Beruflich Dokumente
Kultur Dokumente
A
Foreign AP ABSTRACT WEP is known to be vulnerable, 802.11i is speci-
fying enhanced encryption to provide stronger
A This article reviews wireless LAN security privacy. 802.11i also incorporates IEEE 802.1X
with a focus on the evolving new IEEE 802.11i [3] as its authentication enhancement. 802.1X is
A standard. The major security enhancements in now widely deployed in many IEEE 802 series
encryption and authentication defined by 802.11i standards with the Remote Authentication Dial
are illustrated. In addition, the newly introduced In User Service (RADIUS, Internet Engineering
C key management in 802.11i is discussed.A Because Task Force, IETF, RFC 2865) as the authentica-
802.11i incorporates IEEE 802.1X as its authen- tion server. RADIUS could provide authentica-
tication enhancement, 802.1X with consideration tion, authorization, and accounting (AAA)
Authentication of roaming users is depicted. Both intrasubnet services, but is still unlikely to resolve all security
server and intersubnet roaming are illustrated. threats in wireless networks. Therefore, Diame-
ter (IETF RFC 3588) is evolving to improve
INTRODUCTION RADIUS to provide better security.
This article first discusses 802.1X with consid-
Conventional Internet users have been bound to eration of roaming users. It then reviews:
In order to enhance wired connections. Wireless communications, • Authentication enhancement
however, have broken this restriction and pro- • Key management and establishment
security of the IEEE vide ubiquitous access to the Internet. In addi- • Encryption enhancement
tion, increased flexibility strongly motivates as defined in the IEEE 802.11i draft.1
802.11H
standard, a wireless network technologies. Today, the
new standard called
deployment of wireless local area networks IEEE 802.1X
(WLANs) is sometimes even more economical
and efficient than installing wired networks in a The IEEE 802.1X standard defines a mechanism
IEEE 802.11i is whole building. With promotion of wireless net- for port-based network access control to provide
working technologies and their market, services compatible authentication and authorization
being developed. and applications are growing tremendously. The mechanisms for devices interconnected by vari-
IEEE 802.11 standard [1] for WLANs is one of ous 802 LANs. It could also be used to distribute
In addition to the most widely adopted standards for broad- security keys for 802.11 WLANs by enabling
band wireless Internet access. public key authentication and encryption
introducing key However, security over a wireless environ- between access points (APs) and mobile nodes
ment is more complicated than in a wired envi- (MNs). In 802.1X, the port represents the associ-
management and ronment. Due to the wide open nature of ation between MN and AP. There are three
wireless radio, many attacks could make the net- main components in the 802.1X authentication
establishment, it also work insecure. The IEEE 802.11 standard has system: supplicant, authenticator, and authentica-
defined the following two basic security mecha- tion server (AS). A supplicant is usually an MN
defines encryption nisms for secure access to IEEE 802.11 net- requesting WLAN access. An authenticator rep-
works: resents the network access server (NAS). In
and authentication • Entity authentication, including open system 802.11 networks it is normally an AP. A
and shared key authentication RADIUS server is commonly used as the authen-
improvements. • Wired Equivalent Privacy (WEP) tication server, although other types of AAA
Both have proved to be vulnerable. servers such as Diameter could also serve as the
In order to enhance security of IEEE 802.11, authentication server. In 802.11, the authentica-
a new standard called IEEE 802.11i [2] is being tion server might be physically integrated into an
developed. The objective of 802.11i is to enhance AP.
the 802.11 security aspects. In addition to intro-
ducing key management and establishment, it also THE IEEE 802.1X FRAMEWORK
defines encryption and authentication improve- As indicated in Fig. 1 [3], both supplicant and
1IEEE 802.11i is still ments. In order to manage security keys auto- authenticator have a port access entity (PAE)
evolving; only its draft was matically, 802.11i defines key management and that operates the algorithms and protocols asso-
available when this article establishment algorithms, which are first intro- ciated with the authentication mechanisms. The
was completed. duced in the 802.11 standards. As conventional authenticator PAE controls the authorized/unau-
to backend networks
to acquire the n Figure 1. IEEE 802.1X framework.
