2005 Wireless Telecommunications Symposium

Lightweight Packet Authentication in IEEE 802.11

KeunSoon Lee, HyoJin Kim, and JooSeok Song
Dept. of Computer Science, Yonsei Univ,
{ soonlee, hyojin, jssong] @emeraLd.yonsei.ac.kr

Abstract
Due to the lack of security in IEEE 802.11b, 1EEE
802.I I i that can provide strung secun.9 is proposed.
However, most users use WLAN (Wireless Local Area
Networks) to do web-sutjing so that 1EEE 802. I I i has
needless de1u.w and computational overheads. And
eveti though the rtode authentication is performed in
wireless domain between !jtatiun (STA) ami Access
Poirit (AP) in IEEE 802.1 I, rhe nialicious iiode can
masquerade itself as if the authenticated STA, and then
it can transmit puckers to the AP. Although TKiP
(Temporul Key Integrity Protocol) and CCMP (CTR
with CBC-MAC Protocol) w e used in IEEE 802.lli,
they huve treedless features for device with limited
abilip. Therefi)re, iu this paper, she Lightweight
Packet Authenticdm (LIPA) is proposed arid whose
pelformance is compared with those of TKIP und

CCMP.

1. Introduction
Even though IEEE 802.lIb [I] is a popular
technology and have been studied since wireless
networks are developed, it has still some security
vulnerabilities [2] so that IEEE 802.1 l i [3] is proposed
to provide higher security for WLAN (Wireless Local
Area Network). IEEE 802.1 l i can provide higher
security, but it has a lot of delays and computational
overheads for do that. So it is not suitable for mobile
equipments which have limited battery and computing
power. Most users use WLAN simply to do websurfing with short time delay [4], while the Internet
banking needs higher security.
in wireless environments including IEEE 802.1 1,
the first-hop [5] of between Station (STA) and Access
Point (AP)is implemented by the wireless equipments
as shown in Figure I ; therefore, anyone can attach to
AP without any special physical line. The node
authentication is needed to check whether
authenticated users or not, but an opponent can pretend

to be an authenticated STA and sends packets to AP.

Thereby, AP needs to check whether the arrived
packets are from the authenticated STA or not. This
procedure is called to the packet authentication.
For the packet authentication, IEEE 802.1 li uses
TKIP (Temporal Key Integrity Protocol) and CCMP
(CTR with CBC-MAC Protocol) [3]. Because TKLP is
based on WEP (Wired Equivalent Privacy) [2] of IEEE
802.1 l b security, it does not change the hardware but
is more vulnerable than CCMP in the related message
attack [3] [6]. CCMP can provide higher security, but
it has to replace the hardware and a lot of overhead. In
addition, TIUP and CCMFj encrypt the encrypted
packet for end-to-end security again, they have very
long delays.
In this paper, the Lightweight packet authentication
(LIPA) is proposed to have lower overhead for simple
web-surfing in IEEE 802.1 li. In Section 2, TKIP and
CCMP of the packet authentication in IEEE 802.1 l i
are briefly introduced, and in Section 3, the operation
of LIPA is specifically described. In Section 4, the
security and performance of LIPA are compared with
those of CCMP. Finally, Section 5 concludes this
paper.

2. Packet Authentication in IEEE 802.11i

2.1. Temporal Key Integrity Protocol (TKIP)
TUP is one of the access control mechanisms in
IEEE 802. I l i and made for the node using not CCMP
but WEP. TIUP can be easily implemented by
updating the firm-ware without replacing the
hardware, but it is much weaker than CCMP in attacks
131

[a

0-7803-8856-91051$20.00 02005 LEEE.

268

flA

<

~p

Router

Intcrnct

Router

Destination

TA

M+LA+Mh+

First-hap

End-bEnd security

>

bend MSW DATA

FrugmenMlsl

MIC key

MSDU + MIC

Figure 1 First-hop and End-to-End Security.

As Figure 2, TKlP is performed as followings 131:
1) Source calculates the Michael using SA (Source
Address), DA (Destination Address), priority, plaintext
of the MSDU (Medium Access Control Service Data
Units), and M K (Message lntegrity Code) key.
2) After appending the calculated Michael to the
MSDU, the MSDU is partitioned into several MPDU
(Medium Access Control Protocol Dala Unit).
3) After increasing TSC (TIUP Sequence Counter)
and appending to each MPDU, it is encrypted by WEP
and then it is sent to the receiver.
4) The receiver collects the MPDUs, which have
the same 1V (Initialization Vector) separated by one
MSDU. After that, the MSDU that has not a valid MIC
is discarded after h e Michael is calculated.
5) If the invalid Michael is calculated twice in 60
seconds, TIUP cannot receive any data so that the
opponent cannot try to several forgery attacks.

Figure 2 TKlP EncapsulationBlock Diagram.

