802.11 Wave Rider

Friday, October 25, 2019

Authentication and Key Management (AKM) & PSK Authentication

October 25, 2019

In the previous blogs, we have mentioned about Robust Security Network (RSN) that was being defined in 802.11i amendment. RSN now also being part of the 802.11-2012 standard. Robust security network association (RSNA) requires 802.11 stations to have process for dynamic encryptions keys creation after the authentication and association.

AKM which stands for Authentication and Key Management is the process that helps us to explain how encryption keys are derived from authentication. It was also defined in the 802.11-2012 standard for the AKM services.

Authentication is the process or action of verifying the identity of a client station before its access to the network is granted
Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.

Although Authentication and Encryption serves two different set of goal, but they were linked together in the modern 802.11 network in the AKM services.

Before we view and study the whole frame exchanges during the AKM services, it is important that we understand the RSN key hierarchy and its different keys.

Master Session Key (MSK)
MSK is at the top of the RANA key hierarchy. It is the first key being generated during the process from 802.1X/EAP or is derived from PSK authentication. In PSK authentication, it follows the below passphrase-PSK mapping formula to convert the passphrase to a 256bit PSK:

PSK = PBKDF2(PassPhrase, ssid, ssidLength, 4096, 256)

Master Keys
There are two master keys being created which are PMK and GMK. These master key will be used as seeding material later for the 4-Way Handshake process.

Pairwise Master Key (PMK)
The PMK is derived from MSK seeding material. In 802.1X/EAP authentication, a unique PMK is generated every time a client authenticates or re-authenticates. While in PSK authentication, the 256-bit PSK is also being used as the PMK and thus every client will be having the same PMK in this case. PMK will be used to create PTK.

Group Master Key (GMK)
GMK is another master key but created randomly on the access point or authenticator. This GMK key may be regenerated at a time interval. GMK will be used to create GTK.

Temporal Keys
PTK and GTK are being created from the 4-Way Handshake process and these temporary keys are used to encrypt or decrypt 802.11 data.

4-Way Handshake
During the 4-Way Handshake, four EAPOL-key frames are being exchanges to create the dynamic encryption keys. We will look into the details of these exchanges in the next blog.

Wednesday, October 16, 2019

Authentication Series - Open System Authentication

October 16, 2019

In this series of WLAN security blogs, we will understand different types of authentication methods and the steps required for a client station to connect to the 802.11 BSS. The first one is Open System Authentication. It is one of the legacy WLAN security but the only pre-RSNA security that has not been deprecated. RSNA stands for robust security network associations which indicates the better authentication algorithm with stronger encryption. It was defined in the 802.11i amendment ratified and published in 2004. Another legacy authentication methods WEP has been superseded by WPA.

Open System Authentication involves the exchange of above frames between the client station and the access point during the Authentication and Association process. However, it is considered to be a null authentication because there will not be any process to exchange or verify the client’s identity.

After the probe request/response, there will be two messages (Highlighted in Blue) involved in authentication frame exchange process and another two more messages (Highlighted in Green) for the association frame.

1.    Authentication Request
2.    Authentication Response
3.    Association Request
4.    Association Response

Authentication Request & Response (Frame 58 & 59)
For the first message, the client STA sends an 802.11 authentication management frame to an AP to request for authentication.

From the IEEE 802.11 wireless LAN part of the frame body, the authentication Algorithm 0 indicates it is Open System. The authentication is open and we can see the Authentication Sequence (SEQ) is set to be 1 (0x0001). Status code to be Successful (0).

Then for the second message, when the AP received the authentication management frame, it will respond to the client STA with the Authentication Sequence (SEQ) indicates 2 (0x0002).

Association Request & Response (Frame 61 & 62)
After authentication successful, client station and access points will exchange two more association frames.

The association request has included the station’s capabilities information

The AP response with status code to be Successful; Association ID is assigned to the associated client STA:

Once open system authentication and association occurs, the client station will join the BSS and is connected to the network.

