When the WPA system is working, the AP first publishes its own WPA support to the outside, and uses the newly defined WPA information element in beacons, probe response, and other reports ), these information elements contain AP security configuration information (including encryption algorithm and Security Configuration ). Sta selects the corresponding security configuration based on the received information, and displays the selected security configuration in the Association Request and re-association request messages it sends. In this way, WPA implements the encryption algorithm and key management negotiation between the STA and AP. An AP that supports WPA must be associated with an AP in WPA mode in the open system authentication mode. If a RADIUS server is used as the authentication server in the network, then, the sta authenticates using 802.1x. If there is no radius in the network, the STA and the AP use the pre-shared key (PSK, pre-shared key. After the sta passes 802.1x authentication, the AP will get the same session key as the STA, and the AP and STA will use the session key as the PMK (pairwise master key, for pre-shared keys, PSK is PMK ). Then the AP and sta through the EAPOL-KEY WPA four handshakes (4-way handshake) process ,. In this process, the AP and sta both confirm whether the other party holds the same PMK as their own. If they are inconsistent, the four handshakes fail. To ensure the integrity of the transmission, the verification code named mic (message integrity code) is used during the handshake. During the four handshakes, the AP and sta negotiate and calculate a 512-bit PTK (pairwise transient Key), and divide the PTK into five key pairs for different purposes ,: Among them, the first 128 bits are used for calculating and verifying the Mic key of the EAPOL-KEY message, and the subsequent 128 bits are used as the key to encrypt the EAPOL-KEY; the next 128 bits serve as the basic key for the encryption key for the AP to communicate with the sta (that is, the key obtained after the key is calculated as the key between the two ); the last two 64-bit keys are used as the mic computing and verification keys for the packets between the AP and the sta respectively. The five keys decomposed by the PTK are the keys used between the AP and the sta (so each user key is also called, used to encrypt a single broadcast between the AP and the STA). These keys will never appear in any form on the wireless network. After confirming that the PMK held by both parties is consistent, the AP will instruct the sta to install and use the private key of each user based on its own ability to support each user key. In order to enable the existing devices to implement WPA through software/firmware upgrades, the Protocol stipulates that the AP may not adopt the PTK method, instead, the GTK to be described below is used as the key used by the AP to send a single message to the STA. If the AP notifies the sta to install and use the PTK, the sta installs the corresponding key into the wireless network card after sending a EAPOL-KEY packet to the AP. After the four handshakes are successful, the AP generates a 256-bit GTK (group transient Key), which is a group of global encryption keys, all Stas associated with the AP use the same GTK. The AP uses this GTK to encrypt all the Stas communication packets associated with the AP, sta uses this GTK to decrypt the packets sent by the AP and verify its MIC. The key can be divided into three key types for different purposes. The first 128 bits serve as the base key for constructing the global "per packet key" (Per-packet encryption key ), the next two 64-bit keys serve as the mic keys for calculating and verifying WPA data packets respectively. The AP uses the EAPOL-KEY encryption key to encrypt GTK and sends it to the STA, specifying whether the GTK allows Stas to send messages. After the sta successfully receives the message and decrypts GTK, sends a response packet to the AP and installs the corresponding location of the wireless network adapter according to the key index indicated by the AP. If the AP uses GTK as the key for unicast transmission to a STA, then, the sta also needs to use GTK as the key to send a single broadcast message to the AP. TKIP does not directly use the key decomposed by PTK/GTK as the key to encrypt packets, but uses the key as the base key. After two phases of key mixing, to generate a new key that is different for each packet transmission. This key is used for direct encryption. This method can further enhance the security of WLAN. Key Generation Method: In WPA, AP supports hybrid access between WPA and WEP wireless clients. When a sta is associated with an AP, the AP can determine which clients support the use of WPA based on the existence of WPA information elements in the sta Association Request. However, in hybrid access, WEP is used for all the encryption algorithms used by WPA clients, which reduces the overall security of the wireless LAN. |