Thursday 6 January 2022

Wi-Fi Security Standards and Certifications

When I learn something new, the most difficult and important point for me is to understand the whole picture and create a short description or a pivot table for the topic. While preparing for the CWSP exam I took a lot of notes, and now is a good time for the final part.
As a basis I took Table 1.2, Security Standards and Certifications, on page 20 of the book CWSP Certified Wireless Security Professional Study Guide: Exam CWSP-205, 2nd Edition (ISBN-10: 1119211085).
The main reason why I decided to create a new table is that I didn't find a similar table on the Internet that includes information about WPA3. It is as simple as that.

Security Standards

The history of Wi-Fi security standards can be divided into two parts: pre-RSNA (before 802.11i was established) and RSNA (IEEE 802.11i).
The RSNA stands for Robust Security Network Association. Don’t confuse the 802.11 Association and the RSN Association. The 802.11 Association is the compatibility check between two STAs. The 802.11 Association is like the green LED of the switch port for a wired network. The successful 802.11 Association means that the transport protocols are up and working and both STAs can transmit data frames to each other.
The RSN Association is an extension of the legacy 802.11 security. The RSNA provides data encryption with the secure integrity protocols TKIP, CCMP and GCMP, secure STA authentication and association, and the creation and management of dynamic encryption keys. Once the RSNA is established, both STAs have been authenticated and can securely transmit data to each other.
Key points of the RSNA are:
  • Key hierarchy: the MSK (Master Session Key); the master keys derived for unicast (PMK) and multicast (GMK); and the encryption keys for unicast (PTK) and multicast (GTK)
  • The 4-way handshake and the group key handshake to establish the PTK and GTK
  • Dynamic keys

Wi-Fi Security Certification

Whereas IEEE standards describe technologies, Wi-Fi Protected Access (WPA) certifications specify mandatory and optional requirements to be met by any certified device.
So far the Wi-Fi Alliance has developed three generations of certification programs: WPA, WPA2, and WPA3. Each program consists of at least one Personal and at least one Enterprise certification.

  • WPA is based on the draft of IEEE 802.11i. It was a temporary solution to cover the security risks of WEP. The reason for designing a temporary solution was that in most cases it could be implemented through a firmware update. WPA implements the Temporal Key Integrity Protocol (TKIP).
  • WPA2 is an implementation of the full version of IEEE 802.11i. WPA2 includes mandatory support for CCMP, an AES-based encryption mode.
  • WPA3 replaces direct key derivation from the PSK with SAE key generation and provides the more secure encryption protocol GCMP and cipher modes for Enterprise deployments. WPA3-Enterprise 192 uses the Cipher Suite B (AES-256 in GCM mode with SHA-384 as HMAC). Also, all WPA3-certified devices have to support the Protected Management Frames (PMF) standard, which was described in IEEE 802.11w.

802.11 authentication

As you know, there are two mandatory steps when a client wants to join a wireless network: the 802.11 authentication and the 802.11 association.
The 802.11 authentication is like physically plugging into a switch port on a wired network. There are four types of 802.11 authentication:
  • Open System – means a NULL authentication. There are three use cases for this type of authentication:
    • You have an open network and use neither identity verification nor wireless traffic encryption, or you authenticate users over a web portal only.
    • You have an upper layer security, for example VPN.
    • You have a Robust Security Network (RSN) for identity verification, data privacy and key management.
  • Shared WEP key authentication (SK) – four-way 802.11 authentication frame exchange. Because WEP authentication sends the challenge text both in the clear and in hashed form within the handshake, the passphrase can be easily cracked.
  • Fast BSS Transition authentication. It is used for fast roaming. Since it is not used for initial authentication, it is not listed in the table.
  • The Simultaneous Authentication of Equals (SAE) Authentication. SAE was originally designed for use between peers (for instance in mesh networks) and was later adopted for the WPA3-Personal security standard. The biggest advantage of SAE is that the password isn’t used as a credential in the authentication. As a result, SAE has high protection against dictionary and/or brute‐force attacks. Unlike WPA/WPA2, the PMK is secretly calculated by both parties without sharing key data used in the process.

RSN Authentication

The Robust Security Network supports three authentication methods:
  • Pre-shared key (PSK) authentication. Do not confuse the WPA2-PSK authentication with the SK authentication for WEP. In both cases the authentication is used to check that both the client and the access point possess the correct pre-shared password. Both authentications use a 4-frame exchange. But:
    • WPA-PSK uses open 802.11 Authentication and the 4-Way Handshake for authentication and key generation.
    • WPA-PSK generates unique dynamic encryption keys for the session between WLAN devices, while WEP uses static keys.
    • The encryption keys of WPA-PSK are secretly calculated by both parties without sharing key data, unlike in WEP.
    • The WPA-PSK passkey is not used to encrypt the frame, unlike in WEP.
  • Extensible Authentication Protocol (EAP), described in the IEEE 802.1X standard. EAP authentication requires a RADIUS server to check the client identity.
  • Simultaneous Authentication of Equals (SAE) was first described in the IEEE 802.11s standard and then became part of the WPA3-Personal certification.

Encryption Protocols and Cipher Suite

I have tried to put all information I have about this topic into one table.
The WEP and TKIP should not be used in wireless RSN design.


CCMP and GCMP are secure protocols used to provide authentication and data confidentiality. You will find more information about these protocols in my blog post: CCMP vs GCMP