to decide whether to use
Pairwise keys as encryption/integrity keys or not.
If an AP supports non-WPA open or shared stations then the open or shared station
bypasses the 1X port switch. Note: The security of such an AP is reduced and there
should be a way to disable non-WPA clients from associating to the AP.
The following table describes the various configuration options and the expected system
behavior.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
8
Network Authentication Encryption Manual 802.1X
Type mode or status Key enabled?
authenticated required?
key
management
ESS Open None No No
ESS Open WEP Optional Optional
ESS Shared None Yes No
ESS Shared WEP Optional Optional
ESS WPA WEP No Yes
ESS WPA TKIP No Yes
ESS WPA AES No Yes
ESS WPA-PSK WEP Yes Yes
ESS WPA-PSK TKIP Yes Yes
ESS WPA-PSK AES Yes Yes
IBSS Open None No No
IBSS Open WEP Yes No
IBSS Shared None Yes No
IBSS Shared WEP Yes No
IBSS WPA-None WEP Yes No
IBSS WPA-None TKIP Yes No
IBSS WPA-None AES Yes No
Note: Manual Key required is whether a key is required for this mode to work.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
9
• The OUI shall be 00:50:F2 instead of 00:00:00;
• WPA doesn't ignore WRAP and CCMP, it reserves the codes (per Table 2 of
page 20) but doesn't define the encryption schemes (See IEEE 802.11i Draft
3.0 for definitions of WRAP and CCMP);
• WPA has TKIP as default rather than CCMP;
• The preauthentication bit (p21, line14 and Figure 8) should always be 0.
• When the information element is used in an association request message or
probe response for IBSS stations a maximum of one authenticated key
management suite and a maximum of one unicast cipher suite is allowed.
Note: “Authenticated Key Management using pre-shared key over 802.1X” means that
any STA that has the key can impersonate any other STA.
Note: If an AES cipher either WRAP or CCMP is used for unicast or for multicast then
the AES EAPOL-Key format key descriptor from 802.11i must be used.
Note: An AP that does not install the Pairwise keys means that stations can impersonate
each other.
Note: Element ID 221 is also used for vendor extension. STAs should ignore information
elements with ID 221 that do not contain the value 00:50:F2:01 in the additional four
bytes inserted before the version field if they do not know how to process them.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
10
AP that the keys were obtained from. The station shall delete the keys when it
disassociates/deauthenticates from all BSSIDs in the ESS.
Connecting to an IBSS station consists of the following operations:
1. Select a network i.e. specifying a SSID
2. Find a WPA IBSS station that is nearby for the selected SSID
3. Install the pre-shared key
1 is internal to the management entity choosing the SSID for 2.
2 is the management entity calling MLME-Scan.Request
3 is the management entity calling MLME-SetKeys.Request
2.2.1 Associate/Re-Associate
The following rules should be applied:
1. A station must use IEEE 802.11 open authentication.
2. A station must complete 802.1X, obtain and install keys before attempting to send
class 3 data packets other than 802.1X
3. An AP must complete 802.1X, obtain and install keys before attempting to send
class 3 data packets on or off the DS for a station.
4. If the IEEE 802.1X authentication fails, a station may try again or attempt to
authenticate to another AP.
5. If the AP does not have the station authenticated, it shall send a deauthenticate
message to the station on receiving any message from a station.
6. If the AP fails during authentication, it sends a deauthenticate message.
7. An AP can delete a station’s state if it requires to because of inactivity timeout,
resource shortages, etc. This is if the AP wants to recover the resources used by a
stations’ association. The AP should attempt to inform the station by sending a
deauthentication message.
8. IEEE 802.1X messages are sent in the clear if a Pairwise key for the station is not
installed and encrypted if a Pairwise key is installed, IEEE 802.1X messages are
not encrypted using Group keys.
Note: The use of Pairwise keys is more secure than the use of only Group keys,
since stations cannot spoof each others MAC address and IEEE 802.1X messages
will be encrypted and protected against spoofing.
9. If the AP cannot send the EAPOL-Key message containing a Group key update to
a station, the AP may queue the message. If the AP deletes the message the AP
should send a deauthenticate message and delete the association state by setting
the L2Failure event in the Authenticator state machine. The AP may not be able
to send the message because the station is out of range, the station is asleep, etc.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
11
The Authenticator state machine will eventually timeout the acknowledgement
message for the Group Key update but the L2Failure optimizes the detection of
the failure.
