Legacy Authentication
Legacy authentication methods were more of an authentication of capability (verification between two devices that they were valid 802.11 devices) and not so much an authentication of user identity.
They are of two types:
Open System Authentication
It provides authentication without performing any form of user verification.
It involved a two-way exchange between the client and the AP:
- Client sent an Authentication Request
- AP replied with an Authentication response
Every client got authenticated and authorized into the network after association
This included an option to use static WEP for data frame encryption after association.
Lab – Open System Authentication without WEP
The aim of this lab is to study the packet exchange that occurs between an access point and a client when using the legacy Open System Authentication method.
In this lab, I set my ASUS router (AsustekC) and my desktop (IntelCor) to allow open system authentication and used Wireshark to capture the communication between them.
Below is the whole conversation captured in Wireshark.
We should see 4 frames exchanged between the AP and the client.
Authentication Request frame
The Authentication Request is sent by the station (laptop) to the AP (ASUS router). The frame subtype is 1011, which indicates an Authentication frame. The authentication sequence number 1 indicates that it is a request.
Authentication Response frame
The router replies with an Authentication Response. The frame subtype is again 1011, which indicates an Authentication frame. The authentication sequence number 2 indicates that it is a response.
Association Request frame
The Association Request is sent by a station (IntelCor) to associate to a BSS (CaptainSugar). The frame subtype is 0000, which indicates an Association Request frame.
The client also sends its capabilities to the router. It is associating to a BSS named CaptainSugar. The client supports rates from 1, 2 up to 54 Mbps.
The client also sends its capabilities for 802.11n and other vendor-specific information.
Association Response frame
In response to an Association Request, the router sends an Association Response frame. The frame subtype is 0001, which indicates an Association Response frame. We can see that the client has successfully associated.
The AP also sends its capabilities and vendor-specific parameters.
At this point, the client can now freely use the network.
Shared Key Authentication
It used WEP to authenticate clients. The static key had to be configured on both the AP and client stations.
It involved a four-way exchange between the client and the AP:
- Client sent an Authentication Request
- AP replied with a cleartext challenge in the Authentication Response
- Client sent a second Authentication Request back to the AP containing the challenge text encrypted with the static shared key
- AP decrypted the message and compared it with the challenge that it had sent, then sent an authentication frame containing a success/failure message
If the keys did not match, authentication would not work.
The same static key would be used to encrypt the data after successful authentication.
This method is not recommended at all as it can be compromised by capturing the WEP key.
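The fields read off in the lab above (subtype bits, authentication sequence number, status) sit at fixed offsets in the frame, as does the algorithm number that separates Open System (0) from Shared Key (1) authentication. The Python below is an added example, not part of the original lab: it decodes those fields from raw management frames and flags any Shared Key negotiation. The sample frames, MAC addresses and helper names are constructed for illustration, and frames are assumed to have no radiotap header or FCS.

```python
import struct

HDR_LEN = 24  # frame control, duration, three addresses, sequence control
SUBTYPES = {0b0000: "Association Request", 0b0001: "Association Response",
            0b1011: "Authentication"}
ALGORITHMS = {0: "Open System", 1: "Shared Key"}


def parse_mgmt(frame: bytes) -> dict:
    """Decode the fields the lab inspects from a raw 802.11 management frame."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    ftype, subtype = (frame[0] >> 2) & 0b11, frame[0] >> 4
    if ftype != 0:
        raise ValueError("not a management frame")
    info = {"subtype": f"{subtype:04b}",
            "name": SUBTYPES.get(subtype, "other management frame")}
    body = frame[HDR_LEN:]
    if subtype == 0b1011:  # fixed fields: algorithm, transaction seq, status
        if len(body) < 6:
            raise ValueError("truncated authentication body")
        algo, seq, status = struct.unpack_from("<HHH", body)
        info.update(algorithm=ALGORITHMS.get(algo, f"algorithm {algo}"),
                    seq=seq, status=status)
    elif subtype == 0b0001:  # fixed fields: capability, status, association ID
        if len(body) < 6:
            raise ValueError("truncated association response body")
        _cap, status, aid = struct.unpack_from("<HHH", body)
        info.update(status=status, aid=aid & 0x3FFF)  # top two AID bits are set
    return info


def uses_shared_key(frames) -> bool:
    """True if any authentication frame negotiates legacy Shared Key (WEP)."""
    return any(p.get("algorithm") == "Shared Key" for p in map(parse_mgmt, frames))


# Constructed sample frames with made-up MAC addresses, not the lab's capture.
STA, AP = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")

def build(subtype: int, src: bytes, dst: bytes, body: bytes) -> bytes:
    return bytes([subtype << 4, 0]) + b"\x00\x00" + dst + src + AP + b"\x00\x00" + body

OPEN_LAB = [
    build(0b1011, STA, AP, struct.pack("<HHH", 0, 1, 0)),            # auth request
    build(0b1011, AP, STA, struct.pack("<HHH", 0, 2, 0)),            # auth response
    build(0b0000, STA, AP, struct.pack("<HH", 0x0401, 10)),          # assoc request, IEs omitted
    build(0b0001, AP, STA, struct.pack("<HHH", 0x0401, 0, 0xC001)),  # assoc response, AID 1
]

if __name__ == "__main__":
    for f in OPEN_LAB:
        print(parse_mgmt(f))
```

Run over a capture of a network you administer, `uses_shared_key` returning True means a station or AP is still configured for WEP-based Shared Key authentication.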