[WLAN from entry to the master - Basics] WLAN security policy

Wi-Fi is almost everywhere, but in most cases, even if you can scan the wireless signal, you cannot get access without passing authentication. Look at the SSID list on your phone: some entries show "protected by WPA2", "protected by 802.1X" or similar information. That is because those wireless networks use the WLAN security policies we want to share in this issue.

I. Why do we need a WLAN security policy?

Just as entering a building needs an access card and a safe needs a password, there are many places in our lives that need security protection. WLAN is more and more popular because of its flexibility, mobility and other advantages, but by its very nature it is vulnerable to attack, and users can easily leak information, so improving security has become an important subject for WLAN. This is how WLAN security policies came into being.

We pick up the phone, turn on WLAN, select the SSID of the network to access, enter the password (in some authentication modes a user name may also be required), the connection succeeds, and we are online. Behind the scenes, the WLAN security policy has been applied successfully. It is a complete set of security mechanisms covering link authentication, access authentication, key negotiation and data encryption.

Link authentication is aimed at the terminal device's hardware; only a terminal that passes link authentication can connect to the AP. With open system authentication, the user does not have to do anything and does not even perceive this authentication. With shared key authentication, the link authentication key needs to be set on the STA in advance.

Access authentication is aimed at the person using the terminal, and typically requires the user to enter a password or other credentials. If the device passes link authentication but the person is not authorized (does not have the password), the user still cannot get on the network. Access authentication ensures that only people who know the correct password can access the wireless network.

Our Internet activity generates a lot of data exchange. Encrypting the data before transmission ensures that it cannot easily be stolen or tampered with in transit, protecting information security and personal privacy. The encryption key is generally negotiated dynamically between the terminal and the access device beforehand. Both key negotiation and data encryption are done automatically; the user does not need to do anything.

With this set of security mechanisms, a WLAN has basic security.

II. What WLAN security policies are there?

WLAN security policies include WEP, WPA, WPA2 and WAPI. Let's look at how WLAN security policies have evolved.

1、WEP

WEP (Wired Equivalent Privacy) is the security protocol for WLAN defined by the 802.11 standard. It uses the RC4 encryption algorithm. RC4 is a stream cipher with a variable key length: the system generates a 24-bit initialization vector, and a 40-bit, 104-bit or 128-bit key is configured on both the WLAN service and the client; together these form the final 64-bit, 128-bit or 152-bit key used for encryption.

The WEP security policy involves link authentication and data encryption; it does not involve access authentication or key negotiation.

Link authentication

WEP link authentication supports two methods: open system authentication and shared key authentication.

  • Open system authentication can be understood as virtually no authentication. Any STA that tells the AP "I request authentication" gets the reply "authenticated".

For example, if you connect to a wireless network found by scanning and that network uses open system authentication, you do not need to enter any credentials; the system simply prompts that you are already connected to the wireless network.

  • With shared key authentication, the STA and the AP must be configured with the same key in advance; during link authentication the AP verifies that the keys on both sides are the same. If they match, authentication succeeds; otherwise it fails.

[Figure: shared key authentication process]

Note that the authentication key configured on the STA here is used only for link authentication and is independent of access authentication. Any user whose STA is configured with the correct shared key can associate with the wireless network. However, if the wireless network is also configured with access authentication, the user still needs to enter the SSID's access password (assuming the STA has not saved it automatically) before going online.

(For more on link authentication, see [WLAN from entry to the master - Basics] No. 8: STA access procedure.)

Data encryption

  • If open system authentication is selected, after a user logs in, you can choose whether the service encrypts data. If encryption is selected, an encryption key needs to be configured.

For example, in WLAN V200R005:

Running wep authentication-method open-system configures open system authentication without encrypting data packets;

Running wep authentication-method open-system data-encrypt configures open system authentication and encrypts data packets.

  • If shared key authentication is selected, the shared key is used to encrypt the data traffic.

Under WEP data encryption, all users use the same encryption key.

In practice, when the WEP open system authentication policy is selected, it is often used together with Portal authentication or MAC authentication to control user access and improve network security.

(This issue only takes a brief look at MAC authentication and Portal authentication; for more on NAC, see [Switch Jianghu] Chapter 28: the story of a gatekeeper (1).)

MAC authentication is generally used for user terminals that cannot install an 802.1X client, and for mobile phones that need 802.1X access without installing an 802.1X client. MAC authentication controls a user's network access rights based on the port and the MAC address: the administrator only needs to add the STA's MAC address on the authentication server, and authentication then completes automatically without the user entering any credentials.

MAC authentication can be performed by the access device or by a dedicated authentication server. For security reasons, the latter is usual.

Next, let's look at the MAC authentication process. (Note: all illustrations in this article take the AC + FIT AP architecture as an example.)

[Figure: MAC authentication process]

As shown above, the AC sends the user name and password (typically the MAC address) to the authentication server. If authentication succeeds, the AC authorizes the port and the STA can access the network through that port.

If you want users to pass access authentication only through a Web interface, you can use the Portal authentication function. Portal authentication, also called Web authentication, asks users to enter authentication information when they access the portal, and the authentication server then completes the user's authentication. Portal authentication does not require an authentication client to be installed; anything with a browser, whether a computer or a mobile phone, can use it.

You may have noticed that many public wireless networks are not encrypted themselves, yet when you visit a web page a prompt appears asking you to enter a user name and password, and until you are authenticated you can only access the specified page. This indicates that these wireless networks use Portal authentication.

For example, the following is the Portal authentication page a campus network uses to authenticate its users.

[Figure: campus network Portal authentication page]

In the early stages of WLAN development, WEP protected wireless network security to some extent, but it has many hidden dangers, such as:

  • Static keys: all STAs accessing the same SSID use the same key. Compromise of one STA's key leaks every other user's key.
  • The 24-bit initialization vector is easily reused and is transmitted in clear text. If an attacker collects wireless packets containing specific initialization vectors and parses them, it is quite likely the complete key can be recovered.
  • The RC4 encryption algorithm used by WEP has been proven to have security flaws.

Both WEP's encryption mechanism and the encryption algorithm itself are vulnerable to security threats. Its many shortcomings led the organization that defines 802.11 to start work on a new security standard.

2、WPA/WPA2

To solve the security problems of WEP, before a more secure security policy was formally released, the Wi-Fi Alliance launched the WPA security policy. WPA uses the TKIP (Temporal Key Integrity Protocol) encryption algorithm, provides a key reset mechanism and increases the effective key length, largely making up for the deficiencies of WEP.

Then the 802.11i security standard body launched an enhanced version, WPA2. WPA2 uses the CCMP (Counter Mode with CBC-MAC Protocol) encryption mechanism, which combines counter mode with a cipher block chaining message authentication code. It is based on the AES (Advanced Encryption Standard) symmetric block cipher and is harder to crack than TKIP.

Currently, both WPA and WPA2 can use either the TKIP or the AES encryption algorithm for better compatibility, and there is almost no difference in security between them.

The WPA/WPA2 security policy involves link authentication, access authentication, key negotiation and data encryption.

Link authentication

WPA/WPA2 support only open system authentication (the same open system authentication described above for the WEP security policy).

Access Authentication

WPA/WPA2 provide two access authentication modes:

  • WPA/WPA2 Enterprise: in large enterprise networks, 802.1X access authentication is usually used. 802.1X authentication is a network access control method: the user provides the required credentials, such as a user name and password, through the client interface, and a dedicated authentication server (typically a RADIUS server) authenticates the user using EAP (Extensible Authentication Protocol). WPA/WPA2 support 802.1X authentication with EAP-TLS (Transport Layer Security) and EAP-PEAP (Protected EAP).

[Figures: EAP-TLS and EAP-PEAP authentication processes]

EAP-TLS is based on a PKI certificate system, while EAP-PEAP does not require deploying a PKI system, ensuring security while reducing cost and complexity. In practice, we do not need to know the details of the authentication process; we only need to select the 802.1X authentication method in the client, and the rest is handled by the authentication server.


  • WPA/WPA2 Personal: for small and medium enterprise networks or home users, deploying a dedicated authentication server is too expensive and its maintenance too complex, so the WPA/WPA2 pre-shared key mode is often used. The WLAN device and the STA are configured with the same pre-shared key in advance, and the WLAN device judges whether the STA's pre-shared key matches its own by whether the negotiation messages can be decrypted successfully, thereby completing the STA's access authentication.

Key negotiation

The access authentication phase produces a pairwise master key PMK (Pairwise Master Key). From the PMK, the pairwise transient key PTK (Pairwise Transient Key) and the group temporal key GTK (Group Temporal Key) are derived. The PTK is used to encrypt unicast packets; the GTK is used to encrypt multicast and broadcast packets.

  • The unicast key negotiation is a four-way handshake.

[Figure: four-way handshake]

  • The multicast key negotiation is a two-way handshake, performed after the unicast key negotiation.

[Figure: group key handshake]
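As an added example (not code from the original article), the following Python works through the key hierarchy just described for WPA2-PSK: it derives the PMK from the pre-shared passphrase and SSID, derives the PTK from the PMK with both sides' MAC addresses and nonces, and performs the authenticator-side check of the Key MIC in four-way handshake message 2, which is the step that tells the WLAN device whether the STA holds the same pre-shared key. The MAC addresses, nonces and frame bytes are constructed sample values; the passphrase "password" with SSID "IEEE" is the published 802.11 test vector.

```python
# Added example (not from the original article): WPA2-PSK key hierarchy and the
# authenticator-side MIC check that implicitly authenticates the STA in the 4-way handshake.
import hashlib
import hmac

def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11 PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               nbytes: int = 48) -> bytes:
    """PTK from PMK, both MAC addresses and both nonces (min/max makes it order-independent).
    48 bytes for AES-CCMP: KCK (16) || KEK (16) || TK (16); TKIP uses 64 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)

def eapol_mic(kck: bytes, frame_with_zeroed_mic: bytes) -> bytes:
    """Key MIC for WPA2/AES: HMAC-SHA1 truncated to 16 bytes (WPA/TKIP uses HMAC-MD5)."""
    return hmac.new(kck, frame_with_zeroed_mic, hashlib.sha1).digest()[:16]

def authenticator_accepts(passphrase, ssid, aa, spa, anonce, snonce, frame, mic) -> bool:
    """What the AP/AC does on receiving message 2: rebuild the PTK and compare MICs."""
    ptk = derive_ptk(derive_pmk(passphrase, ssid), aa, spa, anonce, snonce)
    kck = ptk[:16]
    return hmac.compare_digest(eapol_mic(kck, frame), mic)

# Constructed sample values (not a real capture)
SSID, PSK = "IEEE", "password"
AA = bytes.fromhex("020000000001")       # AP MAC address (constructed)
SPA = bytes.fromhex("020000000002")      # STA MAC address (constructed)
ANONCE = bytes(range(32))                # constructed nonces (real ones are random)
SNONCE = bytes(range(32, 64))
MSG2 = b"constructed EAPOL-Key message 2 body with its MIC field zeroed"

def supplicant_mic(passphrase: str) -> bytes:
    """The STA computes the MIC with its own (possibly wrong) passphrase."""
    ptk = derive_ptk(derive_pmk(passphrase, SSID), AA, SPA, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], MSG2)

if __name__ == "__main__":
    print("PMK:", derive_pmk(PSK, SSID).hex())
    ok = authenticator_accepts(PSK, SSID, AA, SPA, ANONCE, SNONCE, MSG2, supplicant_mic(PSK))
    bad = authenticator_accepts(PSK, SSID, AA, SPA, ANONCE, SNONCE, MSG2, supplicant_mic("wrong-psk"))
    print("correct PSK accepted:", ok, "| wrong PSK accepted:", bad)
```

A STA with the wrong pre-shared key produces a different PMK, hence a different KCK and MIC, so the authenticator rejects message 2 without any password ever crossing the air.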


Data encryption

After the important processes above, both sides start encrypting the data they transmit. The encryption algorithm is TKIP or AES, and the encryption key is the key negotiated in the key negotiation stage.

WPA/WPA2 solve many of WEP's problems, but they only let the WLAN device authenticate the STA's identity; the identity of the WLAN device itself cannot be authenticated.

3、WAPI

WAPI (WLAN Authentication and Privacy Infrastructure) is a wireless security standard proposed by China. WAPI uses the ECDSA elliptic-curve public-key signature algorithm based on digital certificates, and the SMS4 symmetric block cipher algorithm, for wireless devices' digital certificates, certificate authentication, key negotiation and the encryption of transmitted data respectively. Through two-way authentication, digital-certificate credentials and an improved authentication protocol, it provides stronger security than WPA/WPA2.

The WAPI security policy involves link authentication, access authentication, key negotiation and data encryption.

Link authentication

WAPI supports only open system authentication.

Access Authentication

WAPI access authentication provides two methods:

  • Certificate-based: in large enterprise networks, certificate-based authentication is usual. Before authentication, both the STA and the AC must have their own certificates installed in advance; the authentication server then verifies the identities of both sides.

[Figure: WAPI certificate authentication process]

As the figure above shows, WAPI provides two-way authentication: not only does the STA authenticate itself to the authentication server, the AC does too. The AC controls the STA's access based on the STA's certificate authentication result, and the STA decides whether to access the WLAN service based on the AC's certificate authentication result. This both prevents illegal STAs from accessing the WLAN and frees the STA from the risk of joining an illegal WLAN device.
  • Pre-shared key based: for some small and medium enterprise networks or home users, deploying a certificate system is too expensive, so pre-shared key authentication is usually used (the same as the WPA/WPA2 Personal pre-shared key authentication described above).

Key negotiation stage

After successful authentication, the WLAN device initiates a key negotiation with the STA: first the unicast key used to encrypt unicast packets is negotiated, then the multicast key used to encrypt multicast packets.

[Figure: WAPI key negotiation process]

In addition to dynamic key negotiation, WAPI also provides a rekeying mechanism based on time and on the number of packets, so that a STA avoids the security risks of using the same key for a long time.

Data encryption stage

After the important processes above, both sides start encrypting the data they transmit. The encryption algorithm is SMS4, and the encryption key is the key negotiated in the key negotiation stage.

III. Which WLAN security policy to choose?

WLAN offers so many security policies; which one should we choose? The following table summarizes the usage scenarios and security of each security policy.

| Security policy | Link authentication | Access authentication | Encryption algorithm | Recommended scenario | Explanation |
|---|---|---|---|---|---|
| WEP-open | Open system authentication | None by itself; combined with MAC address authentication or Portal authentication | RC4 or none | Public places with high user mobility: airports, railway stations, business centers, conference venues. | Unsafe when used alone: any wireless terminal can access the network. Configure MAC address authentication or Portal authentication together with it. |
| WEP-share-key | Shared key authentication | Not involved | RC4 | Networks with lower security requirements. | WEP security is low; not recommended. |
| WPA/WPA2-PSK | Open system authentication | PSK authentication | TKIP or AES | Home users or small and medium enterprise networks. | Safer than WEP shared key authentication; no third-party server needed, low cost. |
| WPA/WPA2-802.1X | Open system authentication | 802.1X authentication | TKIP or AES | Large enterprise networks with high security requirements. | Safe, but requires a third-party server; high cost. |
| WAPI-PSK | Open system authentication | PSK authentication | SMS4 | Home users or small and medium enterprise networks. | Safer than WEP shared key authentication; no third-party server needed, low cost. Only some terminals support the protocol, so it is seldom used. |
| WAPI-certificate | Open system authentication | Certificate authentication | SMS4 | Large enterprise networks with high security requirements. | Safe, but requires a third-party server; high cost. Only some terminals support the protocol, so it is seldom used. |

As the table shows, when choosing a security policy you need to weigh the scenario, security requirements, cost and other aspects together.

In addition to security policies, WLAN also provides other security mechanisms, which we will continue to share in later issues of this series, so stay tuned!


Origin blog.csdn.net/yufen9987/article/details/104965990