4-1) By encrypting the first block (16 octets) of
the plaintext MPDU using AES, IV of CBC mode
is generated.
4-2) After partitioning the blocks of MPDU
header and plaintext MPDU data, the blocks are
used by AES operation of CBC-MAC mode.
4-3) From the result of 4-2 step, the next block
is exclusive OR (XOR) and AES operation.
4-4) 4-2 and 4-3 steps are performed until no
more separated blocks are remained.
4-5) The MIC of the result 4-4 step is appended
to the plaintext MPDU.
5) Using the plaintext MPDU with appending
MIC, TK, and the counter of MPDU, the encrypted
MPDU is calculated.
5-1) The CTR Preload is generated by 1-byte
flag, I-byte Quality of Service (QoS) information,
6-byte address field, 6-byte PN, and 2-byte counter.
5-2) AES operations are performed using the
CTR Preload.
5-3) After partitioning the plaintext MPDU with
MIC to blocks (I6 octets), the ciphertext block is
generated by XOR with the result of AES.
5-4) Until the remaining blocks, 5-2 and 5-3
steps are repeated.
5-5) The encrypted MPDU is obtained by
connecting to the ciphertext blocks of plaintext
MPDU.

TKIP contains TSC variables to prevent the repIay

attack. Therefore, the repeating in a session is
prevented when MPDU is sent. The receiver discards
MPDU, which has smaller TSC than the contained
replay counter. In addition, the receiver calculates the
1V of WEP using TSC.

2.2. CTR with CBC-MAC Protocol (CCMP)

CCMP is a method of lEEE 802. I l i to provide
confidentiality, authentication, integrity, and replay
protection using CCM (Counter with CBC-MAC) of'
AES (Advanced Encryption Standard).

Although CCMP cart provide higher security than

TIUP, it has a lot of overhead and has to replace the
hardware. In addition, it is a lot of delays siace the
encrypted packet for the end-to-end
encrypted again.

As Figure 3, CCMP is performed as followings [3]:

1) The sender increases the PN (Packet Number)
when sending the MPDU. Because PN is not
repeated in a session, the replay attack can be
prevented.
2) The header of MPDU generates AAD
(Additional Authentication Data) so that it can
prevent the replay attack to other receivers.
3) The nonce is calculated by I",A2 (Address 2),
and priority of MPDU.
4) The MIC is calculated by TK (Temporal Key),
PN, AAD, and nonce.

security is

3. Lightweight Packet Authentication

(LIPA)
In this Section, we proposed the Lightweight Packet
Authentication (LIPA) which has less overheads and
shorter delays than TKIP and CCMP. LIPA has to be
used when it does not need higher security such as
web-surfing because it does not encrypt the packet for
fast communications.

269

MPW

Kcyld

F2

Plaintex1

x,

= (TK)Z

0
i= 1

CCMP
huwlcr

Figure 3 CCMP encapsulation block diagram.

3.1. Assumption of LIPA

In LIPA, the sender and the receiver are chosen due

to the packet movement. Thus, when STA sends
packets to AP, STA is the sender and AP is the
receiver; otherwise is reversed.
LIPA has following assumptions and the preoperations:
1) The sender and the receiver authenticate each
other by using the authentication method of IEEE
802.1l i [3] and share the same session key.
2) When the session is started, the sender and the
receiver perform the followings:
2-1) TK is computed using the session key.
2-2) As shown in Figure 4, TK is caIculated by
the seed of the BBS (Blum-Blum-Shub) [73
generator.
2-3) The 1024-byte Authentication Stream is
generated.

L*/2,z'
I

:Authenticah

Figure 4 flowchart of the BBS generator.

The sender performs the packet authentication
generation procedure for the packet authentication as
shown in Figure 6.
Packet Authentication Generatkm Procedure

1) The SKey value is generated by the AES

operation with the sending packet's Sequence Number
field value of TK as a key.
2) As Figure 5, the sender selects the 8-byte
AStream which starts with the spot of SKey in
Authentication Stream. For example, if SKey is I , the
8-byte AStream is seIected by the starting with the first
bit of the Authentication Stream.
3) The calculated AStream is appended to the
packet and transmitted. Equation (1) is described the
generation procedure

The Procedures of the Packet

A uthentication
0
First of all, h e sender makes the IEEE 802.1 1
packet without considering the packet authentication.
in the header of this packet, the Sequence Number
(SN) field of the Sequence Control field is contained to
the packet authentication as shown in Figure 5 . Both
STA and AP maintain the single modulo 4096 counter
[ I ] and increase the counter whenever they send a
packet. Each packet contains the Sequence Number

3.2.

$Key = AES(Seqi4enceNumber TK)

Authenticatiun Stream = BBS(TK)
A StreanlS,~U'"C,N~"hpT(8byteS)
= Authentication Stream(SKey)

field.

