Wlan data security – H3C Technologies H3C MSR 50 User Manual
Page 43
34
d.
The AP uses the shared key to de-encrypt the challenge and compares the result with that
received from the client. If they are identical, the client passes the authentication. If not, the
authentication fails.
Figure 12 Shared key authentication process
WLAN data security
Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN
devices share the same medium and thus every device can receive data from any other sending device.
Plain-text data is transmitted over the WLAN if there is no security service.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices
without the right key cannot read encrypted data.
1.
WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized
users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream
encryption method) for confidentiality and supports WEP40, WEP104, and WEP128 keys.
Although WEP encryption increases the difficulty of network interception and session hijacking, it
still has weaknesses due to limitations of RC4 encryption algorithm and static key configuration.
2.
TKIP encryption
Temporal key integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has several
advantages over WEP, and provides more secure protection for WLAN as follows:
{
First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption,
TKIP encryption uses 128-bit RC4 encryption algorithm, and increases the length of IVs from 24
bits to 48 bits.
{
Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces
a single static key with a base key generated by an authentication server. TKIP dynamic keys
cannot be easily deciphered.
{
Third, TKIP offers MIC and countermeasures. If a packet fails the MIC, the data might be
tampered, and the system might be attacked. If two packets fail the MIC in a certain period, the
AP automatically takes countermeasures. It will not provide services in a certain period to
prevent attacks.
3.
AES-CCMP encryption
CTR with CCMP is based on the CCM of the AES encryption algorithm. CCM combines CTR for
confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both
the MAC Protocol Data Unit (MPDU) Data field and selected portions of the IEEE 802.11 MPDU
AP
Client
Authentication Request
Authentication Response(Challenge)
Authentication(Encrypted Challenge)
Authentication Response(Success)