Here you can learn about specific topics in wireless security and new developments in the field of wireless LANs
Airport wireless network scan

Notes on IEEE 802.11i

IEEE 802.11i is the amendment to the IEEE 802.11 standard that specifies security mechanisms for WiFi networks. With this amendment the previous security measure, Wired Equivalent Privacy (WEP), was replaced by a more robust encryption technique, AES-based CCMP. The 802.11i protocol, certified by the WiFi Alliance under the name WPA2, uses this technique to protect the data frames exchanged between the access point (AP) and its clients. IEEE 802.11w, still under development at the time of writing, extends the 802.11i protections to some of the management frames, mitigating some (but not all) denial-of-service (DoS) attacks on WiFi networks.

Before 802.11i, WEP was the encryption technique in use; it is built on the RC4 stream cipher. It is well known that WEP has serious security and management flaws and gives a false sense of security. Attacks such as Café Latte, bit flipping (the CRC-32 integrity check value is linear, so ciphertext can be modified and the checksum repaired without knowing the key), RC4 weak-key and related-key flaws, and keystream reuse caused by the short 24-bit IV allow the WEP key to be recovered in as little as 5-10 minutes. In light of WEP's weaknesses, the WiFi Alliance introduced WiFi Protected Access (WPA) as an interim solution. WPA uses the Temporal Key Integrity Protocol (TKIP) for encryption; TKIP is still based on the RC4 stream cipher, so that legacy hardware can be reused.
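The bit-flipping and keystream-reuse weaknesses mentioned above follow directly from how WEP combines RC4 with a CRC-32 ICV. The following Python is an added illustration, not code from the original page: a minimal model of WEP framing (3-byte IV in clear, RC4 keystream over IV||key, CRC-32 ICV appended to the plaintext) with an attacker that changes a field in a captured frame and fixes up the ICV using only the linearity of CRC-32. The key, IV and payload are constructed values; the RC4 test vector ("Key"/"Plaintext") is the standard published one.

```python
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_le(data: bytes) -> bytes:
    """WEP's ICV: CRC-32 of the plaintext, transmitted little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV in the clear, then RC4(IV || key) XOR (plaintext || ICV)."""
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + crc32_le(plaintext), keystream)


def wep_decrypt(key: bytes, frame: bytes) -> tuple:
    """Receiver side: return (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    decrypted = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = decrypted[:-4], decrypted[-4:]
    return plaintext, crc32_le(plaintext) == icv


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Bit-flipping attack without the key.

    CRC-32 is affine over GF(2): crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), where
    `zeros` has the length of p. XORing `delta` into the encrypted payload therefore
    only requires XORing crc(d) ^ crc(zeros) into the encrypted ICV to keep it valid.
    """
    iv, body = frame[:3], frame[3:]
    icv_delta = xor(crc32_le(delta), crc32_le(bytes(len(delta))))
    return iv + xor(body, delta + icv_delta)


def keystream_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV and key share a keystream, so XORing the two
    ciphertexts yields plaintext_a XOR plaintext_b (followed by the XOR of the ICVs)."""
    return xor(frame_a[3:], frame_b[3:])


def demo_bit_flip() -> tuple:
    """Constructed scenario: attacker turns 'amount=0100' into 'amount=9100'.
    Returns (original_icv_ok, tampered_plaintext, tampered_icv_ok)."""
    key = bytes.fromhex("0102030405")         # constructed 40-bit WEP key (attacker does not know it)
    iv = b"\x11\x22\x33"
    plaintext = b"SRC=10.0.0.1 DST=10.0.0.2 amount=0100"
    frame = wep_encrypt(key, iv, plaintext)
    _, original_ok = wep_decrypt(key, frame)
    # The attacker knows the payload layout (offset of the amount field) but not its key.
    delta = bytearray(len(plaintext))
    delta[plaintext.index(b"0100")] = ord("0") ^ ord("9")
    tampered = flip_bits(frame, bytes(delta))
    tampered_plaintext, tampered_ok = wep_decrypt(key, tampered)
    return original_ok, tampered_plaintext, tampered_ok


if __name__ == "__main__":
    ok, text, still_ok = demo_bit_flip()
    print("receiver accepts tampered frame:", still_ok, text)
```

The receiver sees a frame that decrypts cleanly and passes the ICV check, so the CRC gives no protection against deliberate modification; this is the integrity gap that TKIP's Michael MIC and CCMP's CBC-MAC were introduced to close.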

The IEEE 802.11i architecture contains the following components: IEEE 802.1X for authentication (entailing the use of the Extensible Authentication Protocol, EAP, between the client and an authentication server), the Robust Security Network (RSN) framework for negotiating and keeping track of secure associations, and AES-based CCMP to provide confidentiality, integrity and origin authentication for data frames. Another important element of the key establishment process is the four-way handshake, which turns the keying material produced by authentication into the keys actually used on the air.

802.1x authentication handshake
Figure 1. 802.1x authentication handshake

Once the authentication handshake has completed, both the client and the AP hold a Pairwise Master Key (PMK); a 4-way handshake is then performed to derive from it the Pairwise Transient Key (PTK), the actual keys used for encrypting and integrity-protecting unicast traffic. The derivation mixes the PMK with a nonce from each side and the two MAC addresses, so a fresh PTK results from every handshake. For protecting broadcast and multicast frames a group key handshake distributes the Group Temporal Key (GTK). Throughout this process the Master Key (MK) is known only to the Supplicant and the Authentication Server and is never sent over the medium; the authentication server derives the PMK from it and passes the PMK to the Authenticator (the AP), which uses it in the 4-way handshake.

4-way handshake and key establishment
Figure 2. 4-way handshake and key establishment
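To make the key derivation in Figure 2 concrete, here is an added Python walk-through (not code from the original page) of the first two handshake messages between an AP and a station: the AP sends ANonce, the station derives the PTK from the PMK, the two nonces and the two MAC addresses, answers with SNonce and a MIC computed under the KCK, and the AP repeats the derivation and verifies the MIC. The PMK is obtained the way a WPA2-Personal network does it, PBKDF2-HMAC-SHA1 over the passphrase and SSID; the passphrase "password" with SSID "IEEE" is the published test vector, while the MAC addresses are constructed. The PRF, the EAPOL-Key frame layout (RSN descriptor type 2, MIC at offset 81) and the key_info values follow 802.11i; messages 3 and 4, which carry the KEK-wrapped GTK and the final confirmation, are left out.

```python
import hashlib
import hmac
import os

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the 16-byte MIC
NONCE_OFFSET = 17  # header(4) + descriptor type(1) + key info(2) + key length(2) + replay counter(8)


def psk_to_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11 PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)).
    For CCMP the 48-byte PTK splits into KCK (EAPOL MIC key), KEK (wraps the GTK) and TK (data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_key_frame(key_info: int, replay: int, nonce: bytes, key_data: bytes = b"") -> bytes:
    """EAPOL-Key frame, RSN key descriptor (type 2), with the MIC field zeroed."""
    body = (b"\x02" + key_info.to_bytes(2, "big") + (16).to_bytes(2, "big")   # type, key info, key length
            + replay.to_bytes(8, "big") + nonce                                 # replay counter, nonce
            + bytes(16) + bytes(8) + bytes(8)                                   # EAPOL-Key IV, RSC, reserved
            + bytes(16) + len(key_data).to_bytes(2, "big") + key_data)         # MIC, key data length, key data
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body                    # 802.1X v2, type EAPOL-Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 (AES-CCMP): MIC = first 128 bits of HMAC-SHA1(KCK, frame with MIC zeroed)."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def add_mic(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def check_mic(kck: bytes, frame: bytes) -> bool:
    return hmac.compare_digest(frame[MIC_OFFSET:MIC_OFFSET + 16], eapol_mic(kck, frame))


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes) -> tuple:
    """Messages 1 and 2 between the AP (authenticator, address aa) and the station (supplicant, spa).
    Returns (ap_accepted_msg2, both_sides_share_same_tk)."""
    anonce, snonce = os.urandom(32), os.urandom(32)
    # Msg 1, AP -> STA: ANonce, no MIC yet (key_info: version 2, pairwise, Ack)
    msg1 = eapol_key_frame(0x008A, 1, anonce)
    # STA now has everything it needs: derive the PTK and protect msg 2 under the KCK
    sta_ptk = derive_ptk(sta_pmk, aa, spa, msg1[NONCE_OFFSET:NONCE_OFFSET + 32], snonce)
    msg2 = add_mic(sta_ptk["kck"], eapol_key_frame(0x010A, 1, snonce))   # version 2, pairwise, MIC
    # AP reads SNonce from msg 2, derives its own PTK and checks the MIC before going further
    ap_ptk = derive_ptk(ap_pmk, aa, spa, anonce, msg2[NONCE_OFFSET:NONCE_OFFSET + 32])
    accepted = check_mic(ap_ptk["kck"], msg2)
    return accepted, ap_ptk["tk"] == sta_ptk["tk"]


if __name__ == "__main__":
    aa = bytes.fromhex("001122334455")    # constructed AP address
    spa = bytes.fromhex("66778899aabb")   # constructed station address
    pmk = psk_to_pmk("password", "IEEE")
    print("same passphrase:", four_way_handshake(pmk, pmk, aa, spa))
    print("wrong passphrase on STA:", four_way_handshake(pmk, psk_to_pmk("Password", "IEEE"), aa, spa))
```

Two points worth noticing: nothing secret crosses the air (only nonces and a MIC), and a station that holds the wrong PMK fails at message 2 because its KCK, and therefore its MIC, does not match what the AP computes. The same property is what lets an offline attacker who captured a handshake test candidate passphrases against the MIC, which is why the strength of a WPA2-Personal network rests entirely on the passphrase.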
802.11i architecture
Figure 3. 802.11i architecture