Authentication
==============

.. contents::
   :local:
   :depth: 3

Overview
--------

In IEEE 802.11b, **authentication** is the **first step** in establishing communication between a station (STA) and an Access Point (AP). It occurs before association and determines whether the STA is permitted to join the Basic Service Set (BSS).

The standard defines two basic authentication algorithms:

+------------------+-------------+---------------------------------------------+
| Algorithm Number | Type        | Description                                 |
+==================+=============+=============================================+
| 0                | Open System | Default method; no key verification.        |
+------------------+-------------+---------------------------------------------+
| 1                | Shared Key  | Uses WEP-based challenge–response exchange. |
+------------------+-------------+---------------------------------------------+

Modern Wi-Fi networks (WPA/WPA2/WPA3) still begin with Open System authentication but perform **cryptographic authentication** at higher layers (802.1X/EAP or PSK).

Authentication in the Association Workflow
------------------------------------------

The complete IEEE 802.11 join sequence is:

.. code-block:: none

   1. Scanning (Active or Passive)
   2. Authentication (Open or Shared Key)
   3. Association Request / Response
   4. (Optional) WPA/WPA2 key exchange (4-way handshake)

Only after successful authentication may a station send an Association Request to the AP.

Authentication Frame Format
---------------------------

All authentication frames are 802.11 **management frames** (Type = 0, Subtype = 11).

+-------------------------------------+----------+-------------------------------------------+
| Field                               | Length   | Description                               |
+=====================================+==========+===========================================+
| Frame Control                       | 2 bytes  | Type=Mgmt, Subtype=Authentication         |
+-------------------------------------+----------+-------------------------------------------+
| Duration                            | 2 bytes  | NAV (usually 0)                           |
+-------------------------------------+----------+-------------------------------------------+
| DA                                  | 6 bytes  | Destination (BSSID or STA)                |
+-------------------------------------+----------+-------------------------------------------+
| SA                                  | 6 bytes  | Source (STA or AP)                        |
+-------------------------------------+----------+-------------------------------------------+
| BSSID                               | 6 bytes  | Basic Service Set Identifier              |
+-------------------------------------+----------+-------------------------------------------+
| Sequence Control                    | 2 bytes  | Sequence number                           |
+-------------------------------------+----------+-------------------------------------------+
| **Authentication Algorithm Number** | 2 bytes  | 0 = Open, 1 = Shared Key                  |
+-------------------------------------+----------+-------------------------------------------+
| **Transaction Sequence Number**     | 2 bytes  | 1–4 depending on message                  |
+-------------------------------------+----------+-------------------------------------------+
| **Status Code**                     | 2 bytes  | 0 = Success, non-zero = failure           |
+-------------------------------------+----------+-------------------------------------------+
| **Challenge Text**                  | Variable | Present only in Shared Key authentication |
+-------------------------------------+----------+-------------------------------------------+

Open System Authentication
--------------------------

**Algorithm Number = 0**

Open System authentication is the simplest method. It provides no cryptographic verification but serves as the required first step in joining a BSS.

Exchange Sequence
~~~~~~~~~~~~~~~~~

.. code-block:: none

   STA → AP: Authentication Request (Algorithm=0, Seq=1)
   AP → STA: Authentication Response (Algorithm=0, Seq=2, Status=0)

Frame Details
~~~~~~~~~~~~~

**Authentication Request**

- Algorithm Number: 0
- Transaction Sequence: 1
- Status Code: 0
- No Challenge Text

**Authentication Response**

- Algorithm Number: 0
- Transaction Sequence: 2
- Status Code: 0 (success) or non-zero (failure)

Timing
~~~~~~

- Uses standard DCF rules (DIFS + backoff).
- Retransmissions occur if no response is received within the timeout.
- Upon success, the STA transitions to the *authenticated* state and proceeds to association.

Summary
~~~~~~~

Open System authentication is essentially "null authentication." Security relies on higher-layer encryption (e.g., WPA/WPA2).

Shared Key Authentication
-------------------------

**Algorithm Number = 1**

Used in early 802.11b networks employing WEP. It authenticates by verifying possession of a shared secret key.

Message Flow (Four-Step Handshake)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

.. code-block:: none

   1. STA → AP: Authentication Request (Seq=1)
   2. AP → STA: Authentication Response (Seq=2, includes Challenge Text)
   3. STA → AP: Authentication Request (Seq=3, includes Encrypted Challenge)
   4. AP → STA: Authentication Response (Seq=4, Status=0 if valid)

Step-by-Step Description
~~~~~~~~~~~~~~~~~~~~~~~~

**Step 1 — STA → AP (Request)**

- Algorithm: 1 (Shared Key)
- Transaction Seq: 1
- No Challenge field.

**Step 2 — AP → STA (Challenge)**

- Algorithm: 1
- Seq: 2
- Status: 0
- Challenge Text: Random 128-byte value
- The AP stores the challenge for later verification.

**Step 3 — STA → AP (Encrypted Challenge)**

- The STA encrypts the challenge text using WEP with the shared key.
- Algorithm: 1
- Seq: 3
- Includes Encrypted Challenge field.

**Step 4 — AP → STA (Verification Result)**

- The AP decrypts the received text using the same WEP key.
- It compares the result with the original plaintext challenge.
- If match → Status=0 (success).
- If mismatch → Status≠0 (failure).

Handshake Summary
~~~~~~~~~~~~~~~~~

.. code-block:: none

   STA → AP: AuthReq(seq=1)
   AP → STA: AuthResp(seq=2, Challenge)
   STA → AP: AuthReq(seq=3, EncryptedChallenge)
   AP → STA: AuthResp(seq=4, Status=0)

Security Limitations
~~~~~~~~~~~~~~~~~~~~

- The challenge text is transmitted **in plaintext**.
- An attacker can capture both plaintext and ciphertext, enabling key recovery.
- Vulnerable to replay and WEP key cracking.
- Deprecated in all modern deployments.

Status Codes
------------

The **Status Code** field in the Authentication Response frame indicates the result of the authentication attempt.

+------+------------------------------------------+
| Code | Meaning                                  |
+======+==========================================+
| 0    | Successful authentication                |
+------+------------------------------------------+
| 1    | Unspecified failure                      |
+------+------------------------------------------+
| 13   | Algorithm not supported                  |
+------+------------------------------------------+
| 14   | Sequence number out of order             |
+------+------------------------------------------+
| 15   | Challenge failure                        |
+------+------------------------------------------+
| 16   | Timeout                                  |
+------+------------------------------------------+
| 17   | Authentication rejected due to AP policy |
+------+------------------------------------------+

Authentication Timing Parameters (802.11b)
------------------------------------------

+----------------+-----------------------+
| Parameter      | Typical Value         |
+================+=======================+
| Slot Time      | 20 µs                 |
+----------------+-----------------------+
| SIFS           | 10 µs                 |
+----------------+-----------------------+
| DIFS           | 50 µs                 |
+----------------+-----------------------+
| Retry Interval | ≈ 500 ms (management) |
+----------------+-----------------------+
| WEP IV Size    | 24 bits (per frame)   |
+----------------+-----------------------+

Authentication and Association Sequence
---------------------------------------

.. code-block:: none

   1. [Scan]  STA discovers APs via Beacons or Probe Responses.
   2. [Auth]  STA authenticates with selected AP.
   3. [Assoc] STA sends Association Request → AP responds.
   4. [Data]  Encrypted data exchange begins.

Message Diagram — Shared Key Authentication
-------------------------------------------

.. code-block:: none

   STA                                                       AP
   ---                                                       ---
   Authentication Req (Alg=1, Seq=1)               --->
                       <--- Authentication Resp (Seq=2, Challenge)
   Authentication Req (Seq=3, Encrypted Challenge) --->
                       <--- Authentication Resp (Seq=4, Status=0)

Security Comparison
-------------------

+---------------------+-------------------+--------------------------+
| Feature             | Open System       | Shared Key               |
+=====================+===================+==========================+
| Challenge Mechanism | None              | WEP-based 4-way exchange |
+---------------------+-------------------+--------------------------+
| Encryption          | None              | WEP encryption on step 3 |
+---------------------+-------------------+--------------------------+
| Security Strength   | None (neutral)    | Weak (easily broken)     |
+---------------------+-------------------+--------------------------+
| Modern Usage        | WPA/WPA2 baseline | Deprecated               |
+---------------------+-------------------+--------------------------+
| Frames Exchanged    | 2                 | 4                        |
+---------------------+-------------------+--------------------------+

IBSS (Ad Hoc) Authentication
----------------------------

In ad hoc (IBSS) networks:

- Each STA acts as both client and authenticator.
- Authentication occurs peer-to-peer using the same mechanisms (Algorithm 0 or 1).
- Once mutual authentication succeeds, stations exchange data directly.

Retry and Timeout Behavior
--------------------------

- If STA receives no response → retransmit after timeout.
- After several failures → report authentication failure.
- STA may attempt a new AP if available.

Management Frame Protection (Later Enhancements)
------------------------------------------------

- 802.11b does **not** protect authentication frames.
- Frames can be spoofed (e.g., fake Deauth attacks).
- IEEE 802.11w later introduced **Management Frame Protection (MFP)**, adding integrity protection to management exchanges.

Implementation Guidelines
-------------------------

- Use **Open System** authentication exclusively.
- Always secure data with higher-layer encryption (WPA/WPA2/WPA3).
- Disable **Shared Key** authentication to avoid WEP vulnerabilities.
- Ensure proper timeout handling and retransmission limits.
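
One way to audit a capture for BSSIDs that still run Shared Key authentication, using the frame layout described above. This is an added example, not code from the original page; the Challenge Text element ID (16) and the Protected Frame flag (0x40 in the second Frame Control byte) come from the 802.11 standard rather than this page, and every frame and MAC address in it is constructed.

```python
import struct

HDR_LEN = 24          # Frame Control, Duration, DA, SA, BSSID, Sequence Control
CHALLENGE_EID = 16    # element ID that carries the Challenge Text
STATUS = {0: "success", 1: "unspecified failure", 13: "algorithm not supported",
          14: "sequence number out of order", 15: "challenge failure", 16: "timeout"}

def parse_auth(frame: bytes):
    """Decode one 802.11 frame; None unless it is an Authentication frame."""
    if len(frame) < HDR_LEN:
        return None
    if (frame[0] >> 2) & 0x3 != 0 or (frame[0] >> 4) != 11:   # Type=0, Subtype=11
        return None
    out = {"sa": frame[10:16].hex(":"), "bssid": frame[16:22].hex(":")}
    body = frame[HDR_LEN:]
    if frame[1] & 0x40:
        # Protected bit set: the body is WEP-encrypted (the Seq=3 frame of the
        # Shared Key exchange), so the fixed fields cannot be read without the key.
        return {**out, "finding": "shared-key"}
    if len(body) < 6:
        return {**out, "finding": "truncated"}
    alg, seq, status = struct.unpack_from("<HHH", body)       # little-endian fields
    out.update(alg=alg, seq=seq, status=STATUS.get(status, f"code {status}"))
    ies = body[6:]
    if len(ies) >= 2 and ies[0] == CHALLENGE_EID:
        out["challenge_len"] = min(ies[1], len(ies) - 2)      # clamp a lying length
    out["finding"] = {0: "open", 1: "shared-key"}.get(alg, "other")
    return out

def shared_key_bssids(frames):
    """BSSIDs seen in any Shared Key (WEP) authentication exchange."""
    hits = (parse_auth(f) for f in frames)
    return sorted({h["bssid"] for h in hits if h and h["finding"] == "shared-key"})

def sample(da, sa, bssid, body, fc=b"\xb0\x00"):
    """Build a constructed test frame; all addresses below are made up."""
    return fc + b"\x00\x00" + da + sa + bssid + b"\x00\x00" + body

STA = bytes.fromhex("020000000001")
AP1, AP2 = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
CAPTURE = [   # constructed capture, not real traffic
    sample(AP1, STA, AP1, struct.pack("<HHH", 0, 1, 0)),             # Open, Seq=1
    sample(STA, AP2, AP2, struct.pack("<HHH", 1, 2, 0) + b"\x10\x80" + bytes(128)),
    sample(AP2, STA, AP2, bytes(140), fc=b"\xb0\x40"),               # encrypted Seq=3
    sample(STA, AP1, AP1, b"", fc=b"\x80\x00"),                      # beacon, ignored
]

if __name__ == "__main__":
    print(shared_key_bssids(CAPTURE))
```

Any BSSID the function returns still accepts Algorithm 1 and should be reconfigured for Open System plus WPA2/WPA3.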

References
----------

- IEEE Std **802.11-2020**, Clause **9.3.3 (Authentication Frames)**
- IEEE Std **802.11b-1999**, Clause **18.2.3.7 (Authentication Procedure)**
- Gast, M. *802.11 Wireless Networks: The Definitive Guide*, O’Reilly
- Tanenbaum & Wetherall, *Computer Networks* (5th Edition)
- Fluhrer, Mantin, Shamir. *Weaknesses in the Key Scheduling Algorithm of RC4* (WEP attack)

Figures
-------

.. figure:: _static/auth_open_system.svg
   :align: center
   :alt: Open System authentication sequence

   Open System authentication (2-frame exchange).

.. figure:: _static/auth_shared_key.svg
   :align: center
   :alt: Shared Key authentication 4-frame sequence

   Shared Key authentication using WEP challenge–response exchange.