Wireless networking and IEEE 802.11

Introduction to this web page

This page is an amalgam of information already on the web; I wrote it as a web page instead of generating lots of paper notes that would get lost.


IEEE 802.11

Wireless networking is defined in a standard called IEEE 802.11 - however, it isn't a single document. Since it was originally written in 1997, several amendments have been written as wireless network technology has evolved.

The different amendments to IEEE 802.11 are named by adding an alphabetical character to the name IEEE 802.11, so we end up with IEEE 802.11b, IEEE 802.11g, etc. In many cases, these amendments are regarded as standards in their own right, though to be strictly correct, they aren't separate standards.

The original IEEE 802.11 that came out in 1997 is now sometimes referred to as "IEEE 802.11 Legacy".

Some information on some of these follows.


IEEE 802.11 Legacy

Released around 1997, this standard defined a basic network MAC layer, using either a 2.4 GHz radio carrier or an infrared carrier.

Data rates were quite slow, up to about 2 Mb/s.

This original wireless standard was used in the wider world, but not to any great extent. The standard wasn't very tightly defined, so different manufacturers implemented it in different ways, resulting in incompatible systems.

Few people will ever meet a system based on IEEE 802.11 Legacy.


IEEE 802.11b

Released around 1999.

Although IEEE 802.11 Legacy was the first standard, IEEE 802.11b was the first amendment that became widely used for wireless networking.

It also used an rf frequency of around 2.4 GHz, which is the same frequency band as used by some other equipment such as cordless phones and microwaves, so interference can be a problem.

The type of modulation is dynamic, changing with variation in signal strength. For strong signals, only a small amount of error correction is required, so data rates are high. As signal strength drops, more error correction is required, so data rates drop accordingly.


IEEE 802.11a

Also released around 1999.

This amendment defines the use of 5 GHz instead of 2.4 GHz as the carrier frequency.

It never really had a big impact on wireless networking, because by the time it was released, IEEE 802.11b was already very widely used, and the higher carrier frequency of IEEE 802.11a made it harder to implement in hardware. In addition, the higher carrier frequency is more affected by objects in the radio path.

However in the right environment, it can deliver higher data rates than IEEE 802.11b.


IEEE 802.11g

This came out in June 2003, and goes back to 2.4 GHz for the carrier frequency. Data rates are however much higher, with a maximum of 54 Mb/s.

However, this isn't all good news, as the different modulation technique means that higher signal strengths are required, with data rates dropping rapidly as the signal strength drops.

One of the characteristics built into IEEE 802.11g is backward compatibility with IEEE 802.11b; both use 2.4 GHz as the carrier frequency. However, when a system is using a mix of equipment built to the IEEE 802.11b standard and equipment built to the IEEE 802.11g standard, the highest data rate achievable is determined by the equipment built to the IEEE 802.11b standard, so the advantage of the IEEE 802.11g equipment is lost.

Systems using IEEE 802.11g are subject to the same interference from other types of equipment as systems using IEEE 802.11b.

There has been widespread development of equipment built to the IEEE 802.11g standard, and quite often this equipment is actually multiband, being able to work to IEEE 802.11g and to IEEE 802.11b; in some cases, also to IEEE 802.11a.


Radio channels

All the above IEEE 802.11 amendments specify the way the rf carrier is utilised.

IEEE 802.11b and IEEE 802.11g specify that there are 14 channels available, with mostly a channel spacing of 5 MHz. So the centre frequencies are 2.412 GHz, 2.417 GHz, 2.422 GHz, ... up to 2.484 GHz.

IEEE 802.11a specifies that there are 16 channels available, with variable channel spacing between 10 MHz and 25 MHz. So the centre frequencies are 5.170 GHz, 5.180 GHz, 5.190 GHz, ... up to 5.805 GHz.

However, in both cases not all these channels are used in all countries, as different countries have their own frequency utilisation regulations. So, for example, the United States only allows use of 11 of the 14 available 2.4 GHz channels, and 8 of the 16 available 5 GHz channels.

Just as IT technology advances, so does rf technology - when IEEE 802.11b was published, the 5 MHz channel spacing allowed data rates up to 11 Mb/s.

The 10 MHz and higher channel spacing of IEEE 802.11a allowed data rates up to 54 Mb/s.

By the time IEEE 802.11g was published, developments in modulation techniques allowed for data rates up to 54 Mb/s within a 5 MHz channel spacing, although higher signal strengths are required.

One of the problems in wireless networks is that all users accessing a single access point have to share the available bandwidth of that access point consecutively rather than concurrently, and a technique called "Carrier Sense Multiple Access with Collision Avoidance" is used to manage this. Also known as "CSMA/CA", this technique effectively requires that all nodes have to listen to the network to check that it is unused, before initiating contact with any other node.

CSMA/CA is similar to, but not the same as, the CSMA/CD technique used on wired Ethernet networks, where the same problem exists.

Because of the problems associated with multiple access to an access point, the actual maximum data rates achievable are at best about half the figures given above.

It is very likely that in areas requiring high traffic capability, the wireless networking industry will move towards the sectored antenna and cellular channel distribution techniques that are already widely used in the cellular telephone industry.


WEP

Included in the various standards above is an optional data encryption mechanism known as "Wired Equivalent Privacy", or "WEP".

The reason for its inclusion was recognition that a wireless network is fundamentally less secure than a wired network such as Ethernet - you can pick up a wireless signal from outside a building, in the street, in a car, across the road in a park, etc. So to have an unprotected wireless network is a significant security risk.

I haven't found a definitive answer as to whether WEP was an option on IEEE 802.11 Legacy, but it was certainly an option on IEEE 802.11b and IEEE 802.11g.

The basic mechanism of WEP is that each node in a wireless network system uses a key to encrypt the data that is sent across the wireless links. Any node that knows the key can encrypt and decrypt the data. Any node that doesn't know the key can't.

WEP uses RC4 encryption.

The key that is used to encrypt the data is created by combining two different sub keys -

  • a 24 bit initialisation vector (known as the "IV")

  • either a 40 bit or a 104 bit WEP key that is generated from a password supplied by the system administrator

So this produces either a 64 bit or a 128 bit encryption key.

In conventional encryption terms, the IV is the public key, and the WEP key is the shared secret key.

The IV sub key is transmitted in clear text form along with the data in each data packet - provided the receiver knows the shared secret WEP key, the receiver can reconstruct the encryption key and decrypt the data that it has received.

This all sounds like quite a good system, but in reality the IV actually introduces quite a few security weaknesses.

  • the standard defining WEP doesn't actually state that the IV should change on each packet, so in theory the same IV could be used on all packets - reusing encryption keys is a known weakness of encryption systems

  • many manufacturers do change the IV for each packet, however the IV is only 24 bits long, so there are about 16.7 million possible values of the IV. Snooping on a reasonably busy wireless network for a few hours will capture the same encryption key used more than once, and that leads to being able to crack it

  • with a 24 bit IV, there are about 9000 values which are known as weak keys, as there is a higher probability of predicting the rest of the encryption key from the first few bytes

  • the algorithm used to create the IV tends to produce IVs that are quite similar for the first few IVs that are produced, making the encryption key easier to crack

So WEP has a problem in that it is possible to crack the key just by sitting on the wireless network and eavesdropping on the data exchanges. The internet is a ready source of software tools which allow WEP keys to be extracted.
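The construction just described, as an added example that is not part of the original page: a small Python model of WEP's per-packet RC4 key (the IV followed by the shared secret) that shows two of the points in the list above, namely that a repeated IV gives an identical keystream, so two ciphertexts XORed together leak the XOR of their plaintexts with no knowledge of the secret, and that with only 2^24 IV values a repeat is expected after a few thousand frames. The key, IVs, frame contents and helper names are constructed for the example; the 802.11 frame header, the CRC-32 integrity check and the key-id byte of real WEP are left out, so this is a teaching model rather than an interoperable implementation.

```python
"""Added example (not from the original page): a model of the WEP keystream
construction, used to show why a 24-bit IV that may repeat is a problem.
RC4 is implemented directly. The 802.11 header, CRC-32 integrity check
and key-id byte of real WEP are omitted."""
import math
from typing import Optional


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA, then PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Per-packet RC4 key = IV || shared secret (64 or 128 bits in total).
    The IV is sent in clear in front of the ciphertext, as the page says."""
    if len(iv) != 3 or len(secret) not in (5, 13):
        raise ValueError("IV must be 24 bits and the secret 40 or 104 bits")
    return iv + xor_bytes(rc4_keystream(iv + secret, len(payload)), payload)


def wep_decrypt(secret: bytes, packet: bytes) -> bytes:
    """Receiver side: read the clear IV, rebuild the same key, strip the stream."""
    iv, ciphertext = packet[:3], packet[3:]
    return xor_bytes(rc4_keystream(iv + secret, len(ciphertext)), ciphertext)


def keystream_reuse_leak(packet_a: bytes, packet_b: bytes) -> Optional[bytes]:
    """Two packets carrying the same IV were encrypted with the same RC4 key,
    so their keystreams are identical. XORing the two ciphertexts cancels
    the keystream and leaves plaintext_a XOR plaintext_b, with no knowledge
    of the secret: the 'reusing encryption keys' weakness in the list above.
    Returns None when the IVs differ."""
    if packet_a[:3] != packet_b[:3]:
        return None
    n = min(len(packet_a), len(packet_b)) - 3
    return xor_bytes(packet_a[3:3 + n], packet_b[3:3 + n])


def frames_until_iv_repeat(iv_bits: int, probability: float = 0.5) -> int:
    """Birthday-bound estimate: frames with uniformly random IVs needed before
    some IV value has been used twice with the given probability."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    secret = bytes.fromhex("0123456789")              # constructed 40-bit key
    iv = bytes.fromhex("a1b2c3")                      # constructed 24-bit IV
    frame_a = b"GET /index.html HTTP/1.0"             # constructed payloads
    frame_b = b"POST /login.cgi HTTP/1.0"
    pkt_a = wep_encrypt(secret, iv, frame_a)
    pkt_b = wep_encrypt(secret, iv, frame_b)          # same IV reused
    assert wep_decrypt(secret, pkt_a) == frame_a
    leak = keystream_reuse_leak(pkt_a, pkt_b)
    print("plaintext XOR recovered:", leak == xor_bytes(frame_a, frame_b))
    print("frames until a 24-bit IV repeats (p=0.5):", frames_until_iv_repeat(24))
    print("frames until a 48-bit IV repeats (p=0.5):", frames_until_iv_repeat(48))
```

Running the file prints True for the keystream-reuse check, followed by the birthday-bound frame counts for a 24-bit and a 48-bit IV; the gap between those two figures is the reason for the longer IV that WPA introduces in the next section.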

However despite this, it is definitely worth using if a better system is not available.

Because of the fundamental weakness of WEP, a new security standard was produced called "WPA".


WPA

"WPA", or "WiFi Protected Access" was developed by the WiFi Alliance, which is an alliance of various manufacturers, with the aim of maximising interoperability between different makes of wireless networking equipment.

There are several key factors about WPA -

  • WPA is a lot more secure than WEP

  • WPA was specifically developed to work on hardware that was originally designed to use WEP

  • Because of this, WPA is not as secure as it could be if it had been developed to use new hardware types

  • There are two versions of WPA - these are "WPA Personal" and "WPA Enterprise"

  • "WPA", "WPA Personal", and "WPA Enterprise" are trademarks of the WiFi Alliance

In WPA, encryption is still based on RC4, but the IV has been increased to 48 bits, which reduces the chance of reuse of a key by a factor of 2 to the power of 24.

WPA uses TKIP - Temporal Key Integrity Protocol - for the encryption process.

WPA uses a new form of data integrity checking known as "Michael".

WPA was developed to work on hardware designed to operate WEP - however, that isn't the end of the story - some hardware designed for WEP won't work with WPA. Also, most of the hardware designed for WEP will need firmware / driver upgrades before it will work with WPA.

In WEP, the master key itself is directly used to encrypt the data. This is a known weakness in encryption systems, and in WPA, the master key is used to produce a hierarchy of sub keys, which are the keys used in the encryption process.

In WPA, known weak key values are not used.

As highlighted above, there are two types of WPA - WPA Personal and WPA Enterprise.

WPA Enterprise, otherwise known just as WPA, was designed around IEEE 802.1x and EAP. The component parts are therefore the client, an access point that can pass through authentication requests, and a back-end authentication server such as Radius or LDAP.

The authentication server can authenticate on the basis of some kind of certificate supplied by the client, or on the basis of a username and password.

If the back-end server approves the connection, the authenticator in the access point is responsible for generating the master key and sub-keys that are used by TKIP to encrypt the data traffic across the wireless link, and so there is no requirement for users or administrators to provide passwords or passphrases in order to generate the encryption keys.

WPA Personal, which is also known as WPA-PSK, doesn't require an authenticating server. Instead, a password or passphrase is created by the system administrator and distributed across the system to all nodes. This password / passphrase is used to generate the keys used by TKIP to encrypt the data traffic.

A weakness has been identified in the encryption used in WPA-PSK - this isn't a fault with the encryption itself. The problem lies in the passwords used in the creation of the keys. It has been found that if a password has fewer than 20 characters, then it can be much more easily cracked by off-line dictionary attacks. So it is essential to use passphrases with more than 20 characters, and which are not dictionary words or near-dictionary words.
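An added example, not from the original page, covering the last two paragraphs: how a WPA-PSK passphrase is turned into the master key from which the TKIP keys are derived, and a check of the passphrase rule stated above. WPA-PSK derives the 256-bit pairwise master key (PMK) with PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID, for 4096 iterations; that detail comes from IEEE 802.11i rather than from this page. The SSIDs, the small word list and the function names are constructed for the example.

```python
"""Added example (not from the original page): WPA-PSK passphrase to PMK
derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, per IEEE
802.11i) and a check of the page's passphrase rule. Word list, SSIDs and
helper names are constructed for this example."""
import hashlib
import time
from typing import List


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations) -> 32-byte PMK."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA-PSK passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


# Constructed stand-in for a real guessing dictionary.
COMMON_WORDS = frozenset({
    "password", "letmein", "qwerty", "wireless", "internet", "welcome",
    "football", "sunshine", "dragon", "monkey",
})
TRAILING_JUNK = "0123456789!@#$%^&*._-"


def passphrase_problems(passphrase: str, dictionary=COMMON_WORDS) -> List[str]:
    """Apply the page's rule: more than 20 characters, and neither a
    dictionary word nor a near-dictionary word (a word with digits or
    punctuation bolted on). Returns the violations; empty means it passes."""
    problems = []
    if len(passphrase) <= 20:
        problems.append("20 characters or fewer")
    lowered = passphrase.lower()
    if lowered in dictionary:
        problems.append("dictionary word")
    else:
        core = lowered.strip(TRAILING_JUNK)
        if core != lowered and core in dictionary:
            problems.append("near-dictionary word (word plus digits/punctuation)")
    return problems


def seconds_to_exhaust(dictionary_size: int, ssid: str, samples: int = 5) -> float:
    """Estimate how long trying `dictionary_size` candidate passphrases
    offline would take on this machine, by timing a few PMK derivations.
    The 4096 PBKDF2 iterations are the only brake on a guesser, which is
    why the strength has to come from the passphrase itself."""
    start = time.perf_counter()
    for n in range(samples):
        derive_pmk(f"timing-sample-{n:02d}", ssid)
    per_guess = (time.perf_counter() - start) / samples
    return dictionary_size * per_guess


if __name__ == "__main__":
    ssid = "example-office-wlan"                    # constructed SSID
    for candidate in ("password", "password123", "correct horse battery staple"):
        print(f"{candidate!r}: {passphrase_problems(candidate) or 'passes the rule'}")
    # The SSID is the salt, so the same passphrase gives a different PMK on
    # every network; a PMK table built for one SSID is useless for another.
    print(derive_pmk("correct horse battery staple", ssid).hex())
    print(derive_pmk("correct horse battery staple", ssid + "-2").hex())
    print(f"~{seconds_to_exhaust(1_000_000, ssid):.0f} s to try a million guesses here")
```

Because the derivation is deterministic and the SSID is public, anyone who has captured the key exchange can check guesses offline at the rate seconds_to_exhaust measures; the only defence is a passphrase that no guess list contains, which is what the page's 20-character rule is getting at. Using a non-default SSID also helps, since it forces any precomputed PMK table to be rebuilt for that network.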


IEEE 802.11i or WPA2

As suggested above, WPA was designed as an interim solution to the deficiencies of WEP, whilst working on the same hardware that WEP works on.

The future lies in IEEE 802.11i, or WPA2.

IEEE 802.11i is a further amendment to the original IEEE 802.11, and the WiFi Alliance have now certified this in WPA2.

Like WPA, WPA2 comes in two versions, WPA2 Enterprise, and WPA2 Personal.

Also as before, "WPA2", "WPA2 Enterprise", and "WPA2 Personal" are trademarks of the WiFi Alliance.

In WPA2, RC4 is replaced by AES, which is a much more robust encryption system, and because of this use of AES, Michael is replaced by CCMP.

AES requires a lot of computing power, so only quite new wireless cards will work with WPA2, and some of those may need driver upgrades.

It looks as if Microsoft Windows XP sp2 has support for IEEE 802.11i built in.

IEEE 802.11i or WPA2 is the only way to go if a wireless network has to be reasonably secure, but implementing it across an organisation will require a lot of hardware upgrades.

© 2006 Ron Turner

