In the wireless authentication lesson, you learned that the original 802.11 standard only supported WEP and open authentication. WEP is insecure and shouldn’t be used anymore. In this lesson, we’ll take a look at some of the other algorithms and protocols to encrypt and protect the integrity of wireless traffic.
WEP uses the RC4 algorithm for encryption, which is supported in hardware. Most wireless equipment only supported RC4 and not a more advanced encryption algorithm like AES. We know that WEP is insecure, so to make sure that the older hardware could still use a secure encryption method, IEEE developed the Temporal Key Integrity Protocol (TKIP).
TKIP adds the following security features:
- MIC: We have an extra message integrity check called Michael, which adds a hash value to each frame. We use this so we can detect if someone made changes to the frame.
- TKIP sequence counter: This counter provides a record of frames sent by each MAC address. We use this so an attacker can’t perform a replay attack by retransmitting frames.
- Key mixing algorithm: This algorithm calculates a unique 128-bit WEP key for each frame.
- A longer initialization vector (IV): The IV size is 48 bits, versus 24 bits for WEP. This makes it much harder to brute-force all WEP keys.
- Timestamp: We add a timestamp to the MIC to prevent replay attacks. A replay attack attempts to retransmit a frame that was previously sent.
- Sender MAC address: The MIC includes the sender’s MAC address. This is used to prove who the actual sender of the frame is.
TKIP was a temporary solution, while IEEE worked on the 802.11i standard. Nowadays, TKIP also has vulnerabilities, and you shouldn’t use it anymore. TKIP is deprecated in the 802.11-2012 standard.
CCMP stands for Counter Mode with Cipher Block Chaining Message Authentication Code Protocol. That’s a mouthful. CCMP consists of two algorithms:
- AES counter mode encryption
- Cipher Block Chaining Message Authentication Code (CBC-MAC) for message integrity
Advanced Encryption Standard (AES) is a widely used encryption algorithm and the most secure encryption method available at the moment.
The National Institute of Standards and Technology (NIST) has defined five modes of operation for AES (and other FIPS-approved block ciphers). The five modes are:
- Electronic Code Book (ECB)
- Cipher Block Chaining (CBC)
- Cipher Feedback (CFB)
- Output Feedback (OFB)
- Counter (CTR)
Cipher Block Chaining Message Authentication Code (CBC-MAC) is a technique that constructs a message authentication code from a block cipher. The data is encrypted with AES as a chain of blocks, in which each block depends on the encryption of the previous block.
Before you can use CCMP, your wireless hardware has to support AES and CBC-MAC. You can’t use CCMP on older hardware that only supports WEP or TKIP.
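How the two CCMP algorithms work together, as an added example that is not part of the original lesson: AES in counter mode encrypts the payload, and AES CBC-MAC produces an 8-byte MIC that the receiver checks before accepting the frame. The block layout follows CCM as specified in RFC 3610 with a 13-byte nonce; authentication of the 802.11 header and building the nonce from frame fields are left out, and the function names, key, nonce and payload are constructed for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
)

// blk builds a 16-byte CCM block: flags | 13-byte nonce | 2-byte length or counter.
func blk(flags byte, nonce []byte, n int) []byte {
	return append(append([]byte{flags}, nonce...), byte(n>>8), byte(n))
}

// ccm seals a payload into ciphertext || 8-byte MIC, or (open=true) verifies and decrypts a frame.
func ccm(key, nonce, in []byte, open bool) ([]byte, error) {
	c, err := aes.NewCipher(key)
	if err != nil || len(nonce) != 13 || len(in) > 0xFFFF || (open && len(in) < 8) {
		return nil, fmt.Errorf("bad key, nonce or frame length")
	}
	var tag []byte
	if open {
		in, tag = in[:len(in)-8], in[len(in)-8:]
	}
	out := make([]byte, len(in))
	cipher.NewCTR(c, blk(0x01, nonce, 1)).XORKeyStream(out, in) // counter blocks 1, 2, ... cover the data
	pt := in
	if open {
		pt = out
	}
	m := append(blk(0x19, nonce, len(pt)), pt...) // first MAC block binds nonce and length
	m = append(m, make([]byte, (16-len(m)%16)%16)...)
	cipher.NewCBCEncrypter(c, make([]byte, 16)).CryptBlocks(m, m) // each block chains on the previous
	mic := m[len(m)-16:][:8]                                      // last block, truncated to 8 bytes
	cipher.NewCTR(c, blk(0x01, nonce, 0)).XORKeyStream(mic, mic)  // counter block 0 masks the MIC
	if !open {
		return append(out, mic...), nil
	}
	if subtle.ConstantTimeCompare(mic, tag) != 1 {
		return nil, fmt.Errorf("MIC mismatch: frame rejected")
	}
	return out, nil
}

func main() {
	key, nonce := make([]byte, 16), make([]byte, 13) // constructed all-zero sample values
	f, _ := ccm(key, nonce, []byte("constructed payload"), false)
	f[0] ^= 1 // one flipped ciphertext bit
	fmt.Println(ccm(key, nonce, f, true))
}
```

Counter mode on its own would decrypt the altered frame without complaint; the CBC-MAC check is what rejects it. A nonce must never repeat under the same key.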
802.11ad offers even higher data rates than 802.11ac and requires faster encryption than CCMP can offer. Galois/Counter Mode Protocol (GCMP) can be run in parallel, so it’s more efficient and provides higher performance than CCMP.