
Connectivity and Data Protection
AES encryption algorithm.  The CCM mode combines Counter Mode
(CTR) for confidentiality and Cipher Block Chaining Message
Authentication Code (CBC-MAC) for authentication and integrity. 
CCM protects the integrity of both the MSDU and selected portions of
the 802.11 MPDU header, although only the MSDU is encrypted.  All
Advanced Encryption Standard (AES) processing used within CCMP
uses AES with a 128-bit key and a 128-bit block size.  The AES
algorithm is defined in FIPS PUB 197.  
CCMP processing expands the original MPDU size by 16 octets, 8
octets for the CCMP Header and 8 octets for the Message Integrity
Code (MIC) as shown in Figure 3.12.  Note that CCMP does not use
the WEP ICV.

Figure 3.12: Data Frame Body Format Using CCMP

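The frame body layout described above, as an added example that is not part of the original text: it builds and parses the 8-octet CCMP Header and splits off the 8-octet MIC. The field order (PN0, PN1, reserved, Key ID octet, PN2 to PN5) and the replay rule are taken from IEEE 802.11, not from this page; the function names and the sample frame body are constructed for illustration.

```python
CCMP_HDR_LEN = 8   # octets, as stated in the text
CCMP_MIC_LEN = 8   # octets, as stated in the text
EXT_IV = 0x20      # bit 5 of the Key ID octet; always set for CCMP

def build_ccmp_header(pn: int, key_id: int) -> bytes:
    """Lay out a 48-bit packet number (PN) and Key ID as the CCMP Header."""
    if not 0 <= pn < 1 << 48 or not 0 <= key_id <= 3:
        raise ValueError("PN must fit in 48 bits and Key ID in 2 bits")
    p = pn.to_bytes(6, "little")            # p[0] = PN0 ... p[5] = PN5
    key_octet = EXT_IV | (key_id << 6)      # Key ID lives in bits 6-7
    return bytes([p[0], p[1], 0x00, key_octet, p[2], p[3], p[4], p[5]])

def parse_ccmp_body(body: bytes) -> dict:
    """Split a CCMP frame body into header fields, encrypted data and MIC."""
    if len(body) < CCMP_HDR_LEN + CCMP_MIC_LEN:
        raise ValueError("frame body shorter than CCMP Header + MIC")
    hdr = body[:CCMP_HDR_LEN]
    if not hdr[3] & EXT_IV:
        raise ValueError("ExtIV bit clear: not a CCMP Header")
    return {
        "pn": int.from_bytes(hdr[0:2] + hdr[4:8], "little"),
        "key_id": hdr[3] >> 6,
        "data": body[CCMP_HDR_LEN:-CCMP_MIC_LEN],   # encrypted MSDU data
        "mic": body[-CCMP_MIC_LEN:],
    }

def accept_pn(last_pn: int, pn: int) -> bool:
    """Receiver-side replay check: the PN must strictly increase."""
    return pn > last_pn

def sample_body() -> bytes:
    """Constructed frame body: header + 20 stand-in ciphertext octets + MIC."""
    return build_ccmp_header(0x060504030201, 1) + bytes(range(20)) + b"\xaa" * 8

if __name__ == "__main__":
    fields = parse_ccmp_body(sample_body())
    print(hex(fields["pn"]), fields["key_id"], len(fields["data"]))
```
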
802.1X/EAP
For authentication, WPA uses a combination of 802.11 Open System
authentication and 802.1X/EAP just as with most 802.1X/EAP
implementations.  Initially, the station authenticates with the access
point using Open System authentication, then associates, which
authorizes the client to send frames to the access point.  Next, WPA
performs user-level authentication with 802.1X/EAP as we have shown
in Figure 3.2.  
Since WPA uses 802.1X/EAP, it must interface with an authentication
server, such as RADIUS, in an enterprise environment.  WPA is also
capable of operating in what's known as "pre-shared key" (WPA-PSK)
mode if no external authentication server is available, such as in homes
and small offices.  WPA-PSK requires only a shared passphrase (shared
key) on each end of the link.  Operationally, WPA-PSK is not much