2.2.2.1 AP
If the AP receives a unicast encrypted packet that it does not have keys to decrypt, it
should send a disassociate message to the station and discard the data packet.
2.2.2.2 Station
A station on receiving a disassociate message or an 802.11 deauthenticate message
should delete the Pairwise key and attempt to rejoin the network (i.e. reassoicate to an AP
if the station was a member of an ESS).
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
12
8.4.1.1
8.4.2
8.4.3
p79, line 8, text “STAs that fail to assert RSN” should read “… that fail to
include the RSNIE in the associate or re-associate request message”
PSK &&
!AuthenticationServerSystem
GLOBALPSK
Remove PTK
Remove GTK(1..2)
802.1X::portControl = ForceAuthorized;
GTK = PSK;
SetGTK(1, Tx/Rx, GTK);
802.1X:VirtualPort = True
802.1X::VirtualSecure = True
802.1X::portMode = Enabled;
Note: When using TKIP the two MIC keys must be the same since there is no Supplicant
and Authenticator.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
13
Note: A station when using pre-shared keys in IBSS mode must remember the last IV it
used with a particular pre-shared key and continue from that point when using the key
again.
Note: Saving the IV to non-volatile storage every N packets and when loading the IV out
of the non-volatile storage adding N to the IV can be used to reduce how often the IV
needs to be saved. A value of N of 1,000,000 means that if the system is restarted once
per minute and the system is transmitting packets as fast as possible over an 802.11a
MAC the IV will last over 100 years.
Note: The IV shall be initialized to a random 48 bit value when a stored IV is not
available.
Note: While a different IV can be used for each pre-shared key, it is possible to share the
IV across the different pre-shared keys, so for example it is possible to store a single IV
for use with all the IBSS pre-shared keys. This reduces the information needed to be
stored in non-volatile storage at the expense of the time each pre-shared key can be used
for. Since the time for a single IV is over 800 years (or 100 years with N = 1,000,000)
sharing the IV doesn’t cause a problem.
Note: The station needs to track the receive IV for each station in range.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
14
2.2.5.3 Nonce Generation
WPA uses the nonce generation conventions defined in clause 8.5.7.
Note: A good source of a random number is required to initialize the Key Counter, if not
then the Key Counter may be predicable and previous 4-way handshakes can be replayed.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
15
2.2.5.4.4 Supplicant Request for key update
The Supplicant can request for a key update by sending an EAPOL-Key message with the
Request bit set. This is used when the MAC detects a data integrity attack.
If the EAPOL-Key message has a key type of Pairwise key, the authenticator shall do a
4-way handshake with the Supplicant and then send a Group key update of the current
Group key to the Supplicant.
If the EAPOL-Key message has a key type of Group key, the authenticator shall change
the Group key, do a 4-way handshake with the Supplicant and do a Group key update to
all Supplicants.
A Michael MIC Failure message (see section 3.1) has the Request bit set, but does not
imply a request for key update. An AP receiving a correctly formatted Michael MIC
Failure message that passes the MIC test may optionally initiate a key update as
described in this section.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
16
2.2.5.4.8 EAPOL-Key encoding
This is addressed in clause 8.5.2.1 of the Draft
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
17
2.2.5.4.10.2.3 States
The authenticator states are described in clause 8.5.6.1. However, all of clause 8.5.6.1 in
Draft 3.0 should be replaced with the following:
DISCONNECT: This state is entered is an EAPOL-Key message is received and fails its
MIC check. It sends a deauthenticate message to the Access Point and enters the
INITIALIZE state.
DISCONNECTED: This state is entered when disassociate or deauthenticate messages is
received.
INITIALIZE: This state is entered from the DISCONNECTED state, when a
DeauthenticationRequest event occurs or when the station initializes. The state initializes
the key state variables.
AUTHENTICATION: This state is entered when an AuthentiationRequest is sent from
the Management entity to authentication a BSSID.
AUTHENTICATION2: This state is entered from the AUTHENTICATION state or from
the PTKINITDONE state.
