In 802.11, data frames could be transmitted with encryption but management frames were always sent in the open (no encryption). The 802.11w standard amendment introduced management frame protection and the feature is deemed mandatory by the Wi-Fi alliance from 802.11ac onwards.
The Management Frame protection would incorporate management frames that are transmitted after the AP and Station have negotiated key exchange and both AP and Station have a valid set of keys. Management frames that are sent prior to a key exchange are still not encrypted.
The above paragraph entails that the below set of frames will not be sent encrypted
- Association frames (request/response)
- Beacon frames
- ATIM
- Authentication frames
- Probe request and response frames
- Spectrum Management action frames
The following frames will be protected
- Disassociation frames
- De-authentication frames
- Action management frames
Management Frame protection thus provides a level of security for denial of service (DoS) attacks for the above frames that it is able to protect.
Management Frame Protection introduced a new Key Integrity Group Temporal Key (IGTK) which would provide an integrity check by creating a MIC and a new algorithm – Broadcast Integrity Protocol (BIP) for protection of Broadcast and Multicast frames.
Unicast Management frames would be encrypted using the same Pairwise Transient Keys. We will look at the different MFP attributes in the following articles