802.11i and wep
Last Post: October 19, 2006:
Hi Fmedina:
You quote from section 7.3.2.25 which describes what is permissible regarding the contents of an RSN information element. The RSN information element is used in both RSNs and TSNs.
"3.126 robust security network (RSN): A security network that allows only the creation of robust security network associations (RSNAs). An RSN can be identified by the indication in the RSN information element (IE) of Beacon frames that the group cipher suite specified is not wired equivalent privacy (WEP)."
"3.156 transition security network (TSN): A security network that allows the creation of pre-robust security network associations (pre-RSNAs) as well as RSNAs. A TSN can be identified by the indication in the robust security network (RSN) information element of Beacon frames that the group cipher suite in use is wired equivalent privacy (WEP)."
When used in TSNs, some older non-AP stations may not be able to read this information, and their security configuration will be controlled instead by legacy WEP configuration methods. Typically, this means one WEP key used by the station to decrypt both unicast and multicast frames arriving from the AP and to encrypt unicast frames directed to the AP.
To support these legacy stations, the RSN equipment agrees through its exchange of RSN information elements to use the same WEP cipher suite for its group cipher suite and to use the same WEP key, installed in the same old way, to encrypt and decrypt multicast frames. Additionally, the APs use this cipher suite and WEP key to encrypt unicast frames destined for the WEP stations.
The rest of the time, the RSN-capable equipment uses the list of pairwise cipher suites and AKM (authentication and key management) suites for its security associations. These include TKIP, CCMP, and the exotic "use group key" for pairwise ciphers, and 802.1X, PMKSA caching, and PSK for AKM. While there is no choice of WEP here, the stations capable of no more than WEP never notice as they go merrily on their WEP way.
IEEE provides no way for WEP keys to be derived from 802.1X or the 4-Way Handshake. Fingers and client utilities are the order of the day, supplemented perhaps by vendor-proprietary automation.
The designer of a BSS must decide what the TSN policy is going to be. If a legacy WEP station is going to be allowed to join, then all RSNA-capable equipment must use a WEP group cipher and a common, manually installed WEP key from the get-go. Ugh.
I hope this helps. Thanks. /criss
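To make the RSN-versus-TSN distinction in the quoted definitions concrete, here is an added example (not part of the original post) that parses the RSN information element from a Beacon frame and classifies the network by its group cipher suite. The two sample IEs are constructed, not captured; the suite selector values are the standard 00-0F-AC ones from 802.11i.

```python
import struct

# Suite selectors carry the IEEE OUI 00-0F-AC followed by a one-byte suite type.
OUI = bytes.fromhex("000fac")
CIPHER_SUITES = {0: "use-group", 1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKM_SUITES = {1: "802.1X", 2: "PSK"}
RSN_ELEMENT_ID = 48


def _suite_name(selector, table):
    """Map a 4-byte suite selector to a name; vendor OUIs are reported raw."""
    if selector[:3] != OUI:
        return "vendor:" + selector.hex()
    return table.get(selector[3], "reserved:%d" % selector[3])


def _read_suite_list(body, off, table):
    """Read a little-endian 16-bit count followed by that many 4-byte selectors."""
    if len(body) < off + 2:
        raise ValueError("truncated suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    end = off + 4 * count
    if end > len(body):
        raise ValueError("truncated suite list")
    return [_suite_name(body[i:i + 4], table) for i in range(off, end, 4)], end


def parse_rsn_ie(ie):
    """Parse element ID, length, version, group cipher, pairwise list, AKM list, caps."""
    if len(ie) < 8 or ie[0] != RSN_ELEMENT_ID or len(ie) != ie[1] + 2:
        raise ValueError("not a well-formed RSN information element")
    body = ie[2:]
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN IE version %d" % version)
    group = _suite_name(body[2:6], CIPHER_SUITES)
    pairwise, off = _read_suite_list(body, 6, CIPHER_SUITES)
    akm, off = _read_suite_list(body, off, AKM_SUITES)
    caps = struct.unpack_from("<H", body, off)[0] if len(body) >= off + 2 else 0
    return {"group": group, "pairwise": pairwise, "akm": akm, "capabilities": caps}


def classify_network(ie):
    """TSN (legacy WEP stations admitted) if the group cipher is WEP, else RSN."""
    info = parse_rsn_ie(ie)
    return ("TSN" if info["group"] in ("WEP-40", "WEP-104") else "RSN"), info


# Constructed sample Beacon IEs: a TSN using WEP-104 as group cipher, and a pure RSN.
TSN_IE = bytes.fromhex("3018" "0100" "000fac05" "0200" "000fac02" "000fac04" "0100" "000fac01" "0000")
RSN_IE = bytes.fromhex("3014" "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")
```

A legacy WEP-only station never parses this element at all, which is exactly why the manually installed WEP key in the TSN case has to match on both sides.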