Continue Reading

Wednesday, October 9, 2019

Wireless Authentication and Encryption Overview

October 09, 2019

When it comes to deploying a Wireless LAN, it is very important to deploy secure methods for authentication and encryption so that the network can only be used by those individuals and devices that are validated and authorized. In this series of articles on WLAN security, we will talk about different types of authentication and encryption types that are commonly used in the Wi-Fi network. Below is the overview of the methods that we will talk about:

WLAN Authentication Methods:

Open System
Open System authentication provides authentication without performing any type of user verification. It does not require the use of any credentials and allows any devices to connect to the wireless network. It provides simplicity. Although being part of the legacy WLAN security, 802.11 open system authentication still being adopted prior to 802.1X/EAP authentication.

Shared Key
Another legacy authentication from original 802.11 standard. Shared Key authentication is based on a challenge-response protocol. It requires WEP mechanisms to authenticate client stations and requires that a static WEP key be configured on both the client station device and the access point. Authentication will not work if the static WEP keys do not match. If Shared key authentication were successful, the same static WEP key that was used during the authentication process would also be used to encrypt the 802.11 data frame.

PSK (Pre-Shared Key)
The PSK is the most widely used method of Wi-Fi Authentication for SOHO wireless networks. The Wi-Fi Alliance name for PSK authentication is WPA-Personal or WPA2-Personal. It moves away from static encryption key to a dynamically generated keys using a simple passphrase as a seed. WPA/WPA2 personal allows an end user to enter a simple ASCII character string, dubbed a passphrase, anywhere from 8 to 63 characters in size. The ASCII passphrase is converted to the PSK by passphrase-PSK mapping.

802.1X/EAP
802.1X/EAP is the highly secure authentication method. The 802.1X standard is actually a port-based access control standard which was originally developed for the 802.3 Ethernet networks. Later it was being adopted to provide additional support for the 802.11 wireless networks.

802.1X authentication involves three parties: Supplicant is the client devices that want to be authenticated and access to the network. An authenticator is a network device (usually either an AP or a WLAN controller) that block or allow traffics which restrict the supplicant’s communication with the authentication server. Authentication server is typically a trusted server that receive, validate the credentials of the supplicant and respond to the request for network access.

Extensible Authentication Protocol (EAP) is the layer 2 authentication protocol operates over the data link layer to be used by the supplicant and the authentication server to communicate when performing the authentication process.

Tuesday, October 1, 2019

802.11 State Machine

October 01, 2019

The state of wireless client connectivity is not just having “Connected” or “Disconnected”. When we are doing the troubleshooting on WLAN connectivity issues, it is important for us to see the whole picture and understand different states of client connectivity. We can refer to the 802.11 State Machine for the four states:

State 1: Unauthenticated and Unassociated
State 2: Authenticated and Unassociated
State 3: Authenticated and Associated
State 4: Authenticated and Associated (Required in RSA authentication methods e.g. PSK or 802.1X/EAP)

Beacon
Beacon frame is one of the 802.11 management frame. It is transmitted periodically based on the defined beacon interval. The access point use beacon frame to advertise the presence of basic service set (BSS) and that contain all the necessary information for a client STA to learn about the parameters of the BSS.

Passive/Active Scanning
Before the client STA can connect to a wireless network, they need to first discover and access point and BSS. This will be done by two scanning methods: passive or active. In passive scanning, the client STA will listen for the beacon frame that are sent by the AP. In contrast, during the active scanning, the client STA will transmit a probe request and listen for a probe response from an AP.

Below is an example of the probe request and probe response for a client STA doing a directed probe request for specific SSID named “Hive-SSID”:

Beacon probing and passive/active scanning are being part of the unauthenticated and unassociated steps to enter State 1.

Continue Reading

Tuesday, September 17, 2019

Remote Wireless LAN Packet Captures in Extreme Cloud IQ with CloudShark

September 17, 2019

This blog will cover how we can run a remote packet captures for WLAN through the cloud management platform of Extreme Cloud IQ and Cloudshark.

Extreme Cloud IQ support native packet capture and it has integrated with CloudShark. With that, we can initiate a packet capture for the WLAN connectivity and direct the resulting capture to our CloudShark account. All of these can be done through a web interface which makes the packet analysis and troubleshooting much easier than before.

In this testing, I have setup an AP managed by the Cloud IQ Platform. For the CloudShark part, I have already registered a CS Personal SaaS account:

After login to the CloudShark account, the first step is to go Preference> API Tokens:

This should bring up a small window and we can copy the API Token. This token will later be entered in my Cloud IQ Platform:

Now we switch back to our Cloud IQ platform, go to Tools> Packet Capture. Here we enter the API token in the CloudShark API Token field:

Sunday, September 1, 2019

External Antenna Access Point is better in wireless coverage?

