© 2004 Matt Welsh – Harvard University

CS263: Wireless Communications and Sensor Networks
Matt Welsh
Lecture 5: The 802.11 Standard
October 7, 2004

Today's Lecture

All about 802.11
CSMA/CD MAC and DCF
WEP and 802.1x Security

802.11 / WiFi

IEEE working group 802.11 formed in 1990
● Now the most popular and pervasive Wireless LAN standard
[Figure: distribution system, basic service set, access point]

Infrastructure vs. Independent Mode

Independent mode: Nodes communicate directly with each other
Infrastructure mode: All communications must be relayed by access point

Extended Service Set Model

[Figure: distribution system; create association; propagate association information]
[Figure: distribution system with nodes A and B; transmit to node B]
Entire ESS looks like a single virtual LAN!

Distributed Coordination Function

802.11 uses a variant of CSMA
● Called the Distributed Coordination Function (DCF)
● Access point controls when nodes can transmit.
● No collision detection – rather, collision avoidance (CSMA/CA)
Recall CSMA:
● Before a node transmits, it listens for activity on the network
● If medium is busy, node waits to transmit
● After medium is clear, don't immediately start transmitting...
● Otherwise all nodes would start talking at the same time!
● Instead, delay a random amount of time (random backoff)

DCF Illustrated

[Figure: timing diagram of sender and receiver over time: channel busy, wait, backoff, transmit, ACK, backoff, transmit, ACK; interframe space (IFS)]

Exponential Backoff

ACK-based scheme for reliability
● Receiver sends ACK after each successful transmission
● Sender will retransmit if no ACK is heard, after waiting for a random interval
Binary exponential backoff
● First backoff interval between [0 ... 31] time slots
● If collision occurs, new backoff interval chosen between [0 ... 63] slots
● Repeat until backoff interval reaches [0 ... 1023] slots.
Why increase the backoff interval each time???

SIFS and DIFS

[Figure: timing diagram of sender and receiver: channel busy, wait, backoff, transmit, ACK, backoff, transmit; intervals labelled SIFS and DIFS]
802.11 provides four different interframe spacing times
● Provide different traffic “priorities”
Standard IFS time is the “Distributed IFS” (DIFS)
“Short IFS” (SIFS) used for higher priority frames
● e.g., ACK packets from AP back to a node
● Allows ACKs to “sneak in” before contention period begins

Fragmentation and Reassembly

[Figure: timing diagram of sender and receiver over time: channel busy, wait, backoff, RTS, CTS, transmit frame 0, ACK, transmit frame 1, ACK, backoff]
Long messages broken into multiple frames
● Node can transmit next frame in a sequence immediately after receiving ACK
● But, must do backoff before sending next message
Transmitter “reserves the channel” using request to send (RTS)
● Receiver transmits clear to send (CTS) to initiate transmission of long message

Hidden Terminal Problem

[Figure: nodes A, B and C]
Node C is not aware of Node A's transmissions!
● Collisions can occur at Node B
Solution: Network Allocation Vector (NAV)
● Each message includes length of time other nodes must wait to send
● Node B's CTS to Node A can be heard by Node C
● CTS will prevent Node C from transmitting before Node A is done

802.11 Standards

Standard   Frequency        Data rate   Range                      Notes
802.11b    2.4 GHz, DSSS    11 Mbps     ~300 feet, ~100' indoors   Widely deployed and inexpensive
802.11g    2.4 GHz, O-FDM   54 Mbps     < 802.11b                  Backwards compatible with 802.11b
802.11a    5 GHz, O-FDM     54 Mbps     ~80 feet                   Uses UNII band, products emerging now

802.11b PHY

Original 802.11 standard used Frequency Hopping, G-FSK
● Divide 2.4 GHz band into 78 channels, 1 MHz wide
● Dwell time of 390 ms per channel
● 26 different, fixed (globally known) hop sequences
802.11b standardized on DSSS with Q-PSK modulation
● 8-bit Complementary Code Keying (previous lecture)
● Band divided into 14 channels, 5 MHz wide each
● However, DSSS energy spread over a 22 MHz band!!!
● This means that not all channels can be used simultaneously.
[Figure: Channel 1, Channel 6, Channel 11; 25 MHz]

802.11 Security: WEP

Wireless networks are inherently a broadcast medium!
● It is easy to intercept transmissions between end hosts
● Compare to wired systems: Must physically tap into the wires
● Nightmare for companies: Hacker in the parking lot with a laptop
Wired Equivalent Privacy (WEP)
● Rather than provide 802.11 with a truly robust security solution, goal was to prevent “casual” snooping
● Problem: WEP was developed from scratch by a closed committee, standard not readily accessible for review by researchers
WEP relies on a secret key being shared by end hosts and APs
● Traffic between nodes is encrypted using this key
● Requires key to be distributed in some fashion by system admins
● Makes it very difficult to change the key later!

WEP Weaknesses

In 2001, researchers at UC Berkeley demonstrated that WEP was vulnerable to a range of attacks
● 40-bit encryption keys are susceptible to brute force attacks
● WEP reuses portions of the random “keystring” making analysis possible
● Attackers can modify contents of frames without necessarily decrypting them
Not long afterwards, WEP cracking software was demonstrated
● Adam Stubblefield, Rice undergrad doing internship at AT&T, wrote the code in less than a week on a Linux laptop
● Open source AirSnort software now widely available
● Can recover a WEP key after intercepting 5-10 million packets
Bottom line: Don't depend on WEP!
● “WEP is so flawed that it is not worth using in many cases.” -- Matthew S. Gast, 802.11 Wireless Networks: The Definitive Guide

What to do?

Industry is working on solutions based on new 802.1x standard
● This is not without its problems, however
Better solution: End-to-end security
● Don't depend on underlying network infrastructure to ensure security
● Rather, perform authentication and encryption at the application level
Common solution: SSL/TLS protocol
● Same protocol used by Web browsers to talk to secure Web servers
● Provides a range of authentication and
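
Added example (not part of the lecture): the two structural problems listed on the WEP Weaknesses slide, keystream reuse and frames that still pass the integrity check after modification, reproduced on a simplified WEP frame (3-byte IV, RC4 keyed with IV || key, CRC-32 check value). The key, IV, payloads and function names are constructed for illustration, and HMAC-SHA-256 is used here as a stand-in keyed integrity check that the slides do not name.

```python
import hashlib, hmac, zlib

def rc4(key: bytes, n: int) -> bytes:                 # first n keystream bytes
    s, j = list(range(256)), 0
    for i in range(256):                              # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                                # keystream output
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:                        # WEP check value: unkeyed CRC-32
    return zlib.crc32(data).to_bytes(4, "little")

def wep_seal(iv: bytes, key: bytes, data: bytes) -> bytes:
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))   # IV is sent in the clear

def wep_open(key: bytes, frame: bytes):
    body = xor(frame[3:], rc4(frame[:3] + key, len(frame) - 3))
    return body[:-4] if icv(body[:-4]) == body[-4:] else None

def tag(mac_key: bytes, frame: bytes) -> bytes:       # keyed check, for contrast
    return hmac.new(mac_key, frame, hashlib.sha256).digest()

KEY, MAC_KEY, IV = bytes.fromhex("0102030405"), b"constructed-mac-key", b"\x00\x00\x2a"
P1, P2 = b"seq=0001 temp=21.5", b"seq=0002 temp=19.0"  # constructed payloads

def reuse_leaks_xor() -> bool:
    """Same IV + same key => same keystream, so C1 ^ C2 equals P1 ^ P2."""
    c1, c2 = wep_seal(IV, KEY, P1)[3:], wep_seal(IV, KEY, P2)[3:]
    return xor(c1[:len(P1)], c2[:len(P2)]) == xor(P1, P2)

def modified_frame_checks():
    """XOR a delta into the ciphertext; CRC linearity keeps the ICV valid."""
    frame = wep_seal(IV, KEY, P1)
    delta = xor(P1, b"seq=0001 temp=91.5")
    fix = xor(icv(delta), icv(bytes(len(delta))))     # crc(a^b) = crc(a)^crc(b)^crc(0)
    altered = frame[:3] + xor(frame[3:], delta + fix)
    mac_rejects = not hmac.compare_digest(tag(MAC_KEY, frame), tag(MAC_KEY, altered))
    return wep_open(KEY, altered), mac_rejects
```

The receiver accepts the altered frame because the CRC-32 check value is linear and unkeyed; the keyed tag over the same frame no longer matches.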
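
Added example (not part of the lecture): a small slotted-contention simulation for the question posed on the Exponential Backoff slide, comparing a window fixed at [0 ... 31] with one that doubles up to [0 ... 1023]. The contention model (each station sends one frame, counters freeze while the channel is busy), the station counts and the function names are assumptions.

```python
import random

def contend(n_stations: int, cw_max: int, rng: random.Random) -> int:
    """Count collisions until every station has delivered one frame.

    Windows start at [0, 31] slots and double after each collision up to
    [0, cw_max]; cw_max=31 models a window that never grows.
    """
    cw = [31] * n_stations
    counter = [rng.randint(0, 31) for _ in range(n_stations)]
    waiting = set(range(n_stations))
    collisions = 0
    while waiting:
        low = min(counter[s] for s in waiting)
        senders = sorted(s for s in waiting if counter[s] == low)
        for s in waiting:                  # idle slots count down for everyone
            counter[s] -= low
        if len(senders) == 1:              # lone transmitter: frame is ACKed
            waiting.remove(senders[0])
        else:                              # overlap: no ACK, back off again
            collisions += 1
            for s in senders:
                cw[s] = min(2 * cw[s] + 1, cw_max)
                counter[s] = rng.randint(0, cw[s])
    return collisions

def mean_collisions(n_stations: int, cw_max: int,
                    trials: int = 200, seed: int = 263) -> float:
    """Average collision count over seeded trials (seed is arbitrary)."""
    rng = random.Random(seed)
    return sum(contend(n_stations, cw_max, rng) for _ in range(trials)) / trials

if __name__ == "__main__":
    for n in (5, 20, 50):
        print(n, mean_collisions(n, 31), mean_collisions(n, 1023))
```

With many contenders the fixed window keeps stations that collided packed into the same 32 slots, while doubling spreads them out and lowers the collision count.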