WPA2 - RSN Information Element

Within certain WLAN management frames (Beacons, Probe Responses, Association Requests, and Reassociation Requests) of a Wi-Fi Protected Access 2 (WPA2) capable network, there is a Robust Security Network Information Element (RSN IE). It sits in the Tagged Parameters part of the frame and advertises the security capabilities of its associated Basic Service Set (BSS). The Robust Security Network (RSN) was defined in the 802.11i amendment. Wired Equivalent Privacy (WEP) is not considered a valid RSN because of its security vulnerabilities, which were one of the main reasons 802.11i was created in the first place, so a WEP BSS will not carry any RSN information.

There are three sections that we are going to look at today: the Pairwise Cipher Suite, the Group Cipher Suite, and the Authenticated Key Management (AKM) suite. The overall layout of all three is shown below from a packet capture I did. Depending on the configuration of the BSS (Personal or Enterprise) these values will change, and I'll include examples of each as we go through.

  

Starting with the Pairwise Cipher Suite, this shows the encryption methods that are supported by the BSS for unicast traffic. As you can see below there are two cipher suites listed, TKIP (2) and CCMP/AES (4). This shows that the BSS is capable of both suites, and if a device is not capable of using CCMP/AES it can use TKIP instead. TKIP is included to allow backward compatibility with older devices even though it still possesses known vulnerabilities. As a network is only as secure as its weakest form of security, which in this case is TKIP, the BSS should be changed, if possible, to use only CCMP/AES.

 

Here we have only CCMP/AES (4) shown, and as such it is the only cipher that is allowed when connecting to this BSS.

Second, we have the Authenticated Key Management (AKM) suite list. This section shows what type of authentication method is configured: for example, Pre-Shared Key (PSK), known as Personal mode, is shown by type 2, and 802.1X/EAP, known as Enterprise mode, by type 1. Again, the protocol analysers do a good job of showing which method is used alongside the numbering scheme.

Below you can see a BSS that is configured for PSK. This will only allow the user to authenticate using a password; it is used solely in WPA2-Personal and is widespread in the home environment.


Here we have a BSS configured for WPA2-Enterprise. This is shown by the type (1) and will only allow one of the 802.1X EAP types for authentication, such as EAP-TLS or PEAP. You'll tend to find this in an office environment because of the additional hardware and knowledge required to set up such systems.

 
      

What happens if you are still using a legacy protocol such as WEP? As mentioned earlier, WEP is not part of the RSN because of its vulnerabilities and will not display any of the RSN IE fields shown above, but you can still find its capabilities in the same management frames. Shown below is a WEP BSS that I managed to grab, which indicates its required security in the Capabilities Information part of the frame (the Privacy bit). Note the difference between the RSN IE in the sections above and this Capabilities Information field.


Finally, the Group Cipher Suite. This shows the encryption type that the BSS will use for frames sent to the entire wireless medium, such as broadcasts or multicasts. It will be the lowest level of encryption among the Pairwise Cipher Suites, so that every associated device is able to receive the frames sent.

The example below shows the suite being TKIP, which is the lowest level of encryption offered and will therefore be the encryption type used for all group-addressed frames. Remember that even if all the devices currently associated are CCMP/AES capable, the Access Point (AP) will still send out the broadcasts with TKIP.

 

Here we have CCMP/AES only. This shows that there is no TKIP configured, and you would expect to see the same in the Pairwise Cipher Suite as well.
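To tie the Pairwise, AKM and Group sections together, here is an added decoder for the RSN IE (Element ID 48) as it appears in the Tagged Parameters of a beacon or probe response. It is example code written for this post, not from the original article or from any capture tool, and it reports the same fields read off the captures above plus the weakest-link checks discussed: a TKIP pairwise suite, a group cipher weaker than the best pairwise cipher, and a WEP suite inside an RSN IE. The sample IEs are constructed with the builder below rather than taken from a capture; the `privacy_required` helper reads the Privacy bit of the Capability Information field, which is what a WEP BSS sets in place of an RSN IE. Suite names and OUI values are the 802.11-defined ones; vendor-specific OUIs are rejected rather than decoded.

```python
"""Decode and assess a WPA2 RSN Information Element (example code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

RSN_ELEMENT_ID = 0x30            # Tagged parameter ID 48
IEEE_OUI = b"\x00\x0f\xac"       # OUI prefix of the 802.11-defined suites
PRIVACY_BIT = 1 << 4             # Privacy bit of the Capability Information field

CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP/AES", 5: "WEP-104", 8: "GCMP-128"}
AKM_NAMES = {1: "802.1X (Enterprise)", 2: "PSK (Personal)", 3: "FT-802.1X",
             4: "FT-PSK", 8: "SAE"}
# Relative strength used to find the weakest cipher: WEP < TKIP < CCMP/GCMP.
CIPHER_RANK = {1: 0, 5: 0, 2: 1, 4: 2, 8: 2}


@dataclass
class RsnInfo:
    version: int
    group_cipher: int
    pairwise_ciphers: List[int]
    akm_suites: List[int]
    capabilities: Optional[int]


def _read_suite(body: bytes, off: int) -> int:
    """Return the suite type of the 4-byte selector (OUI + type) at body[off]."""
    if off + 4 > len(body):
        raise ValueError("RSN IE truncated inside a suite selector")
    if body[off:off + 3] != IEEE_OUI:
        raise ValueError("vendor-specific suite OUI %s not handled" % body[off:off + 3].hex())
    return body[off + 3]


def _read_suite_list(body: bytes, off: int):
    """Read a 2-byte little-endian count followed by that many selectors."""
    if off + 2 > len(body):
        raise ValueError("RSN IE truncated before a suite count")
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    suites = []
    for _ in range(count):
        suites.append(_read_suite(body, off))
        off += 4
    return suites, off


def parse_rsn_ie(ie: bytes) -> RsnInfo:
    """Parse Element ID, Length, Version, Group cipher, Pairwise list, AKM list, Capabilities."""
    if len(ie) < 2 or ie[0] != RSN_ELEMENT_ID:
        raise ValueError("not an RSN IE")
    body = ie[2:2 + ie[1]]
    if len(body) != ie[1]:
        raise ValueError("length field exceeds the bytes available")
    if len(body) < 6:
        raise ValueError("RSN IE too short for version and group cipher")
    (version,) = struct.unpack_from("<H", body, 0)
    if version != 1:
        raise ValueError("unsupported RSN version %d" % version)
    group = _read_suite(body, 2)
    off, pairwise, akms, caps = 6, [], [], None
    # Fields after the group cipher are optional in the standard; report what is present.
    if off < len(body):
        pairwise, off = _read_suite_list(body, off)
    if off < len(body):
        akms, off = _read_suite_list(body, off)
    if off + 2 <= len(body):
        (caps,) = struct.unpack_from("<H", body, off)
    return RsnInfo(version, group, pairwise, akms, caps)


def assess(info: RsnInfo) -> List[str]:
    """Weakest-link findings: TKIP/WEP pairwise, group cipher weaker than best pairwise."""
    findings = []
    for c in info.pairwise_ciphers:
        if CIPHER_RANK.get(c, 0) < 2:
            findings.append("pairwise cipher %s allowed: a client negotiating it lowers the BSS to that level"
                            % CIPHER_NAMES.get(c, c))
    strongest = max((CIPHER_RANK.get(c, 0) for c in info.pairwise_ciphers), default=0)
    if CIPHER_RANK.get(info.group_cipher, 0) < strongest:
        findings.append("group cipher %s is weaker than the best pairwise cipher: all broadcast/multicast "
                        "frames use it even when every client supports CCMP/AES"
                        % CIPHER_NAMES.get(info.group_cipher, info.group_cipher))
    if any(c in (1, 5) for c in [info.group_cipher] + info.pairwise_ciphers):
        findings.append("WEP cipher advertised inside an RSN IE: not a valid RSN")
    return findings


def privacy_required(capability_info: int) -> bool:
    """True when the Privacy bit is set; with no RSN IE present that indicates WEP."""
    return bool(capability_info & PRIVACY_BIT)


def build_rsn_ie(group: int, pairwise: List[int], akms: List[int], caps: int = 0) -> bytes:
    """Construct an RSN IE (used here only to create labelled sample input)."""
    body = struct.pack("<H", 1) + IEEE_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(IEEE_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(IEEE_OUI + bytes([a]) for a in akms)
    body += struct.pack("<H", caps)
    return bytes([RSN_ELEMENT_ID, len(body)]) + body


# Constructed samples: a mixed TKIP/CCMP Personal BSS and a CCMP-only Enterprise BSS.
MIXED_PERSONAL_IE = build_rsn_ie(group=2, pairwise=[2, 4], akms=[2])
CCMP_ENTERPRISE_IE = build_rsn_ie(group=4, pairwise=[4], akms=[1])

if __name__ == "__main__":
    for label, ie in (("mixed personal", MIXED_PERSONAL_IE), ("ccmp enterprise", CCMP_ENTERPRISE_IE)):
        info = parse_rsn_ie(ie)
        print(label, "group:", CIPHER_NAMES[info.group_cipher],
              "pairwise:", [CIPHER_NAMES[c] for c in info.pairwise_ciphers],
              "akm:", [AKM_NAMES[a] for a in info.akm_suites])
        for f in assess(info):
            print("  -", f)
```

Running it prints the mixed BSS with two findings (TKIP offered as a pairwise cipher, and TKIP as the group cipher despite CCMP/AES being available) and the Enterprise BSS with none, which is exactly the difference between the two pairs of captures above. To use it on a real frame, pass the bytes of the tag starting at the 0x30 element ID; a frame whose Capability Information has the Privacy bit set but that carries no RSN IE is the WEP case from the previous section.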

 
 
 
Thank you for reading this blog post, it’s been really interesting going over the packet captures, and it is helping hugely when it comes to prepping for my CWSP exam. If you have any questions - give me a shout.