necessary services. thorized state of its controlled port depending on After the MN and AP complete the 802.11
the outcome of the authentication processes. association, both the MN and AP will transit to
Before the supplicant is authenticated, the the CONNECTING state in their PAE state
authenticator uses an uncontrolled port to com- machines. However, the port is unauthorized at
municate with the supplicant PAE. The authen- this moment, and the 802.1X authentication
ticator will block all traffic except 802.1X process just starts. As indicated in Fig. 2, the
messages before the supplicant is authenticated. MN (supplicant) sends an EAPOL-Start frame
The 802.1X standard leverages Extensible to the AP (authenticator) to initialize the
Authentication Protocol (EAP, IETF RFC 2284) authentication process. When the AP receives
to provide a number of authentication schemes, EAPOL-Start, it replies with an EAP-
including Message Digest 5 (MD5, IETF RFC Request/Identity to obtain the MN’s identity.
1321), Transport Layer Security (TLS, IETF The MN transits to the ACQUIRED state
RFC 2716), Tunneled TLS (TTLS) [4], Protect- when it receives EAP-Request/Identity from
ed Extensible Authentication Protocol (PEAP) the AP. The MN then sends back an EAP-
[5], and smart cards such as EAP SIMs [6]. Response/Identity containing the MN’s identity
802.1X also defines EAP over LANs (EAPOL) in response to the EAP-Request/Identity. If
that encapsulates EAP messages between the the AP receives the EAP-Response/Identity,
supplicant and authenticator. EAP messages the authenticator PAE state will transit to the
from the supplicant are relayed to the authenti- AUTHENTICATING state. In the AUTHEN-
cation server by the authenticator PAE. In order TICATING state, the authenticator PAE
to let the RADIUS server authenticate users encapsulates the EAP-Response/Identity mes-
using EAP, the authenticator PAE encapsulates sage in RADIUS-Access-Request as an
the same EAP messages in RADIUS packet for- attribute (EAP-Message attribute) and sends it
mat and sends them to the RADIUS server, to the RADIUS server. In response to the
assuming it has been adopted as the authentica- RADIUS-Access-Request, the RADIUS server
tion server. The encapsulation is known as will challenge the MN by sending a RADIUS-
RADIUS-encapsulated EAP with the EAP-Mes- Access-Challenge to the AP, which then relays
sage attribute, which is defined in RADIUS the message in the form of EAP-Request/Auth
Extensions (IETF RFC 2869) for supporting to the MN. When the MN receives EAP-
EAP within RADIUS. Once the supplicant is Request/Auth, the supplicant PAE state tran-
authenticated successfully, the controlled port in sits to the AUTHENTICATING state and
the authenticator is authorized. Packets from the replies with an EAP-Response/Auth, which is
supplicant will now go through the controlled also relayed to the RADIUS server by the AP
port of the authenticator to backend networks to in the format of RADIUS-Access-Request.
acquire the necessary services. Depending on the authentication scheme, there
Figure 2 depicts a typical 802.1X message might be some more message exchanges. The
exchange with both the supplicant PAE and RADIUS server then determines whether the
authenticator PAE state transitions. The suppli- MN should be accepted or denied access to the
cant and authenticator PAE state machines are network services. Figure 2 depicts three cases
shown in Figs. 3 and 4, respectively. In Fig. 2 the thereafter that are separated by dotted lines. If
digits associated with each flow do not represent authentication succeeds, the RADIUS server
the order of the flow. Instead, the digits in rect- sends a RADIUS-Access-Accept to the AP. On
angles refer to the supplicant PAE state in Fig. receipt of RADIUS-Access-Accept the authen-
3, and the digits in circles refer to the authenti- ticator PAE state transits to the AUTHENTI-
cator PAE state in Fig. 4. CATED state and sends an EAP-Success
EAP-logoff Logoff
1 2
message to the MN to indicate the success of large amounts of data such as medium access
authentication. The controlled port of the AP control (MAC) addresses, user names, and pass-
shown in Fig. 1 is thus authorized. After receiv- words. Administrators would not need to config-
ing EAP-Success, the MN transits to the ure APs frequently when users are added or
AUTHENTICATED state and the whole removed from the system. In addition, proxy
authentication process is completed. On the RADIUS is also able to relay authentication
other hand, RADIUS-Access-Reject is sent by messages to other RADIUS servers to authenti-
the RADIUS server and relayed to the MN by cate users with profiles maintained in other
the AP in the message of EAP-Failure if the servers.
