Wireless LANs Abhishek Karnik, Dr. Ratan Guha University Of Central Florida
OVERVIEW Introduction Basics e for QoS WEP
In 1997 the IEEE adopted IEEE Std Defines MAC and PHY layers for LAN and wireless connectivity. Facilitate ubiquitous communication and location independent computing b operates at 11Mbps in the 2.4 GHz ISM Band (‘99) a operates at 54Mbps in the 5 GHz Band (’99) g operates at 54Mbps in the 2.4 GHz Band (’02) Increased deployment and popularity lead to introduction of QoS e for QoS – Draft Supplement – Nov 2002 INTRODUCTION
Wireless LAN Station The station (STA) is any device that contains the functionality of the protocol, that being MAC, PHY, and a connection to the wireless media. Typically the functions are implemented in the hardware and software of a network interface card (NIC). Ex : PC, Handheld, AP (Access Point) Basic Service Set (BSS) defines the Basic Service Set (BSS) as the basic building block of an wireless LAN. The BSS consists of a group of any number of stations BASICS
STA IBSS (Independent Basic Service Set – Ad-hoc Mode) peer-peer connections
AP Wired Backbone Infrastructure Basic Service Set
AP Wired Backbone AP ESS (Extended Service Set) BSS1 BSS2
PCFDCF Super Frame DCF - Distributed Coordinated Function (Contention Period - Ad-hoc Mode) PCF - Point Coordinated Function (Contention Free Period – Infrastructure BSS) Beacon - Management Frame Synchronization of Local timers Delivers protocol related parameters TBTT - Target Beacon Transition Time BeaconTBTT
Distributed Coordinated Function (DCF) Also known as the Contention Period STAs form peer-peer connections. No central authority First listen and then speak Uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance) ACK indicates successful delivery Each node has one output buffer
Inter-Frame Spacing : DIFS - 34 µsec PIFS - 25 µsec ( Used in PCF ) SIFS - 16 µsec Slot Time - 9 µsec DIFS = SIFS + (2 * Slot Time) SIFS required for turn around of Tx to Rx and vice versa
DATA A ACK B ACK DIFSSIFS DIFS CW A Data Transmission from Node A to B CW – Contention Window. Starts only after DIFS. Random number ‘r’ picked form range ( 0-CW ) CW min minimum value of CW CW max maximum value the CW can grow to after collisions ‘r’ can be decremented only in CW CW doubles after every collision
DATA A ACK B ACK DIFSSIFS DIFS CW A What if some node C wanted to send data while A was transmitting data to B ? What about during SIFS ? What if after ACK, more than one say B,C,D,E nodes are waiting to transmit data ?
Example : r A = 4 and r C = 6 DATA A ACK B ACK DIFSSIFS DIFS DATA C What if r A and r C had both been picked as 4 ? What if r A and r C has collided and DATA A length was 10 while DATA C length were 15 ?
