The Cable Guy - August 2005

Wi-Fi Protected Access 2 Data Encryption and Integrity

TechNet's The Cable Guy

By The Cable Guy

Wi-Fi Protected Access 2 (WPA2), as described in "Wi-Fi Protected Access 2 (WPA2) Overview," the May 2005 The Cable Guy article, is a product certification available through the Wi-Fi Alliance that certifies wireless equipment as being compatible with the IEEE 802.11i standard.

The IEEE 802.11i standard formally replaces Wired Equivalent Privacy (WEP) in the original IEEE 802.11 standard with a specific mode of the Advanced Encryption Standard (AES) known as the Counter Mode Cipher Block Chaining-Message Authentication Code (CBC-MAC) protocol (CCMP). CCMP provides both data confidentiality (encryption) and data integrity. This article describes the details of the WPA2 implementation of AES CCMP for encryption, decryption, and data integrity validation of 802.11 wireless frames.

Cryptographic Features of WPA2

As described in "Wi-Fi Protected Access Data Encryption and Integrity," the November 2004 The Cable Guy article, WEP in the original IEEE 802.11 standard had cryptographic weaknesses. The following table shows how WPA2 addresses these weaknesses.

| WEP weakness | How weakness is addressed by WPA2 |
| --- | --- |
| Initialization vector (IV) is too short | In AES CCMP, the IV has been replaced with a Packet Number field and has doubled in size to 48 bits. |
| Weak data integrity | The WEP-encrypted checksum calculation has been replaced with the AES CBC-MAC algorithm, which is designed to provide strong data integrity. The CBC-MAC algorithm calculates a 128-bit value, and WPA2 uses the high-order 64 bits as a message integrity code (MIC). WPA2 encrypts the MIC with AES counter mode encryption. |
| Uses the master key rather than a derived key | Like WPA and the Temporal Key Integrity Protocol (TKIP), AES CCMP uses a set of temporal keys that are derived from a master key and other values. The master key is derived from the Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) or Protected EAP (PEAP) 802.1X authentication process. |
| No rekeying | AES CCMP rekeys automatically to derive new sets of temporal keys. |
| No replay protection | AES CCMP uses a Packet Number field as a counter to provide replay protection. |

WPA2 Temporal Keys

Unlike WEP, which uses a single key for unicast data encryption and typically a separate key for multicast and broadcast data encryption, WPA2 uses a set of four different keys for each wireless client-wireless AP pair (known as the pairwise temporal keys) and a set of two different keys for multicast and broadcast traffic.

The set of pairwise keys used for unicast data and EAP over LAN (EAPOL)-Key messages consists of the following:

  • Data encryption key: A 128-bit key used for encrypting unicast frames.

  • Data integrity key: A 128-bit key used for calculating the MIC for unicast frames.

  • EAPOL-Key encryption key: A 128-bit key used for encrypting EAPOL-Key messages.

  • EAPOL-Key integrity key: A 128-bit key used for calculating the MIC for EAPOL-Key messages.

WPA2 derives the pairwise temporal keys using a 4-way handshake process that is the same as WPA. For more information, see the "WPA Temporal Keys" section of "Wi-Fi Protected Access Data Encryption and Integrity."

WPA2 Encryption and Decryption Process

AES CCMP uses CBC-MAC to calculate the MIC and AES counter mode to encrypt the 802.11 payload and the MIC. To calculate a MIC value, AES CBC-MAC uses the following process:

  1. Encrypt a starting 128-bit block with AES and the data integrity key. This produces a 128-bit result (Result1).

  2. Perform an exclusive OR (XOR) operation between Result1 and the next 128 bits of the data over which the MIC is being calculated. This produces a 128-bit result (XResult1).

  3. Encrypt XResult1 with AES and the data integrity key. This produces Result2.

  4. Perform an XOR between Result2 and the next 128 bits of the data. This produces XResult2.

Steps 3-4 repeat for the additional 128-bit blocks in the data. The high-order 64 bits of the final result are the WPA2 MIC. The following figure shows the MIC calculation process.

Figure 1


To calculate the MIC for an IEEE 802.11 frame, WPA2 constructs the following:

Figure 2


  • The starting block is a 128-bit block that is described later in this article.

  • The MAC header is the 802.11 MAC header with the values of the fields that can change in transit set to 0.

  • The CCMP header is 8 bytes and contains the 48-bit Packet Number field and additional fields.

  • Padding bytes (set to 0) are added to ensure that the portion of the entire data block up to the plaintext data is an integral number of 128-bit blocks.

  • The data is the plaintext (unencrypted) portion of the 802.11 payload.

  • Padding bytes (set to 0) are added to ensure that the portion of the MIC data block that includes the plaintext data is an integral number of 128-bit blocks.

Unlike data integrity for both WEP and WPA, WPA2 provides data integrity for both the 802.11 header (except changeable fields) and the 802.11 payload.

The starting block for the MIC calculation consists of the following:

Figure 3


  • The Flag field (8 bits) is set to 01011001 and contains various flags, such as a flag that indicates that the MIC used in the 802.11 frame is 64 bits long.

  • The Priority field (8 bits) is reserved for future purposes and is set to 0.

  • The Source Address (48 bits) is from the 802.11 MAC header.

  • The Packet Number (48 bits) is from the CCMP header.

  • The length of the plaintext data in bytes (16 bits).

The AES counter mode encryption algorithm uses the following process:

  1. Encrypt a starting 128-bit counter with AES and the data encryption key. This produces a 128-bit result (Result1).

  2. Perform an exclusive OR (XOR) operation between Result1 and the first 128-bit block of the data that is being encrypted. This produces the first 128-bit encrypted block.

  3. Increment the counter and encrypt it with AES and the data encryption key. This produces Result2.

  4. Perform XOR between Result2 and the next 128 bits of the data. This produces the second 128-bit encrypted block.

AES counter mode repeats steps 3-4 for the additional 128-bit blocks in the data until the final block. For the final block, AES counter mode XORs the encrypted counter with the remaining bits, producing encrypted data of the same length as the last block of data. The following figure shows the AES counter mode process.

Figure 4


The starting counter value for AES counter mode consists of the following:

Figure 5


  • The Flag field (8 bits) is set to 01011001, which is the same Flag value that is used for the MIC calculation.

  • The Priority field (8 bits) is reserved for future purposes and is set to 0.

  • The Source Address (48 bits) is from the 802.11 MAC header.

  • The Packet Number (48 bits) is from the CCMP header.

  • The Counter field (16 bits) is set to 1 and is only incremented if an 802.11 payload is fragmented into smaller payloads. Note that this Counter field is not the same as the 128-bit counter value used in the AES counter mode encryption algorithm.

To encrypt a unicast data frame, WPA2 uses the following process:

  1. Input the starting block, 802.11 MAC header, CCMP header, data length, and padding fields into the CBC-MAC algorithm with the data integrity key to produce the MIC.

  2. Input the starting counter value and the combination of the data with the calculated MIC into the AES Counter mode encryption algorithm with the data encryption key to produce the encrypted data and MIC.

  3. Add the CCMP header containing the Packet Number to the encrypted portion of the 802.11 payload, and encapsulate the result with the 802.11 header and trailer.

The following figure shows the WPA2 encryption process for a unicast data frame.

Figure 6


To decrypt a unicast data frame and verify data integrity, WPA2 uses the following process:

  1. Determine the starting counter value from values in the 802.11 and CCMP headers.

  2. Input the starting counter value and the encrypted portion of the 802.11 payload into the AES counter mode decryption algorithm with the data encryption key to produce the decrypted data and MIC. For decryption, AES counter mode XORs the encrypted counter value with the encrypted data block, producing the decrypted data block.

  3. Input the starting block, 802.11 MAC header, CCMP header, data length, and padding fields into the AES CBC-MAC algorithm with the data integrity key to calculate a MIC.

  4. Compare the calculated value of the MIC to the value of the unencrypted MIC. If the MIC values do not match, WPA2 silently discards the data. If the MIC values match, WPA2 passes the data to the upper networking layers for processing.

The following figure shows the WPA2 decryption process for a unicast data frame.

Figure 7

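An added example (not code from the article or from any WPA2 implementation) that runs the encryption and decryption steps above end to end in Go: CBC-MAC over the starting block, headers and data, counter mode over the data plus MIC, then the receiver's MIC check. It follows the block layouts as this article describes them and has not been checked against 802.11i test vectors; the keys, source address, header bytes and function names are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
)

// startBlock: Flag 01011001 | Priority 0 | Source Address | Packet Number | tail (data length or Counter).
func startBlock(sa [6]byte, pn uint64, tail uint16) []byte {
	return []byte{0x59, 0, sa[0], sa[1], sa[2], sa[3], sa[4], sa[5], byte(pn >> 40), byte(pn >> 32),
		byte(pn >> 24), byte(pn >> 16), byte(pn >> 8), byte(pn), byte(tail >> 8), byte(tail)}
}

func pad16(p []byte) []byte { return append(append([]byte{}, p...), make([]byte, (16-len(p)%16)%16)...) }

// mic is CBC-MAC (CBC with a zero IV, last block kept); hdr = masked MAC header + CCMP header.
func mic(kInt [16]byte, sa [6]byte, pn uint64, hdr, data []byte) []byte {
	blk, _ := aes.NewCipher(kInt[:]) // cannot fail: the key is always 128 bits
	msg := append(append(startBlock(sa, pn, uint16(len(data))), pad16(hdr)...), pad16(data)...)
	cipher.NewCBCEncrypter(blk, make([]byte, 16)).CryptBlocks(msg, msg)
	return msg[len(msg)-16 : len(msg)-8] // high-order 64 bits of the final result
}

func ctr(kEnc [16]byte, sa [6]byte, pn uint64, buf []byte) []byte { // counter mode, in place
	blk, _ := aes.NewCipher(kEnc[:])
	cipher.NewCTR(blk, startBlock(sa, pn, 1)).XORKeyStream(buf, buf) // Counter field = 1
	return buf
}

func Seal(kEnc, kInt [16]byte, sa [6]byte, pn uint64, hdr, data []byte) []byte { // MIC, then encrypt
	return ctr(kEnc, sa, pn, append(append([]byte{}, data...), mic(kInt, sa, pn, hdr, data)...))
}

// Open decrypts, recomputes the MIC and returns ok=false when the frame must be discarded.
func Open(kEnc, kInt [16]byte, sa [6]byte, pn uint64, hdr, body []byte) ([]byte, bool) {
	p := ctr(kEnc, sa, pn, append([]byte{}, body...))
	if n := len(p) - 8; n >= 0 && subtle.ConstantTimeCompare(p[n:], mic(kInt, sa, pn, hdr, p[:n])) == 1 {
		return p[:n], true
	}
	return nil, false
}

func main() {
	kEnc, kInt, sa := [16]byte{1}, [16]byte{2}, [6]byte{2, 0, 0, 0, 0, 1} // constructed values
	body := Seal(kEnc, kInt, sa, 7, make([]byte, 32), []byte("constructed payload"))
	_, ok := Open(kEnc, kInt, sa, 7, make([]byte, 32), body)
	_, okTampered := Open(kEnc, kInt, sa, 7, append(make([]byte, 31), 1), body)
	println(ok, okTampered) // true false
}
```

The second `Open` call passes a header that differs in one byte from the one used when sealing, so the recomputed MIC no longer matches even though the encrypted payload is untouched.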

For More Information

For more information about WPA and 802.11 wireless LAN security, consult the following resources:
