802.11i
1.Temporal Key Integrity Protocol (TKIP): a data-confidentiality protocol that was designed to improve the security of products that implemented WEP. TKIP uses a message integrity code called Michael, which enables devices to authenticate that the packets are coming from the claimed source. Also TKIP uses a mixing function to defeat weak-key attacks, which enabled attackers to decrypt traffic.
2. Counter-Mode/CBC-MAC Protocol (CCMP): a data-confidentiality protocol that handles packet authentication as well as encryption. For confidentiality, CCMP uses AES in counter mode. For authentication and integrity, CCMP uses Cipher Block Chaining Message Authentication Code (CBC-MAC). In IEEE 802.11i, CCMP uses a 128-bit key. CCMP protects some fields that aren't encrypted. The additional parts of the IEEE 802.11 frame that get protected are known as additional authentication data (AAD). AAD includes the packets source and destination and protects against attackers replaying packets to different destinations.
3.IEEE 802.1x: offers an effective framework for authenticating and controlling user traffic to a protected network, as well as dynamically varying encryption keys. 802.1X ties a protocol called EAP (Extensible Authentication Protocol) to both the wired and wireless LAN media and supports multiple authentication methods.
4. EAP encapsulation over LANs (EAPOL)– it is the key protocol in IEEE 802.1x for key exchange. Two main EAPOL-key exchanges are defined in IEEE 802.11i. The first is referred to as the 4-way handshake and the second is the group key handshake.
This is the key hierarchy specified by the IEEE 802.11r standard.
The 802.11r standard applies to a 3-tier reference architecture that divides the access network into mobility zones. A mobility zone is defined as the collection of lightweight access points connected to a central management unit, here after referred to as controller. Generally, neighboring access points covering a certain geographic zone are grouped into a single mobility zone.When a 802.11r compliant station enters a mobility zone, it first performs authentication using EAP. The resulting MSK is used by the station and the controller to derive a key called PMK-R0. PMK-R0 is then used to derive per-access-point PMKs. The name for such keys is PMK-R1. The controller finally sends the PMK-R1 keys to their corresponding access points. The mobility zone controller that holds the PMK-R0 key is called R0 Key Holder (R0KH), while the access points to which PMK-R1 keys are delivered are R1 Key Holder(R1KH).
802.11k
A proposed IEEE standard, 802.11k aims to provide key client feedback to
wireless-LAN access points and switches. The proposed standard defines a series
of measurement requests and reports that detail Layer 1 and Layer 2 client
statistics. In most cases, access points or WLAN switches ask clients to report
data, but in some cases clients might request data from access points.
Because 802.11k is designed to be implemented in software, existing WLAN
equipment can be upgraded to support it. For the standard to be effective, both
clients (WLAN cards and adapters) and infrastructure (access points and WLAN
switches) will need to support it.
Here are some of the measurements 802.11k defines:
• Roaming decisions.• RF channel knowledge.• Hidden nodes.•
Client statistics.• Transmit Power Control (TCP).
802.11w
Protected Management Frames
Current 802.11 standard defines "frame" types for use in management and control of wireless links. IEEE 802.11w is the Protected Management Frames standard for the IEEE 802.11 family of standards. TGw is working on improving the IEEE 802.11 Medium Access Control layer. The objective of this is to increase the security by providing data confidentiality of management frames, mechanisms that enable data integrity, data origin authenticity, and replay protection. These extensions will have interactions with IEEE 802.11r and IEEE 802.11u
Wireless LANs send system management information in unprotected frames, which makes them vulnerable. This standard will protect against network disruption caused by malicious systems that forge disassociation requests that appear to be sent by valid equipment.
The above picture is a connection diagram.
