beautypg.com

Wlan data security – H3C Technologies H3C MSR 50 User Manual

Page 43

background image

34

d.

The AP uses the shared key to de-encrypt the challenge and compares the result with that

received from the client. If they are identical, the client passes the authentication. If not, the
authentication fails.

Figure 12 Shared key authentication process

WLAN data security

Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN

devices share the same medium and thus every device can receive data from any other sending device.
Plain-text data is transmitted over the WLAN if there is no security service.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices

without the right key cannot read encrypted data.

1.

WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized
users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream

encryption method) for confidentiality and supports WEP40, WEP104, and WEP128 keys.
Although WEP encryption increases the difficulty of network interception and session hijacking, it

still has weaknesses due to limitations of RC4 encryption algorithm and static key configuration.

2.

TKIP encryption
Temporal key integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has several
advantages over WEP, and provides more secure protection for WLAN as follows:

{

First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption,
TKIP encryption uses 128-bit RC4 encryption algorithm, and increases the length of IVs from 24

bits to 48 bits.

{

Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces

a single static key with a base key generated by an authentication server. TKIP dynamic keys
cannot be easily deciphered.

{

Third, TKIP offers MIC and countermeasures. If a packet fails the MIC, the data might be
tampered, and the system might be attacked. If two packets fail the MIC in a certain period, the

AP automatically takes countermeasures. It will not provide services in a certain period to

prevent attacks.

3.

AES-CCMP encryption
CTR with CCMP is based on the CCM of the AES encryption algorithm. CCM combines CTR for
confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both
the MAC Protocol Data Unit (MPDU) Data field and selected portions of the IEEE 802.11 MPDU

AP

Client

Authentication Request

Authentication Response(Challenge)

Authentication(Encrypted Challenge)

Authentication Response(Success)

This manual is related to the following products: