You must know the security technology system of WLAN

With the tide of mobile Internet, there is a huge demand for people to enjoy faster, lower and even free network access anytime, anywhere.

The high-bandwidth and low-cost characteristics of wireless WLAN are precisely the access technology for high-speed wireless networking that meets this huge demand, making wireless WLAN access services available in more and more areas. As an open public service, and through an open medium (air), using electromagnetic waves as a carrier to transmit data signals, the wireless communication parties are not connected by physical cables.

If the wireless signal transmission in the air does not take proper encryption protection, the risk of data transmission will increase greatly. At the 2001 Hackers Conference in Las Vegas, security experts pointed out that wireless networks will become another hot spot for hackers. Therefore, it is particularly important to ensure the safety of transmitted signals in WLAN.

The wireless security performance provided by the 802.11 protocol can well resist general network attacks, but there are still a few hackers who can invade the wireless network, which cannot fully protect the network containing sensitive data. In order to better prevent unauthorized users from accessing the network, an advanced security mechanism with a performance higher than 802.11 needs to be implemented.

Data security for WLAN services:

1. Clear text data

This kind of service is essentially a WLAN service without security protection, and all data packets are not encrypted.

2. WEP cable equivalent encryption

It is used to protect the confidentiality of the data exchanged by authorized users in the wireless local area network and prevent the data from being eavesdropped randomly. WEP uses the RC4 encryption algorithm to ensure data confidentiality and achieve authentication through shared keys. Theoretically increases the difficulty of attacks such as network interception and session interception. Although WEP104 improves the security of WEP encryption to a certain extent, but Limited by RC4 encryption algorithm, too short initial vector and static configuration key, WEP encryption still has a relatively large security risk.

WEP is a MAC layer encryption algorithm that protects the security base between the terminal and the AP, and is based on the RC4 algorithm for symmetric keys. WEP encryption uses a static key, and all STAs use the same key to access the wireless network. WEP encryption can be used in Open system and Shared key link authentication methods.

3. TKIP encryption (Temporary Key Integration Protocol)

A transition plan designed to enhance the WEP encryption mechanism. It also uses the RC4 algorithm as the WEP encryption mechanism, but compared to the WEP encryption mechanism, the TKIP encryption mechanism can provide more secure protection for WLAN services.

Mainly reflected in the following points: the static WEP key is manually configured, and all users in a service area share the same key, and the TKIP key is generated by dynamic negotiation, and each transmitted data packet has Unique key; TKIP increases the length of the key from 40 bits of WEP to 128 bits, and the length of the initialization vector IV from 24 bits to 48 bits, which improves the security of WEP encryption;

TKIP supports MIC authentication (Message Integrity Check, message integrity check) and replay attack prevention functions. The sending end will use an encryption algorithm to calculate a MIC (message integrity code, message complete code). TKIP just needs to append the MIC to the MSDU before the MSDU is fragmented to form a new MSDU. , That's the MPDU thing. After receiving the MPDU fragments, the receiving end will first reassemble them into an MSDU, and then check the MIC.

4. CCMP protocol

The CCMP encryption mechanism is a CCM (Counter-Mode / CBC-MAC, block password chain-information check code) method based on the AES (Advanced Encryption Standard) encryption mechanism. CCM combines CTR (Counter mode, counter mode) for confidentiality verification and CBC-MAC (block cipher chain-information authenticity check code) for authentication and integrity verification.

CCM can protect the integrity of the selected field in the MPDU data segment and IEEE 802.11 header. All AES processes in CCMP use a 128-bit key and a 128-bit block size. Each session in CCM requires a new temporary key. For each frame encrypted by a given temporary key, the CCM also needs to determine a unique random value (nonce).

CCMP uses a 48-bit PN (packet number) for this purpose. For the same temporary key, repeated use of PN will invalidate all security guarantees.

User access authentication:

1. PSK

PSK authentication requires that the same pre-shared key is configured on the wireless client and device. If the keys are the same, PSK access authentication succeeds; if the keys are different, PSK access authentication fails.

2. MAC access authentication

MAC address authentication is an authentication method that controls users' network access rights based on ports and MAC addresses. By manually maintaining a set of allowed MAC address lists, the client's physical address is filtered, but the efficiency of this method will decrease as the number of terminals increases, so MAC address authentication is suitable for occasions where the security requirements are not high, such as Home, small office and other environments.

MAC authentication is divided into local MAC authentication and Radius server authentication.

3. 802.11X certification

The 802.1x protocol is a port-based network access control protocol, which is also a solution for WLAN to increase network security. After the client associates with the AP, whether the wireless service provided by the AP can be used depends on the authentication result of 802.1x. If the client can pass the authentication, it can access the resources in the WLAN; if it cannot pass the authentication, it cannot access the resources in the WLAN.

The above is the news sharing from the PASSHOT. I hope it can be inspired you. If you think today' s content is not too bad, you are welcome to share it with other friends. There are more latest Linux dumps, CCNA 200-301 dumps, CCNP Written dumps and CCIE Written dumps waiting for you.