802.11w Protected Management Frames (PMF)

-

802.11w Protected Management Frames


Why?

As you are aware that Management Frames are not encrypted in WLAN networks and this causes WLAN networks to be vulnerable to Denial of Service Attacks (DoS). Let us see a few of the Denial of Service attacks which Attackers can use to disrupt few or all of the users in a WLAN network.

DoS Attacks
Following frames can break the existing wireless connection (without PMF support) and will lead to Denial of Service attack.
Sending Deauth or Disassoc notification to AP
Sending (Re) Association request to AP.
Sending Auth frame to AP.
Sending Deauth or Disassoc notification to Station
Sending Channel switch announcement to Station.


How to solve the problem?

Once the 4 way Handshake is done, the AP and the STA have the PTK and GTK to encrypt data. The same keys can now be used to encrypt Management frames to provide a certain level of Protection against DoS Attacks.

Access Point and the Station both needs to have support for 802.11w for it to work. 802.11w can either be made "Optional" or "Mandatory" for clients.
With Optional, both 802.11w supported and non supported clients can connect to the AP, whereas,
With Mandatory, only 802.11w supported clients can connect to the AP.

Once 802.11w is enabled in the AP, it will advertise this in the RSNIE. There are 2 fields for PMF:

If 802.11w is supported by access point then "Management Frame Protection Capable" field is set.
If 802.11w is configured as mandatory then "Management Frame Protection Required" field is set.

Note: Since this information is in RSNIE, it makes it very clear that 802.11w is supported by only WPA2 clients (both Personal and Enterprise). Even Open Network does NOT support PMF

How is the Encryption done on Management Frames?

These are the mechanisms used to protect unicasts as well as multi-/broadcasts:

Unicast Management Frames:

  • Use same PTK as for data frames
  • Protect the previously unencrypted frame header via additional authentication data (AAD)
  • Extended AES-CCM to handle unicast management frames
  • Separate Receive Sequence Counter (RSC) for replay protection
Broad-/Multicasts Management Frames:

  • Use new Integrity Group Temporal Key (IGTK) received during WPA key handshake
  • New Algorithm: Broadcast Integrity Protocol (BIP)
  • New Information Element: Management MIC IE with Sequence Number + Cryptographic Hash (AES128-CMAC based)
Here is an example for a protected and valid Disassociate with the protected flag set and a valid management sequence counter:


Great Attack Scenarios Explained:

This Blog will give you a better Understanding of how 802.11w can protect against attacks:


Comments

  1. Unknown24 February 2020 at 21:56

    Did you hear there's a 12 word phrase you can speak to your crush... that will trigger intense emotions of love and impulsive attractiveness for you buried inside his chest?

    That's because hidden in these 12 words is a "secret signal" that fuels a man's instinct to love, worship and care for you with all his heart...

    ====> 12 Words Will Fuel A Man's Love Response

    This instinct is so built-in to a man's genetics that it will drive him to work harder than before to build your relationship stronger.

    In fact, triggering this all-powerful instinct is absolutely essential to achieving the best ever relationship with your man that the second you send your man one of the "Secret Signals"...

    ...You will soon notice him expose his mind and soul for you in a way he never expressed before and he'll distinguish you as the one and only woman in the universe who has ever truly understood him.

    ReplyDelete

Post a Comment

Popular posts from this blog

Wifi Roaming Techniques : Pre-Authentication, PMK Caching, OKC, Fast Transition - 11r

-
Image
Wifi Roaming Techniques: Roaming is one of the most crucial aspect of Wifi. Roaming in simple terms is Handing off Client connectivity from one Access point to another without losing connectivity. When the Client sees that the RSSI ( signal Strength ) of connected AP is decreasing, the Client does a roam Scan and sees if there are other APs with better RSSI. Once it identifies the better AP, it starts association with this AP. This process is called Roaming. Why is Roaming Important: Wifi is mostly used in devices which are mobile such as mobile phones, Laptops etc. User intend to use these device while moving from one place to another and it is expected that the devices are always connected to wifi and the user can continue his work seamlessly. It would not be desirable that wifi keeps disconnecting and connecting to other Access Point while the user is moving, there should be a way where in the client can remain connected to wifi network while it moves. This issue is add
Read more

Power Saving Techniques

-
Image
Why it is so Important? As you are aware that most of the Wifi Devices are Battery Operated such as Mobile Phones, Laptops etc. It is very important to consider the Power consumed of every component of such devices. If the device drains its battery too often, then it limits it mobility capability. It is very essential to conserve the battery when the device is not using any of such components. For Ex: Screen times out if there is no activity by User. Similarly when there is no active data transfer over Wifi, it is best to put it in a low power consumption mode to avoid Battery Wastage. Basic Mechanism: 1. STA sends out a packet to AP indicating that it is going to sleep mode. 2. AP Start buffering data for the client and indicates that there is data buffered in Beacon. 3. STA wakes up, listens to Beacon and sees if there is any data buffered for it. If no, go back to sleep. If yes, send a packet to AP to say that it is awake and send the buffered data. 4. AP after sending th
Read more