Wireless LAN – WLAN
BAT54-Rail/F..
Release 7.54 06/08
3.2 Development of WLAN security
The suffix CCM denotes the way in which AES is used in WLAN packets. The process is quite complicated, so CCM is only sensibly implemented in hardware; software-based implementations are possible, but would incur significant speed penalties on the processors commonly used in access points.
In contrast to TKIP, AES requires only a 128-bit key, which provides both encryption and protection against undetected changes to packets. Furthermore, CCM is fully symmetric, i.e. the same key is used in both communication directions. A standards-compliant TKIP implementation, on the other hand, requires different Michael keys in the send and receive directions, so CCM is significantly simpler to use than TKIP.
Similar to TKIP, CCM uses a 48-bit initialization vector (IV) in each packet, so an IV repetition is impossible in practice. As in TKIP, the receiver notes the last IV used and discards packets with an IV that is equal to or less than the comparison value.
Pre-authentication and PMK caching
802.11i is intended to help with the use of WLAN for voice connections (VoIP) in enterprise networks. Especially in connection with WLAN-based wireless telephony, quick roaming (switching from one access point to another without lengthy interruptions) is of special significance. In telephone conversations, interruptions of 100 milliseconds are irritating, but the full authentication process over 802.1x, including the subsequent key negotiation with the access point, can take significantly longer.
For this reason, PMK caching was introduced as a first measure. The PMK serves as the basis for key negotiation in an 802.1x authentication between client and access point. In VoIP environments a user may move back and forth among a relatively small number of access points, so a client may switch back to an access point at which it was already registered earlier. In this case it would not be sensible to repeat the entire 802.1x authentication. The access point can therefore label the PMK with a code, the so-called PMKID, which it transmits to the client. Upon a new registration, the client uses the PMKID to ask whether this PMK is still stored. If it is, the 802.1x phase can be skipped and the connection is quickly restored. This optimization is unnecessary if the PMK in a WLAN is calculated from a passphrase, because that PMK applies everywhere and is already known.
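
The PMK caching lookup described above, as an added example (not code from this manual or from the device firmware). The PMKID formula is the one defined in IEEE 802.11i; the class name PmkCache, the cache lifetime and the sample MAC addresses and PMK are assumptions constructed for illustration.

```python
import hashlib
import hmac


def pmkid(pmk: bytes, ap_mac: bytes, client_mac: bytes) -> bytes:
    """PMKID per IEEE 802.11i: first 128 bits of
    HMAC-SHA1(PMK, "PMK Name" || AP MAC || client MAC)."""
    data = b"PMK Name" + ap_mac + client_mac
    return hmac.new(pmk, data, hashlib.sha1).digest()[:16]


class PmkCache:
    """Access-point-side cache of PMKs from completed 802.1x authentications."""

    def __init__(self, ap_mac: bytes, lifetime_s: float = 43200.0):
        self.ap_mac = ap_mac
        self.lifetime_s = lifetime_s  # assumed lifetime, not taken from the manual
        self._entries = {}            # (client MAC, PMKID) -> (PMK, expiry time)

    def store(self, client_mac: bytes, pmk: bytes, now: float) -> bytes:
        """Cache the PMK after a full 802.1x run; return the PMKID sent to the client."""
        ident = pmkid(pmk, self.ap_mac, client_mac)
        self._entries[(client_mac, ident)] = (pmk, now + self.lifetime_s)
        return ident

    def lookup(self, client_mac: bytes, offered_ids, now: float):
        """Return the cached PMK for the first valid PMKID the client offers.
        None means no usable entry: the full 802.1x phase must be repeated."""
        for ident in offered_ids:
            entry = self._entries.get((client_mac, ident))
            if entry is None:
                continue
            pmk, expiry = entry
            if now >= expiry:
                # Expired entries are dropped so an old PMK cannot be reused.
                del self._entries[(client_mac, ident)]
                continue
            return pmk
        return None


if __name__ == "__main__":
    ap = bytes.fromhex("02aabbccdd01")    # constructed AP MAC
    sta = bytes.fromhex("02aabbccdd02")   # constructed client MAC
    pmk = hashlib.sha256(b"constructed sample PMK").digest()  # 256-bit sample
    cache = PmkCache(ap)
    ident = cache.store(sta, pmk, now=0.0)
    print("PMKID:", ident.hex())
    print("roam back, cache hit:", cache.lookup(sta, [ident], now=60.0) == pmk)
    print("after expiry, full 802.1x:", cache.lookup(sta, [ident], now=50000.0) is None)
```

Because the PMKID is bound to both MAC addresses, an entry cached at one access point does not match at another; each access point keeps its own cache.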