September 01, 2019

External Antenna Access Point is better in wireless coverage?

It is often perceived that the access points will provide better wireless coverage or higher transmission strengths if the devices has external antennas rather than built-in internal antennas. This is one of the common customer facing questions when we are designing which access points to be used in the project. For this blog, we are going to look into antenna radiation patterns for us to tell the difference of these access points. In fact, access points with integrated or internal antennas doesn’t mean compromise in wireless signal coverage.

Before we get to the comparison of external and internal antenna models, we need to understand there are different types of antennas, and these antennas are designed for different purposes.

Omni-directional antenna radiate an RF signal equally in all directions. A perfect omni-directional antenna would radiate RF signal like a theoretical isotropic radiator.

Semi-directional antenna radiate an RF signal in a specific direction. It is used for short-to medium distance communication.

Highly-directional antenna radiate an RF signal also in a specific direction but with more focused and narrow beamwidth. It is used for longer distance point to point communications. For example, bridging networks between two buildings that are far from each other.

To identify the RF signal characteristics of the antennas, we can leverage the antenna radiation chart that illustrates the radiation pattern of an antenna. These information can usually be found in the datasheets of antennas or access points by referring to Azimuth and Elevation chart. Below are the examples:

A radiation pattern has both horizontal and vertical coverage area. Azimuth chart shows the signal pattern from looking down from a ceiling at a vertical polarized antenna; while the Elevation chart illustrates the signal pattern looking at the same antenna but from a side view. In either chart. The antenna is placed at the center. The degree symbols along the outer ring of the chart indicates the coverage pattern around the antenna from 0 to 360 degrees.

Besides, you will also find a number of concentric circles originate from the center of the chart showing different number of decibel (dB) levels e.g. -10, -20 & 0.
These charts are often misinterpreted because of this representation of dB mapping of antenna coverage.

The outer ring of the chart usually represents the strongest signal of the antenna. However, the chart does not represent distance or any level of power or strength;
It represents only the relationship of power between different points on the chart.
Decibels are essentially a logarithmic measurement of the gain or loss that the antenna provides. 3 dB of attenuation reduces absolute power to 1/2 of the original power. And 10 dB of attenuation reduces absolute power to 1/10 of the original power.

After understanding how to read the Azimuth and Elevation chart, let us go back to our topic and compare the radiation pattern for the access points with internal or external antennas. In the example below, we will compare two models from Cisco Aironet 2700 Series which are both 802.11ac dual band with 3x4 MIMO supporting 3 spatial streams. In order to better see the difference, we leverage iBwave software tool (http://www.ibwave.com) which support 3D Wi-Fi planning that provide us the 3D visual of antenna RF pattern.

Since both models are with Omni-directional antenna types. They radiate in all directional and we can see the radiation pattern is circular. Another observation we have is that the access point with external Omni-directional antenna is more like a doughnut shape pattern; while the internal antenna model is more like a heart shape pattern. However, the signal coverage difference is not that huge. This is because both access points also have their transmission power strictly related by the law and local regulatory.

AIR-CAP2702I-x-K9 (Internal Antenna Model)

Friday, August 9, 2019

Maximum Transmission Power in WLAN Radio?

August 09, 2019

“What is the maximum Wi-Fi transmission power of your access points or wireless router?” This is one of the common questions I always come across during the first meeting with clients in the RF designing stage. Very often we will hear the answer like 100mW or 20 dBm from the engineers, it is the maximum transmit power we can generally configure in most of the WLAN radio transmission power settings.

However, as a WLAN professional, we would like to dig in the IEEE 802.11 specification and the local regulatory domain authority who is responsible for the maximum transmit power regulations. WLAN emissions are subject to local regulatory limits. Countries apply their own regulations to allow devices and maximum power levels within the WLAN frequency ranges. Besides, different radio bands also require different regulatory power limits.

In Hong Kong SAR, we would refer to specification from OFCA (The Office of the Communications Authority) who is the responsible body for telecommunication regulatory and also allocation of the radio frequency portion of the electromagnetic spectrum.

