Client access authentication – H3C Technologies H3C WA2600 Series WLAN Access Points User Manual
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption for confidentiality. WEP encryption is classified as static or dynamic according to how the WEP key is generated.
- Static WEP encryption
  With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is recovered or lost, an attacker obtains all data encrypted with it. In addition, periodic manual key updates impose a heavy management workload.
- Dynamic WEP encryption
  Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol, so that each client is assigned a different WEP key, which can be updated periodically to further improve the security of unicast frame transmission.
Although WEP encryption makes network interception and session hijacking more difficult, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
3) TKIP encryption
Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP and provides more secure protection for a WLAN, as follows:
- First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm and increases the length of IVs from 24 bits to 48 bits.
- Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.
- Third, TKIP offers a Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing service for a certain period to prevent attacks.
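The countermeasure described in the third point can be modelled as a small state machine: remember recent MIC failures, forget those that fall outside the window, and suspend service when the second failure lands inside it. The Go program below is an added example and not code from the H3C manual or the WA2600 firmware; the 60-second window and hold-off are constructed values, because the manual does not state the AP's actual timers.

```go
package main

import (
	"fmt"
	"time"
)

// micMonitor implements the countermeasure described for TKIP: when the second
// MIC failure arrives within the window, service is suspended for the hold-off.
type micMonitor struct {
	window, holdOff time.Duration
	limit           int
	failures        []time.Time
	blockedUntil    time.Time
}

// inService reports whether frames are being processed at time now.
func (m *micMonitor) inService(now time.Time) bool { return !now.Before(m.blockedUntil) }

// recordFailure logs one MIC failure at now and returns true when it trips the
// countermeasure. Failures older than the window are forgotten first, so two
// failures far apart in time do not count against the client.
func (m *micMonitor) recordFailure(now time.Time) bool {
	recent := []time.Time{now}
	for _, t := range m.failures {
		if now.Sub(t) < m.window {
			recent = append(recent, t)
		}
	}
	m.failures = recent
	if len(recent) >= m.limit {
		m.blockedUntil = now.Add(m.holdOff)
		m.failures = nil
		return true
	}
	return false
}

func main() {
	// Window and hold-off are constructed demo values, not the AP's defaults.
	m := &micMonitor{window: 60 * time.Second, holdOff: 60 * time.Second, limit: 2}
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	fmt.Println("first failure trips:", m.recordFailure(t0))                                 // false
	fmt.Println("second failure 10s later trips:", m.recordFailure(t0.Add(10*time.Second))) // true
	fmt.Println("in service 40s after first failure:", m.inService(t0.Add(40*time.Second))) // false
	fmt.Println("in service once hold-off expires:", m.inService(t0.Add(71*time.Second)))   // true
}
```

The sliding window matters for tuning: a monitor that never forgets old failures would eventually suspend every client with a marginal radio link, while one with too short a window lets a deliberate forgery attempt stay below the limit.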
4) CCMP encryption
Counter mode (CTR) with CBC-MAC Protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality with CBC-MAC for authentication and integrity, and protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block cipher in CCMP uses a 128-bit key and a 128-bit block size. Like TKIP, CCMP includes a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During encryption, CCMP uses a 48-bit packet number (PN) so that each encrypted packet carries a different PN, which improves security to a certain extent.
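To make the CCM construction concrete, the Go program below builds the 13-byte nonce from a priority octet, the transmitter address and the 48-bit PN, authenticates header fields as additional authenticated data with AES-CBC-MAC, encrypts the payload with AES-CTR and verifies the 8-byte MIC on receipt, so that a single flipped ciphertext bit, an altered header field or a frame replayed under a different PN is rejected. It is an added example, not code from the H3C manual or the WA2600 firmware. It follows the RFC 3610 CCM layout with CCMP's parameters (8-byte MIC, 2-byte length field) but has not been checked against 802.11 test vectors; the priority octet is simplified to a plain byte, and the key, transmitter address, header bytes and payload are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/subtle"
	"encoding/binary"
	"errors"
	"fmt"
)

// CCMP's CCM parameters: M=8 (8-byte MIC), L=2 (2-byte length field), so a 13-byte nonce.
const micLen, lenField, nonceLen = 8, 2, 13

var errMIC = errors.New("MIC check failed, frame discarded")

// ccmpNonce packs the priority octet, the 6-byte transmitter address and the low
// 48 bits of the packet number (most significant octet first) into the nonce.
func ccmpNonce(priority byte, ta [6]byte, pn uint64) [nonceLen]byte {
	var n [nonceLen]byte
	n[0] = priority
	copy(n[1:7], ta[:])
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], pn)
	copy(n[7:], b[2:])
	return n
}

// counterBlock is CTR block i: flags octet (L-1), the nonce, a 2-byte counter.
func counterBlock(nonce [nonceLen]byte, i uint16) []byte {
	a := make([]byte, aes.BlockSize)
	a[0] = lenField - 1
	copy(a[1:], nonce[:])
	binary.BigEndian.PutUint16(a[aes.BlockSize-lenField:], i)
	return a
}

// pad zero-fills b up to the next AES block boundary.
func pad(b []byte) []byte { return append(b, make([]byte, (aes.BlockSize-len(b)%aes.BlockSize)%aes.BlockSize)...) }

// cbcMAC is CCM's integrity half: AES-CBC-MAC over B0 (flags, nonce, payload
// length), the length-prefixed AAD and the plaintext, each zero-padded to a block.
func cbcMAC(block cipher.Block, nonce [nonceLen]byte, aad, pt []byte) []byte {
	b0 := make([]byte, aes.BlockSize)
	b0[0] = byte(8*((micLen-2)/2) + (lenField - 1)) // CCM flags octet
	copy(b0[1:], nonce[:])
	binary.BigEndian.PutUint16(b0[aes.BlockSize-lenField:], uint16(len(pt)))
	msg := b0
	if len(aad) > 0 { // Adata bit; AAD shorter than 2^16-2^8 bytes takes a 2-byte length prefix
		b0[0] |= 0x40
		msg = pad(append(append(msg, byte(len(aad)>>8), byte(len(aad))), aad...))
	}
	msg = pad(append(msg, pt...))
	mac := make([]byte, aes.BlockSize)
	for i := 0; i < len(msg); i += aes.BlockSize {
		for j := range mac {
			mac[j] ^= msg[i+j]
		}
		block.Encrypt(mac, mac)
	}
	return mac[:micLen]
}

// seal is CCM encryption: AES-CTR from counter block 1 over the payload, then
// the CBC-MAC masked with counter block 0 appended as the MIC.
func seal(block cipher.Block, nonce [nonceLen]byte, aad, pt []byte) []byte {
	out := make([]byte, len(pt)+micLen)
	cipher.NewCTR(block, counterBlock(nonce, 1)).XORKeyStream(out, pt)
	s0 := make([]byte, aes.BlockSize)
	block.Encrypt(s0, counterBlock(nonce, 0))
	for i, t := range cbcMAC(block, nonce, aad, pt) {
		out[len(pt)+i] = t ^ s0[i]
	}
	return out
}

// open decrypts, re-derives the MIC from the recovered plaintext and rejects the
// frame on any mismatch, so a flipped ciphertext bit or an altered header is caught.
func open(block cipher.Block, nonce [nonceLen]byte, aad, frame []byte) ([]byte, error) {
	if len(frame) < micLen {
		return nil, errMIC
	}
	n := len(frame) - micLen
	pt := make([]byte, n)
	cipher.NewCTR(block, counterBlock(nonce, 1)).XORKeyStream(pt, frame[:n])
	if subtle.ConstantTimeCompare(seal(block, nonce, aad, pt)[n:], frame[n:]) != 1 {
		return nil, errMIC
	}
	return pt, nil
}

func main() {
	block, _ := aes.NewCipher([]byte("constructed-key!")) // 16-byte demo key, not a real temporal key
	ta := [6]byte{0x00, 0x11, 0x22, 0x33, 0x44, 0x55}        // constructed transmitter address
	aad := []byte("constructed header fields")
	frame := seal(block, ccmpNonce(0, ta, 1), aad, []byte("hello over the air"))
	pt, err := open(block, ccmpNonce(0, ta, 1), aad, frame)
	fmt.Printf("intact frame: %q err=%v\n", pt, err)
	frame[0] ^= 0x80 // one flipped ciphertext bit
	_, err = open(block, ccmpNonce(0, ta, 1), aad, frame)
	fmt.Println("tampered frame:", err)
}
```

Because the PN is part of the nonce, the same key never produces the same keystream or MIC mask for two frames, which is why the manual stresses that every packet carries a different PN. A receiver also keeps the last accepted PN per link and discards frames whose PN does not increase, which turns the PN into replay protection as well; that check is left out of the example to keep it short.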
Client Access Authentication
After a wireless client sets up a wireless link with an AP, the client is considered to have accessed the wireless network. However, for the security and manageability of the wireless network, the client can access network resources only after passing subsequent authentication. Among the authentication mechanisms, preshared key (PSK) authentication and 802.1X authentication accompany the dynamic key negotiation and management of the wireless link, and are therefore closely related to wireless link negotiation, although they are not part of the wireless link itself.