With the spread of the mobile Internet, users expect faster, cheaper or even free network access anytime, anywhere. WLAN, with its high bandwidth and low cost, is the access technology of choice for high-speed wireless networking, so more and more places now offer WLAN access. It is an open public service carried over an open medium (the air): data signals are transmitted on electromagnetic waves, and the two communicating parties are not joined by any physical cable. If the wireless signal is not properly encrypted while it travels through the air, the risk to the transmitted data rises sharply. At the hacker conference in Las Vegas in 2001, security experts pointed out that wireless networks would become another hot spot for attackers. Securing the transmitted signal in a WLAN is therefore especially important.

The security mechanisms provided by the 802.11 protocol protect well against ordinary network attacks, but some attackers can still break into a wireless network, and these mechanisms cannot adequately protect a network that carries sensitive data. To better prevent unauthorized users from accessing the network, a security mechanism stronger than basic 802.11 must be deployed.

Data security of WLAN service:

1. Plaintext data

This is essentially a WLAN service without any security protection: none of the data packets are encrypted.

2. WEP (Wired Equivalent Privacy) encryption

WEP protects the confidentiality of data exchanged by authorized users on the wireless LAN and prevents that data from being casually eavesdropped. It uses the RC4 stream cipher for confidentiality and a shared key for authentication, which in theory makes eavesdropping, session hijacking and similar attacks harder. Although WEP-104 improves WEP encryption to some extent, WEP remains a considerable security risk because of the RC4 algorithm, its too-short initialization vector and its statically configured key.

WEP is a MAC-layer encryption scheme that protects the link between the terminal and the AP, built on the symmetric-key RC4 algorithm. WEP uses a static key, and all STAs use the same key to access the wireless network. WEP encryption can be used with both the Open System and the Shared Key link authentication methods.

3. TKIP encryption (Temporal Key Integrity Protocol)

TKIP is a transitional scheme designed to strengthen the WEP encryption mechanism. Like WEP it uses the RC4 algorithm, but it gives WLAN services stronger protection, mainly in the following respects. A static WEP key is configured manually and shared by all users in a service area, whereas TKIP keys are produced by dynamic negotiation and every transmitted packet has a unique key. TKIP increases the key length from WEP's 40 bits to 128 bits and the initialization vector (IV) from 24 bits to 48 bits, which improves on WEP. TKIP also supports a MIC (Message Integrity Check) and prevents replay attacks: the sender computes a MIC (message integrity code) and appends it to the MSDU before the MSDU is fragmented, so the MIC covers the whole MSDU and fragmentation, which operates on MPDUs, does not affect it. After receiving the MPDU fragments, the receiver first reassembles them into an MSDU and then verifies the MIC.

4. CCMP protocol

The CCMP encryption mechanism is based on the CCM method (Counter Mode with CBC-MAC) built on AES (Advanced Encryption Standard). CCM combines CTR (counter mode) for confidentiality with CBC-MAC (cipher block chaining message authentication code) for authentication and integrity. CCM protects the integrity of the MPDU data field and of selected fields in the IEEE 802.11 header. All AES processing in CCMP uses a 128-bit key and a 128-bit block size. Each session requires a new ephemeral key, and CCM requires a unique nonce for every frame encrypted under a given ephemeral key; CCMP uses a 48-bit PN (packet number) for this purpose. Reusing a PN under the same ephemeral key invalidates all of the security guarantees.

User access authentication:

1. PSK

PSK authentication requires the same pre-shared key to be configured on the wireless client and on the device. If the keys match, PSK access authentication succeeds; if they differ, it fails.

2. MAC access authentication

MAC address authentication controls users' network access rights based on the port and the MAC address. By manually maintaining a list of MAC addresses that are allowed access, the client's physical address can be filtered. However, the efficiency of this method declines as the number of terminals grows, so MAC address authentication suits environments with low security requirements, such as homes and small offices.

MAC authentication is divided into local MAC authentication and RADIUS server authentication.

3. 802.1X authentication

The 802.1X protocol is a port-based network access control protocol, and it is also a way to increase WLAN security. After a client associates with the AP, whether it can use the wireless service the AP provides depends on the 802.1X authentication result: a client that passes authentication can access resources on the WLAN; one that fails cannot.
