4. Security Framework for Robust Security Networks
4.3 Overview of RSN Data Confidentiality and Integrity Protocols
4.3.2.2 CCMP Decapsulation and Processing
CCMP decapsulation is used to recover and decrypt a transmitted frame. The key steps of CCMP decapsulation are depicted in Figure 4-8 and summarized briefly as follows:
1. The encrypted frame is parsed to re-construct the AAD and the nonce. The AAD is formed from the frame header.
2. The nonce is formed from the PN plus the A2 (transmit address) and Priority fields.
3. CCM uses the Temporal key, AAD, nonce, MIC, and encrypted payload to recover the plaintext data and to verify the MIC. If the MIC integrity check fails, CCM will not return the plaintext.
4. The received frame header and the plaintext data are concatenated to form the plaintext frame.
5. The PN in the frame is validated against the PN maintained for the session. If the PN received is not greater than the session PN, the frame is simply discarded; this check prevents replay attacks.
[Block diagram. Input: Ciphertext MPDU (MAC Header, CCM Header, Encrypted Data, MIC). Blocks: Construct AAD; Construct Nonce (PN, A2, Priority); CCM Decryption (AAD, Nonce, Data, TK); PN check (PN, 48-bit). Other labels: AES, 128-bit, K=16, M=8, L=2. Outputs: plaintext MPDU (MAC Header, Data); MPDU Okay; Out-of-sequence packet.]
Figure 4-8. CCMP Decapsulation Block Diagram
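The five decapsulation steps above, as an added example that is not part of the original publication. It is written for Node.js because the standard crypto module provides AES-CCM. Assumptions: a 3-address, non-QoS data frame with a 24-octet MAC header and Priority 0, AAD field masking as defined in IEEE 802.11, and hypothetical names throughout (decapsulate, encapsulate, SAMPLE_TK, SAMPLE_HDR); the sender side and sample values are constructed only to produce test input.

```javascript
const { createCipheriv, createDecipheriv } = require('node:crypto');
const HDR = 24, CCMP = 8, MIC = 8;      // assumed 3-address non-QoS header; M=8
// AAD: MAC header without Duration, mutable bits masked per IEEE 802.11.
function buildAad(hdr) {
  const aad = Buffer.concat([hdr.subarray(0, 2), hdr.subarray(4, HDR)]);
  aad[0] &= 0x8f;                        // data frame: subtype bits 4-6 cleared
  aad[1] = (aad[1] & 0xc7) | 0x40;       // Retry/PwrMgt/MoreData cleared, Protected set
  aad[20] &= 0x0f;                       // Sequence Control: keep fragment number,
  aad[21] = 0;                           // sequence number masked to zero
  return aad;
}
// Nonce (13 octets = 15 - L, L=2): Priority || A2 || PN, most significant PN octet first.
function buildNonce(hdr, pn, priority = 0) {
  const n = Buffer.concat([Buffer.from([priority & 0x0f]), hdr.subarray(10, 16), Buffer.alloc(6)]);
  n.writeUIntBE(pn, 7, 6);
  return n;
}
// Steps 1-5. session = { tk: 16-octet temporal key, pn: last accepted PN }.
function decapsulate(session, mpdu) {
  if (mpdu.length < HDR + CCMP + MIC) return { ok: false, reason: 'too short' };
  const hdr = mpdu.subarray(0, HDR), ccmp = mpdu.subarray(HDR, HDR + CCMP);
  const ct = mpdu.subarray(HDR + CCMP, -MIC), mic = mpdu.subarray(-MIC);
  // CCMP header octets: PN0 PN1 Rsvd KeyID PN2 PN3 PN4 PN5
  const pn = ccmp.readUInt16LE(0) + ccmp.readUInt32LE(4) * 0x10000;
  const d = createDecipheriv('aes-128-ccm', session.tk, buildNonce(hdr, pn), { authTagLength: MIC });
  let data;
  try {
    d.setAuthTag(mic);
    d.setAAD(buildAad(hdr), { plaintextLength: ct.length });
    data = d.update(ct);
    d.final();                           // throws when the MIC does not verify
  } catch { return { ok: false, reason: 'MIC failure' }; }
  if (pn <= session.pn) return { ok: false, reason: 'replay' };
  session.pn = pn;                       // advance only after the MIC verified
  return { ok: true, frame: Buffer.concat([hdr, data]) };
}

// Constructed sender side and sample values, only to produce input for decapsulate().
function encapsulate(tk, hdr, pn, data) {
  const ccmp = Buffer.alloc(CCMP);
  ccmp.writeUInt16LE(pn % 0x10000, 0);
  ccmp[3] = 0x20;                        // ExtIV set, KeyID 0
  ccmp.writeUInt32LE(Math.floor(pn / 0x10000), 4);
  const c = createCipheriv('aes-128-ccm', tk, buildNonce(hdr, pn), { authTagLength: MIC });
  c.setAAD(buildAad(hdr), { plaintextLength: data.length });
  const ct = Buffer.concat([c.update(data), c.final()]);
  return Buffer.concat([hdr, ccmp, ct, c.getAuthTag()]);
}
const SAMPLE_TK = Buffer.alloc(16, 0x11);
const SAMPLE_HDR = Buffer.from('08410000' + '020000000001' + '020000000002' + '020000000003' + '1000', 'hex');
```

Because the session PN advances only after the MIC verifies, a forged frame carrying a large PN cannot push the replay counter forward and block later legitimate frames.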
4.4 Summary
An RSN is a wireless network that only allows the creation of RSNAs. An RSNA is a security relationship based on the IEEE 802.11i 4-Way Handshake that allows for the protection of data frames and provides enhanced security over the now-antiquated WEP. RSNAs enable the following security features for IEEE 802.11 WLANs:
+ Enhanced user authentication mechanisms
+ Cryptographic key management
+ Data confidentiality
+ Data origin authentication and integrity
+ Replay protection.
RSNAs use several cryptographic keys to support key derivation, encryption, authentication, and integrity functions. The IEEE 802.11i specification defines two key hierarchies for RSNAs: the Pairwise Key Hierarchy, which is designed for unicast traffic protection, and the Group Key Hierarchy, which is intended for multicast/broadcast traffic protection. In the Pairwise Key Hierarchy, there are two ways in which keys may be installed in RSNA devices, as follows:
+ Pre-Shared Key (PSK), which is a static key delivered to the AS and the STA through an out-of-band mechanism. The IEEE 802.11 standard does not specify how PSKs are to be generated or distributed, so these decisions are left to implementers. As a result, organizations should review any PSK approach carefully for possible vulnerabilities and evaluate its performance implications. Distributing PSKs in a large network might be infeasible.
+ Authentication, Authorization, and Accounting (AAA) Key (AAAK), also known as the Master Session Key (MSK), which is delivered to the AP through the Extensible Authentication Protocol (EAP) during the process of establishing an RSNA. Each time a user authenticates to the WLAN, the AAA key changes; the new key is then used for the duration of the user’s session. Decisions on the appropriate EAP authentication methods are left to the implementers of STAs or the AS. As a result, organizations should carefully review any EAP authentication methods and AAA key generation approaches for possible vulnerabilities.
The IEEE 802.11i amendment defines the following two data confidentiality and integrity protocols for providing confidentiality and integrity for RSNAs:
+ Temporal Key Integrity Protocol (TKIP). TKIP is intended as an interim solution for IEEE 802.11 WLANs to address the numerous inadequacies of WEP expeditiously. TKIP may be implemented through software updates; it does not require hardware replacement of APs and STAs.
+ Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP is considered the long-term solution for IEEE 802.11 WLANs. CCMP requires hardware updates and will require that organizations replace their pre-RSN IEEE 802.11 equipment.
Table 4-2 compares the security features of WEP, TKIP, and CCMP. Support for CCMP is mandatory for any device claiming RSNA compliance. As indicated in the table, only CCMP uses a core cryptographic algorithm that is FIPS-compliant. For other security features, CCMP offers the same or stronger implementations than WEP and TKIP. Accordingly, NIST requires the use of CCMP for Federal agencies. For legacy IEEE 802.11 equipment that does not provide CCMP, auxiliary security protection is required; one possibility is the use of an IPsec VPN, using FIPS-approved cryptographic algorithms. NIST SP 800-48 contains specific recommendations for securing legacy IEEE 802.11 implementations.
Table 4-2. Summary of Data Confidentiality and Integrity Protocols
| Security Feature | WEP (pre-RSN) | TKIP (RSN) | CCMP (RSN) |
|---|---|---|---|
| Core cryptographic algorithm | RC4 | RC4 | AES |
| Key sizes | 40-bit or 104-bit (encryption) | 128-bit (encryption), 64-bit (integrity protection) | 128-bit (encryption and integrity protection) |
| Per-packet key | Created through concatenation of WEP key and the 24-bit IV | Created through TKIP mixing function | Not needed; temporal key is sufficiently secure |
| Integrity mechanism | Enciphered CRC-32 | Michael MIC with countermeasures | CCM |
| Header protection | None | Source and destination addresses protected by Michael MIC | Source and destination addresses protected by CCM |
| Replay detection | None | Enforce IV sequencing | Enforce IV sequencing |
| Authentication | Open system or shared key | EAP method with IEEE 802.1X or PSK | EAP method with IEEE 802.1X or PSK |
| Key distribution | Manual | IEEE 802.1X or manual | IEEE 802.1X or manual |