802.11 Wireless LANs - PowerPoint PPT Presentation


Title: 802.11 Wireless LANs


1
802.11 Wireless LANs
  • Abhishek Karnik,
  • Dr. Ratan Guha
  • University Of Central Florida

2
OVERVIEW
  • Introduction
  • 802.11 Basics
  • 802.11e for QoS
  • WEP

3
INTRODUCTION
  • In 1997 the IEEE adopted IEEE Std. 802.11-1997
  • Defines MAC and PHY layers for LAN and wireless
    connectivity.
  • Facilitates ubiquitous communication and
    location-independent computing
  • 802.11b operates at 11 Mbps in the 2.4 GHz ISM
    Band ('99)
  • 802.11a operates at 54 Mbps in the 5 GHz Band
    ('99)
  • 802.11g operates at 54 Mbps in the 2.4 GHz Band
    ('02)
  • Increased deployment and popularity led to the
    introduction of QoS
  • 802.11e for QoS: Draft Supplement, Nov 2002

4
802.11 BASICS
  • Wireless LAN Station: The station (STA) is any
    device that contains the functionality of the
    802.11 protocol, that being MAC, PHY, and a
    connection to the wireless media. Typically the
    802.11 functions are implemented in the hardware
    and software of a network interface card (NIC).
  • Ex: PC, Handheld, AP (Access Point)
  • Basic Service Set (BSS): 802.11 defines the Basic
    Service Set (BSS) as the basic building block of
    an 802.11 wireless LAN. The BSS consists of a
    group of any number of stations.

5
IBSS (Independent Basic Service Set - Ad-hoc Mode)
  • peer-peer connections
6
Infrastructure Basic Service Set
7
ESS (Extended Service Set)
[Figure labels: BSS1, BSS2]
8
Super Frame
[Figure labels: Beacon, TBTT, PCF, DCF]
  • DCF - Distributed Coordinated Function
    (Contention Period - Ad-hoc Mode)
  • PCF - Point Coordinated Function
    (Contention Free Period - Infrastructure BSS)
  • Beacon - Management Frame; synchronization of
    local timers; delivers protocol related parameters
  • TBTT - Target Beacon Transition Time
9
Distributed Coordinated Function (DCF)
  • Also known as the Contention Period
  • STAs form peer-peer connections. No central
    authority
  • First listen and then speak
  • Uses CSMA/CA (Carrier Sense Multiple Access
    with Collision Avoidance)
  • ACK indicates successful delivery
  • Each node has one output buffer

10
Inter-Frame Spacing
  • DIFS - 34 µsec
  • PIFS - 25 µsec (Used in PCF)
  • SIFS - 16 µsec
  • Slot Time - 9 µsec
  • DIFS = SIFS + (2 × Slot Time)
  • SIFS required for turn around of Tx to Rx and
    vice versa
11
Data Transmission from Node A to B
  • CW: Contention Window. Starts only after DIFS.
  • Random number r picked from range (0 - CW)
  • CWmin: minimum value of CW
  • CWmax: maximum value the CW can grow to after
    collisions
  • r can be decremented only in CW
  • CW doubles after every collision

12
[Timing diagram; labels: CW(A), DIFS, DATA(A), ACK(B), ACK, DIFS, SIFS]
  • What if some node C wanted to send data while A
    was transmitting data to B?
  • What about during SIFS?
  • What if, after the ACK, more than one node (say
    B, C, D, E) is waiting to transmit data?

13
Example: rA = 4 and rC = 6
[Timing diagram; labels: DIFS, DATA(A), ACK(B), ACK, DATA(C), DIFS, SIFS]
  • What if rA and rC had both been picked as 4?
  • What if rA and rC had collided and the DATA(A)
    length was 10 while the DATA(C) length was 15?