According to HKCA 1039 from OFCA – Performance Specification For Radio communications Apparatus Operating In The 2.4GHz Or 5GHz Band. The peak output power of the apparatus shall not exceed the levels indicated below:

Short overview representing E.I.R.P in dBm:

2.400 - 2.4835 GHz (ch1-11) 4W (36dBm)

5.15 - 5.35 GHz (ch36-64) 200mW (23dBm)

5.470 - 5.725 GHz (ch100-140) 1W (30dBm)

5.725 - 5.850 GHz (ch149-165) 4W (36dBm)

The 5GHz Hong Kong regulatory is similar to ETSI Standards. The maximum allowed output power actually depends on which frequency band that we select according to the channels that we assign to the access points.

However, what is EIRP?

EIRP (Effective Isotropic Radiated Power) is the measured radiated power of an antenna in a specific direction. It is also called Equivalent Isotropic Radiated Power. It is the output power when a signal is concentrated into a smaller area by the Antenna. The EIRP can take into account the losses in transmission line, connectors and includes the gain of the antenna. It is represented in dB. Enter the transmitted power, cable loss and antenna gain to calculate the EIRP (Effective Isotropic Radiated Power)

RF Components:

Sunday, July 8, 2018

Performing Spectrum Analysis for troubleshooting

July 08, 2018

We always need to deal with RF interference when it comes to WLANs troubleshooting. Wi-Fi Access Points are generally operating either on 2.4GHz and 5GHz frequency range, however it is not just Wi-Fi who are using these channels. There are some other common electronic devices such as Bluetooth, Microwave Ovens, Cordless Phone and Wireless Camera, etc.… also operates in the same radio range that creates interference and noise to WLANs.

Spectrum analyzer is the layer 1 diagnostic tool that we often used to perform analysis to identify the RF interference that has caused negative impact on wireless performance. In today’s blog, we will walked through two primary types of spectrum analysis hardware and explore the features that we can leverage to detect non-Wi-Fi interference.

Integrated Spectrum Analyzers
Integrated spectrum analysis use AP chipsets and radios to perform the scanning of the spectrum. It can be used for effective remote troubleshooting. And there will be graphical analysis feedback that can be viewed in the web-based management interface of the AP infrastructure.

Below is an example for spectrum intelligence from Aerohive HiveManager:

There are four different types of graph presented for the captured spectrum.

Real-time FFT
Fast Fourier Transform (FFT) is a mathematic algorithm for computing the frequency spectrum of a received input signal. This line chart indicates the power level of a signal on a channel or frequency monitored.

FFT Duty Cycle
This line chart indicates the amount of time as a percentage of total time a signal is broadcast on a channel or frequency monitored. The FFT Duty Cycle is often referred to as channel utilization.

Swept Spectrogram
This plot displays FFT power levels for monitored channel or frequency over time. It produces a color-coded sweep of spectral information to show the real time FFT.

Swept Spectrogram-FFT Duty Cycle
This plot displays FFT duty cycle for monitored channel or frequency over time. It also produces a color-coded sweep to represent duty cycle information.

Thursday, January 25, 2018

Using Wireless Diagnostics Utilities in MacOS

January 25, 2018

I met one partner this week and he has asked me for the suggestion of Wi-Fi Analyzer tools for MacBook. In fact, MacOS has the built in Wireless Diagnostics tools that we can use for Wi-Fi Scanning and Packet Capture.

See below for the instructions and steps we can follow to open the Wireless Diagnostics tools in your MacOS.

First, press Command + Space and we type “Wireless Diagnostics” to bring up the window:

When we got the Wireless Diagnostics window open, move to top left of the display and select Windows options in the title bar:

Wireless Diagnostics includes below additional utilities from the menu bar including Assistant, Info, Logs, Scan, Performance and Sniffer. Let’s take a look at how these tools can be useful for Wi-Fi Analysis.

Info: Gathers key details about your current network connections.

Logs: Enables background logging for Wi-Fi.

Scan: finds Wi-Fi in your environment and gathers key details about them.

Performance: Uses live graphs to show the performance of your Wi-Fi connection:

Rate shows the transmit rate over time in megabits per second.

