How a Device Connects to an AP

How a STA Connects to a BSS

An Overview of the .11 State Machine


A Beacon

These Beacon things keep coming up, and that's because they are probably one of the most important frames in wireless communications. If the STA is not pre-configured with an SSID it should connect to, it will use beacons to learn about the networks in the vicinity. Once that happens, we can begin moving through the connection process, also known as the State Machine.

The .11 State Machine

Below is a diagram of the steps we will go through as we move through the states. I've included pieces of a packet capture I took of my phone connecting to my home network. We will also see the 4-way handshake used by PSK authentication. Without any security in place there are 3 states and 6 frames. With security there is an additional state and 4 more frames for the handshake. .1x adds even more frames, essentially for verifying the client and server identities. We are not including the ACK frames in the counts, but they are present.


Probe Request

The state machine starts with a Probe Request sent by the STA wishing to join a BSS. The request carries the name (SSID) of the BSS it wishes to join, which the STA knows from one of two sources: it is either pre-configured on the STA or learned through Beacons. The STA is the TA/SA and the AP is the RA/DA. If multiple APs are on the same channel they should all send probe responses. If multiple APs with the same SSID exist on different channels, the STA will send requests on each channel and (generally) select the AP with the best RSSI.

Probe Responses

Moving down the machine we are greeted with Probe Responses. These are very similar to Requests in that they carry similar information, but with the capabilities of the AP. Both Requests and Responses can be used to determine compatibility issues or conflicts if a STA fails to join a BSS. Responses differ from beacons, however, in that they do not contain the TIM field, QoS info, Channel reports, FMS Descriptor or the HCCA TxOP count.


Side note on the last two items. The FMS descriptor stands for Flexible Multicast Service and is related to delivering video traffic to multiple clients with varying power (think battery) capabilities. I was only able to find some research papers on the subject, which leads me to believe it is not widely implemented (and possibly not very effective, per this paper). I also found no overview in my CWNA or CWAP books.

HCCA TxOP Count, or HCF CCA, or Hybrid Coordination Function Controlled Channel Access Transmit Opportunity Count, refers to a channel access method that is not implemented in production today. In general this is a channel access method that primarily resides in the AP, allowing it to give itself more opportunities to use the medium. As stated, this method is not used today; we use EDCA, which implements parts of DCF and PCF and gives STAs the ability to send Frame Bursts inside a TxOP, thus allowing QoS to be implemented end to end.

Authentication Request and Response

This is NOT like user authentication (name/password) or other security methods. This is Open System Authentication (OSA), which operates at the link layer. This two-frame exchange starts with the STA sending a request to the desired BSSID and then getting a response from that BSSID indicating success or failure to authenticate. If successful it moves on down the connection process; if it fails, the STA must try again or attempt to join another BSS. OSA is similar to plugging a network cable into a switch. It is used to verify that both devices are compatible .11 radios. OSA is a null authentication because no identity information is exchanged; as stated, it merely verifies each radio's ability to communicate.

Association Request and Response

Similar to Probes, but instead lists out ALL capabilities of the STA and AP. These are sent at the minimum supported basic rate, as learned during the Probing phase. If the Association is successful the STA will receive an Association ID (AID), which is used for the TIM field in DTIM beacons for Power Save functions. This is also the third state of the .11 State Machine. If no other forms of security are required, the STA may now request an IP and move up the protocol stack to begin communications. If additional security is implemented, then we move into State 4 and begin security negotiations.

4-Way Handshake and RSN Exchanges 

When using WPA2/.1x we go through one additional state which, once complete, will encrypt data transmissions over the medium. The 4-way handshake is not new, but it is very important and also quite robust.

Beginning with Message 1, which follows a STA's Association to a BSS, the Authenticator (AP) sends a message to the Supplicant (STA). This contains something called an ANonce, which will be used together with other information by the STA to create a Pairwise Transient Key (PTK).

Message 2 is sent from the STA and contains an SNonce which will be used (again along with some other info) by the AP to create its PTK. The STA also sends an RSNE (Robust Security Network Element) and a Message Integrity Check (MIC) so the AP can verify nothing was changed.

Message 3 is sent from the AP, containing another ANonce, RSNE, MIC and a GTK (Group Temporal Key). The GTK will be used to encrypt multicast and broadcast messages to STAs joined to the BSS.

Message 4 confirms the STA installed the necessary keys and completes the 4-way handshake.

After completion, data traffic is now encrypted. Remember that data is encrypted, but other frame types must be left unencrypted so devices not joined to the BSS can decipher them.

If you would like to learn more about the 4-Way Handshake, check out this Blog Post which goes into more detail about it and how the keys are generated.
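As an added example that is not part of the original post, the Python below shows what Messages 1 and 2 give each side: it derives the PTK from the PMK, the two MAC addresses and the two nonces the way both the AP and the STA do, and then checks the MIC on a constructed Message 2 the way the AP does before trusting the STA's RSNE. The PMK, MAC addresses, nonces and RSNE are constructed sample values, not taken from the capture above.

```python
import hashlib
import hmac

# Offset of the 16-byte MIC in an EAPOL-Key frame: EAPOL header (4) + descriptor type (1) + key info (2)
# + key length (2) + replay counter (8) + nonce (32) + IV (16) + RSC (8) + ID (8) = 81
MIC_OFFSET = 81

def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11 PRF-n: concatenate HMAC-SHA1(key, label | 0x00 | data | i) blocks until nbits are filled."""
    out, i = b"", 0
    while len(out) < (nbits + 7) // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min(AA,SPA)|max(AA,SPA)|min(nonces)|max(nonces)).
    Sorting the inputs by value is what lets AP and STA derive the same key after Messages 1 and 2."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 384)  # 48 bytes: KCK | KEK | TK for CCMP

def build_eapol_key(key_info: int, replay: int, nonce: bytes, key_data: bytes) -> bytes:
    """Build a minimal EAPOL-Key (descriptor type 2) frame with an all-zero MIC field."""
    body = (b"\x02" + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")
            + replay.to_bytes(8, "big") + nonce + bytes(16) + bytes(8) + bytes(8)
            + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type 3 = EAPOL-Key

def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): MIC = HMAC-SHA1-128 over the frame with the MIC field zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]

def verify_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], compute_mic(kck, frame))

def handshake_demo() -> tuple:
    """Constructed values only: the PMK, MACs, nonces and RSNE are not from a real capture."""
    pmk = hashlib.sha256(b"constructed-pmk").digest()       # stands in for the PMK the PSK/SSID produce
    aa, spa = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    ptk_ap = derive_ptk(pmk, aa, spa, anonce, snonce)        # AP: has ANonce, learns SNonce from Message 2
    ptk_sta = derive_ptk(pmk, spa, aa, snonce, anonce)       # STA: same inputs, passed in the other order
    kck = ptk_sta[:16]                                       # first 128 bits of the PTK protect the MICs
    rsne = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # RSNE: CCMP group/pairwise, PSK
    msg2 = build_eapol_key(0x010A, 1, snonce, rsne)          # key info: version 2, pairwise, MIC bit set
    msg2 = msg2[:MIC_OFFSET] + compute_mic(kck, msg2) + msg2[MIC_OFFSET + 16:]
    tampered = msg2[:-1] + bytes([msg2[-1] ^ 0x01])         # flip one bit in the RSNE carried by Message 2
    return ptk_ap == ptk_sta, verify_mic(kck, msg2), verify_mic(kck, tampered)
```

handshake_demo() returns (True, True, False): both sides agree on the PTK, the intact Message 2 verifies, and the altered RSNE is rejected by the MIC check.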

