Wi-Fi is a Passion


Encryption Methods

In the blog about legacy encryption we covered in depth WEP and TKIP as encryption methods. This blog is about encryption methods, in general, and CCMP/GCMP, the non legacy methods.

Encryption operates at layer 2 and is for protecting the upper layers (3-7) from the OSI model. The MPDU (MAC Protocol Data Unit) has a header (MAC Header), a body (MSDU), and a trailer (FCS/CRC). The MSDU contains the LLC and the data from the upper layers. The MSDU is encapsulated inside the frame body. So, the payload/MSDU contains the IP package plus some LLC data. The payload is between 0 and 2,304 bytes, and the frame body can be larger due to the encryption overhead. Not all the 802.11 frames are encrypted. For example, management frames carry no upper layer data (only layer 2 payload). Those frames are not encrypted. 802.11w is developed for protecting the management frames from DoS (Denial or Service) attacks. Control frames don’t have a body, only a header and a trailer, so also those don’t need to be encrypted. The last group of frames that don’t need encryption are the 802.11 data frames that don’t carry any data (NULL frames). So, only 802.11 data frames that contains MSDU payload will be encrypted.

The encryption methods are WEP, TKIP, CCMP, and GCMP. All are symmetric algorithms (using the same key for encrypting and decrypting). WEP and TKIP uses ARC4 (stream cipher) and CCMP uses AES (block cipher).

A quick overview for WEP. There are two standards of WEP, 64 bits and 128 bits. WEP has a 24 bits clear text that is called the Initialization Vector (IV). The IV, together with the static key, is the seed for the ARC4 algorithm that generates the pseudorandom bits named the keystream. WEP runs a cyclic redundancy check (CRC) on the plain text and adds the integrity check value (ICV). The plain text and ICV, together with the keystream, go through the XOR process to create the cryptic data. The weak part is the IV that is in clear text. The MSDU format is as follows. There is a 4 octet IV. This IV is 3 octets—the IV itself (24 bits clear text) and 1 octet split into the pad (6 bits) —and the Key ID (2 bits). This is the encryption overhead that is said earlier. After the 4 octets IV, the encrypted MSDU is there and the trailer is a 4 octet ICV.

Also, a brief overview of TKIP. TKIP was developed by Wi-Fi Alliance in 2002 after WEP was broken. TKIP uses 128 bits temporal key, a 48 bits sequence counter (TSC), and the Transmitter Address (TA). This all together is two phases seeding material for the ARC4 algorithm that generates the keystream. TSC are 6 separated octets (TSC0 – TSC5). The first phase is a mix of TSC2 – TSC5, TA and the Temporal Key from the 4-way handshake. This together is called the TTAK. The second phase is the TTAK, TSC0, TSC1 and again the Temporal Key. This is the seed for ARC4 algorithm. The MSDU format is for a TKIP encrypted MSDU as followed the header is 16 octets in total. The first 8 are called IV/Key ID and the second set of 8 are called the extended IV. The IV/Key ID is built up as TSC1 (8 bits), Seed (8 bits), TSC0 (8 bits), a reserved spot from 5 bits, EXT IV bit that is 1 when EXT IV is used and a 2 bits Key ID. The last 8 octets of the header is the EXT IV that is TSC2, TSC3, TSC4 and TSC5, all are 8 bits in total. Then you have the encrypted MSDU payload an it ends with a 12 octets trailer. The first 8 is the MIC (Message Integrity Check) and the last 4 is the ICV. You see that the overhead is more than with WEP. TKIP and WEP has also another limitation. They support only up to 54 Mbps data rates.

CCMP is an acronym for Counter Mode with Cipher-Block Chaining Message Authentication Code Protocol. CCMP uses AES instead of ARC4, and is the replacement for WEP and TKIP. Within RSNA is CCMP mandatory and TKIP optionally. The first part of the long name CCMP is Counter Mode. Counter Mode also referred to CTR is used for data confidentiality. The last part is Cipher Block Chaining Message Authentication Code (CBC-MAC). CBC-MAC is used for authentication and integrity. So, CTR with CBC-MAC is another way to write CCMP. When you read CCM, it references to the block cipher and not the protocol. CCM uses the key for encrypting the MSDU payload as well for integrity check (MIC).

The CCMP process is a little bit more complicate than WEP and TKIP. First a packet number (48 bits) is created (PN). The packet number is comparable to the TKIP sequence number and is unique to identify the frame and increment after every frame.
Second step is to create the Additional Authentication Data (AAD). The AAD created by fields from the MAC header and is used for integrity, so the receiving station can validate those values. See below figure to see which values are used to create the AAD and are protected.
The third step is creating the Nonce (this is not the same as the ANonce and the SNonce from the 4-way handshake). The Nonce is created from the Transmit Address, and the PN and the QoS priority data. It is a random numerical value and generated only once. It is in total 104 bits. In the fourth step the CCMP header is created, this includes the PN (PN0 – PN5) and the key ID. It is comparable to the header from TKIP with all the TSC values.
The CCM module is in the fifth step. During this step, the encryption takes place. The temporal key from the 4-way handshake, the Nonce (PN + TA), the AAD and the plain text will be mixed together to create the MIC (8 octets). At this point the MSDU payload and the 8 octet MIC are encrypted in 128-bit blocks.
In the last step, the MAC header appends to the CCMP header, MSDU payload and MIC trailer.

To dive into the frame body the header is a 8 octet CCMP header that is divided into PN0 (8 bits), PN1 (8 bits), a reserved spot (5 bits), Key IV (1 bit), Key IV (2 bits), PN2 (8 bits), PN3 (8 bits), PN4 (8 bits) and PN5 (8 bits). As you can see, this header looks quite the same as the header that is used in TKIP. Also, the trailer is 8 octets MIC like in a TKIP frame. The overhead is in total 16 bytes, what is less than the 20 bytes in TKIP, since CCMP don’t use a 4 octet ICV at the end.

CCMP was implemented with data rate of 54 Mpbs and did not changed after the newer PHY like 802.11n and 802.11ac. CCM defied the encrypted data into blocks of 16 bytes and link them together. The first block is used for the encryption of the second block and so on. The CCMP acronym, as described above, are different methods. One part is the Cipher-Block Chaining, that is used to link the 16 bytes block data together. CCM uses two AES operation per block, in combination with the other processes CCM does, it requires a large number of AES operations and the question is if CCMP will be capable to keep up with the introduction of gigabit WLAN.

Galois/Counter Mode Protocol is faster and more efficient than CCMP. GCM uses also AES but applied it in a different way. GCM uses one AES operation per block. So, the encryption process is half of the process that CCM does. Other differencing between GCM and CCM is that GCM blocks are not liked together, the blocks are independent from each other, this is not the case with CCM. The blocks from GCM can be processed parallel, so more efficient. GCMP is specified in 802.11ad (optional in 802.11ac), not backward-compatible with other equipment, so you need new equipment for this.

Suite B
This is a suite of algorithms that are specified by the National Institute of Standards and Technology (NIST) and approved by National Security Agency (NSA). Part of the Suite B is AES-128 or AES-256 in combination with CTR or GCM. Elliptic Curved Digital Signature Algorithm (ECDSA), Elliptic Curved Diffie-Hellaman (ECDH) Key Exchange and the fourth one is Secure Hash Algorithm (SHA-256 of SHA-384).

Beside the above-mentioned implementations, there are still others. There are vendor-specific products, for example xSec from Aruba.