
Wlan data security – H3C Technologies H3C WA3600 Series Access Points User Manual


Receiving a data frame from a client which is unauthenticated.

Receiving a PS-poll frame from a client which is unauthenticated.

2. Dissociation

A dissociation frame can be sent by an AP or a wireless client to break the current wireless link. In the wireless system, dissociation can occur due to many reasons, such as:

Receiving a data frame from a client which is authenticated and unassociated.

Receiving a PS-Poll frame from a client which is authenticated and unassociated.

WLAN data security

Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN devices share the same medium and thus every device can receive data from any other sending device. If no security service is provided, plain-text data is transmitted over the WLAN.

To secure data transmission, 802.11 protocols provide some encryption methods to ensure that devices without the right key cannot read encrypted data.

1. WEP encryption

Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption for confidentiality. WEP encryption falls into static and dynamic encryption according to how a WEP key is generated.

Static WEP encryption

With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers get all encrypted data. In addition, periodic manual key updates create a heavy management workload.

Dynamic WEP encryption

Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.

Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.

2. TKIP encryption

Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP and provides more secure protection for the WLAN, as follows:

First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses a 128-bit RC4 encryption algorithm and increases the length of IVs from 24 bits to 48 bits.

Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.

Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC in a certain period, the AP automatically takes countermeasures. It stops providing services for a certain period to prevent attacks.

3. CCMP encryption