authentication fails. In this case, both the AP
and MN transit to the HELD state, and the IEEE 802.1X WITH ROAMING USERS
whole authentication fails. The controlled port
is thus still unauthorized. If the MN is authen- This section discusses the mobility issues in
ticated and wants to perform a logoff proce- 802.1X-enabled networks in terms of intrasubnet
dure from the current AP, the MN originates and intersubnet roaming, respectively. In intra-
an EAPOL-Logoff packet to the AP. After subnet roaming, an MN hands off to a different
that, the controlled port of the current AP AP within the same IP subnet. It would need to
transits to unauthorized state immediately. The re-authenticate with the new AP. Because the
supplicant and authenticator will transit to the MN is still in the same IP subnet, it does not
LOGOFF state and DISCONNECTED state, involve a change of IP address. Intersubnet
respectively. handoff, however, would need to get a new IP
Usually there are several APs connected to address and keep the ongoing IP connections
the same authentication server. Because user alive. This article uses Mobile IP (IETF RFC
profiles are stored in a centralized database, APs 3344) as an example to illustrate intersubnet
in the system could lighten the load of storing handoff in IEEE 802.1X networks.
as described earlier,
txLogoff; logoffSent=TRUE; eapSuccess=FALSE; heldWhile=heldPeriod;
both the MN and the suppStatus=Unauthorized; eapFail=FALSE;
startCount=0;
eapFail=FALSE;
eapSuccess=FALSE;
logoffSent=FALSE; suppStatus=Unauthorized;
AP are in the !userLogoff
previousId=256;
suppStatus=Unauthorized
Connecting
Authenticated
IP registration
(startWhen==0)&& startWhen=startPeriod;
eapSucceed=FALSE;
messages and eapFail=FALSE;
(StartCount>=maxStart) startCount=startCount+1;
reqld=FALSE; txStart;
(startWhen==0)&&
(StartCount<maxStart)
suppStatus=Authorized;
perform subsequent reqld
reqld
Mobile IP procedures.
Thus, IEEE 802.1X 4
5
Intrasubnet roaming: According to IEEE earlier. Both the foreign AP and the MN will
802.1X, an MN should re-authenticate with a proceed to the AUTHENTICATED state even-
new authenticator or authentication server when tually if the MN is authenticated successfully.
it roams to another 802.1X-enabled network. Re-authentication then is completed.
Figure 5 depicts a typical architecture in which Intersubnet roaming: When roaming to a
an MN moves from a home AP to a foreign AP new IP subnet, the MN’s IP address in the old
within the same IP subnet. Figure 5 also indi- subnet is invalid in the new subnet. With only
cates the state transitions of the supplicant and 802.1X re-authentication, the MN is able to
authenticator during handoff. reassociate with the foreign AP, but it cannot
Assuming the MN is already authenticated connect to the new IP subnet. Therefore, a pro-
successfully with its home AP, both supplicant tocol such as Mobile IP should be used to sup-
and authenticator PAE states are in the port mobility management in the IP layer. After
AUTHENTICATED state, as indicated in Fig. 802.1X authentication with the foreign AP is
5. When MN roams to a foreign AP, it first pro- completed, as described earlier, both the MN
ceeds to do the 802.11 reassociation process with and AP are in the AUTHENTICATED state.
the foreign AP. The PAE state machine of the Therefore, the MN is able to send Mobile IP
foreign AP will transit to the CONNECTING registration messages and perform subsequent
state once the reassociation is successfully com- Mobile IP procedures. Thus, 802.1X and Mobile
pleted. The foreign AP then sends an EAP- IP could work independently.
Request/Identity to the MN. After receiving the
EAP-Request/Identity, the MN will transit from IEEE 802.1X WITH DIAMETER
the AUTHENTICATED to the ACQUIRED Because network entities have increased in com-
state. It then sends back an EAP-Response/Iden- plexity, the deficiencies in RADIUS have been
tity. Afterwards, the message exchange follows identified (IETF RFC 3127). Because IEEE
the standard 802.1X authentication described 802.1X does not mandate the type of authentica-
rxRespId &&
weaknesses in Radius.
