Q

How can I calculate the value for reauthorizations for different encryption methods?

I am kind of new to the wireless stuff and I have a question on encryption and dot1x reauthorization timers. Do you know if there is a calculator that will calculate the value for reauthorizations for the different encryption methods? It is my understanding that the Achilles heel for encryption is the reuse of keys. For example, I would like to know if I am using TKIP with an 11MB connection that is 50% utilized, how many packets would be sent before the key is reused?

Encryption key reuse WAS the big problem for WEP. WEP combined a static key with a 24-bit initialization vector; that's 16,777,216. At 802.11b data rates, a fully utilized WLAN could theoretically send that many frames in an hour. Some implementations made this worse by starting the IV from the same value, guaranteeing (IV+key) reuse.

Dynamic WEP (WEP with 802.1X) avoids this by refreshing keys before the IV space is exhausted. Appropriate refresh intervals should be determined by looking at actual frame counts in your WLAN.

Encryption keys are never re-used by TKIP. TKIP combines a temporal key, the transmitter's address and TKIP Sequence Counter (TSC) to generate per-packet keys. If the TSC is exhausted, the standard requires communication to be discontinued or the temporal key to be regenerated. The TSC is 48 bits long, or 281,474,976,710,656. That's a very large number of frames. How long will it take for your WLAN to generate this many frames? At 802.11b data rates, you're talking many years.

The 802.11i standard specifies a maximum lifetime for temporal keys, defined as the minimum of any configured Pairwise Master Key Lifetime and any session timeout carried by RADIUS accept messages returned via 802.1X. That lifetime can cause the temporal key to be refreshed at regular intervals. But you don't need to set that lifetime based on TKIP key reuse. Think in terms of how long a user should really be authorized before requiring reauthentication.

This was first published in August 2004
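
The arithmetic behind the answer above, as an added example that is not part of the original answer: it estimates how long the WEP IV space and the TKIP TSC space last at a given frame rate, derives a dynamic WEP refresh interval, and applies the 802.11i minimum-lifetime rule. The function names, the 300-byte average frame size, the 50% safety margin and the sample counter readings are assumptions; the nominal data rate is treated as payload throughput, so the frame rates are upper bounds.

```python
WEP_IV_SPACE = 2 ** 24     # 16,777,216 IVs per WEP key
TKIP_TSC_SPACE = 2 ** 48   # 281,474,976,710,656 TSC values per temporal key
SECONDS_PER_YEAR = 365.25 * 86400

def estimated_fps(rate_mbps, utilization, avg_frame_bytes):
    """Upper-bound frames/second. Assumption: the nominal rate is all payload
    (802.11 MAC/PHY overhead ignored), so real frame rates are lower."""
    if rate_mbps <= 0 or avg_frame_bytes <= 0 or not 0 < utilization <= 1:
        raise ValueError("rate and frame size must be > 0, utilization in (0, 1]")
    return rate_mbps * 1_000_000 * utilization / (avg_frame_bytes * 8)

def measured_fps(frames_start, frames_end, interval_seconds):
    """Frames/second from two readings of a transmit frame counter."""
    if interval_seconds <= 0 or frames_end < frames_start:
        raise ValueError("need a positive interval and a non-decreasing counter")
    return (frames_end - frames_start) / interval_seconds

def seconds_to_exhaust(counter_space, fps):
    """Time until a sequential IV/TSC counter has used every value once."""
    return counter_space / fps

def wep_rekey_interval(fps, margin=0.5):
    """Dynamic WEP refresh interval in whole seconds that consumes at most
    `margin` of the IV space (margin is an assumed safety factor)."""
    return int(seconds_to_exhaust(WEP_IV_SPACE, fps) * margin)

def temporal_key_lifetime(pmk_lifetime=None, session_timeout=None):
    """802.11i rule from the answer: the minimum of any configured PMK
    lifetime and any RADIUS session timeout; None if neither is set."""
    configured = [v for v in (pmk_lifetime, session_timeout) if v is not None]
    return min(configured) if configured else None

if __name__ == "__main__":
    # The asker's scenario: 11 Mbps at 50% utilization, 300-byte frames assumed.
    fps = estimated_fps(11, 0.5, 300)
    print(f"frame rate:        {fps:,.0f} frames/s")
    print(f"WEP IV exhausted:  {seconds_to_exhaust(WEP_IV_SPACE, fps) / 3600:.2f} hours")
    print(f"WEP rekey every:   {wep_rekey_interval(fps)} s")
    years = seconds_to_exhaust(TKIP_TSC_SPACE, fps) / SECONDS_PER_YEAR
    print(f"TKIP TSC exhausted: {years:,.0f} years")
    # Constructed counter readings taken 60 s apart on a live WLAN.
    print(f"measured rate:     {measured_fps(1000, 7000, 60):.0f} frames/s")
    # Constructed values: 12 h PMK lifetime, 1 h RADIUS Session-Timeout.
    print(f"key lifetime:      {temporal_key_lifetime(43200, 3600)} s")
```

Feeding `measured_fps` output into `wep_rekey_interval` bases the refresh interval on actual frame counts rather than the nominal data rate.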
