Figure 1 - uploaded by Nicolas Sklavos
The 802.11i security procedures 


Source publication
Conference Paper
Office State Commercial Cryptography Administrator (OSCCA) in China has specified the SMS4 block cipher as the encryption standard for wireless local area networks. This work introduces architectural optimizations for this standard, regarding performance, allocated resources, and covered area, for its efficient hardware implementation. Furthermor...

Context in source publication

Context 1
... several security weaknesses were found following the original 802.11 networks. The new standard includes a Robust Security Network (RSN) with two newly introduced protocols, the 4-Way Handshake and the Group Key Handshake. Both make use of the authentication services and port access control described in IEEE 802.1X in order to create and alter the appropriate cryptographic keys. The 802.11i specification provides two classes of security algorithms: Robust Security Network Association (RSNA) and Pre-RSNA. The latter consists of Wired Equivalent Privacy (WEP) and the basic 802.11 entity authentication, while the RSNA security algorithm offers two data confidentiality protocols, the Temporal Key Integrity Protocol (TKIP) and the Counter-mode/CBC-MAC Protocol (CCMP), as well as the RSNA establishment procedure, including authentication and key management protocols [4].

The SMS4 block cipher is a Generalized Feistel Network (GFN) cipher utilizing an unbalanced and homogeneous Feistel network structure. The encryption and key scheduling algorithms are nearly identical, whereas decryption uses the same keys as encryption but in reversed order. The only computational operations that SMS4 uses are XOR, circular shifts, and repeated 8-bit S-Box applications. Since the SMS4 algorithm was made public in January 2006, the cipher has undergone extensive cryptanalysis research. Several known and newer forms of attack, such as rectangle, differential and linear attacks, have been tested on this block cipher to bring to light the security resistance of SMS4 as well as other cryptographic observations related to it [5-8].

In this paper, architectural optimizations for this standard, regarding performance, allocated resources, and covered area, are presented for its efficient hardware implementation. Hardware integrations of the proposed architectures are introduced based on the FPGA implementation platform. The proposed integrations are compared in detail with similar published works on this WLAN standard, as well as with AES.

II. THE IEEE 802.11I SECURITY SPECIFICATION

The IEEE 802.11i framework proposes three data confidentiality protocols: Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), and the Counter-mode/CBC-MAC Protocol (CCMP). Because the security vulnerabilities of WEP and TKIP have been extensively studied in the bibliography, we will focus on the security analysis of CCMP. While WEP and TKIP use the RC4 stream cipher, CCMP utilizes the CCM (Counter with CBC-MAC) operation mode of the well-known AES encryption algorithm with a 128-bit key size and a 128-bit block size. CCMP should be used for data confidentiality because WEP and TKIP have severe weaknesses. CCMP combines counter mode (CTR), for data confidentiality, with the Cipher Block Chaining Message Authentication Code (CBC-MAC), for data integrity, using an 8-byte MIC (Message Integrity Code) and a 2-byte length field. Assuming that the 128-bit key is adequately secure against most forms of attacks on AES, it is possible with this standard to use this key size to encrypt all packets, eliminating the problems with the key scheduling algorithms of WEP and TKIP.

As mentioned earlier, due to the several security weaknesses that emerge from the original 802.11 entity authentication, the enhanced 802.11i proposes the Robust Security Network Association (RSNA) establishment procedure to provide adequate mutual authentication, on the one hand, and to generate new TKs for the data confidentiality protocols, on the other. Three entities are involved during the RSNA establishment procedure: the Supplicant (the Wireless Station), the Authenticator (the Access Point), and the Authentication Server. We can distinguish 6 stages of the complete handshakes for this establishment: the network and security capability discovery, the 802.11 authentication and association, the EAP/802.1X/RADIUS authentication, the 4-Way Handshake, the Group Key Handshake, and the secure data communication stage, as illustrated in Figure 1 [6].

Perhaps one of the most essential components of the total RSNA establishment procedure is the 4-Way Handshake. It is mainly aimed at ensuring possession of the shared secret key PMK (Pairwise Master Key) by the authenticator and the supplicant, and at producing another key, called the PTK (Pairwise Transient Key), for seamless data communication purposes. The PTK is generated by feeding the concatenation of the PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address into a cryptographic hash function. The handshake procedure also outputs the GTK (Group Temporal Key), used for decrypting multicast or broadcast data traffic. Figure 2 shows the actual message exchange during this procedure. Finally, as soon as the PTK is obtained from the previous procedure, it is divided into five separate keys.

The GTK used in the network may sometimes need to be updated due to the expiry of a specific preset timer. Additionally, when a device leaves the network, the GTK also needs to be updated. This prevents that device from receiving any further multicast or broadcast messages from the AP.

III. STRUCTURE OF SMS4

SMS4 is a block cipher that accepts a 128-bit plaintext block P and a 128-bit master key K. The latter is used as input to the key scheduling algorithm to produce a set of thirty-two 32-bit round subkeys. In each adjacent round, the least significant three bytes of the state are XORed with the round key, and the result forms the input of the S transformation. The S transformation then uses an 8-bit to 8-bit bijective S-box four times in parallel to process each byte, and the concatenated bytes are processed using a linear transformation L. The encryption algorithm, which consists of 32 applications of the round function, then uses the plaintext block and the round subkeys as input to produce the ciphertext block C.

Let us assume that $P = (X_0, X_1, X_2, X_3)$ defines the 128-bit plaintext block formed from the concatenation of four 32-bit words $X_i$. Let $K_i$ denote the 32-bit i-th round subkey derived from the 128-bit master key K. Let also $T = L \circ S$ define the function composed of the non-linear transformation S and the linear transformation L. Then the i-th round function of the encryption algorithm can be described as ...
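The PTK derivation, key split and key confirmation from the 4-Way Handshake paragraph above, as an added example that is not code from the paper. It assumes the IEEE 802.11i PRF over HMAC-SHA1 with the "Pairwise key expansion" label; the PMK, MAC addresses, nonces and the message 2 bytes are constructed placeholders, and the helper names are hypothetical.

```python
import hashlib
import hmac

def prf(key, label, data, nbytes):
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for counter in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk, aa, spa, anonce, snonce, tkip=False):
    """Derive the PTK and split it; aa and spa are the AP and STA MAC addresses."""
    # Sorting both pairs gives the authenticator and the supplicant the same input.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64 if tkip else 48)
    keys = {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if tkip:  # TKIP adds two 64-bit Michael MIC keys, giving five keys in total
        keys["MIC_AP_TX"], keys["MIC_STA_TX"] = ptk[48:56], ptk[56:64]
    return keys

def eapol_mic(kck, frame):
    """Key-confirmation MIC: HMAC-SHA1 truncated to 128 bits over an EAPOL-Key frame."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]

# Constructed sample values (not captured traffic).
PMK = hashlib.sha256(b"constructed pmk").digest()
AA, SPA = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()
MSG2 = b"constructed stand-in for EAPOL-Key message 2 with zeroed MIC field"

def authenticator_accepts(sta_pmk):
    """Message 2 check: the AP recomputes the MIC with its own KCK and compares."""
    sta_kck = derive_ptk(sta_pmk, AA, SPA, ANONCE, SNONCE)["KCK"]
    ap_kck = derive_ptk(PMK, AA, SPA, ANONCE, SNONCE)["KCK"]
    return hmac.compare_digest(eapol_mic(sta_kck, MSG2), eapol_mic(ap_kck, MSG2))

if __name__ == "__main__":
    for name, key in derive_ptk(PMK, AA, SPA, ANONCE, SNONCE, tkip=True).items():
        print(name, key.hex())
    print(authenticator_accepts(PMK), authenticator_accepts(bytes(32)))
```

A supplicant holding a different PMK derives a different KCK, so its message 2 MIC fails the comparison and the handshake stops before any temporal key is installed.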

Similar publications

Article
In some wireless environments, minimizing the size of messages is paramount due to the resulting significant energy savings. We present CMCC (CBC-MAC-CTR-CBC), an authenticated encryption scheme with associated data (AEAD) that is also nonce misuse resistant. The main focus for this work is minimizing ciphertext expansion, especially for short mess...
Conference Paper
The utmost application of wireless networks and the internet has actuated substantial demands for information security and data concealment. However, wireless systems are more susceptible to illegitimate access and eavesdropping. RC5 has variable parameters of word size, length of secret key and number of rounds. Ronald Rivest suggested the RC5 a...
Conference Paper
Differential power analysis (DPA) becomes cumbersome when the analyzed traces are misaligned. The misalignment can be caused by deliberately inserting dummy wait states, random CPU stalls, or a random clock. In this paper we discuss clock frequency effects in random clock equipped cryptosystems and show that the power traces captured accordingly fe...
Article
The current commercial access point (AP) selection schemes are mostly based on received signal strength, but perform poorly in many situations. To address this problem, a number of alternative schemes collect and analyze the actual load of every candidate AP. However, these schemes may incur significant latency and signaling overhead in dense wirel...
Article
With the proliferation of high-speed wireless networking, the necessity for efficient, robust and secure encryption modes is ever increasing. But, cryptography is primarily a computationally intensive process. This paper investigates the performance and efficiency of IEEE 802.11i approved Advanced Encryption Standard (AES)-Rijndael ciphering/deciph...

Citations

Article
In our day-to-day life, securing the confidential data and communicating the same to the authorized receiver are the biggest challenges. In Defense, Medical and Banking domains, the security over wireless medium should be high. SMS4-BSK is designed to provide a faster encryption with the required security over Wireless Local Area Network (WLAN). A novel SMS4-BSK architecture is proposed in this paper. The new design is implemented in Kintex 7 FPGA and it is proved that the new architecture can perform encryption and decryption faster than the existing SMS4 architectures. The proposed cryptosystem is capable of resisting cryptanalysis over Ciphertext-only attack, Known-plaintext attack, Chosen-plaintext attack, and Chosen-ciphertext attack. Finally, the possible ways of changes that can be made for improving speed are discussed.