4 (reAuthCount<=reAuthMax)
Authenticated Aborting
Authenticating
portStatus=Authorized; authAbort=TRUE;
reAuthCount=0; inc(currentId);
inc(currentId);
authSuccess=FALSE;
authFail=FALSE;
authTimeout=FALSE; reAuthenticate ||
authStart=TRUE; eapStart ||
eapLogoff ||
eapStart || auth Timeout eapLogoff
reAuthenticate authSuccess authFail && !authAbort
eapLogoff
tion server, Diameter (IETF RFC 3588) could creation of robust security network associations
be used to improve the security weaknesses in (RSNAs). That is, in an RSN the associations
RADIUS. between all stations including APs are built on a
Diameter provides a base protocol that can strong association/authentication called an
be extended from various applications to support RSNA, which is also defined by the 802.11 TGi
AAA services. The Diameter-EAP application as: an RSNA depends on 802.1X to transport its
[7] could be employed for an 802.1X network. authentication services and deliver key manage-
Usage of Diameter in an 802.1X system is simi- ment services. A security association is defined as
lar to that of RADIUS. The major difference is the context providing the state (cryptographic keys,
in the replacement of RADIUS messages with counters, sequence spaces, etc.) needed for correct
Diameter messages. For intersubnet roaming, operation of the IEEE 802.11 cipher suites. RSNA
Diameter also specifies a Mobile IPv4 applica- includes a novel four-way handshake mechanism
tion [8]. to provide robust session key management. By
leveraging IEEE 802.1X, the four-way hand-
IEEE 802.11I shake, and the enhanced cryptographic algo-
rithms, communication links in 802.11 wireless
The IEEE 802.11 Working Group has been are securely protected.
working on MAC enhancement for several years.
In May 2001, the MAC enhancement was split THE IEEE 802.11I FRAMEWORK
into different task groups. Task Group E (TGe) The 802.11i standard defines two classes of secu-
is responsible for quality of service (QoS). Task rity framework for 802.11 WLANs: RSN and
Group I (TGi) is working on security. pre-RSN. A station is considered RSN-capable
One of the major missions of 802.11 TGi is to equipment if it is capable of creating RSNAs.
define a robust security network (RSN). The Otherwise, it is pre-RSN equipment. A network
definition of an RSN according to IEEE 802.11i that only allows RSNA in associations with RSN-
draft [2] is a security network that only allows the capable equipments is called an RSN security
A station is Authenticating
2. EAP-response/Id
Acquired
MN
considered to be Connecting Acquired
1. EAP-request/Id
RSN-capable
Authentication
equipment if it is server Foreign
capable of creating
RSNAs. Otherwise, Home
it is pre-RSN
Authenticated Authenticated
equipment. Authorized
Home AP MN
framework. A network that allows pre-RSNA between the AS and AP is not specified by
associations between stations is called a pre- 802.11i, there should be a secure channel such as
RSN security framework. The major difference TLS (IETF RFC 2246) or IPSec (IETF RFC
between RSNA and pre-RSNA is in the four- 2401) between the AP and AS. An EAP that
way handshake. If the four-way handshake is not supports mutual authentication should be used
included in the authentication/association proce- in an RSN. That is, the authentication requester
dures, stations are said to be pre-RSNA. and responder must be able to authenticate each
Pre-RSN: Pre-RSN security consists of two other. EAP-MD5, for instance, cannot meet this
security subsystems: requirement.
• IEEE 802.11 entity authentication Key management and establishment: Two
• WEP ways to support key distribution are introduced
The IEEE 802.11 entity authentication in 802.11i: manual and automatic key manage-
includes open system authentication and shared ment. Manual key management requires the
key authentication. In open system authentica- administrator to manually configure the key.
tion, there is no authentication algorithm. A sta- Automatic key management is available only in
tion is authenticated simply based on its identity. an RSNA. It relies on 802.1X to support key
Shared key authentication, on the other hand, management services. More specifically, a four-
authenticates a station based on a secret key way handshake is used to establish each tran-
known to the authentication requester and sient key for packet transmission.
responder. It requires the privacy mechanism to Encryption enhancement: In order to
be implemented in WEP. enhance confidentiality, two advanced crypto-
RSN: In addition to enhancing the security in graphic algorithms are developed: Counter-
pre-RSN, RSN security defines key management Mode/CBC-MAC Protocol (CCMP) and
procedures for 802.11 networks. It also enhances Temporal Key Integrity Protocol (TKIP). In
the authentication and encryption in pre-RSN. RSN, CCMP is mandatory. TKIP is optional and
Authentication enhancement: 802.11i utilizes recommended only to patch pre-RSNA equip-
802.1X for its authentication and key manage- ment.