DATA A ACK DIFS DATA C SIFS DIFS A Collision between nodes A and C Length (DATA A ) = 10 Slot times Length (DATA C ) = 15 Slot times CW after Collision 1 0 – 7 CW after Collision 2 0 – 15 CW after Collision 3 0 – 31 CW after Collision 4 0 – 63
NAV – Network Allocation Vector DATA ACK STA A STA B STA C ACK DIFS SIFS DIFS NAV B and C
STA A STA B STA C Hidden Node Problem and Exposed Node Problem
RTS/CTS : RTS (Request To Send) - (Approx 20 bytes) CTS (Clear To Send) - (Approx 16 bytes) Use of RTS/CTS is optional Solves two problems : 1.Hidden Node Problem 2.Wastage of time due to collisions Maximum MSDU is 2304 bytes
A C D B RTS CTS Preventing a collision at STA B
RTS STA A STA B STA C STA D CTS DATA ACK NAV New Node DIFSSIFS DIFSCW
Point Coordinated Function (PCF) Also known as the CFP (Contention Free Period) Operation in an Infrastructure BSS STAs communicate using central authority known as PC (Point Coordinator) or AP (Access Point) No Collisions take place AP takes over medium after waiting a period of PIFS Starts with issue of a Beacon
PCFDCF Super Frame BeaconTBTT Beacon Management Frame Synchronization of Local timers Delivers protocol related parameters TBTT - Target Beacon Transition Time
DATAA DIFS SIFSDIFS PIFS B DIFS - 34 µsec PIFS - 25 µsec SIFS - 16 µsec Slot Time - 9 µsec B - Beacon AP taking over the Wireless medium using PIFS
BD1 + Poll U1 + ACK D2 + ACK + Poll U1 + ACK CF_End Operation in CFP CP CFP SIFS
Admission Control Purpose of having separate DCF and PCF Different Working groups a (54Mpbs in 5GHz Band) b (11 Mbps in 2.4 GHz Band) c Wireless AP Bridge Operations d Internationalization e (QoS) f Inter-vendor AP hand-offs h Power control for 5Ghz region g (54Mbps in 2.4 GHz Band) i (Security)
802.11e for QoS QoS (Quality of Service) e for QoS – Draft Supplement – Nov 2002 Introduction of new QoS mechanism for WLANs
PC BSS (Basic Service Set) QBSS (Basic Service Set for QoS) HC ( Enhanced Station ) HCCAEDCAPCFDCF
QoS Support Mechanisms of e : EDCA : Introduction of 4 Access Categories ( AC ) with 8 Traffic Classes ( TC ) MSDU are delivered through multiple back offs within one station using AC specific parameters. Each AC independently starts a back off after detecting the channel being idle for AIFS After waiting AIFS, each back off sets counter from number drawn from interval [1,CW+1] newCW [AC] >= ((oldCW[TC] + 1 ) * PF ) - 1
Prioritized Channel Access is realized with the QoS parameters per TC, which include : AIFS[AC] CWmin[AC] PF[AC] AC_VO [0]AC_VI [1]AC_BE [2]AC_BK [3] AIFSN2237 CWmin3715 CWmax
EDCA Virtual Collision AC1AC2AC3AC4TC
ACK BackOff[AC0] + Frame BackOff[AC1] + Frame BackOff[AC2] + Frame AIFS[AC0] AIFS[AC1] AIFS[AC2] BackOff[AC3] + Frame AIFS[AC3 ] Access Category based Back-offs
Element ID CWmin[AC] CWmin[0]….CWmin[3] CWmax[AC] CWmax[0]….CWmax[3] AIFSN[AC] AIFSN[0]….AIFSN[3] TxOPLimit[AC] TxOP[0]….TxOP[3] QoS Parameter Set Element Format AIFS [AC] = AIFSN [AC] * aSlotTime + SIFS
HCCA ( Hybrid Coordination Function Controlled Channel Access ) Extends the EDCA access rules. CP : TxOP After AIFS + Back off QoS Poll ; After PIFS CFP : TxOP Starting and duration specified by HC using QoS Poll.