INITPMK: This state is entered when the 802.1X backend authentication server
completes successfully. If a RadiusKey is supplied it goes to the PTKSTART state,
otherwise it goes to the DISCONNECTED state.
INITPSK: This state is entered when a pre-shared key is configured.
PTKSTART: This state is entered from INITPMK or INITPSK to start the 4-way
handshake, or if no response to the 4-way handshake occurs.
PTKINITNEGOTIATING: This state is entered when the second EAPOL-Key message
for the 4-way handshake is received with the key type of Pairwise key.
PTKINITDONE: This state is entered when the last EAPOL-Key message for the 4-way
handshake is received with the key type of Pairwise key. This state may call SetPTK; if
this call fails the AP should detect and recover from the situation, for example by doing a
Disconnect event for this association.
UPDATEKEYS: This state is entered when an EAPOL-Key message is received from the
Supplicant to initiate the 4-way handshake from the Supplicant. The key type in the
EAPOL-Key message must be set to Pairwise key and the Request bit must be set.
INTEGRITYFAILURE: This state is entered when a data integrity failure occurs either
locally or from a remote station by receiving an EAPOL-Key message with the key type
set to Pairwise key and the Request and Error bits must be set.
KEYUPDATE: This state is entered from INTEGRITYFAILURE.
REKEYNEGOTIATING: This state is entered when the Group key is to be sent to the
Supplicant.
Note: The TxRx flag for sending a Group Key is always the opposite of whether the
Pairwise Key is used for data encryption/integrity or not. If a Pairwise key is used for
encryption/integrity then the station never transmits with the Group Key otherwise the
station uses the Group Key for transmit.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
18
REKEYESTABLISHED: This state is entered when an EAPOL-Key message is received
from the supplicant with the key type set to Group key.
KEYERROR: This state is entered if the EAPOL-Key acknowledgement for the Group
key update is not received.
SETKEYS: This state is entered if the Group key is to be updated on all Supplicants.
SETKEYSDONE: This state is entered if the Group key has been updated on all
Supplicants.
Note: SETKEYSDONE calls SetGTK to set the Group key for all associated stations if
this fails all communication via this key will fail and the AP needs to detect and recover
from this situation.
1. Initialization of keys
This occurs on a management event, when the current Group key needs to be
changed. When this event occurs will depend on the environment the network will
be in, possible times are:
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
19
The Per-MSDU Tx Pseudo-code of clause 8.7.1 should be changed as follows
if MPDU has a group RA and the Privacy subfield of the
Capability Information field in this BSS is set to 0 then
the MPDU is transmitted without protections
else // No key found so try either default WEP
if dot11WEPDefaultKeys[dot11WEPDefaultKeyID] = null
then
if Ethertype is 802.1X then
transmit the MPDU without protection
else
discard the MSDU and generate an
MA-UNITDATA-STATUS.indication
primitive to
notify LLC that the entire MSDU was
undeliverable
due to a null WEP key
to
if MPDU has a group RA and the Privacy subfield of the
Capability Information field in this BSS is set to 0 or Ethertype is
802.1X then
the MPDU is transmitted without protections
else // No key found so try either default WEP
if dot11WEPDefaultKeys[dot11WEPDefaultKeyID] = null
then
discard the MSDU and generate an
MA-UNITDATA-STATUS.indication primitive to
notify LLC that the entire MSDU was undeliverable
due to a null WEP key
2.2.5.7 PRF
The pseudo-random function capabilities for WPA are described in clause 8.5.5.1.
Note: When the PRF is used to generate key material, it should never be used with the same
input parameters. Note the use of the Global Counter for generating unique nonces. The reason
for this is that outputs from shorter PRFs are prefixes of longer PRFs given the same input.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
20
2.3 ASCII Password Support for Pre-Shared Key
WPA uses the password hash function described in Annex F.8 of 802.11i Draft 3.0 to
define the algorithm to generate the 256 bit key used in pre-shared key authentication.
It is recommended that users enter longer passwords than 8 characters (e.g. 20 characters
or longer).
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
21
The following rule should be added to Clause 8.3.2.4.4:
“The recipient shall maintain a separate replay window for each IEEE 802.11 Traffic
Class, and shall use the TSC recovered from a received frame to detect replayed frames.