14
A Collision between nodes A and C
[Timing diagram; labels: DATA(C), DATA(A), ACK, DIFS, SIFS, DIFS]
  • Length (DATA(A)) = 10 Slot times
  • Length (DATA(C)) = 15 Slot times
  • CW after Collision 1 → 0 - 7
  • CW after Collision 2 → 0 - 15
  • CW after Collision 3 → 0 - 31
  • CW after Collision 4 → 0 - 63

15
NAV: Network Allocation Vector
[Timing diagram; labels: STA A (DATA), STA B (ACK), STA C, ACK, SIFS, DIFS, DIFS, NAV for B and C]
16
Hidden Node Problem and Exposed Node Problem
[Figure labels: STA A, STA B, STA C]
17
RTS/CTS
  • RTS (Request To Send) - (Approx 20 bytes)
  • CTS (Clear To Send) - (Approx 16 bytes)
  • Use of RTS/CTS is optional
  • Solves two problems:
    Hidden Node Problem; wastage of time due to
    collisions
  • Maximum MSDU is 2304 bytes

18
Preventing a collision at STA B
[Figure labels: stations A, B, C, D; RTS, CTS, CTS, CTS]
19
[Timing diagram; labels: STA A (RTS, DATA), STA B (CTS, ACK), STA C (NAV), STA D (NAV), New Node (NAV), DIFS, SIFS, CW]
20
Point Coordinated Function (PCF)
  • Also known as the CFP (Contention Free Period)
  • Operation in an Infrastructure BSS
  • STAs communicate using a central authority known
    as PC (Point Coordinator) or AP (Access Point)
  • No Collisions take place
  • AP takes over medium after waiting a period of
    PIFS
  • Starts with issue of a Beacon

21
Beacon
  • Management Frame
  • Synchronization of Local timers
  • Delivers protocol related parameters
  • TBTT - Target Beacon Transition Time

[Figure: Super Frame; labels: Beacon, TBTT, PCF, DCF]
22
AP taking over the Wireless medium using PIFS
[Timing diagram; labels: PIFS, DATA, A, B, DIFS, SIFS, DIFS]
  • DIFS - 34 µsec
  • PIFS - 25 µsec
  • SIFS - 16 µsec
  • Slot Time - 9 µsec
  • B - Beacon
23
Operation in CFP
[Timing diagram; labels: CP, CFP, B, D1 Poll, D2 ACK Poll, CF_End, U1 ACK, U1 ACK, SIFS]
24
  • Admission Control
  • Purpose of having separate DCF and PCF
  • Different 802.11 Working groups
  • 802.11a (54 Mbps in 5 GHz Band)
  • 802.11b (11 Mbps in 2.4 GHz Band)
  • 802.11c Wireless AP Bridge Operations
  • 802.11d Internationalization
  • 802.11e (QoS)
  • 802.11f Inter-vendor AP hand-offs
  • 802.11h Power control for 5 GHz region
  • 802.11g (54 Mbps in 2.4 GHz Band)
  • 802.11i (Security)

25
802.11e for QoS
  • QoS (Quality of Service)
  • 802.11e for QoS Draft Supplement Nov 2002
  • Introduction of new QoS mechanism for WLANs

26
[Figure labels: HC, PC, (Enhanced Station), BSS (Basic Service Set), QBSS (Basic Service Set for QoS), HCCA, EDCA, PCF, DCF]
27
QoS Support Mechanisms of 802.11e
  • EDCA
  • Introduction of 4 Access Categories (AC)
    with 8 Traffic Classes (TC)
  • MSDU are delivered through multiple back-offs
    within one station using AC specific
    parameters.
  • Each AC independently starts a back-off after
    detecting the channel being idle for AIFS
  • After waiting AIFS, each back-off sets its
    counter from a number drawn from the interval
    [1, CW+1]
  • newCW[AC] >= ((oldCW[TC] + 1) × PF) - 1

28
  • Prioritized Channel Access is realized with the
    QoS parameters per TC, which include
  • AIFS[AC]
  • CWmin[AC]
  • PF[AC]