Sending packet
= original packet 11
AStreamSeqrrcnceNumber

Equation (1)
On receiving the packet, the receiver checks the
packet authentication by the packet authentication
verification.
Generally, iEEE 802.11 does not support the
reordering mechanism of the unicast packet. The
receiver checks out the Sequence Number of the
receiving packet, and the packet is discarded if it is

270

Even though LIPA authenticates the origin of

messages because it does not encrypt the packet's
contents, it cannot provide confidentiality. Therefore,
LIPA is very suitable for having the less security
constraints such as web-surfing in wireless
environment, which has limited battery and computing
power and needs high speed.

not the next of the received packet just before. From

the procedure, the replay attack can be prevented.

4. Performance Analysis
i
Fram

Cimtrol

Duration A d d m
nD
1

Addrcw

Addm

Sequence

Control

AE3
m

Add-

Pxket

"S

Figure 6 Packet Authentication Generation

Procedure of LIPA.0
In this Section, the LPA's security and
authentication speed are compared with those of T U P
and CCMP when the wireless environment does not
need higher security.

Figure 5 Medium Access Control packet

header of IEEE 802.11.
One of the advantages of LIPA is that AStream
can be pre-calculated before the packet is generated.

In case of T U P and CCMP, the tag is calculated by

the sending packet, so the encapsuhtion is performed
only after the packet is generated. Thus, to transmit the
packe!, each node has to wait not only for generating
the packet but also for calcuhting TKIP or CCMP.
However, in LIPA, each packet's AStream can be
pre-computed before the packet is generated; there is
no delay for LIPA computation. From that reason, the
more the packets are being sent per each session, LIPA
tends to be faster than TIUP or CCMP.
LIPA also reduces overhead of AES operation. If
the 58 bytes-message is authenticated by CCMP and
LIPA, seven times of AES operation are needed for
making MIC and five times of AES operation are
needed for encrypted MPDU in CCMP. However,
LIPA needs AES operation only once to generate
SKey regardless of message length. As the longer
message length, the number of times of AES operation
is very different.
Finally, hardware replacements are not necessary
for operating LIPA. CCMP must replace hardwares for
AES operation, because CCMP calculates a lot of AES
operation per a packet to encrypt a whole message.
LIPA uses AES operation like CCMP, but LIPA uses it
only once per a packet so that il does not have an great
effect on calculation speed weather there is hardware
for AES operation or not. If LIPA operates under
CCMP base, it can use AES hardware; otherwise,
LIPA uses only software implements to calcuIate AES
operation under based on TKLP.

4.1. LIPA's Security

4.1.1. Security against the Replay Attack.
Generally, the unicast packet of IEEE 802.1 I does not
support the reordering, and the sender does not
transmit any packets without receiving the ACK
(Acknowledgement) [ 11.
Therefore, the packet with the larger Sequence
Number cannot reach to the receiver before the packet
with the smaller Sequence Number. In addition, the
Sequence Number is not repeated in a session as PN of
CCMP and LIPA, and it.uses Sequence Number field
of the packet header. From the reason, LIPA can
protect the replay attack.

4.1.2. Security against the Brute-force Attack.

T U P uses various schemes to improve the weakness
of WEP. The length of WEP seed becomes 128 bits,
much Iarger than that of the initial WEP seed of 40 bits
or 104 bits. But the length of 1V is not larger than that
of the initial WEP IV. So TKIP has the same flaw of
initial WEP that IV for each packet can be overlapped
because the selection space of 1V is too small. In this
case, TKIP is vulnerable to brute-force attack.
The symmetric key encryption aIgorithm usually
has less computational overheads than the public-key
encryption algorithm [8]; it is suitable for the wireless
equipment with limiting battery and computing
capacity. However, the most famous symmetric key

27 1

Figure 8 Cumulative Delays per Number of

Packets per a Session.
.-0
.--.~

encryption algorithm, DES (Data Encryption Standard)

has onIy 56-but key so that we can use only 7.2 x 1016
keys on average. Thus, it is very weak for the bruteforce attack and the known-plaintext attack. AES is
developed from DES. The security Q ~ A E depends
S
on
the complexity of the round key expansion and has
128-bit key. Therefore, it is not vulnerable to the bruteforce attack in current computing environment [XI.

. X ^

~"

/ Start bit of Asham: %byte

,,

,,

,.

,.

.,

.,

..............................................................

~~

Stream
(a) S k e y d

lRZbhwk
-,--

Authmtication

__L1_(
[77 ..*1 -

End bit of AS-:

&byte

...
I

Stream

Figure 9 Delays per Number of Packets per a

Session.
4.2. The Packet Authentication Speed and

(b) SkeySIOI

Figure 7 Authentication Stream Selections.

