CCMP Decapsulation and Processing

CCMP decapsulation is used to recover and decrypt a transmitted frame. The key steps of CCMP decapsulation are depicted in Figure 4-8 and summarized briefly as follows:

1. The encrypted frame is parsed to re-construct the AAD and the nonce. The AAD is formed from the frame header.

2. The nonce is formed from the PN plus the A2 (transmit address) and Priority fields.

3. CCM uses the Temporal key, AAD, nonce, MIC, and encrypted payload to recover the plaintext data and to verify the MIC. If the MIC integrity check fails, CCM will not return the plaintext. 4. The received frame header and the plaintext data are concatenated to form the plaintext frame. 5. The PN in the frame is validated against the PN maintained for the session. If the PN received is

not greater than the session PN, the frame is simply discarded; this check prevents replay attacks.

4-13

4.4 Summary

An RSN is a wireless network that only allows the creation of RSNAs. An RSNA is a security relationship based on the IEEE 802.11i 4-Way Handshake that allows for the protection of data frames and provides enhanced security over the now-antiquated WEP. RSNAs enable the following security features for IEEE 802.11 WLANs:

 Enhanced user authentication mechanisms  Cryptographic key management

 Data confidentiality

 Data origin authentication and integrity  Replay protection.

RSNAs use several cryptographic keys to support key derivation, encryption, authentication, and integrity functions. The IEEE 802.11i specification defines two key hierarchies for RSNAs: the Pairwise Key Hierarchy, which is designed for unicast traffic protection, and the Group Key Hierarchy, which is intended for multicast/broadcast traffic protection. In the Pairwise Key Hierarchy, there are two ways in which keys may be installed in RSNA devices, as follows:

 Pre-Shared Key (PSK), which is a static key delivered to the AS and the STA through an out-of- band mechanism. The IEEE 802.11 standard does not specify how PSKs are to be generated or distributed, so these decisions are left to implementers. The security of the WLAN is

compromised if any of the PSKs does not possess sufficient cryptographic strength. As a result, organizations should review any PSK approach carefully for possible vulnerabilities and evaluate its performance implications. Distributing PSKs in a large network might be infeasible.  Authentication, Authorization, and Accounting (AAA) Key (AAAK), also known as the

Master Session Key (MSK), which is delivered to the AP through the Extensible Authentication Protocol (EAP) during the process of establishing an RSNA. Each time a user authenticates to the WLAN, the AAA key changes; the new key is then used for the duration of the user’s session. Decisions on the appropriate EAP authentication methods are left to the implementers of STAs or the AS. As a result, organizations should carefully review any EAP authentication methods and AAA key generation approaches for possible vulnerabilities.

The IEEE 802.11i amendment defines the following two data confidentiality and integrity protocols for providing confidentiality and integrity for RSNAs:

 Temporal Key Integrity Protocol (TKIP). TKIP is intended as an interim solution for IEEE 802.11 WLANs to address the numerous inadequacies of WEP expeditiously. TKIP may be implemented through software updates; it does not require hardware replacement of APs and STAs.

 Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP is considered the long-term solution for IEEE 802.11 WLANs. CCMP requires hardware updates and will require that organizations replace their pre-RSN IEEE 802.11 equipment.

Table 4-2 compares the security features of WEP, TKIP, and CCMP. Support for CCMP is mandatory for any device claiming RSNA compliance. As indicated in the table, only CCMP uses a core cryptographic algorithm that is FIPS-compliant. For other security features, CCMP offers the same or

stronger implementations than WEP and TKIP. Accordingly, NIST requires the use of CCMP for Federal agencies. For legacy IEEE 802.11 equipment that does not provide CCMP, auxiliary security protection is required; one possibility is the use of an IPsec VPN, using FIPS-approved cryptographic algorithms. NIST SP 800-48 contains specific recommendations for securing legacy IEEE 802.11 implementations.46

Table 4-2. Summary of Data Confidentiality and Integrity Protocols

Security Feature

Manual WEP (pre- RSN)

Dynamic WEP (pre- RSN) TKIP (RSN) CCMP (RSN) Core cryptographic algorithm RC4 RC4 RC4 AES

Key sizes 40-bit or 104-bit (encryption)

40-bit or 104-bit (encryption)

128-bit (encryption), 64- bit (integrity protection)

128-bit (encryption and integrity protection) Per-packet key Created through

concatenation of WEP key and the 24-bit IV

Derived from EAP authentication

Created through TKIP mixing function Not needed; temporal key is sufficiently secure Integrity mechanism

Enciphered CRC-32 Enciphered CRC-32 Michael MIC with countermeasures

CCM Header

protection

None None Source and destination addresses protected by Michael MIC Source and destination addresses protected by CCM Replay detection

None None Enforce IV sequencing Enforce IV

sequencing Authentication Open system or

shared key

EAP method with IEEE 802.1X

EAP method with IEEE 802.1X or PSK

EAP method with IEEE 802.1X or PSK

Key distribution

Manual IEEE 802.1X IEEE 802.1X or manual IEEE 802.1X or

manual

46

NIST SP 800-48 is available at http://csrc.nist.gov/publications/nistpubs/800-48/NIST_SP_800-48.pdf.

4-15

This page has been left blank intentionally.