ment services. It incorporates two components IEEE 802.11i specifies an RSN information
into the 802.11 architecture: the 802.1X port and element (RSN IE) that carries RSN security
authentication server (AS). The 802.1X port rep- information including RSN capabilities,
resents the association between two peers. There authentication, and cipher key selectors. An
is a one-to-one mapping between the 802.1X RSN IE could be used to distinguish pre-RSN
port and the association. As discussed earlier, an stations and RSN-capable stations. RSN-capa-
802.1X port will allow general traffic to pass only ble stations shall include the RSN IE in bea-
when the authentication is successfully complet- cons, probe response, association and
ed. The AS could be a standalone server or inte- reassociation request, and the second and third
grated into an AP. Although the protocol messages of the four-way handshake. On the
other hand, there is no RSN IE in messages transient key (PTK). Therefore, the session key
sent by pre-RSN stations. As shown in Fig. 6, between the supplicant and authenticator is
the RSN IE contains a list of authentication guaranteed to be fresh. After that, the group
and cipher selector fields for communications. key handshake proceeds as indicated in flow 9.
The value of the Element ID field in Fig. 6 The group key handshake is used to generate
should always be 48 in decimal. The Length and refresh the group key, which is shared
field indicates the number of octets in the between a group of stations and APs. By using
information fields excluding the Element ID this key, broadcast and multicast messages can
and Length fields. The Version field shows the be securely exchanged over the air.
version number of the RSNA protocol. The The following sections review the authentica-
Pairwise Key Cipher Suite Count indicates the tion enhancement, key management and estab-
number of pairwise key cipher suites contained lishment, and encryption enhancement,
in the Pairwise Key Cipher Suite List field. The respectively, defined in IEEE 802.11i.
Pairwise field refers to two entities that are
associated with each other. The Pairwise Key AUTHENTICATION ENHANCEMENT
Cipher Suite, therefore, is the cipher suite In the original 802.11 standard, a station should
being or to be associated between communicat- first associate with an 802.11 AP. It then is able
ing peers. Similarly, the Authentication and Key to access the WLAN service. An example of the
Management Suite Count indicates the number process is shown by flows 1–6 in Fig. 7. After
of authentication and key management suites finding an AP by receiving the Probe Response,
contained in the Authentication and Key Man- the mobile station needs to proceed to the fol-
agement Suite List field. In the RSN Capabilities lowing two steps: 802.11 entity authentication and
field, the requested or advertised capabilities association. Before associating with an AP, the
are filled in. By using this field, the receiver station needs to accomplish 802.11 entity authen-
can know the security mechanisms the sender tication. As discussed earlier, there are two
supports or is requesting. authentication schemes: open system and shared
Generally speaking, the RSN IE carries key authentication. Open system authentication
robust security information that indicates the allows a station to be authenticated without hav-
authentication and cipher algorithms the com- ing a correct WEP key. There are two message
municating parties will use. Stations and APs can exchanges. The first message sending from sup-
learn the security capabilities of the communi- plicant (mobile station) to authenticator (AP) is
cating peers and negotiate with each other by used to expose the identity of the station. Based
the RSN IE carried in an association/reassocia- on the identity, the authentication result is sent
tion request, probe response, beacons, or other from the authenticator back to the station. There
messages. Correspondent security procedures is no authentication algorithm. In shared key
will then be executed. authentication, there are four message
Figure 7 shows an example of establishing an exchanges. The first message containing the
RSNA between a supplicant (station) and an identity of the station is delivered from the sta-
authenticator (AP) in a basic service set (BSS). tion to the AP. The AP will then send a chal-
It assumes there is no preshared key. Flows 1–6 lenge packet to the mobile station. The mobile
are the 802.11 association and authentication station is required to encrypt the challenge pack-
process prior to attaching to the authenticator. et using the shared WEP key and send the
During the process, security information and encrypted result back to the AP. If the challenge
capabilities can be negotiated using the RSN IE. packet is encrypted correctly, the supplicant is
The authentication in flows 3 and 4 refers to authenticated successfully. The authentication
802.11 open system authentication. After the result is sent to the station in the fourth mes-
802.11 association is completed, the 802.1X sage. If the station is authenticated successfully,
authentication indicated in flow 7 of Fig. 7 is it proceeds to the 802.11 association. The mobile
initiated. EAP messages will be exchanged station should transmit an Association Request
between the supplicant, authenticator, and to the AP. The AP then sends back an Associa-
authentication server, although the authentica- tion Response to the station.