LLPA operates AES key expansion only using SKey
because AES encryption algorithm for the message
encryption has larger overheads. Therefore, it has less
computational overheads than CCMP, which encrypts
AES by the message itself and key. In addition, AES

Overhead of LIPA
Because CCMP encrypts message itself and key
using AES operation, it has larger overheads for the
packet authentication and longer delays, so that it has
slower speed, especially when the message is very long
and many messages. On the other hand, LIPA encrypts
only SKey by AES and uses simple shifting operation
so that it has much less overheads and higher packet
authentication than CCMP.
Figure 8 shows the cumulative delay as the
transmitted number of packets in a session. As the
number of transmitting packets is getting larger, LIPA
has less delay. The message length is assumed to be
260 bytes.
The delay per the number of transmitting packet in
a session is shown in Figure 9. LIPA has less delay
than CCMP because CCMP, has longer operation
delays than LIPA. LIPA needs once AES operation per
a message.

has the high computational efficiency in computation.

Therefore, LIPA is suitable for the high-speed
application.

4.1.3. Security of Authentication Stream.

Because BBS PRBG (Blum-Blum-Shub Pseudo
Random Bits Generator) is a one-way function through
the statistical test [9], an opponent cannot recover the
whole of Authentication Stream in a valid time even
though he can obtain several AStreams.
Even though an opponent recovers Authentication
Stream, he cannot know SKey without TK. Because
SKey is obtained by AES, an opponent cannot know
TK even though he obtains SN (Sequence Number) by
sniffing the packet.

272

wireless environment, AP needs the packet

authentication for checking that the receiving packet is
from the authenticated STA.
Therefore, this paper proposed LIPA to provide less
overheads and delays to the wireless equipment and
packet authentication between AP and STA, And then,
the security and performances of LIPA are compared
with those of CCMP.

6. References
[ I ] "Networks-specific Requirements-part I I: Wireless Lan
Medium Access Control (MAC) And Physical Layer (PHY)
Specifications, " IEEE STD 8UZ.lI-1997,Nov. 18, 1997, pp.

i-445.
[2] N. Cam-Winget, R. Housley, D.Wagner, and J. Walker,
"Wirelcss networking security: Security flaws in 802.1 I data
link protocols, '' Communicutions of tlir ACM, May 2003,
vol. 46, no. 5, pp. 35-39.
[3] "IEEE Standard for Infomation technologyTelecommunications and information exchange between
systems- Local and metropolitan area networks- Specific
requirements Part 1 I: Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) specifications
Amendment 6: Medium Access Control (MAC) Security
Enhancements, " IEEE Std 802.I I i-ZOW, 2004, pp. 0-1- 175.
[4] Korea Internet Information Center, "The end of 2003
state of informal report (Summary)," M i n i s f q ufInfurnzirriun
and cvmrnunication republic uf Korea, site ut:
hrrp://www.mic.go.kr/noticr/ind~.~-view.j~p
?idx=3400&puge
-no= I&node=&FetOption= &kevword=.

Figure 10 shows the cumulative delay of message

length. CCMP has many times of AES operation per
message length, but LIPA has the same delay even
though the message length i s very long because LIPA
does not include the message to the operation.
Figure 1 1 shows the delay per message length bytes.
Even though message length is longer, CCMP has
longer delay per a byte than LIPA.

[ 5 ] L. Qiu, V. Bahl, and A. Adya, "The Effect o f First-Hop

Wireless Bandwidth Allocation on End-to-End Network
Performance," Proceeding of the l2rh lntemutianal
Workshop on Network and Operating Systems Support for
Digifal Audio and Video (NOSSDAV), Miami Beach, FL,
May 2002.

[6] A. Wool, "A Note on the Fragility of the "Michael"

Message Integrity Code," IEEE Transnctiuns on Wireless
Cummunicaiirms, Sep. 2004, vol. 3, no. 5, pp. 1459-1462.

5. Conclusion

[7]

L. Blum, M. Blum, and M. Shub, "A Simple

Unpredictable Pseudo-Random Number Generator," SIAM

From the wireless equipment, which has limited

battery and computing capacity, lEEE 802.1 l i has
much higher overheads and delays. In addition, the
previous LEEE 802.1 l i packet authentication methods
encrypt the encrypted packet for end-to-end security
for authenticating the AP and STA so that it has longer
delays.
Even though the node authentication for checking
the authenticated user between AP and STA, any one
who can aitach the AP because of the property of the

Juumal on Computing, vol. 15, no. 2, 1996, pp. 364-383.

[S] W. Stallings, Cqptogruphp und Network Security
Principles and Practice, Prentice Hall, 2nd ed., 1999, pp. 7475.

191 A. Menezes, P. van Oorschot, and S. Vanstone,

Hundbauk of Applied Cvptography, CRC Press Inc., 1st ed.,
1997, pp. 175- 184.

273