The IEEE 802.11-2007 standard defines three encryption methods that operate at layer 2 of the OSI model: WEP, TKIP and CCMP. They are used to encrypt the upper-layer information carried in 802.11 data frames that have an MSDU payload. All three use symmetric algorithms: WEP and TKIP use the RC4 cipher, while CCMP uses the AES cipher.
Here are the details of CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol):
* AES is a block cipher based on the Rijndael algorithm.
* The Rijndael algorithm allows a selection of block sizes and key sizes (128, 192 and 256 bits for each); when NIST adopted it as AES, it specified only the 128-bit block size.
* The IEEE 802.11-2007 standard restricts both the key size and the block length to 128 bits.
* To use a block cipher on a message, a method is needed to convert the message into blocks; this is referred to as the block cipher's “mode of operation”.
* CCMP uses a mode called CCM (Counter Mode + CBC-MAC), which is itself based on Counter Mode (CTR).
* Counter mode encrypts an arbitrary value called the “counter” and then XORs the result with the data to produce the ciphertext.
* The counter is generally incremented by 1 for each successive block processed.
* The counter might start at an arbitrary value and might increment by some other value or pattern (not necessarily by 1 as described above).
* A receiving party that wants to decrypt the message must know the starting value of the counter and the rules for advancing it.
* In counter mode, decryption is exactly the same process as encryption, because XORing the same value twice takes you back to the original value (so it is easy to implement).
* Encryption can be done completely in parallel, as the counter values are known at the start.
* Basic counter mode provides only encryption, not message authentication, so for RSN an additional capability must be added.
* CCM uses counter mode in conjunction with a message authentication method called “cipher block chaining” (CBC).
* CBC is used to produce a message integrity code (MIC).
* The cryptographic community calls the MIC a message authentication code, hence CBC-MAC (the IEEE 802.11-2007 standard uses CBC-MIC to avoid confusion with MAC as in medium access control).
* In CBC-MIC, take the first block and encrypt it using AES, XOR the result with the second block and encrypt that, XOR the result with the next block and encrypt it, and so on.
* If one or more bits are changed, the computed MIC is different (this provides message authenticity).
* The MSDU is fragmented into MPDUs, and each MPDU is assigned its own 802.11 header.
* Each MPDU is processed by the CCMP algorithm to generate a new encrypted MPDU.
* Only the data part is encrypted, not the header. However, the MIC provides data integrity for both the MSDU data and portions of the MAC header of the MPDU.
* The CCMP header is prepended to the encrypted data and transmitted in clear text. It has two purposes:
  1. The 48-bit Packet Number (PN) provides replay protection and enables the receiver to derive the value of the “nonce” used for encryption.
  2. In the case of multicast, it tells the receiver which group key has been used.
* The CCMP header is very similar to the TKIP header; this was done intentionally to simplify implementation in mixed TKIP and CCMP environments.
* Of the 8 bytes of the CCMP header, 6 are used for the PN, 1 is reserved and the remaining byte contains the key ID value (2 bits for the key ID).
* The bit next to the Key ID is set to 1 (Ext IV in TKIP) to indicate that the frame format is RSN rather than the earlier WEP format.
* In CCMP, the first block of the CBC-MAC is not taken directly from the MPDU but is formed in a special way using the “nonce” value.
* The 104-bit “nonce” is formed from the Packet Number (PN), the Transmitter Address (TA) and the priority bits in QoS.
* The “flag” field has a fixed value of 01011001 and indicates that the MIC is 64 bits.
* “Dlen” indicates the length of the plaintext data.
* The Additional Authentication Data (AAD) is constructed from portions of the MPDU header.
* The 128-bit counter value is constructed from the “nonce”, “Flag” and “Ctr” fields.
* The CCMP encryption and data integrity process is as follows:
  * A 48-bit PN is created and incremented with each MPDU.
  * The AAD is created from the MPDU header.
  * The nonce is created from the PN, TA and QoS field.
  * The 8-byte CCMP header is constructed.
  * CCM, which uses the AES block cipher, is used to create the integrity check (8-byte MIC) and encrypt the upper-layer data.
  * The original MAC header is appended to the CCMP header.
  * The FCS is calculated over all the fields of the header and the entire frame body.
* The overhead resulting from CCMP is 16 bytes (8 for the CCMP header and 8 for the MIC).
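
The following Go program is an added example, not code from the original post. It carries out the steps listed above (PN placed in the CCMP header and the nonce, first CBC-MAC block built from flag 0x59, nonce and Dlen, counter blocks, 8-byte MIC) and goes one step further by adding the receive side with its PN replay and MIC checks. `Encap` and `Decap` are hypothetical names, the AAD is passed in already built, TA must be 6 bytes, and the key, address and AAD bytes are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"fmt"
)

// Encap (added example; AAD is supplied pre-built) returns CCMP header || ciphertext || MIC.
func Encap(tk []byte, pn uint64, keyID, prio byte, ta, aad, data []byte) []byte {
	blk, err := aes.NewCipher(tk) // 128-bit temporal key
	if err != nil {
		panic(err)
	}
	pad := func(b []byte) []byte { return append(b, make([]byte, (16-len(b)%16)%16)...) }
	nonce := append(append([]byte{prio}, ta...), byte(pn>>40), byte(pn>>32), byte(pn>>24), byte(pn>>16), byte(pn>>8), byte(pn))
	ctr := cipher.NewCTR(blk, append(append([]byte{0x01}, nonce...), 0, 0)) // counter block: flag || nonce || Ctr=0
	mic, out := make([]byte, 16), make([]byte, len(data))
	ctr.XORKeyStream(mic, mic)  // keystream for Ctr=0 is reserved for masking the MIC
	ctr.XORKeyStream(out, data) // Ctr=1,2,... cover the data
	b := append(append([]byte{0x59}, nonce...), byte(len(data)>>8), byte(len(data))) // first block: flag || nonce || Dlen
	b = pad(append(append(b, byte(len(aad)>>8), byte(len(aad))), aad...))            // length-prefixed AAD
	b = pad(append(b, data...))
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(b, b) // CBC-MAC chain: last block is the MIC
	for i := 0; i < 8; i++ {
		mic[i] ^= b[len(b)-16+i]
	}
	hdr := []byte{byte(pn), byte(pn >> 8), 0, 0x20 | keyID<<6, byte(pn >> 16), byte(pn >> 24), byte(pn >> 32), byte(pn >> 40)}
	return append(append(hdr, out...), mic[:8]...)
}

// Decap reads PN from the clear header and releases data only if PN advances and the MIC matches.
func Decap(tk []byte, lastPN uint64, prio byte, ta, aad, body []byte) ([]byte, uint64, error) {
	if len(body) < 16 || body[3]&0x20 == 0 {
		return nil, lastPN, fmt.Errorf("not a CCMP frame body")
	}
	pn := uint64(body[0]) | uint64(body[1])<<8 | uint64(body[4])<<16 | uint64(body[5])<<24 | uint64(body[6])<<32 | uint64(body[7])<<40
	pt := Encap(tk, pn, 0, prio, ta, aad, body[8:len(body)-8])[8 : len(body)-8] // CTR: the same XOR decrypts
	mic := Encap(tk, pn, 0, prio, ta, aad, pt)[len(body)-8:]                    // MIC recomputed over recovered plaintext
	if pn <= lastPN || subtle.ConstantTimeCompare(mic, body[len(body)-8:]) != 1 {
		return nil, lastPN, fmt.Errorf("dropped: PN %d not above %d, or MIC mismatch", pn, lastPN)
	}
	return pt, pn, nil
}

func main() {
	tk, ta, aad := make([]byte, 16), []byte{2, 0, 0, 0, 0, 1}, []byte{0x08, 0x41} // constructed sample values
	fmt.Println(Decap(tk, 0, 0, ta, aad, Encap(tk, 1, 0, 0, ta, aad, []byte("hello"))))
}
```

`Decap` calls `Encap` twice to make the counter-mode symmetry visible; a production receiver would generate the keystream once and compute the CBC-MAC only over the recovered plaintext.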
Vijaysinh Jadeja said:
Thank you for the detailed explanation. One question – when we have one SSID configured in mixed mode – WPA + WPA2, what is the maximum data rate achieved and why? I read many blogs & articles stating that it falls back to TKIP – 54Mbps in mixed mode. I will appreciate it if you can provide an explanation.
There are two keys derived:
1. PTK for unicast
2. GTK for broadcast/multicast
In mixed mode environments, the GTK has to use TKIP (instead of AES) as it is the lowest common factor. So broadcast/multicast traffic uses TKIP, which is limited to 54Mbps.