tion server is not depicted in Fig. 7. If the sup- Shared key authentication in 802.11 is not
plicant and authentication server authenticate adopted by 802.11i. Instead, it incorporates
each other successfully, both independently gen- 802.1X as the authentication solution for the
erate a pairwise master key (PMK). The authen- RSN. As depicted in Fig. 7, 802.1X is performed
tication server then transmits the PMK to the after 802.11 open system authentication and
authenticator through a secure channel (e.g., association. IEEE 802.1X provides a port-based
IPsec or TLS). The four-way handshake then network access control mechanism to protect
uses the PMK to derive and verify a pairwise against unauthorized access. Details of 802.1X
AP to inform the
new AP to start the n Figure 7. Example flows of RSNA establishment.
IEEE 802.1X
authentication, thus have been discussed. Please note that Fig. 7
depicts the establishment of an RSN. The two
tor. A nonce essentially is a random or pseudo-
random value. In the four-way handshake,
reducing handoff message exchanges of flows 3 and 4 for open sys-
tem authentication should not be replaced by
Anonce will never be reused. Therefore, the
RSN is safe against replay attack.
latency. the four message exchanges of shared key
authentication.
After receiving the first message, the suppli-
cant validates the message by checking the
IEEE 802.11i also specifies a more robust Replay Counter field in the message. The Replay
security framework utilizing 802.1X, a four-way Counter is a sequence number, which shall be
handshake, and a group key handshake to incremented by each EAPOL-Key message. If
authenticate and authorize stations. The four- the Replay Counter is less than or equal to the
way and group key handshakes are described in value kept in the supplicant, the supplicant dis-
the next section. After the station is authenticat- cards the message. Otherwise, the supplicant
ed successfully, the cryptographic keys are con- generates a new nonce called Snonce. By using
figured as well. The station is thus able to send an algorithm called Pseudo-Random Function
and receive unicast and broadcast frames in a (PRF) with Anonce, Snonce, PMK, and other
secure manner. Moreover, IEEE 802.11i also information as inputs, the supplicant derives a
supports pre-authentication. A station could pre- pairwise transient key (PTK). The supplicant then
authenticate with an AP before roaming. A sta- sends back the second message containing key
tion could initiate an EAPOL-Start message information, Snonce, the supplicant’s RSN IE,
through the serving AP to inform the new AP to and the message integrity code (MIC) back to the
start the IEEE 802.1X authentication, thus authenticator. The MIC is a cryptographic digest
reducing handoff latency. used to provide integrity service.
Upon receiving the second message, the
KEY MANAGEMENT AND ESTABLISHMENT authenticator validates the message by checking
This section discusses the four-way handshake the replay counter. The process is similar to that
and group key handshake, respectively. in the supplicant when receiving the first mes-
Four-way handshake: The RSNA defines a 4- sage. It then derives the PTK if the second mes-
way handshake to perform several functions such sage is validated. Because the authenticator uses
as confirming the liveness of the communicating the same algorithm and the same inputs, the
stations, guaranteeing the freshness of the ses- PTK derived by the authenticator will be the
sion key, installing the cryptographic key, and same as the one in the supplicant. The authenti-
confirming the installation of the key. The four- cator also verifies the MIC. The packet is dis-
way handshake is achieved using 802.1X. Specifi- carded silently if the MIC is not valid. In
cally, messages exchanged in the four-way addition, the authenticator compares the
handshake are in the EAPOL-Key format. received RSN IE bitwise with the one contained
EAPOL-Key is defined in IEEE 802.1X and in the Association/Reassociation Request
could be used to exchange cryptographic keying received earlier from the supplicant. If these are
information. Figure 7 depicts the message flows not exactly identical, the association is terminat-
of four-way handshake. ed. Otherwise, the authenticator sends the third
In a four-way handshake, the authenticator message to the supplicant. The third message
first sends out a message to the supplicant. The includes the key information, Anonce, MIC, and
first message contains key information and an the authenticator’s RSN IE.
Anonce. An Anonce is a nonce, which is also On reception of the third message, the sup-
called key material, generated by the authentica- plicant first verifies the message by checking the