A replayed frame occurs when the TSC extracted from a received frame is repeated or
not greater than the current Traffic Class replay window value for the frame’s traffic
class. The replay window accommodates frames that may be delayed due to traffic class
priority values.”
Note: TKIP Replay protection rules means that certain features that re-order packets will
not work:
1. Use of Contention Free without WME or 802.11e will not work.
2. Use of Power Save with Group key only will not work unless encryption and
integrity protection is done after re-ordering of multicast/unicast packets.
3. Use of QoS without WME or 802.11e will not work unless encryption and
integrity protection is done after any packet re-ordering.
The rate of MIC failure events must be kept below two per minute. This implies
that STAs and APs detecting two MIC failure events within 60 seconds must
disable all receptions using TKIP for a period of 60 seconds. The slowdown
makes it difficult for an attacker to make a large number of forgery attempts in a
short time.
As an additional security feature, the PTK and, in the case of the authenticator,
the GTK will be changed. This is not required to defend against the known MIC
attacks, but is good practice when an attack of any kind is detected.
Before verifying the MIC, the receiver shall check the FCS, ICV, and IV for all related
MPDUs. MPDUs with invalid FCSs, ICVs, or with whose MPDUs’ IVs falling before
the IV window shall be discarded before checking the MIC. This avoids unnecessary
MIC failure events. Checking the IV before the MIC makes countermeasure-based DoS
attacks harder to perform. While the FCS and ICV mechanisms are sufficient to detect
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
22
noise, they are insufficient to detect active attacks. The FCS and ICV provide error
detection but not integrity protection.
A single counter or timer is used to log Michael MIC failure events. These failure events
are defined as:
1. For an Authenticator:
• Detection of a Michael MIC failure on a received unicast frame
• Receipt of Michael MIC failure report via an EAPOL Key frame with the
following bits in the Key Information bit set to 1: error bit , request bit,
MIC bit. This frame is referred to as the Michael MIC failure report
frame.
2. For a Supplicant:
• Detection of a Michael MIC failure on a received unicast or multicast
frame
The number of Michael MIC failures is accrued independent of the particular key
context. Any single MIC failure, whether detected by the Supplicant or the
Authenticator, and whether resulting from a Group MIC key failure or a pairwise MIC
key failure, shall be treated as cause for a MIC failure event.
A single IEEE 802.1X EAPOL Key message is used by the Supplicant to report a
Michael MIC failure event to the Authenticator. This message is referred to as the
Michael MIC failure report frame and is protected with the current PTK to compute an
appropriate 802.1X EAPOL MIC and encrypted as all normal IEEE 802.11 data frames.
The frame shall also have the following Key Information bits set to 1:, error bit, request
bit, MIC bit.
The first Michael MIC failure must be logged and a timer is initiated to enforce the
countermeasures. If the MIC failure event is detected by the Supplicant, it must also
report the event to the AP by sending a Michael MIC failure report frame.
When a subsequent MIC failure occurs within 60 seconds of the preceding failure, then a
device will disassociate itself (if a Supplicant) or disassociate all the associated STAs (if
an Authenticator). Furthermore, the device will not deliver any class 3 TKIP encrypted
data frames to or from any peer for a period of 60 seconds. If the device is an AP, it shall
disallow new associations for a period of 60 seconds; at the end of the 60 second period,
the AP shall resume normal operations and allow STAs to (re)associate. If the device is a
Supplicant, it shall first send a Michael MIC failure report frame prior to revoking its
PTK and disassociation.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
23
The aMICFailTime attribute shall contain the sysUpTime value at the time the
Michael MIC failure was logged. When the STA from which the AP received any
previous Michael MIC errors leaves the BSS, the AP shall not update this variable as a
result of this action.
2. If this is the first MIC failure, initialize the countermeasures timer. If the
failure was in a unicast frame, discard the offending frame.
3. If less than 60 seconds have passed since a previous Michael MIC failure,
transition every STA using TKIP (for either unicast or broadcast/multicast
frames) in the BSS to State 2 in the 802.11 state diagram. This effectively
disassociates and deletes the PTK for all the STAs. The GTK must also be
revoked. The Authenticator shall disallow associations using TKIP for the
duration of 60 seconds. At the end of the 60 seconds, the MIC failure counter
and timer may be reset and new associations resume.