Signal shows both signal (RSSI) and noise measurements over time. RSSI, or “Received Signal Strength Indicator,” is a measurement of how well your device can hear a signal from an access point or router. It’s a value that is useful for determining if you have enough signal to get a good wireless connection.

Ref: Wi-Fi signal strength basic from MetaGeek
https://www.metageek.com/training/resources/wifi-signal-strength-basics.html

Quality shows the signal-to-noise ratio (SNR) over time.

SNR = Signal Strength – Noise Floor

A higher SNR value means that the signal strength is stronger in relation to the noise levels, which allows higher data rates and fewer re-transmissions.

Sniffer: Captures traffic on your Wi-Fi connection, which can be useful when diagnosing a reproducible issue.

We can select the channel and channel width that we would like to do the packet capture, and click “Start”.

Once you finished the packet capture, we can click Stop “Stop” and a PCAP file will be automatically created and store in /var/tmp.

We can now use the packet analyzer to open and do the further analysis of the 802.11 packet captured.

Reference:
https://support.apple.com/en-us/HT202663 Continue Reading

Sunday, January 14, 2018

Wi-Fi Basics & RF Calculation

January 14, 2018

When dealing with RF and Wi-Fi, we will see a lot of different terms like dB, dBi, dBm, RSSI and SNR. It would be super confusing if we do not understand the meaning and difference among these units, not to mention if we need to do the RF mathematics to calculate the Wi-Fi signal strength and power.

So I thought it could be useful for us to do a quick explanation of what each of these measurements means when we are studying WLAN technology.

Watt (W) & Milliwatt (mW)
The common way to express power is by unit of Watt (W); while Milliwatt (mW) is equal to one thousandth (1/1,000) of a watt.

Decibel (dB)
Unlike W and mW, Decibel (dB) is not a unit of power or absolute measurement. It is a unit of comparison which is the relative measurement of two different power levels. It has to be referenced to something else to provide meaningful measurement.

Decibels relative to an isotropic radiator (dBi)
dBi stands for decibels measured against an isotropic reference antennas (isotropic radiators). An isotropic radiator radiate an equal signal in all directions. dBi is usually used for measurement of the amount of gain that an antenna puts on a signal.

Decibel relative to 1 mW (dBm)
dBm stands for decibel measured against 1 milliwatt (mW). Instead of comparing a signal to another signal. dBm is an expression for the amount of relative power transmitted per milliwatt.

It is important to know that dBm does not scale in linear like what we expect in Watt. But instead it is being logarithmic (with base 10).

Ref: https://en.wikipedia.org/wiki/Decibel

Rule of 10s and 3s
The rule below does not give the exact values from logarithmic formula calculation. But it did highlight the logarithmic nature of dBm which is good for reference when considering the RF gain and attenuation.

3 dB of loss = -3 dB = halves the absolute power
e.g. (100mW - 3dB ≈ 20mW)

3 dB of gain = +3 dB = doubles the absolute power
e.g. (100mW + 3dB ≈ 200mW)

10 dB of loss = -10 dB = decreases the absolute power to one tenth
e.g. (100mW - 10dB ≈ 10mW)

10 dB of gain = +10 dB = increase the absolute power by ten-fold
e.g. (100mW + 10dB ≈ 1000mW)

dBm and mW Conversions Table

Received Signal Strength Indicator (RSSI)
dBm and RSSI both represent the signal strength. However, they are different because RSSI is not an absolute number. RSSI is a measure of the RF energy received. It is a metric to be used by the WLAN equipment manufacturer as a relative measurement of quality of a RF received signal to a client device. Different Wi-Fi chipset manufacturer might have RSSI varies.

Noise Floor
The noise floor indicates the amount of radio energy of background noise in the environment on a specific channel. If the noise level is too high, it can result in degraded strength and performance for the wireless signal strength.

Signal-to-Noise Ratio (SNR)
The SNR is the difference between the received wireless signal and the noise floor.

SNR = Signal Strength – Noise Floor

A higher SNR value means that the signal strength is stronger in relation to the noise levels, which allows higher data rates and fewer re-transmissions.

For below example, if the received signal for a client device is -70 dBm. And then the noise floor is measured at -95 dBm. The difference between the received signal and the noise floor is 25 dB. Thus the SNR is 25 dB.