Service set identifier
Encyclopedia
A service set is all the devices associated with a local or enterprise IEEE 802.11
wireless local area network
(WLAN).
within range advertising their SSIDs. The client device can then either manually or automatically—based on configuration—select the network with which to associate. The SSID can be up to 32 characters long. As the SSID displays to users, it normally consists of human-readable characters. However, the standard does not require this. The SSID is defined as a sequence of 2–32 octets
each of which may take any value.
It is legitimate for multiple access points to share the same SSID if they provide access to the same network as part of an extended service set.
Some wireless access points support broadcasting multiple SSIDs, allowing the creation of virtual access points, partitioning a single physical access point into several virtual access points, each of which can have a different set of security and network settings. This is not yet part of the 802.11 standard.
s (STAs) is called a BSS. This is not to be confused with the coverage of an access point, which is called basic service area (BSA). An access point acts as a master to control the stations within that BSS. In ad hoc mode a set of synchronized stations, one of which acts as master, forms a BSS. Each BSS is identified by a BSSID. The most basic BSS consists of one access point and one station.
of client devices without a controlling access point called an independent basic service set (IBSS), in which case the SSID is chosen by the client device that starts the network, and broadcasting of the SSID is performed in a pseudo-random order by all devices that are members of the network.
layer at any station associated with one of those BSSs.
The set of interconnected BSSs must have a common service set identifier (SSID). They can work on the same channel, or work on different channels to boost aggregate throughput
.
of the wireless access point
(WAP). In an IBSS, the BSSID is a locally administered MAC address generated from a 46-bit random number. The individual/group bit of the address is set to 0 (individual). The universal/local bit of the address is set to 1 (local).
A BSSID with a value of all 1s is used to indicate the broadcast BSSID. A broadcast BSSID may only be used during probe requests.
Unfortunately, turning off the broadcast of the SSID may lead to a false sense of security. The method discourages only casual wireless snooping, but does not stop a person trying to attack the network.
It is not secure against determined crackers, because every time someone connects to the network, the SSID is transmitted in cleartext even if the wireless connection is otherwise encrypted. An eavesdropper can passively sniff
the wireless traffic on that network undetected (with software like Kismet), and wait for someone to connect, revealing the SSID. Alternatively, there are faster (albeit detectable) methods where a cracker spoofs a "disassociate frame" as if it came from the wireless bridge, and sends it to one of the clients connected; the client immediately re-connects, revealing the SSID.
As disabling SSID does not offer protection against determined crackers, proven security methods should be used such as requiring 802.11i/WPA2
.
Microsoft discourages SSID-hiding because it leads to clients probing for the SSID in plain text. This not only exposes the SSID that was meant to be hidden but also allows a fake accesspoint to offer a connection.
Programs that act as fake accesspoints are freely available. For example "airbase-ng"
and "Karma".
IEEE 802.11
IEEE 802.11 is a set of standards for implementing wireless local area network computer communication in the 2.4, 3.6 and 5 GHz frequency bands. They are created and maintained by the IEEE LAN/MAN Standards Committee . The base version of the standard IEEE 802.11-2007 has had subsequent...
wireless local area network
Wireless LAN
A wireless local area network links two or more devices using some wireless distribution method , and usually providing a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network...
(WLAN).
Service set identifier (SSID)
A service set identifier (SSID) is a name that identifies a particular 802.11 wireless LAN. A client device receives beacon messages from all access pointsWireless access point
In computer networking, a wireless access point is a device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards...
within range advertising their SSIDs. The client device can then either manually or automatically—based on configuration—select the network with which to associate. The SSID can be up to 32 characters long. As the SSID displays to users, it normally consists of human-readable characters. However, the standard does not require this. The SSID is defined as a sequence of 2–32 octets
Octet (computing)
An octet is a unit of digital information in computing and telecommunications that consists of eight bits. The term is often used when the term byte might be ambiguous, as there is no standard for the size of the byte.-Overview:...
each of which may take any value.
It is legitimate for multiple access points to share the same SSID if they provide access to the same network as part of an extended service set.
Some wireless access points support broadcasting multiple SSIDs, allowing the creation of virtual access points, partitioning a single physical access point into several virtual access points, each of which can have a different set of security and network settings. This is not yet part of the 802.11 standard.