Note that while a Supplicant may disassociate with a reason code of Michael MIC failure,
the Authenticator shall not log the disassociation as a Michael MIC failure event; this is
to prevent denial of service attacks through disassociations. The Supplicant must report
the Michael MIC failure event through the Michael MIC failure report frame in order for
the AP to log the event.
Informative Note: since an access point may support ciphers other than TKIP,
the Authenticator may disassociate all STAs who are employing TKIP while
allowing non-TKIP running STAs to remain associated.
Informative Note: The requirement to disassociate all stations using TKIP will
include those using AES as a pairwise cipher if they are also using TKIP as the
group cipher.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
24
Informative Note: since a single multicast frame can trigger multiple Michael
MIC Failure reports, to prevent this single frame to force a disassociation at the
access point, the EAPOL MIC Failure report can provide the TSC value detected
in the multicast frame in the EAPOL-Key RSC field. The access point can discard
subsequent EAPOL MIC Failure reports if the RSC fields are the same.
Michael MIC
Failure Event
Received
Yes
Disassociate all
STAs, Revoke all
PTKs and GTK
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
25
forged, as it does not contain a MIC. The STA may attempt association
with this, or another AP. If the frame was genuine, then it is probable that
attempts to associate with the same AP requesting the use of TKIP will
fail because the AP will be conducting countermeasures.
Yes
Wait 60 seconds
before associating Continue
with TKIP
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
26
Name Type Valid Range Description
Count Integer 1 or 2 the current number of Michael MIC failure
event
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
27
Source address,
Destination address,
Data
}
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
28
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
29
3.2 Multicast/Broadcast data packets to AP
An AP should drop any data MSDU packets whether multicast/broadcast receiver addresses it
receives from stations.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
30
bytes of the per packet Phase 2 key, the next byte includes the key id and the
ext IV bit set, and the next four bytes contain the upper four bytes of the TSC.
12. On the AP the pairwise key assigned to a Client should have a key id of 0.
Group Keys created by the AP should have a key ID of 2 or 3.
13. The TSCs are saved in memory and used in LSB to MSB order.
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
31
Appendix A: Removed
struct _IE {
uchar Elementid;
uchar length;
uchar oui[4];
ushort version;
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
32
uchar multicast[4];
ushort ucount;
struct {
uchar oui[4];
} unicast[1]; // the rest is variable so need to
// overlay ieauth structure
};
struct _ieauth {
ushort acount;
struct {
uchar oui[4];
} auth[1];
};
int multicast;
int unicast[4];
ushort ucount;
int auth[4];
ushort acount;
int unicastasgroup;
int replayindex;
multicast = TKIP;
unicast[0] = TKIP;
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
33
ucount = 1;
auth[0] = IEEE802_1X;
acount = 1;
unicastasgroup = 0;
replayindex = 2;
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
34
else if (!memcmp(IE->unicast[i].oui,
oui03, 4))
unicast[j++] = AESCCMP;
else if (!memcmp(IE->unicast[i].oui,
oui04, 4))
unicast[j++] = AESWRAP;
else
// any vendor checks here
;
}
else
break;
}
ucount = j;
}
m = i;
if (IE->length >= 14+m*4) {
// overlay ieauth structure into correct place
ieauth = (struct _ieauth *)IE->unicast[m].oui;
j = 0;
for(i = 0; (i < ieauth->acount)
&& (j < sizeof(auth)/sizeof(int)); i++) {
if(IE->length >= 14+4+(m+i)*4) {
if (!memcmp(ieauth->auth[i].oui, oui00,
4))
auth[j++] = IEEE802_1X;
else
// any vendor checks here
;
}
else
break;
}
if(j > 0)
acount = j;
}
n = i;
if(IE->length+2 >= 14+4+(m+n)*4) {
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
35
caps = (char *)ieauth->auth[n].oui;
unicastasgroup = (*caps)&GROUPFLAG;
replayindex =
2<<((*caps>>REPLAYBITSSHIFT)&REPLAYBITS);
}
}
}
char *cip[] = { "", " WEP40", " TKIP", " AES-CCMP", "AES-WRAP",
“WEP104” };
char *cip1[] = { " NONE", " WEP40", " TKIP", " AES-CCMP", "AES-WRAP",
“WEP104” };
char *aip[] = { "", " 802.1X" };
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
36
0x00, 0x50, 0xf2, 0x01,
0x02, 0x00, 0x00, 0x50, 0xf2, 0x02,
0x01, 0x00, 0x00, 0x50, 0xf2, 0x00};
// unicast count past end of IE
uchar test9[] = { 0xdd, 0x16, 0x00, 0x50, 0xf2, 0x01, 0x01, 0x00,
0x00, 0x50, 0xf2, 0x01,
0x10, 0x00, 0x00, 0x50, 0xf2, 0x02,
0x01, 0x00, 0x00, 0x50, 0xf2, 0x00};
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
37
A reference implementation and test vectors for PRF are provided in Annex F.5 and
subclauses of 802.11i Draft 3.0.
hmac_sha1(
digest, ssidlength+4,
(unsigned char *)password, (int)strlen(password),
digest1);
hmac_sha1(
digest1, A_SHA_DIGEST_LEN,
(unsigned char *)password, (int)strlen(password),
digest);
Password=”aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa”
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
38
SSID=”ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ” SSIDLength=32
becb93866bb8c3832cb777c2f559807c8c59afcb6eae734885001300a981cc62
This appendix describes the state machines for the TKIP Michael MIC Countermeasures.
These state machines are an extension for existing state machines not a replacement – for
example data frames from disassociated stations are discarded in the existing state
machines, so there is no need to repeat that in this description. .
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
39
State 3
Blocking
State 3
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
40
Blocking
‘Carry out
Send frame disassociation’
MLME- Blocking
ASSOCIATE
.confirm(Michael
MLME- MLME-
failure)
EAPOL.con DISASSOCI
firm ATE.confirm
Note that this is
rejecting the
association
Blocking Blocking
Yes
Still MLME-
Associated? DISASSOCIATE
.request
No
‘Carry out
disassociation’
State 2
MLME-
DISASSOCI
ATE.confirm
State 2
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
41
Normal
No Wait for
disassociation
confirm
Normal
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
42
Normal
Operation
MLME-
Frame with
MichaelMICFailure.
MIC failure
request
detectTimer
running &&
Yes No
less than
60?
‘Start the
‘Disassociate all
detectTimer’
STAs. All RX & TX
data should be
dropped’
Normal
Operation
‘Start 60 second
blocking timeout’
Blocking
Association
MA-
Request Blocking
MichaelMICFailure.
Frame from timeout expired
request
STA
Note that all STAs
are disassociated,
Disassociation Normal Operation so all data traffic
frame (MIC will be dropped
failure) to STA
Blocking
Figure 8 - AP MAC
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
43
*
EAPOL-Key with
MIC failure
indication
MLME-
MICfailure.re
quest
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
44
Validation of WPA IE in beacon/probe Required
response/association/re-association request with
WPA IE in 4-way handshake
Group key update Required
Pairwise Request (with or without error) Required
Group Request (with or without error) Required
Encryption of 802.1X messages with Pairwise key Required
802.1X messages not encrypted with Group Keys Required
WPA authentication mode Required
WPA-PSK authentication mode Required
WPA-None authentication mode Optional for NIC
Open 802.11 MAC authentication for all WPA Required
authentication modes
WPA-PSK ASCII passphrase hash Required
WPA-PSK 256 bit key Recommended
Non-WPA support Recommended
Non-WPA and WPA mixed mode Recommended
Group key cipher Required
Pairwise key cipher Required for NIC
Recommended for AP
No sending of non-802.1X data packets until the Required
correct key is installed. (Note: This is Group key
for multicast/broadcast from AP or from station if
Pairwise key is not installed. This is Pairwise key
for unicast from AP or all traffic from station if a
Pairwise key is installed)
Queuing of EAPOL-Key messages when in power Required
save
Saving of IBSS IV Required
Support for RADIUS Required for AP
Group Key Update on a time interval Recommended
Group key update on a disassociation of a Optional
authenticated station
Use of PRF for Pairwise key generation Required
Use of PRF for Group Key generation Required
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
45
Use of random number on AP for master key for Required
Group Key generation
Initialization of Key Counter Required
Initialization of EAPOL-IV from Key Counter Required
Wi-Fi Protected Access Version 2.0 – April 29, 2003 Wi-Fi Alliance CONFIDENTIAL
46