  • Ad-Hoc Network
  • Association , Re-association , Disassociation.
  • Explain nodes sensing medium using common antenna
  • If A sends to B and C initially senses data but later gets blocked by a wall or something, he may feel that the medium is free and transmit, leading to a collision ... Denial of Service attack
  • 80211

    1. 1. 802.11 Wireless LANs Abhishek Karnik, Dr. Ratan Guha University Of Central Florida
    2. 2. OVERVIEW
        • Introduction
        • 802.11 Basics
        • 802.11e for QoS
        • WEP
    3. 3. INTRODUCTION
        • In 1997 the IEEE adopted IEEE Std. 802.11-1997
        • Defines MAC and PHY layers for LAN and wireless connectivity.
        • Facilitates ubiquitous communication and location-independent computing
        • 802.11b operates at 11 Mbps in the 2.4 GHz ISM Band ('99)
        • 802.11a operates at 54 Mbps in the 5 GHz Band ('99)
        • 802.11g operates at 54 Mbps in the 2.4 GHz Band ('02)
        • Increased deployment and popularity led to the introduction of QoS
        • 802.11e for QoS – Draft Supplement – Nov 2002
    4. 4. 802.11 BASICS
        • Wireless LAN Station: The station (STA) is any device that contains the functionality of the 802.11 protocol, that being MAC, PHY, and a connection to the wireless media. Typically the 802.11 functions are implemented in the hardware and software of a network interface card (NIC). Ex: PC, Handheld, AP (Access Point)
        • Basic Service Set (BSS): 802.11 defines the Basic Service Set (BSS) as the basic building block of an 802.11 wireless LAN. The BSS consists of a group of any number of stations.
    5. 5. IBSS (Independent Basic Service Set – Ad-hoc Mode) STA STA peer-peer connections STA STA
    6. 6. Infrastructure Basic Service Set Wired Backbone AP
    7. 7. ESS (Extended Service Set) Wired Backbone AP AP BSS1 BSS2
    8. 8. Beacon TBTT PCF DCF Super Frame DCF - Distributed Coordinated Function (Contention Period - Ad-hoc Mode) PCF - Point Coordinated Function (Contention Free Period – Infrastructure BSS) Beacon - Management Frame Synchronization of Local timers Delivers protocol related parameters TBTT - Target Beacon Transition Time
    9. 9. Distributed Coordinated Function (DCF)
        • Also known as the Contention Period
        • STAs form peer-peer connections. No central authority
        • First listen and then speak
        • Uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance)
        • ACK indicates successful delivery
        • Each node has one output buffer
    10. 10. Inter-Frame Spacing:
        DIFS - 34 µsec
        PIFS - 25 µsec (used in PCF)
        SIFS - 16 µsec
        Slot Time - 9 µsec
        DIFS = SIFS + (2 * Slot Time)
        SIFS is required for turnaround from Tx to Rx and vice versa
    11. 11. Data Transmission from Node A to B
        [Timing diagram labels: CW (A), DIFS, ACK, DATA (A), ACK (B), DIFS, SIFS]
        • CW – Contention Window. Starts only after DIFS.
        • Random number 'r' picked from range (0-CW)
        • CWmin: minimum value of CW
        • CWmax: maximum value the CW can grow to after collisions
        • 'r' can be decremented only in CW
        • CW doubles after every collision
    12. 12. [Timing diagram labels: CW (A), DIFS, ACK, DATA (A), ACK (B), DIFS, SIFS]
        • What if some node C wanted to send data while A was transmitting data to B?
        • What about during SIFS?
        • What if after ACK, more than one node, say B, C, D, E, is waiting to transmit data?
    13. 13. Example: rA = 4 and rC = 6
        [Timing diagram labels: DIFS, ACK, DATA (A), ACK (B), DATA (C), DIFS, SIFS]
        • What if rA and rC had both been picked as 4?
        • What if rA and rC had collided and DATA (A) length was 10 while DATA (C) length was 15?
    14. 14. A Collision between nodes A and C
        [Timing diagram labels: DATA (C), ACK, DATA (A), DIFS, SIFS, DIFS]
        • Length (DATA A) = 10 slot times
        • Length (DATA C) = 15 slot times
        • CW after Collision 1 → 0 – 7
        • CW after Collision 2 → 0 – 15
        • CW after Collision 3 → 0 – 31
        • CW after Collision 4 → 0 – 63
    15. 15. NAV – Network Allocation Vector
        [Timing diagram: rows STA A, STA B, STA C; labels DATA, ACK, DIFS, SIFS, NAV (B and C)]
    16. 16. Hidden Node Problem and Exposed Node Problem STAC STAB STAA
    17. 17. RTS/CTS:
        • RTS (Request To Send) - (approx. 20 bytes)
        • CTS (Clear To Send) - (approx. 16 bytes)
        • Use of RTS/CTS is optional
        • Solves two problems:
            1. Hidden Node Problem
            2. Wastage of time due to collisions
        • Maximum MSDU is 2304 bytes
    18. 18. Preventing a collision at STAB RTS CTS B C A CTS CTS D
    19. 19. [Timing diagram: rows STA A, STA B, STA C, STA D, New Node; labels DIFS, CW, SIFS, RTS, CTS, DATA, ACK, NAV]
    20. 20. Point Coordinated Function (PCF)
        • Also known as the CFP (Contention Free Period)
        • Operation in an Infrastructure BSS
        • STAs communicate using a central authority known as PC (Point Coordinator) or AP (Access Point)
        • No collisions take place
        • AP takes over the medium after waiting a period of PIFS
        • Starts with issue of a Beacon
    21. 21. Beacon
        • Management Frame
        • Synchronization of local timers
        • Delivers protocol related parameters
        • TBTT - Target Beacon Transition Time
        [Diagram labels: Beacon, TBTT, PCF, DCF, Super Frame]
    22. 22. AP taking over the Wireless medium using PIFS
        [Timing diagram labels: PIFS, DATA, A, B, DIFS, SIFS, DIFS]
        DIFS - 34 µsec
        PIFS - 25 µsec
        SIFS - 16 µsec
        Slot Time - 9 µsec
        B - Beacon
    23. 23. Operation in CFP
        [Timing diagram labels: CFP, CP, B, D1 + Poll, D2 + ACK + Poll, CF_End, U1 + ACK, U1 + ACK, SIFS]
    24. 24.
        • Admission Control
        • Purpose of having separate DCF and PCF
        • Different 802.11 Working groups
            • 802.11a (54 Mbps in 5 GHz Band)
            • 802.11b (11 Mbps in 2.4 GHz Band)
            • 802.11c Wireless AP Bridge Operations
            • 802.11d Internationalization
            • 802.11e (QoS)
            • 802.11f Inter-vendor AP hand-offs
            • 802.11h Power control for 5 GHz region
            • 802.11g (54 Mbps in 2.4 GHz Band)
            • 802.11i (Security)
    25. 25. 802.11e for QoS
        • QoS (Quality of Service)
        • 802.11e for QoS – Draft Supplement – Nov 2002
        • Introduction of new QoS mechanism for WLANs
    26. 26. [Diagram labels: HC; PC; (Enhanced Station); BSS (Basic Service Set); QBSS (Basic Service Set for QoS); PCF; DCF; HCCA; EDCA]
    27. 27. QoS Support Mechanisms of 802.11e:
        EDCA:
        • Introduction of 4 Access Categories (AC) with 8 Traffic Classes (TC)
        • MSDUs are delivered through multiple back-offs within one station using AC-specific parameters.
        • Each AC independently starts a back-off after detecting the channel being idle for AIFS
        • After waiting AIFS, each back-off sets a counter from a number drawn from the interval [1, CW+1]
        • newCW[AC] >= ((oldCW[TC] + 1) * PF) - 1
    28. 28.
                 AC_VO [0]   AC_VI [1]   AC_BE [2]   AC_BK [3]
        AIFSN    2           2           3           7
        CWmin    3           7           15          15
        CWmax    7           15          1023        1023
        Prioritized Channel Access is realized with the QoS parameters per TC, which include:
        • AIFS[AC]
        • CWmin[AC]
        • PF[AC]
    29. 29. EDCA
        [Diagram labels: TC; AC1, AC2, AC3, AC4; Virtual Collision]
    30. 30. Access Category based Back-offs
        [Timing diagram labels: AIFS[AC3], AIFS[AC2], AIFS[AC1], AIFS[AC0]; BackOff[AC3] + Frame, BackOff[AC2] + Frame, BackOff[AC1] + Frame, BackOff[AC0] + Frame; ACK]
    31. 31. QoS Parameter Set Element Format
        Element ID
        CWmin[AC]: CWmin[0]….CWmin[3]
        CWmax[AC]: CWmax[0]….CWmax[3]
        AIFSN[AC]: AIFSN[0]….AIFSN[3]
        TxOPLimit[AC]: TxOP[0]….TxOP[3]
        AIFS[AC] = AIFSN[AC] * aSlotTime + SIFS
    32. 32. HCCA (Hybrid Coordination Function Controlled Channel Access)
        Extends the EDCA access rules.
        CP: TxOP
        • After AIFS + back-off
        • QoS Poll; after PIFS
        CFP: TxOP
        • Starting and duration specified by HC using QoS Poll.
    33. 33. Hybrid Coordinator
        [Timing diagram labels: HC, PIFS, HCCA, EDCA, PIFS, DATA, A, DATA, AIFS, SIFS, AIFS]
    34. 34. 802.11e Operation in the CFP
        • Guaranteed channel access on successful registration
        • Each node will receive a TxOP by means of polls granted to them by the HC
        • TxOP based on negotiated Traffic Specification (TSPEC) and observed node activity
        • TxOP is at least the size of one maximum-sized MSDU at the PHY rate.
        • Access Point advertises polling list
    35. 35. Traffic Specification (TSPEC) MaximumElement ID Length TS info Nominal size MSDU size (1) (1) (2) MSDU (2) (2)Minimum Maximum Inactivity Minimum Mean Data Service Service Interval Data Rate (4) Rate (4)Interval (4) Interval (4) (4)Maximum Minimum Surplus Peak Data Delay BoundBurst Size PHY Rate Bandwidth Rate (2) (2) (4) (4) Allowed (2)
    36. 36. Example:
                 AC[0]   AC[1]   AC[2]
        AIFSN    2       4       7
        CWmin    7       10      15
        CWmax    7       31      255
        PF       1       2       2
    37. 37. AIFS[AC] = AIFSN[AC] * aSlotTime + SIFS
        PIFS - 25 µsec (used in HCCA)
        SIFS - 16 µsec
        Slot Time - 9 µsec
        AIFS[0] = (2 * 9) + 16 = 34 µsec = DIFS
        AIFS[1] = (4 * 9) + 16 = 52 µsec → (52 – 34) / 9 = 18/9 = 2 slots
        AIFS[2] = (7 * 9) + 16 = 79 µsec → (79 – 34) / 9 = 45/9 = 5 slots
    38. 38. Back-off Algorithm:
        802.11:  CW range = [0, 2^(2+i) – 1]
        802.11e: newCW[AC] = [(oldCW[AC] + 1) * PF] - 1

                Collision 1                   Collision 2                   Collision 3
        AC[0]   [(7+1)*1]-1 = 7    (0–7)      (0–7)                         (0–7)
        AC[1]   [(10+1)*2]-1 = 21  (0–21)     [(21+1)*2]-1 = 43  (0–31)     (0–31)
        AC[2]   [(15+1)*2]-1 = 31  (0–31)     [(31+1)*2]-1 = 63  (0–63)     [(63+1)*2]-1 = 127  (0–127)
    39. 39. WEP (Wired Equivalent Privacy)
        • Optional in WLANs
        • Uses the RC4 (Rivest Cipher 4) stream cipher generated with a 64-bit/128-bit key
        • Key composed of 24-bit IV (Initialization Vector)
        • Key = (24-bit IV, 40-bit WEP key) = 64 bits
        • Key = (24-bit IV, 104-bit WEP key) = 128 bits
        • Goal to provide authentication, confidentiality and data integrity
        • Secret key is shared between communicators
        • The encrypted packet is generated with a bitwise exclusive OR (XOR) of the original packet and the RC4 stream.
        • A 4-byte Integrity Check Value (ICV) is computed on the original packet and appended to the end; it is also encrypted with the RC4 cipher stream.
        • Encryption is done only between 802.11 stations.
    40. 40. Encrypted WEP Frame
        http://www-106.ibm.com/developerworks/security/library/s-wep/
    41. 41. Encryption / Decryption:
        • M – original data frame
        • CRC-32 (c) applied to M to obtain c(M)
        • c(M) and M are concatenated to get the plaintext P = (M, c(M))
        • WEP produces a key stream as a function of the 24-bit IV and 40-bit WEP key using RC4; its length is equal to the length of P.
        • Key stream and plaintext are XORed to produce the ciphertext
        • The IV is transmitted in the clear (unencrypted)
        • The receiver uses the IV and the shared key to decrypt the message
    42. 42. Drawbacks of WEP:
        • A number of attacks can be used against WEP
            • Passive attacks based on statistical analysis
            • Active attacks based on known plaintext
        • WEP relies on a shared key to ensure that packets are not modified in transit.
        • There is no discussion on how these keys are distributed, and hence usually a single key is used which is shared amongst all STAs and the AP
    43. 43. All in a day's work:
        • Shared key is long lived – may last a week, month, even a year or more
        • Consider a busy AP which constantly sends packets of length 1500 bytes at 11 Mbps
        • Since the IV is only 24 bits in length and the shared key is unchanged, the IV space gets exhausted after 2^24 * (1500 * 8) / (11 * 10^6) = 18000 secs = 5 hours
        • Lucent wireless cards
    44. 44. PT ⊕ Key → CT        CT ⊕ Key → PT
        XOR:
        0 0 → 0
        0 1 → 1
        1 0 → 1
        1 1 → 0
        • XORing a bit with itself gives 0
    45. 45. PASSIVE ATTACK
        Sender             Receiver
        PT  K    CT        CT  K    PT
        0   0  → 0         0   0  → 0
        0   1  → 1         1   1  → 0
        1   0  → 1         1   0  → 1
        1   1  → 0         0   1  → 1
    46. 46.
        • IV repeats, generating the same key stream K
        • Identical K used to encrypt MSG1 and MSG2
            MSG1 ⊕ K → C(MSG1)
            MSG2 ⊕ K → C(MSG2)
        • Obtain C(MSG1) and C(MSG2) and XOR them
        • XORing causes the key stream to cancel, which yields the XOR of MSG1 and MSG2, i.e. the XOR of the plaintext packets
        • This XOR can now be used to apply statistical analysis
    47. 47. Example:
        MSG1 → 0 0 1 1
        MSG2 → 1 0 1 1
        MSG1               MSG2
        PT1 K    CT1       PT2 K    CT2
        0   0  → 0         1   0  → 1
        0   1  → 1         0   1  → 1
        1   0  → 1         1   0  → 1
        1   1  → 0         1   1  → 0
    48. 48.
        CT1 XOR CT2        MSG1 XOR MSG2
        CT1 CT2            MSG1 MSG2
        0   1  → 1         0    1  → 1
        1   1  → 0         0    0  → 0
        1   1  → 0         1    1  → 0
        0   0  → 0         1    1  → 0
        Apply statistical analysis on the last three bits and an educated guess on the rest
    49. 49. AP Wired Networkxx Hi Attacker
    50. 50. Active Attack:
        • Attacker knows the exact plaintext for one encrypted packet
        • Use this knowledge to construct a correct encrypted packet
        • Construct a new message, calculate CRC-32 and perform bit flips on the original encrypted packet to change the plaintext to the new message.
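
The WEP encapsulation from the Encryption / Decryption slide, with the two weaknesses from the passive and active attack slides worked through on in-memory frames. This is an added Python example, not code from the original slides: it shows that a repeated IV makes the key stream cancel, and that a CRC-32 ICV still validates after a modification. The key, IV, messages and all function names are constructed for illustration.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of the RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(m: bytes) -> bytes:
    """c(M): CRC-32 of M as 4 little-endian bytes."""
    return zlib.crc32(m).to_bytes(4, "little")

def wep_encrypt(iv: bytes, key: bytes, m: bytes) -> bytes:
    p = m + icv(m)                             # P = (M, c(M))
    return iv + xor(p, rc4(iv + key, len(p)))  # IV travels in the clear

def wep_decrypt(key: bytes, frame: bytes):
    iv, body = frame[:3], frame[3:]
    p = xor(body, rc4(iv + key, len(body)))
    return p[:-4], p[-4:] == icv(p[:-4])       # (M, did the ICV check pass?)

def keystream_cancels(f1: bytes, f2: bytes, m1: bytes, m2: bytes) -> bool:
    """Same IV and key: C1 XOR C2 equals M1 XOR M2, no key involved."""
    return f1[:3] == f2[:3] and xor(f1[3:], f2[3:])[:len(m1)] == xor(m1, m2)

def rewrite(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Bit-flip a frame whose plaintext `old` is known so it carries `new`."""
    d = xor(old, new)
    # CRC-32 is affine over XOR: c(M ^ d) = c(M) ^ c(d) ^ c(00..0)
    mask = d + xor(icv(d), icv(bytes(len(d))))
    return frame[:3] + xor(frame[3:], mask)

# Constructed sample values, not taken from the slides.
KEY = bytes.fromhex("0102030405")              # 40-bit WEP key
IV = bytes.fromhex("0000a1")                   # 24-bit IV, used twice
MSG1, MSG2 = b"status=ok; seq=1", b"hello from sta-b"
NEW = b"status=no; seq=1"
F1, F2 = wep_encrypt(IV, KEY, MSG1), wep_encrypt(IV, KEY, MSG2)

if __name__ == "__main__":
    print("decrypts:", wep_decrypt(KEY, F1))
    print("keystream cancels:", keystream_cancels(F1, F2, MSG1, MSG2))
    print("modified frame:", wep_decrypt(KEY, rewrite(F1, MSG1, NEW)))
```

The modified frame passes the receiver's ICV check because the checksum is unkeyed and linear, which is why an integrity check for this purpose needs a keyed MAC rather than a CRC.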
