Authentication

Overview

In IEEE 802.11b, authentication is the first step in establishing communication between a station (STA) and an Access Point (AP). It occurs before association and determines whether the STA is permitted to join the Basic Service Set (BSS).

The standard defines two basic authentication algorithms:

| Algorithm Number | Type | Description |
|------------------|------|-------------|
| 0 | Open System | Default method; no key verification. |
| 1 | Shared Key | Uses WEP-based challenge–response exchange. |

Modern Wi-Fi networks (WPA/WPA2/WPA3) still begin with Open System authentication but perform cryptographic authentication at higher layers (802.1X/EAP or PSK).

Authentication in the Association Workflow

The complete IEEE 802.11 join sequence is:

1. Scanning (Active or Passive)
2. Authentication (Open or Shared Key)
3. Association Request / Response
4. (Optional) WPA/WPA2 key exchange (4-way handshake)

Only after successful authentication may a station send an Association Request to the AP.

Authentication Frame Format

All authentication frames are 802.11 management frames (Type = 0, Subtype = 11).

| Field | Length | Description |
|-------|--------|-------------|
| Frame Control | 2 bytes | Type=Mgmt, Subtype=Authentication |
| Duration | 2 bytes | NAV (usually 0) |
| DA | 6 bytes | Destination (BSSID or STA) |
| SA | 6 bytes | Source (STA or AP) |
| BSSID | 6 bytes | Basic Service Set Identifier |
| Sequence Control | 2 bytes | Sequence number |
| Authentication Algorithm Number | 2 bytes | 0 = Open, 1 = Shared Key |
| Transaction Sequence Number | 2 bytes | 1–4 depending on message |
| Status Code | 2 bytes | 0 = Success, non-zero = failure |
| Challenge Text | Variable | Present only in Shared Key authentication |
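A parser for the frame layout in the table above, with a small audit step that flags Shared Key use; this is an added example, not code from the original page. The Challenge Text element ID (16), the little-endian field encoding and the Protected Frame bit come from IEEE 802.11 rather than this page, and the sample frame and MAC addresses are constructed.

```python
import struct

CHALLENGE_TEXT_EID = 16  # Challenge Text element ID per IEEE 802.11 (not listed on this page)

def parse_auth_frame(frame: bytes) -> dict:
    """Parse an Authentication frame that starts at Frame Control (no radiotap, no FCS)."""
    if len(frame) < 24:
        raise ValueError("shorter than the 24-byte management header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if (ftype, subtype) != (0, 11):
        raise ValueError(f"not an Authentication frame: type={ftype} subtype={subtype}")
    out = {"da": frame[4:10].hex(":"), "sa": frame[10:16].hex(":"),
           "bssid": frame[16:22].hex(":"), "protected": bool(fc & 0x4000)}
    body = frame[24:]
    if out["protected"]:
        # Shared Key message 3: the body is WEP-encrypted, only the 3-byte IV is readable.
        out["iv"] = body[:3].hex()
        return out
    if len(body) < 6:
        raise ValueError("truncated fixed fields")
    alg, seq, status = struct.unpack_from("<HHH", body, 0)
    out.update(algorithm=alg, transaction_seq=seq, status=status, challenge=None)
    pos = 6
    while pos + 2 <= len(body):  # walk the tagged elements after the fixed fields
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            raise ValueError("element runs past the end of the frame")
        if eid == CHALLENGE_TEXT_EID:
            out["challenge"] = value
        pos += 2 + elen
    return out

def audit(frame: bytes) -> list:
    """Return findings a monitoring sensor would raise for this frame."""
    f = parse_auth_frame(frame)
    findings = []
    if f["protected"] or f.get("algorithm") == 1:
        findings.append("Shared Key (WEP) authentication in use")
    if f.get("challenge") is not None and f.get("transaction_seq") == 2:
        findings.append(f"cleartext challenge of {len(f['challenge'])} bytes from {f['sa']}")
    return findings

# Constructed sample: Shared Key message 2 (AP 02:00:00:00:00:aa -> STA 02:00:00:00:00:01).
SAMPLE = bytes.fromhex("b0000000" "020000000001" "0200000000aa" "0200000000aa" "1000"
                       "010002000000" "1080") + bytes(range(128))

if __name__ == "__main__":
    print(parse_auth_frame(SAMPLE)["status"], audit(SAMPLE))
```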

Open System Authentication

Algorithm Number = 0

Open System authentication is the simplest method. It provides no cryptographic verification but serves as the required first step in joining a BSS.

Exchange Sequence

STA → AP: Authentication Request (Algorithm=0, Seq=1)
AP  → STA: Authentication Response (Algorithm=0, Seq=2, Status=0)

Frame Details

Authentication Request

  • Algorithm Number: 0

  • Transaction Sequence: 1

  • Status Code: 0

  • No Challenge Text

Authentication Response

  • Algorithm Number: 0

  • Transaction Sequence: 2

  • Status Code: 0 (success) or non-zero (failure)

Timing

  • Uses standard DCF rules (DIFS + backoff).

  • Retransmissions occur if a response is not received within the timeout.

  • Upon success, STA transitions to the authenticated state and proceeds to association.

Summary

Open System authentication is essentially “null authentication.” Security relies on higher-layer encryption (e.g., WPA/WPA2).

Shared Key Authentication

Algorithm Number = 1

Used in early 802.11b networks employing WEP. It authenticates by verifying possession of a shared secret key.

Message Flow (Four-Step Handshake)

1. STA → AP: Authentication Request (Seq=1)
2. AP  → STA: Authentication Response (Seq=2, includes Challenge Text)
3. STA → AP: Authentication Request (Seq=3, includes Encrypted Challenge)
4. AP  → STA: Authentication Response (Seq=4, Status=0 if valid)

Step-by-Step Description

Step 1 — STA → AP (Request)

  • Algorithm: 1 (Shared Key)

  • Transaction Seq: 1

  • No Challenge field.

Step 2 — AP → STA (Challenge)

  • Algorithm: 1

  • Seq: 2

  • Status: 0

  • Challenge Text: Random 128-byte value

  • AP stores challenge for later verification.

Step 3 — STA → AP (Encrypted Challenge)

  • STA encrypts challenge text using WEP with shared key.

  • Algorithm: 1

  • Seq: 3

  • Includes Encrypted Challenge field.

Step 4 — AP → STA (Verification Result)

  • AP decrypts received text using same WEP key.

  • Compares with original plaintext challenge.

  • If match → Status=0 (success).

  • If mismatch → Status≠0 (failure).

Handshake Summary

STA → AP: AuthReq(seq=1)
AP  → STA: AuthResp(seq=2, Challenge)
STA → AP: AuthReq(seq=3, EncryptedChallenge)
AP  → STA: AuthResp(seq=4, Status=0)

Security Limitations

  • Challenge text transmitted in plaintext.

  • Attacker can capture both plaintext and ciphertext, enabling key recovery.

  • Vulnerable to replay and WEP key cracking.

  • Deprecated in all modern deployments.
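Why the step 4 comparison does not prove key possession, as an added local simulation that is not code from the original page: XORing the cleartext challenge with the encrypted response yields the RC4 keystream for that IV, and that keystream alone satisfies the AP's check for a different challenge. Simplified model: only the challenge text and its CRC-32 ICV are encrypted (a real message 3 also encrypts the fixed fields), and the key, IV and function names are constructed for illustration.

```python
import os
import zlib

def rc4(seed: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given seed."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def with_icv(plain: bytes) -> bytes:
    """Plaintext followed by its 4-byte CRC-32 integrity check value."""
    return plain + zlib.crc32(plain).to_bytes(4, "little")

def sta_encrypt(key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Step 3: a key-holding STA encrypts the challenge under seed IV || key."""
    body = with_icv(challenge)
    return xor(body, rc4(iv + key, len(body)))

def ap_verify(key: bytes, iv: bytes, cipher: bytes, challenge: bytes) -> int:
    """Step 4: AP decrypts and compares; returns Status Code 0 or 15."""
    return 0 if xor(cipher, rc4(iv + key, len(cipher))) == with_icv(challenge) else 15

def demo() -> tuple:
    key, iv = bytes.fromhex("0102030405"), bytes.fromhex("aabbcc")   # constructed values
    c1 = os.urandom(128)                       # step 2 challenge, sent in the clear
    r1 = sta_encrypt(key, iv, c1)              # step 3 response, also observable
    keystream = xor(with_icv(c1), r1)          # what both frames together reveal
    c2 = os.urandom(128)                       # a later, different challenge
    r2 = xor(with_icv(c2), keystream)          # formed without using `key`
    return (ap_verify(key, iv, r1, c1),        # 0: legitimate exchange
            keystream == rc4(iv + key, 132),   # True: keystream for this IV exposed
            ap_verify(key, iv, r2, c2))        # 0: check passes without the key

if __name__ == "__main__":
    print(demo())
```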

Status Codes

The Status Code field in the Authentication Response frame indicates the result of the authentication attempt.

| Code | Meaning |
|------|---------|
| 0 | Successful authentication |
| 1 | Unspecified failure |
| 13 | Algorithm not supported |
| 14 | Sequence number out of order |
| 15 | Challenge failure |
| 16 | Timeout |
| 17 | Authentication rejected due to AP policy |

Authentication Timing Parameters (802.11b)

| Parameter | Typical Value |
|-----------|---------------|
| Slot Time | 20 µs |
| SIFS | 10 µs |
| DIFS | 50 µs |
| Retry Interval | ≈ 500 ms (management) |
| WEP IV Size | 24 bits (per frame) |

Authentication and Association Sequence

1. [Scan]       STA discovers APs via Beacons or Probe Responses.
2. [Auth]       STA authenticates with selected AP.
3. [Assoc]      STA sends Association Request → AP responds.
4. [Data]       Encrypted data exchange begins.

Message Diagram — Shared Key Authentication

STA                                  AP
---                                  ---
Authentication Req (Alg=1, Seq=1)  --->
                                    <--- Authentication Resp (Seq=2, Challenge)
Authentication Req (Seq=3, Encrypted Challenge) --->
                                    <--- Authentication Resp (Seq=4, Status=0)

Security Comparison

IBSS (Ad Hoc) Authentication

In ad hoc (IBSS) networks:

  • Each STA acts as both client and authenticator.

  • Authentication occurs peer-to-peer using the same mechanisms (Algorithm 0 or 1).

  • Once mutual authentication succeeds, stations exchange data directly.

Retry and Timeout Behavior

  • If STA receives no response → retransmit after timeout.

  • After several failures → report authentication failure.

  • STA may attempt a new AP if available.

Management Frame Protection (Later Enhancements)

  • 802.11b does not protect authentication frames.

  • Frames can be spoofed (e.g., fake Deauth attacks).

  • IEEE 802.11w later introduced Management Frame Protection (MFP), adding integrity protection to management exchanges.

Implementation Guidelines

  • Use Open System authentication exclusively.

  • Always secure data with higher-layer encryption (WPA/WPA2/WPA3).

  • Disable Shared Key authentication to avoid WEP vulnerabilities.

  • Ensure proper timeout handling and retransmission limits.

Figures

Figure: Open System authentication (2-frame exchange).

Figure: Shared Key authentication using WEP challenge–response exchange (4-frame sequence).