How to deploy and operate WAPI on telecom networks

The WEP Security Mechanism defined in 802.11 protocol standards has defects in data security and user key management, which is a major obstacle for large-scale WLAN operation.

WAPI was released in China's national standard GB15629.11-2003 for wireless LAN, which consists of WAI and WPI, the concept of peer-to-peer access control is proposed to implement triple authentication for AE, ASUE, and ASE.

WAPI user roaming

Because WLAN users are millions of users, it is impossible to set up a wapi as server in China. The AS server must be set up at the provincial company level or the local network level based on the number of users. Users must be authenticated in different AS domains, that is, the roaming of WAPI users.

Specifically, there are two modes: Remote Authentication and local authentication.

Remote Authentication mode, that is, the user requires certificate authentication in other AS domains. AS discovers this user is not a local user through the Issuername field of the digital certificate, the WAI packet is immediately forwarded to the user's AS in the same region for authentication. Local Authentication mode, that is, AS directly authenticates the validity of the digital certificate, and checks whether the certificate is in the "Blacklist" to determine whether to allow the user to pass the authentication.

WAPI user authentication and Billing

The user's WLAN business must undergo triple authentication: wireless link encryption authentication, access authentication, and business authentication. When a wireless user terminal discovers that the WLAN network has the WAPI authentication function, it submits its own WAPI certificate information. After the WLAN device adds its own authentication information, it submits the AS together, AS authenticates the information of both devices and notifies the WLAN device and wireless user terminals of the authentication result. digital signatures are used throughout the authentication process, the Communication Key is negotiated between the WLAN device and the wireless user terminal. The entire wireless link encryption and authentication process runs in the background, and users do not need to participate manually.

If you use digital certificate authentication to replace the existing DHCP + Portal access authentication, the main problem is that you cannot achieve normal billing: After the wireless link encryption authentication is passed, the AC opens a controlled port, the data stream is allowed to enter the public network, but the AC cannot know when the user starts to use the network and cannot provide the billing start information. At the same time, the user does not have the proper offline means, and the system cannot detect whether the user is offline abnormally, unable to provide billing end information. In this way, you can only provide monthly subscription services.

Therefore, whether multiple authentication methods are unified must be differentiated between different users and different wireless user terminals.

Issuance and Management of WAPI digital certificates

Identity Authentication, certificate publishing, revocation, and other work is not simple.

Based on the certificate mechanism, the core components of PKI include:

CA (Certificate Authority, Certificate Certification Center)

CA is the core component of PKI. It is responsible for accepting users' requests, issuing and managing digital certificates, providing certificate query, accepting certificate cancellation requests, and providing CRL.

RA (Registration Authority, certificate Registry)

RA directly handles certificate application and management requests from end customers.

CRL (Certificate RevocationList, void Certificate List)

The list of void certificates, usually signed by the same issuing entity. When the owner of the public key loses the private key or changes the name, the original certificate must be voided.

Repository)

An electronic site stores the list of certificates and void certificates, the certificate used by the CA, And the void certificate.

User (Subscriber)

The user is the entity that signs the certificate as the subject and uses the certificate and the corresponding key according to the policy.

Root CA system

The Root CA system consists of the root certificate issuing system and root CRL. The root CA does not participate in the issuance of various user certificates after the system is officially run. Therefore, the Root CA is usually offline.

Level 2 CA system

The level-2 CA system is the most important part of the entire PKI/CA system and has the highest security requirements. It mainly includes: digital certificate issuing system, digital certificate application system, digital certificate service system, customer service system, and digital certificate management system.

RA Institution

The certificate Registry (RA) is distributed across different regions to meet the needs of certificate users in different regions for application, registration, review and issuance.

RA acceptance agency (RAT)

If the above RA organization still does not meet the work requirements of user dispersion, you can set up a RAT under the RA organization in the region. A ca root center is set up by a telecom operator to generate a second-level CA center for each provincial company, and then RA or RAT is set up on each regional network (see figure 1 ).

WAPI Digital Certificate acquisition and storage

The user's private key is very important and must be protected to ensure that the user's private key is not lost. If the certificate is lost, the CA must notify the CA to revoke its certificate to prevent other users from trusting the leaked certificate and causing unnecessary losses. According to different security requirements, users' certificates and their private keys can be stored in hard disks, smart cards, USB tokens, and other storage media:

Hard Disk (fixed storage medium)

The private key is protected by a password and encrypted and stored in the hard disk. The advantage of this method is that it does not require additional costs and is easy to use. Its disadvantage is its low security and does not support mobile office work. This method is very suitable for environments with low security requirements or with strong security protection. For mobile terminals, the certificate is installed in its flash memory.

Smart Card + card reader (dedicated portable storage medium)

Smart Card is a safe and reliable storage device. It uses an IC chip and Its Operating System (COS) to prevent attackers from stealing confidential information in the card. The advantage of this method is that it is highly secure and can be roaming on machines with card readers. The disadvantage is that it requires additional hardware investment and software installation.

USB-Key (General portable storage medium)

The advantage of this method is that it is highly secure and allows roaming on all machines (with USB interfaces). The disadvantage is that it requires additional hardware investment and corresponding software drivers.

Telecom operators provide users with two types of storage media: (1) and (3). Users can choose one. Select (1) storage medium. Except for low security, you must apply for a new certificate after changing the terminal or reinstalling the system. Select (3) storage medium, it has high security, but has high requirements on storage media. In particular, it must support the elliptic curve encryption algorithm (ECC) specified by WAPI digital signature ).

You can apply for a digital certificate from the Business Office (RA/RAT) or download it from the Internet using your computer or mobile phone. The former is suitable for providing digital certificates with Long validity periods, and the latter is suitable for providing short-term and temporary digital certificates.

1. WAPI multi-point attack on domestic wireless standards to be unified
2. Leveraging the wireless city plan, China's wireless standard WAPI will go to the front-end