HCCAEDCA HC PIFS DATAA AIFSSIFSAIFS PIFS DATA Hybrid Coordinator
802.11e Operation in the CFP Guaranteed channel access on successful registration Each node will receive a TxOP by means of polls granted to them by the HC TxOP based on negotiated Traffic specification (TSPEC) and observed node activity TxOP is at least the size of one Maximum sized MSDU at the PHY rate. Access Point advertises polling list
Traffic Specification (TSPEC) Element ID (1) Length (1) Maximum MSDU size (2) TS info (2) Nominal size MSDU (2) Minimum Service Interval (4) Maximum Service Interval (4) Mean Data Rate (4) Inactivity Interval (4) Minimum Data Rate (4) Maximum Burst Size (4) Minimum PHY Rate (4) Surplus Bandwidth Allowed (2) Peak Data Rate (2) Delay Bound (2)
AC[0]AC[1]AC[2] AIFSN247 CWmin71015 CWmax PF122 Example :
AIFS[AC] = AIFSN[AC] * aSlotTime + SIFS PIFS - 25 µsec ( Used in HCCA) SIFS - 16 µsec Slot Time - 9 µsec AIFS[0] = (2 * 9) + 16 = 34 µsec = DIFS AIFS[1] = (4 * 9) + 16 = 52 µsec (52 – 34) / 9 = 18/9 = 2 Slots AIFS[2] = (7 * 9) + 16 = 79 µsec (79 – 34) / 9 = 45/9 = 5 Slots
Back-off Algorithm : : CW RANGE = [ 0, 2 2+i – 1 ] e : newCW[AC] = [(oldCW[AC] + 1) * PF] - 1 Collision1Collision2Collision3 AC[0][(7+1)*1]-1 = 7 ( ) AC[1][(10+1)*2]-1 = 21 ( ) [(21+1)*2]-1 = 43 ( 0 – 31 ) AC[2][(15+1)*2]-1 = 31 ( 0 – 31 ) [(31+1)*2]-1 = 63 ( 0 – 63 ) [(63+1)*2]-1 = 127 ( 0 – 127 )
WEP (Wired Equivalent Privacy) Optional in WLANS Uses the RC4 (Rivest Cipher 4) Stream Cipher generated with a 64bit/128 bit Key Key composed of 24 bit IV (Initialization Vector) Key = (24 Bit IV, 40 Bit WEP Key) = 64 Bits Key = (24 Bit IV, 104 Bit WEP Key) = 128 Bits Goal to provide authentication, confidentiality and data integrity Secret Key is shared between communicators The encrypted packet is generated with a bitwise exclusive OR (XOR) of the original packet and the RC4 stream. 4-byte Integrity Check Value (ICV) is computed on the original packet and appended to the end which is also encrypted with the RC4 cipher stream. Encryption done only between stations.
Encrypted WEP Frame
Encryption / Decryption : M – Original Data Frame CRC-32 (c) applied to M to obtain c (M) c (M) and M are concatenated to get Plain Text P = (M, c (M)) WEP produces a Key-stream as a function 24 bit IV and 40-bit WEP Key using RC4; equal to the length of P. Key Stream and the Plaintext are XORed to produce the Cipher Text The IV is transmitted in the clear (unencrypted) The receiver uses the IV and the shared key to decrypt the message
Draw Backs of WEP: A number of attacks can be used against WEP Passive Attacks based on statistical analysis Active Attacks based on known plain text WEP relies on a Shared Key to ensure that packets are not modified in transit. There is no discussion on how these keys are distributed and hence usually a single key is used which is shared amongst all STA’s and the AP
Shared Key is long lived – May last a week, month, even a year or more Consider a busy AP which constantly sends packets of length 1500 bytes at 11Mbps Since IV on 24 bits in length and Shared key is unchanged, IV gets exhausted after 2^24 * (1500 * 8) / (11 * 10^6) = secs = 5 hours Lucent wireless cards All in a days work :
PT Key CT CT Key PT XOR : 00 0 01 1 10 0 XORing a Bit with itself gives 0
Sender PT K CT 00 0 01 1 10 1 11 0 Receiver CT K PT 00 0 11 0 10 1 01 1 PASSIVE ATTACK
MSG1 K C ( MSG1 ) MSG2 K C ( MSG2 ) IV repeats generating K Identical K used to encrypt MSG1 and MSG2 Obtain C( MSG1) and C( MSG2) and XOR them XORing causes Key Stream to cancel which yields the XOR of MSG1 and MSG2 i.e. XOR of Plain Text packets This XOR can now be used to apply Statistical Analysis
Example : MSG1 MSG2 MSG1 PT1 K CT1 00 0 01 1 10 1 11 0 MSG2 PT2 K CT2 10 1 01 1 10 1 11 0
CT1 XOR CT2 CT1 CT2 01 1 11 0 00 0 MSG1 XOR MSG2 MSG1 MSG2 01 1 00 0 11 0 Apply Statistical analysis on last three bits and educated guess on the rest
Attacker AP Wired Network Hi xx
Active Attack : Attacker knows exact plain text for one encrypted packet Use this knowledge to construct correct encrypted packet Construct a new message, calculate CRC-32 and perform bit flips on original encrypted packet to change the plaintext to the new message.