Basic service set
The basic service set (BSS) is the basic building block of an 802.11 wireless LAN. In infrastructure mode, a single access point (AP) together with all associated stationStation (networking)
In IEEE 802.11 terminology, a station is a device that has the capability to use the 802.11 protocol. For example, a station may be a laptop, a desktop PC, PDA, access point or Wi-Fi phone. A STA may be fixed, mobile or portable...
s (STAs) is called a BSS. This is not to be confused with the coverage of an access point, which is called basic service area (BSA). An access point acts as a master to control the stations within that BSS. In ad hoc mode a set of synchronized stations, one of which acts as master, forms a BSS. Each BSS is identified by a BSSID. The most basic BSS consists of one access point and one station.
Independent basic service set (IBSS)
With 802.11, it is possible to create an ad-hoc networkWireless ad-hoc network
A wireless ad-hoc network is a decentralized type of wireless network. The network is ad hoc because it does not rely on a preexisting infrastructure, such as routers in wired networks or access points in managed wireless networks...
of client devices without a controlling access point called an independent basic service set (IBSS), in which case the SSID is chosen by the client device that starts the network, and broadcasting of the SSID is performed in a pseudo-random order by all devices that are members of the network.
Extended service set
An extended service set (ESS) is a set of one or more interconnected BSSs and integrated local area networks that appear as a single BSS to the logical link controlLogical Link Control
The logical link control data communication protocol layer is the upper sub-layer of the data link layer in the seven-layer OSI reference model...
layer at any station associated with one of those BSSs.
The set of interconnected BSSs must have a common service set identifier (SSID). They can work on the same channel, or work on different channels to boost aggregate throughput
Throughput
In communication networks, such as Ethernet or packet radio, throughput or network throughput is the average rate of successful message delivery over a communication channel. This data may be delivered over a physical or logical link, or pass through a certain network node...
.
Basic service set identification (BSSID)
A related field is the basic service set identification (BSSID), which uniquely identifies each BSS (the SSID however, can be used in multiple, possibly overlapping, BSSs). In an infrastructure BSS, the BSSID is the MAC addressMAC address
A Media Access Control address is a unique identifier assigned to network interfaces for communications on the physical network segment. MAC addresses are used for numerous network technologies and most IEEE 802 network technologies, including Ethernet...
of the wireless access point
Wireless access point
In computer networking, a wireless access point is a device that allows wireless devices to connect to a wired network using Wi-Fi, Bluetooth or related standards...
(WAP). In an IBSS, the BSSID is a locally administered MAC address generated from a 46-bit random number. The individual/group bit of the address is set to 0 (individual). The universal/local bit of the address is set to 1 (local).
A BSSID with a value of all 1s is used to indicate the broadcast BSSID. A broadcast BSSID may only be used during probe requests.
Security gains of SSID hiding
Many access points allow a user to turn off the broadcast of the SSID. With many network client devices, this results in the detected network displaying as an unnamed network and the user would need to manually enter the correct SSID to connect to the network.Unfortunately, turning off the broadcast of the SSID may lead to a false sense of security. The method discourages only casual wireless snooping, but does not stop a person trying to attack the network.
It is not secure against determined crackers, because every time someone connects to the network, the SSID is transmitted in cleartext even if the wireless connection is otherwise encrypted. An eavesdropper can passively sniff
Packet sniffer
A packet analyzer is a computer program or a piece of computer hardware that can intercept and log traffic passing over a digital network or part of a network...
the wireless traffic on that network undetected (with software like Kismet), and wait for someone to connect, revealing the SSID. Alternatively, there are faster (albeit detectable) methods where a cracker spoofs a "disassociate frame" as if it came from the wireless bridge, and sends it to one of the clients connected; the client immediately re-connects, revealing the SSID.
As disabling SSID does not offer protection against determined crackers, proven security methods should be used such as requiring 802.11i/WPA2
Wi-Fi Protected Access
Wi-Fi Protected Access and Wi-Fi Protected Access II are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks...
.
Microsoft discourages SSID-hiding because it leads to clients probing for the SSID in plain text. This not only exposes the SSID that was meant to be hidden but also allows a fake accesspoint to offer a connection.
Programs that act as fake accesspoints are freely available. For example "airbase-ng"
and "Karma".