University of Kansas

Motivation

802.2 Logical link control (LLC)

OSI Model

Network

Data Link

802.3MAC

802.3PHY

802.3CSMA/CD

802.11 MAC

Physical

802.11

802.11FHSSPHY

802.11DSSSPHY

802.11aOFDMPHY

802.11bHR/DSSS

PHY

802.1 Management and Internetworking

802 Family

Wireless networks based on the IEEE 802.11 standard require lengthy layer two configuration parameters to be set

SSID (Network Name)WEP Encryption Keys

Embedded devices with limited input capabilities are unable to join the wireless

network until properly configured

Traditional layer three configurations protocols like DHCP can be utilized once data layer communication is established

University of Kansas

802.11 Encapsulation• 802.11 headers are unencrypted

• Access Points copy MAC addresses during the bridging process

• Data portion encrypted – No use to a station without keys

• Source address - 6 octets of data

• Broadcast

FrameControl

Addr 4SeqAddr 3Addr 2Addr 1Duration/

ID

DestinationMACEthernet

SourceMAC

0xAA 0x030xAARFC 1042

encapsulation0x00-00-00

TYPE

TYPE DATA

DATA FCS

SNAP Header

802.11 Header 802.11 Data

University of Kansas

Wi-Fi-Co Protocol

The Configurator host sends wireless network parameters to an embedded device via broadcast packets

FrameControl

Addr 1Duration Addr 4Addr 3Addr 2 Seq

802.11 MAC HeaderWEP IV DATA FCS

Cleartext Encrypted Cleartext

SSIDIntegrityCheck

DefaultKey

WEP KEY(s)Header

I I I SEQ D D

ff ff ff ff ff ff

MAC Source Address

MAC Destination Address

Broadcast

Const. Identifer Data

Wi-Fi-Co Configuration Buffer

Configuration data is embedded in the source MAC address

A Wi-Fi station is able to capture the configuration frames and assemble the data from the cleartext 802.11 headers

University of Kansas

Wi-Fi-Co Timing Diagram

Configurator Target

Configuration Message 2

Configuration Message 1

Configuration Message M

Target ConfigurationComplete

Socket connection back toConfigurator

0.0

0.05105

0.05710

0.09105

0.11105

0.68905

1.21105

1.23111

1.31710

1.28915

1.25204

2.41241

2.43141

2.45870

2.46014

• Configurator constantly broadcasts configuration data in fragmented packets

• The target assembles configuration data and decodes link level parameters

• Must “hop” Wi-Fi channels to guarantee that configuration data will be received

University of Kansas

Protecting WEP Keys

• Broadcast packets easily intercepted• On wired Ethernet network portion• On wireless network portion

• Configuration data Encrypted• Shared key symmetric cipher • Embedded devices ship with

unique, pre-programmed key• Certificate with product code• Additional input required on

the Configuration host where it is much easier than input to embedded device

University of Kansas

Applications