Jan 20, 2014

Long guard intervals and Reduced Inter frame space

The basic concept is that 802.11n uses OFDM, where bits of information are sent across mini-channels called tones or sub-carriers within the 20 MHz signal. Each chunk of information is followed by a small silence (the guard interval), a time during which the subcarrier does not send any useful information. The reason is that we want to let the reflections and other multipath echoes occur before sending the next chunk of information, to avoid collision. The default silence time is 800 nanoseconds. It can be reduced to 400 nanoseconds, offering overall 11% more throughput, but also more collision risk.

CLI from WLC:

config 802.11a 11nSupport guard_interval long




802.11n also introduces RIFS (Reduced Inter Frame Spaces), where a station can send blasts of data, separated by 2 microsecond inter frame spaces. RIFS improves the efficiency of the 802.11n network, but may disturb networks where a lot of non-802.11n stations are present.

CLI from WLC:

config 802.11a 11nSupport rifs rx enable

Jan 19, 2014

Wireless LAN - Enterprise Security













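| Security standard | WEP (IEEE 802.11) | WPA | WPA2 (IEEE 802.11i) |
|---|---|---|---|
| Standards body | IEEE 802.11 | Wi-Fi Alliance | IEEE 802.11i |
| Date of standardization | 1997 | October 2002 | June 2004 |
| Encryption method | WEP | TKIP | CCMP |
| Encryption algorithm | RC4 | RC4 | AES |
| Encryption key length | 40 or 104 bit | 104 bit | 128 bit |
| Authentication key length | - | 64 bit | 64 bit |
| IV length | 24 bit | 48 bit | 48 bit |
| Integrity check | CRC32 | MIC | CCM |
| Anti-replay protection | No | Yes | Yes |
| Authentication method | ① Open System authentication; ② Shared Key authentication; ③ Open System authentication + IEEE 802.1x authentication | ① PSK (Pre-Shared Key) authentication; ② IEEE 802.1x authentication | ① PSK (Pre-Shared Key) authentication; ② IEEE 802.1x authentication |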

What is WPA? How is WPA 2 different from WPA?

WPA is a standard-based security solution from the Wi-Fi Alliance that addresses the vulnerabilities in native WLANs. WPA provides enhanced data protection and access control for WLAN systems. WPA addresses all known Wired Equivalent Privacy (WEP) vulnerabilities in the original IEEE 802.11 security implementation and brings an immediate security solution to WLAN networks in both enterprise and small office, home office (SOHO) environments.

WPA2 is the next generation of Wi-Fi security. WPA2 is the Wi-Fi Alliance interoperable implementation of the ratified IEEE 802.11i standard. WPA2 implements the National Institute of Standards and Technology (NIST)-recommended Advanced Encryption Standard (AES) encryption algorithm with the use of Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). AES Counter Mode is a block cipher that encrypts 128-bit blocks of data at a time with a 128-bit encryption key. WPA2 offers a higher level of security than WPA. WPA2 creates fresh session keys on every association. The encryption keys that WPA2 uses for each client on the network are unique and specific to that client. Ultimately, every packet that is sent over the air is encrypted with a unique key.

Both WPA1 and WPA2 can use either TKIP or CCMP encryption. (It is true that some access points and some clients restrict the combinations, but there are four possible combinations). The difference between WPA1 and WPA2 is in the information elements that get put into the beacons, association frames, and 4-way handshake frames. The data in these information elements is basically the same, but the identifier used is different. The main difference in key handshake is that WPA2 includes the initial group key in the 4-way handshake and the first group key handshake is skipped, whereas WPA needs to do this extra handshake to deliver the initial group keys. Re-keying of the group key happens in the same way. The handshake occurs before the selection and use of the cipher suite (TKIP or AES) for the transmission of user datagrams. During the WPA1 or WPA2 handshake, the cipher suite to use is determined. Once selected, the cipher suite is used for all user traffic. Thus WPA1 plus AES is not WPA2. WPA1 allows for (but often is client side limited) either the TKIP or AES cipher.
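The information-element difference described above can be checked directly on captured beacon bytes. The following is an added example, not code from the original post: it decodes the WPA element (vendor-specific ID 221, OUI 00:50:F2, type 1) and the RSN element (ID 48, OUI 00:0F:AC) and reports the cipher suites each advertises. The function names and the sample byte strings are constructed for illustration.

```python
import struct

# Suite type codes used by both the WPA and the RSN (WPA2) information elements.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}
WPA_OUI = bytes.fromhex("0050f2")  # vendor OUI carried in the WPA element
RSN_OUI = bytes.fromhex("000fac")  # IEEE 802.11 OUI carried in the RSN element

def _suites(body, off, oui, names):
    """Read a little-endian count, then that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    out = []
    for _ in range(count):
        sel = body[off:off + 4]
        if len(sel) < 4:
            raise ValueError("truncated suite list")
        out.append(names.get(sel[3], "unknown") if sel[:3] == oui else "vendor")
        off += 4
    return out, off

def parse_security_ies(ies):
    """Walk the tagged elements of a beacon and decode the WPA / WPA2 ones."""
    found, pos = {}, 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2:pos + 2 + length]
        pos += 2 + length
        if len(body) < length:
            break                                   # truncated element
        if eid == 48:                               # RSN element -> WPA2
            name, oui = "WPA2", RSN_OUI
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":  # vendor element, WPA
            name, oui, body = "WPA", WPA_OUI, body[4:]
        else:
            continue
        try:
            pairwise, off = _suites(body, 6, oui, CIPHERS)  # skips version + group
            akm, _ = _suites(body, off, oui, AKMS)
        except (struct.error, ValueError):
            continue                                # malformed element: ignore
        found[name] = {"group": CIPHERS.get(body[5], "unknown"),
                       "pairwise": pairwise, "akm": akm}
    return found

# Constructed samples: SSID + WPA element (CCMP, PSK); RSN element (TKIP, 802.1X).
WPA1_AES = bytes.fromhex("00 04 74 65 73 74 dd 16 00 50 f2 01 01 00 00 50 f2 04 "
                         "01 00 00 50 f2 04 01 00 00 50 f2 02")
WPA2_TKIP = bytes.fromhex("30 14 01 00 00 0f ac 02 01 00 00 0f ac 02 01 00 00 0f ac 01 00 00")
```

Running `parse_security_ies` on the first sample reports a WPA entry with CCMP and no WPA2 entry, which is the "WPA1 plus AES is not WPA2" case; the second sample is a WPA2 network still offering only TKIP.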

What is TKIP?

TKIP stands for Temporal Key Integrity Protocol. TKIP was introduced to address the shortcomings in WEP encryption. TKIP is also known as WEP key hashing and was initially called WEP2. TKIP is a temporary solution that fixes WEP's key reuse problem. TKIP uses the RC4 algorithm to perform encryption, which is the same as WEP. A major difference from WEP is that TKIP changes the temporal key every packet. The temporal key changes every packet because the hash value for every packet changes.

What is Broadcast Key Rotation?

Broadcast key rotation allows the AP to generate the best possible random group key. Broadcast key rotation periodically updates all clients capable of key management. When you enable broadcast WEP key rotation, the AP provides a dynamic broadcast WEP key and changes the key at the interval you set. Broadcast key rotation is an excellent alternative to TKIP if your wireless LAN supports non-Cisco wireless client devices or devices that you cannot upgrade to the latest firmware for Cisco client devices.

If you use "debug client" from the WLC (Wireless LAN Controller), you can find the following message:

Dec 24 17:32:59.282: 00:40:96:b3:16:75 Updated broadcast key sent to mobile 00:40:96:B3:16:75

What is WEP Encryption?

WEP stands for Wired Equivalent Privacy. WEP is used to encrypt and decrypt data signals that transmit between WLAN devices. WEP is an optional IEEE 802.11 feature that prevents disclosure and modification of packets in transit and also provides access control for the use of the network. WEP makes a WLAN link as secure as a wired link. As the standard specifies, WEP uses the RC4 algorithm with a 40-bit or 104-bit key. RC4 is a symmetric algorithm because RC4 uses the same key for the encryption and the decryption of data. When WEP is enabled, each radio "station" has a key. The key is used to scramble the data before transmission of the data through the airwaves. If a station receives a packet that is not scrambled with the appropriate key, the station discards the packet and never delivers such a packet to the host.

What are Open Authentication and Shared Key Authentication?

Open Authentication is basically a null authentication algorithm, which means that there is no verification of the user or machine. Open Authentication allows any device that places an authentication request to the access point (AP). Open Authentication uses clear-text transmission to allow a client to associate to an AP. If no encryption is enabled, any device that knows the SSID of the WLAN can gain access into the network. If Wired Equivalent Privacy (WEP) is enabled on the AP, the WEP key becomes a means of access control. A device that does not have the correct WEP key cannot transmit data through the AP even if authentication is successful. Neither can such a device decrypt data that the AP sends.

Shared Key Authentication works similarly to Open Authentication, with one major difference. When you use Open Authentication with a WEP encryption key, the WEP key is used to encrypt and decrypt the data, but is not used in the authentication step. In Shared Key Authentication, WEP encryption is used for authentication. Like Open Authentication, Shared Key Authentication requires the client and the AP to have the same WEP key. The AP that uses Shared Key Authentication sends a challenge text packet to the client. The client uses the locally configured WEP key to encrypt the challenge text and replies with a subsequent authentication request. If the AP can decrypt the authentication request and retrieve the original challenge text, the AP responds with an authentication response that grants access to the client.

Note that WEP is set on AP and Client. 


What is the need for Wireless Security?

In a Wired network, data remains in the cables that connect the end devices. But Wireless networks transmit and receive data through a broadcast of RF signals into the open air. Because of the broadcast nature that WLANs use, there is a greater threat of hackers or intruders who can access or corrupt the data. In order to alleviate this problem, all WLANs require the addition of:

  1. User authentication to prevent unauthorized access to network resources.


  2. Data privacy to protect the integrity and privacy of transmitted data (also known as encryption).