29
EDCA
[Figure labels: TC, AC1, AC2, AC3, AC4, Virtual Collision]
30
Access Category based Back-offs
[Timing diagram; labels: AIFS[AC3], AIFS[AC2], AIFS[AC1], AIFS[AC0], BackOff[AC3] Frame, BackOff[AC2] Frame, BackOff[AC1] Frame, ACK, BackOff[AC0] Frame]
31
QoS Parameter Set Element Format
  • Element ID
  • CWmin[AC]: CWmin[0] .. CWmin[3]
  • CWmax[AC]: CWmax[0] .. CWmax[3]
  • AIFSN[AC]: AIFSN[0] .. AIFSN[3]
  • TxOPLimit[AC]: TxOP[0] .. TxOP[3]
  • AIFS[AC] = AIFSN[AC] × aSlotTime + SIFS
32
  • HCCA ( Hybrid Coordination Function Controlled
    Channel Access )
  • Extends the EDCA access rules.
  • CP TxOP
  • After AIFS Back off
  • QoS Poll After PIFS
  • CFP TxOP
  • Starting and duration specified by HC using
    QoS Poll.

33
Hybrid Coordinator
[Timing diagram; labels: HC, PIFS, HCCA, EDCA, PIFS, DATA, A, DATA, AIFS, SIFS, AIFS]
34
  • 802.11e Operation in the CFP
  • Guaranteed channel access on successful
    registration
  • Each node will receive a TxOP by means of
    polls granted to them by the HC
  • TxOP based on negotiated Traffic specification
    (TSPEC) and observed node activity
  • TxOP is at least the size of one Maximum sized
    MSDU at the PHY rate.
  • Access Point advertises polling list

35
Traffic Specification (TSPEC)
Element ID (1)
Length (1)
Maximum MSDU size (2)
TS info (2)
Nominal size MSDU (2)
Minimum Service Interval (4)
Maximum Service Interval (4)
Mean Data Rate (4)
Inactivity Interval (4)
Minimum Data Rate (4)
Maximum Burst Size (4)
Minimum PHY Rate (4)
Surplus Bandwidth Allowed (2)
Peak Data Rate (2)
Delay Bound (2)
36
Example
37
AIFS[AC] = AIFSN[AC] × aSlotTime + SIFS
  • PIFS - 25 µsec (Used in HCCA)
  • SIFS - 16 µsec
  • Slot Time - 9 µsec
  • AIFS[0] = (2 × 9) + 16 = 34 µsec = DIFS
  • AIFS[1] = (4 × 9) + 16 = 52 µsec → (52 - 34) / 9 = 18/9 = 2 Slots
  • AIFS[2] = (7 × 9) + 16 = 79 µsec → (79 - 34) / 9 = 45/9 = 5 Slots
38
Back-off Algorithm
  • 802.11: CW range = [0, 2^(2+i) - 1]
  • 802.11e: newCW[AC] = (oldCW[AC] + 1) × PF - 1
39
WEP (Wired Equivalent Privacy)
  • Optional in WLANs
  • Uses the RC4 (Rivest Cipher 4) Stream Cipher
    generated with a 64-bit/128-bit Key
  • Key composed of 24-bit IV (Initialization Vector)
  • Key = (24-bit IV, 40-bit WEP Key) = 64 bits
  • Key = (24-bit IV, 104-bit WEP Key) = 128 bits
  • Goal: to provide authentication, confidentiality
    and data integrity
  • Secret Key is shared between communicators
  • The encrypted packet is generated with a bitwise
    exclusive OR (XOR) of the original packet and the
    RC4 stream.
  • 4-byte Integrity Check Value (ICV) is computed on
    the original packet and appended to the end which
    is also encrypted with the RC4 cipher stream.
  • Encryption done only between 802.11 stations.

40
Encrypted WEP Frame
http://www-106.ibm.com/developerworks/security/library/s-wep/
41
Encryption / Decryption
  • M = Original Data Frame
  • CRC-32 (c) applied to M to obtain c(M)
  • c(M) and M are concatenated to get Plain Text
    P = (M, c(M))
  • WEP produces a Key-stream, equal to the length
    of P, as a function of the 24-bit IV and 40-bit
    WEP Key using RC4.
  • Key Stream and the Plaintext are XORed to
    produce the Cipher Text
  • The IV is transmitted in the clear (unencrypted)
  • The receiver uses the IV and the shared key to
    decrypt the message

42
  • Draw Backs of WEP
  • A number of attacks can be used against WEP
  • Passive Attacks based on statistical analysis
  • Active Attacks based on known plain text
  • WEP relies on a Shared Key to ensure that
    packets are not modified in transit.
  • There is no discussion on how these keys are
    distributed and hence usually a single key is
    used which is shared amongst all STAs and the AP

43
All in a day's work
  • Shared Key is long lived: may last a week, a
    month, even a year or more
  • Consider a busy AP which constantly sends
    packets of length 1500 bytes at 11 Mbps
  • Since the IV is 24 bits in length and the Shared
    key is unchanged, the IV gets exhausted after
    2^24 × (1500 × 8) / (11 × 10^6)
    ≈ 18000 secs ≈ 5 hours
  • Lucent wireless cards

44
PT ⊕ Key → CT
CT ⊕ Key → PT
  • XOR
  • 0 ⊕ 0 → 0
  • 0 ⊕ 1 → 1
  • 1 ⊕ 0 → 1
  • 1 ⊕ 1 → 0
  • XORing a Bit with itself gives 0

45
PASSIVE ATTACK
Sender: PT ⊕ K → CT
  0 ⊕ 0 → 0
  0 ⊕ 1 → 1
  1 ⊕ 0 → 1
  1 ⊕ 1 → 0
Receiver: CT ⊕ K → PT
  0 ⊕ 0 → 0
  1 ⊕ 1 → 0
  1 ⊕ 0 → 1
  0 ⊕ 1 → 1
46
  • IV repeats, generating K
  • Identical K used to encrypt MSG1 and MSG2

MSG1 ⊕ K → C(MSG1)
MSG2 ⊕ K → C(MSG2)
  • Obtain C(MSG1) and C(MSG2) and XOR them
  • XORing causes the Key Stream to cancel, which
    yields the XOR of MSG1 and MSG2, i.e. the XOR of
    the Plain Text packets
  • This XOR can now be used to apply Statistical
    Analysis

47
Example: MSG1 → 0 0 1 1, MSG2 → 1 0 1 1
MSG2: PT2 ⊕ K → CT2
  1 ⊕ 0 → 1
  0 ⊕ 1 → 1
  1 ⊕ 0 → 1
  1 ⊕ 1 → 0
MSG1: PT1 ⊕ K → CT1
  0 ⊕ 0 → 0
  0 ⊕ 1 → 1
  1 ⊕ 0 → 1
  1 ⊕ 1 → 0
48
CT1 XOR CT2: CT1 ⊕ CT2
  0 ⊕ 1 → 1
  1 ⊕ 1 → 0
  1 ⊕ 1 → 0
  0 ⊕ 0 → 0
MSG1 XOR MSG2: MSG1 ⊕ MSG2
  0 ⊕ 1 → 1
  0 ⊕ 0 → 0
  1 ⊕ 1 → 0
  1 ⊕ 1 → 0
Apply Statistical analysis on last three bits and
educated guess on the rest
49
[Figure labels: AP, Wired Network, xx, Hi, Attacker]
50
Active Attack
  • Attacker knows exact plain text for one
    encrypted packet
  • Use this knowledge to construct correct
    encrypted packet
  • Construct a new message, calculate CRC-32 and
    perform bit flips on original encrypted packet
    to change the plaintext to the new message.