802.11w also introduced an association spoofing protection mechanism. It was to prevent replay attacks from tearing down an existing client association. It consists of two mechanisms –
- 1) Association comeback time
- 2) SA-Query Procedure
Association comeback time
When an Access Point (AP) receives an association request from a Client which has an existing association table entry in the AP Association table, the Access point rejects the association with the reason “association rejected temporarily”. It also incorporates an association comeback time in the association rejection frame. It is shown pictorially below.
FIG COURTESY: 802.11w Protected Management Frames – Cisco
The Time-out interval is in milliseconds and in the above example – a timeout interval of 10 seconds is placed. After Sending an association rejection message – the Access Point will send an SA Query to the 802.11 Client. If the SA Query is successfully negotiated, then it allows the Client to connect to the Access Point by sending another association frame to the Access Point.
SA Query Procedure
The Security association procedure is a mechanism that is introduced the 802.11w amendment of the 802.11 standard for preventing replay attacks from tearing down an existing session.
The frames that are used in the SA Query procedure are the SA Action frames and are shown below:
Fig Courtesy: 802.11 Standard
The category field is set to SA Query (decimal 8)
The SA Query Action field takes the following values
- 0 – SA Query request
- 1 – SA Query response
The transaction identifier is a 16 bit non-negative value which is maintained the same across the SA query request and response
We shall look at different scenarios of how the SA Query Procedure will protect against replay attacks