Basics
family of standardised technologies for wireless Local Area Networks
IEEE 802.11
replacement and/or extension of wired 802.3/Ethernet LANs
covers the Physical and Data Link Layer only
Designed to work with TCP/IP
Formation of Ad-hoc networks is possible without infrastructure
Standards
most recent version: IEEE 802.11-2020
Incorporates most important amendments
Amendments are named by adding one or more small letters to the standard name
Physical Layer
Radio Frequency (RF) transmission
Original standard also allowed Infrared (now deprecated)
several substandards exist for the Physical Layer
Demand for increasing data rate -> replacement of modulation schemes
National regulatory requirements on RF usage necessitate alternative frequency bands
Original 802.11
several possibilities for WLAN transmission
Direct Sequence Spread Spectrum (DSSS) on a single frequency
Frequency Hopping Spread Spectrum (FHSS), jumping between multiple frequencies
Infrared transmission
FHSS and Infrared are obsolete
DSSS uses 2.4 GHz
maximum data rate is 1-2Mb/s
802.11b
enhancement to support higher data rates
3 non-overlapping channels of 22MHz each, split into smaller subchannels depending on the geographic region
maximum data rate of 11Mb/s
802.11a
Frequency band is changed to 5GHz
Orthogonal Frequency Division Multiplexing (OFDM) instead of DSSS
through smartly chosen orthogonal subcarrier frequencies, channels can overlap without much interference
Maximum data rate is 54Mb/s
802.11g
Adaptation of 802.11a for the ISM 2.4GHz band
Designed to be backwards compatible to 802.11b
Enabled widespread adoption of WLAN
802.11n
significant improvement of throughput
Backwards compatible to 802.11g and 802.11a
Multiple Input Multiple Output OFDM (MIMO-OFDM): Exploits path diversity when using multiple antennas, 1 x 4 x 4 MIMO
Achieves maximum data rate of 600Mb/s
802.11ac
even more throughput
limited to 5GHz only
up to 256-QAM
MIMO-OFDM is used per default with up to 2 sets of up to 4 spatial streams 2 x 4 x 4 MIMO
data rates in excess of 1Gb/s
phased array
A phased-array antenna (phase-controlled array) is an amplitude- and phase-controlled, horizontal and/or vertical antenna array
Through the vertical and horizontal arrangement of the individual antenna elements, and the phase- and amplitude-correct driving of the individual elements (single radiators) or of single antennas combined into arrays, each of which has only a small antenna gain and a broad radiation pattern, the bundling of the radiated energy of the individual elements in the far field yields a common, desired antenna pattern in a desired direction and/or elevation angle with a higher antenna gain than the individual antenna elements used
802.11ax
Can additionally use 6GHz band
uses MU-MIMO per default
Also supports 2.4GHz for compatibility
Network Architecture
devices called Stations (STAs) with at least one Wireless Network Interface Card (WNIC)
different numbers and types of antennas, which significantly influence the throughput, range and reliability
STA is identified by its unique 48-bit MAC Address
BSS
Basic Service Set
defines a wireless network
consists of one or more STAs communicating in a specific RF channel
identified by a unique BSSID
BSS Operating Modes
Independent BSS (IBSS)
Infrastructure BSS (iBSS)
Mesh BSS (MBSS)
Independent BSS
communicating in a peer-to-peer fashion
also called an Ad-hoc network
BSSID is the MAC Address of the STA starting the IBSS
Infrastructure BSS
Access Point (AP) represents the BSS
AP relays all traffic, all other STAs communicate directly with the AP
BSSID is the MAC Address of the AP
Mesh BSS
added in 802.11s
STAs communicate in a peer-to-peer fashion and can route frames over multiple hops
allows two STAs to communicate even when not in RF range of each other, BSSID is not used
Extended Service Set
iBSS can be connected to a wired LAN
called a Distribution System (DS)
AP translates between WLAN and 802.3/Ethernet frames
Multiple iBSSs can be connected via DS to form an Extended Service Set (ESS)
roaming of mobile STAs when RF cells overlap
identified by a separate SSID
MAC Layer - Principle
responsible for providing all basic communication services of a STA
Layer performs one of the following "abstract" actions:
Generating a MAC Protocol Data Unit (MPDU) -> WLAN frame without physical layer-specific information
MPDU is referred to as a Physical Layer Service Data Unit (PSDU)
MAC Layer - Services
BSS discovery: STAs send out Beacon Frames containing information about the BSS
BSS management
Coordination of access to shared RF medium
Reliable delivery of data frames
Quality of Service (QoS)
Security
MAC Layer – Data Transmission
controls access of STAs to RF medium
several Coordination Functions (CF) for regulating access to RF medium
DCF
Distributed CF
asynchronous, best-effort traffic, used as basis for all other CFs
using random access timers
Collisions are detected by missing Acknowledgements (ACKs)
Prior to sending, a clear channel assessment is done by listening to the RF medium (carrier sensing), followed by a random backoff within the Contention Window; if the medium is sensed busy during the Contention Window, a multiple of the waiting time is applied
STA can also reserve access time: use sparingly as additional handshake decreases throughput
PCF
Point CF
Traffic requiring guaranteed minimum data rate and max. latency
HCF
Hybrid CF
BSS using QoS mechanisms
MCF
Mesh CF
in Mesh networks
MAC Layer – Frame/MPDU Types
Data Frames … for transporting payload of higher layers
Management Frames … for BSS management
Control Frames … for controlling data transfer and medium access
Types of Management Frames
Beacon Frames … periodically sent by STA to announce BSS
Probe Request/Response … for actively searching a BSS
Association Request/Response … for joining a BSS
Disassociation … for leaving a BSS
Authentication Request/Response … for authenticating to another STA
Deauthentication … for terminating authenticated relation between STAs
Action Frame … for various services (e. g. power control)
MAC Layer – MPDU Structure
Frame Control field (FC, 2 Byte)
Duration-ID (D-ID, 2 Byte) … in most frames contains the estimated time for sending frame and receiving ACK, used by STAs to optimise medium access
Address Fields 1, 2, 3 (6 Byte each) … contain MAC Addresses, interpretation depends on To-DS/From-DS bits and BSS types
Sequence Control (SC, 2 Byte) … contains sequence number for frames and fragment number for fragments
Address Field 4 (6 Byte, optional) … only used in Mesh networks
QoS Control field (QC, 2 Byte, optional) … for QoS related information in 802.11e networks, also contains the A-MSDU flag for indicating frame aggregation
HT Control Field (HTC, 4 Byte, optional) … used in 802.11n networks for optimising MIMO transfer
Frame Body (variable) … payload of higher layer protocols, max. length depends on frame type and security measures in use
Frame Check Sequence (FCS, 4 Byte) … CRC checksum over the whole MAC frame (excluding PLCP fields)
Frame Control field
Protocol Version (2 bits) … always 0
Type & Subtype (2 & 4 bits) … specify type of frame
Type = 00 (Management), 01 (Control) or 10 (Data)
To-DS & From-DS bits … specify direction of frame transfer and how addresses of frame should be interpreted
More Fragment bit … set to 1 when frame is not the last fragment
Retry bit … set to 1 when frame is a retransmission
Power Management bit … indicates whether STA is in power save mode
More Data bit … indicates when AP or Mesh peer has buffered data for STA awaking from power save mode
Protected Frame bit … set to 1 when frame is protected via cryptographic means
Order bit … used only in special circumstances, usually 0
Interpretation of Frame Addresses
To-DS/From-DS-Bits
Both 0: transfer from STA to STA in an IBSS, address 1 = destination STA, address 2 = sender STA, address 3 = BSSID of IBSS
To-DS = 1, From-DS = 0: Transfer from STA to AP of iBSS or device in DS, address 1 = AP, address 2 = sender STA, address 3 = destination STA in same iBSS or device in DS
To-DS = 0, From-DS = 1: Transfer from AP or device in DS to STA in iBSS, address 1= destination STA or multi/broadcast address, address 2 = AP, address 3 = sender STA in same iBSS or device in DS
Both 1: only used in mesh networks for frame routing, additional usage of address 4
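The header layout and address interpretation above, as an added example that is not part of the original notes: a small parser for the mandatory 24-byte MPDU header that decodes the Frame Control bits and maps Address 1-3 to their roles by the To-DS/From-DS combination. The sample frame is constructed (a data frame from a STA to its AP) and the MAC addresses in it are made up.

```python
import struct

# Frame Control "Type" values as listed in the notes (00 / 01 / 10)
FRAME_TYPES = {0: "Management", 1: "Control", 2: "Data"}

# Constructed sample: FC = 0x0801 (Data, subtype 0, To-DS=1), Duration = 44,
# Address 1 = AP, Address 2 = sending STA, Address 3 = destination, seq. no. 10
SAMPLE_MPDU = bytes.fromhex(
    "0801" "2c00" "001122334455" "66778899aabb" "ccddeeff0011" "a000")


def parse_mac_header(frame: bytes) -> dict:
    """Decode FC, Duration/ID, Address 1-3 and Sequence Control (all little-endian)."""
    if len(frame) < 24:
        raise ValueError("MPDU shorter than the 24-byte mandatory header")
    fc_lo, fc_hi, duration = struct.unpack_from("<BBH", frame, 0)
    flags = {                       # second FC byte, bit 0 .. bit 7
        "to_ds": bool(fc_hi & 0x01), "from_ds": bool(fc_hi & 0x02),
        "more_frag": bool(fc_hi & 0x04), "retry": bool(fc_hi & 0x08),
        "power_mgmt": bool(fc_hi & 0x10), "more_data": bool(fc_hi & 0x20),
        "protected": bool(fc_hi & 0x40), "order": bool(fc_hi & 0x80),
    }
    addrs = [frame[i:i + 6].hex(":") for i in (4, 10, 16)]
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    return {
        "version": fc_lo & 0x03,                           # always 0
        "type": FRAME_TYPES.get((fc_lo >> 2) & 0x03, "Reserved"),
        "subtype": (fc_lo >> 4) & 0x0F,
        "duration": duration,
        **flags,
        "addr": addrs,
        "fragment": seq_ctl & 0x0F,                        # low 4 bits
        "sequence": seq_ctl >> 4,                          # high 12 bits
    }


def address_roles(hdr: dict) -> dict:
    """Interpret Address 1-3 according to the To-DS/From-DS bits."""
    a1, a2, a3 = hdr["addr"]
    to_ds, from_ds = hdr["to_ds"], hdr["from_ds"]
    if not to_ds and not from_ds:        # STA to STA inside an IBSS
        return {"destination": a1, "sender": a2, "bssid": a3}
    if to_ds and not from_ds:            # STA to AP (or device in the DS)
        return {"ap": a1, "sender": a2, "destination": a3}
    if not to_ds and from_ds:            # AP (or device in the DS) to STA
        return {"destination": a1, "ap": a2, "sender": a3}
    return {"mesh_routing": True, "address4_present": True}   # both bits set
```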
Physical Layer Convergence
MAC layer is designed to be independent from a specific physical sublayer
Each physical sublayer defines a “convergence” procedure to convert a MPDU/PSDU into a PPDU
PPDU
formed by prepending the following fields to a MPDU/PSDU
PHY Preamble … contains “training sequences” of bits/bandpass symbols for aiding in synchronisation and carrier recovery at receiver, as well as a “Start-of-Frame Delimiter” in some cases
PHY Header … contains information necessary for demodulation of the MPDU/PSDU (e. g. data rate, modulation format) according to a physical sublayer, protected by a CRC in some cases
Legacy Security
defined in original standard
officially called “pre-RSNA”
deprecated since the 2007 revision
made obsolete in 2020
Provides Confidentiality and Authentication
Key management and replay protection are not provided
Integrity Protection nominally supported, but implemented in a flawed way and practically not provided
RSNA Security
added with 802.11i
Robust Security Network Association
new Authentication scheme from 802.11s
Upgrade of key lengths and cryptographic algorithms by the 802.11ac amendment
WEP
Wired Equivalent Privacy
provide the same level of implicit security as in a wired LAN
based on the RC4 stream cipher
proprietary stream cipher
chosen because of simplicity and speed
either 40-bit or 104-bit long keys
additional 24-bit Initialisation Vector (IV)
generate a pseudo-random key stream
WEP procedure
Sender
The 40/104-bit WEP Key is concatenated with the 24-bit IV and fed into the RC4 stream cipher – this produces a pseudo-random Key Stream (KS) of arbitrary length
Prior to encryption, a 32-bit Integrity Check Value (ICV) is calculated over the frame body (the plaintext payload). The ICV is a CRC checksum calculated in the same way as the FCS, but only over the frame body
The ICV is appended to the frame body and the resulting plaintext is XOR-ed with the Key Stream, resulting in a ciphertext
The IV is prepended to the ciphertext and both are sent as payload of the frame to the receiver
Receiver
The IV is extracted from the received frame and, together with the respective WEP Key, fed into RC4 to recreate the same Key Stream as was used by the sender
The received ciphertext is XOR-ed with the generated Key Stream to decrypt it
An expected ICV value ICV’ is calculated over the decrypted frame body and compared with the decrypted ICV received from the sender
If ICV ≠ ICV’, the received frame is discarded due to an integrity failure (e. g. attacker changed frame body)
If ICV = ICV’, the decrypted frame body is accepted as valid and forwarded to the higher layers for processing
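The sender and receiver steps above, as an added example that is not part of the original notes: RC4 driven by IV || WEP Key, a CRC-32 ICV over the frame body, XOR with the key stream, and the receiver's ICV comparison that discards a corrupted frame. The key, IV and frame body are constructed; the ICV is packed little-endian and the standard's key-ID byte after the IV is included, which the notes above do not mention.

```python
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by the PRGA; returns `length` key stream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(body: bytes) -> bytes:
    """32-bit ICV: same CRC-32 as the FCS, but over the plaintext frame body only."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def wep_encrypt(wep_key: bytes, iv: bytes, body: bytes) -> bytes:
    """Sender: IV || key-ID || ((body || ICV) XOR RC4(IV || WEP Key))."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)      # 24-bit IV, 40/104-bit key
    plaintext = body + icv(body)
    key_stream = rc4(iv + wep_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, key_stream))
    return iv + b"\x00" + ciphertext                     # key-ID byte 0 (constructed)


def wep_decrypt(wep_key: bytes, payload: bytes):
    """Receiver: rebuild the key stream from the IV, decrypt, compare ICV' with ICV.
    Returns (accepted, body); body is None when the frame is discarded."""
    iv, ciphertext = payload[:3], payload[4:]
    if len(ciphertext) < 4:                              # no room for an ICV
        return False, None
    key_stream = rc4(iv + wep_key, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, key_stream))
    body, received_icv = plaintext[:-4], plaintext[-4:]
    if icv(body) != received_icv:                        # ICV != ICV': integrity failure
        return False, None
    return True, body                                    # ICV = ICV': hand to higher layers
```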
WEP – Security Analysis
No Replay Protection
Key Stream reuse due to the short IV
Cryptographic flaws in the RC4 stream cipher
Ineffective integrity protection
WEP Replay
Attacker captures WEP-encrypted frame and re-injects it into the WLAN
Enables many practical attacks in combination with other flaws
Key Stream Reuse
The key stream produced must be as random as possible (must have high entropy)
Each key stream must be used only once, as the IV is short it is easy to reuse the same IV
Attacker just needs two frames with the same IV for this attack to work and get plaintext
with extended eavesdropping, the construction of an IV to key stream table makes it possible to easily decrypt any frames
RC4 Weakness
depends solely on the secrecy of the WEP Key
Some IV values produce key streams, so-called “weak keys”, that disclose information about the WEP Key
Due to the design of RC4, correlations exist between the produced key stream and the WEP Key used as input
With a large number of known IV-key stream pairs, a statistical analysis can reveal the WEP Key with a high probability
Integrity Protection
WEP uses the encrypted ICV to protect the integrity of a frame
Since the CRC-based ICV is linear, in combination with the (also linear) XOR-ing with the RC4 key stream, the integrity protection is completely nullified
Attacker is not limited in manipulating a captured frame, except for the length of the frame body