WEP (Wired Equivalent Privacy)
Despite the name, WEP is not a security option for wired networks. The WEP standard was created in the early days of wireless networking and was meant to be the necessary security layer for 802.11 wireless LANs. Its performance, however, has been thoroughly disappointing, and the cause is rooted in design defects.
In a WEP system, data sent over the wireless network is encrypted with the RC4 stream cipher, keyed by a short per-packet initialization vector (IV) prepended to a static shared key. The IV is only 24 bits long and is transmitted in the clear, so IVs repeat after a modest amount of traffic, and the way RC4 is keyed from the IV turned out to leak information about the shared key, so that it is easy for an intruder who captures enough frames to recover it. Even a moderately skilled wireless attacker can crack WEP encryption in two to three minutes.
WEP, the original IEEE 802.11 security mechanism, was designed in the late 1990s, when strong encryption technology was treated as a weapon subject to strict U.S. export controls, and vendors feared that wireless products built on strong algorithms could not be exported. Only a couple of years later WEP was found to have serious weaknesses. That 1990s mistake does not discredit wireless security or the IEEE 802.11 standard as a whole, but the wireless industry could not wait for the IEEE to revise the standard, so it launched the Temporal Key Integrity Protocol, TKIP, which is essentially a patched version of WEP.
Although WEP has long been shown to be outdated and ineffective, it is still supported by many modern wireless access points and routers, and it remains one of the most common encryption choices among individuals and companies. If you care about the security of your network, stop using WEP wherever you can, because it really is not secure.
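To make the design defects concrete, here is a small added example (written for this page, not taken from any WEP implementation or attack tool) that models WEP encapsulation in Python: RC4 keyed with the 24-bit IV prepended to the static key, and a CRC-32 integrity check value (ICV). The key, IVs and packet contents are constructed for illustration. It shows two flaws at once: a reused IV yields an identical keystream, so the XOR of two ciphertexts is the XOR of their plaintexts, and the CRC-32 check is linear, so an attacker can flip plaintext bits through the ciphertext and patch the ICV without knowing the key.

```python
"""Model of WEP encapsulation and two of its design defects.

Added example for this page: a toy WEP (RC4 + CRC-32 ICV) with a constructed
5-byte key and constructed packets. Not production code and not any vendor's
implementation.
"""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (3 bytes, in the clear) || RC4(IV || key)(plaintext || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)  # WEP-40 or WEP-104
    ks = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv(plaintext), ks)


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok). A receiver accepts the frame when icv_ok."""
    iv, body = frame[:3], frame[3:]
    pt_icv = xor(body, rc4_keystream(iv + key, len(body)))
    pt, tag = pt_icv[:-4], pt_icv[-4:]
    return pt, tag == icv(pt)


def keystream_reuse_leak(frame1: bytes, frame2: bytes) -> bytes:
    """Defect 1: two frames under the same key and IV share a keystream, so
    C1 xor C2 == P1 xor P2. With only 2^24 IVs, repeats are unavoidable."""
    assert frame1[:3] == frame2[:3], "same IV required"
    return xor(frame1[3:], frame2[3:])


def wep_bitflip_forgery(frame: bytes, delta: bytes) -> bytes:
    """Defect 2: CRC-32 is affine, crc(p ^ d) == crc(p) ^ crc(d) ^ crc(0...0),
    so an attacker flips plaintext bits via the ciphertext and patches the ICV
    without knowing the key. `delta` marks the plaintext bits to flip."""
    iv, body = frame[:3], frame[3:]
    assert len(delta) == len(body) - 4
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    mask = delta + struct.pack("<I", icv_delta & 0xFFFFFFFF)
    return iv + xor(body, mask)


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")        # constructed WEP-40 key
    iv = bytes.fromhex("000001")             # constructed, reused IV
    p1, p2 = b"amount=0100", b"amount=0250"  # constructed packets
    f1, f2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print("P1 xor P2 leaked:", keystream_reuse_leak(f1, f2)[: len(p1)].hex())
    delta = bytes(7) + bytes([ord("0") ^ ord("9")]) + bytes(3)  # 0100 -> 9100
    print("forged frame decrypts to:", wep_decrypt(key, wep_bitflip_forgery(f1, delta)))
```

Neither attack needs the shared key: the first needs only two captured frames with the same IV, the second only one frame and a guess about where the interesting bytes sit in the plaintext. TKIP's longer sequence counter and Michael MIC, and CCMP's AES-based authentication, were introduced precisely to close these two holes.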
WPA-PSK (TKIP)
Wireless networks initially used the WEP (Wired Equivalent Privacy) security mechanism, but WEP was later found to be insecure, so the 802.11 working group began developing a new security standard, which became the 802.11i protocol. Standards take a long time from drafting to final release, and consumers were not going to discard their existing wireless devices for the sake of security, so before 802.11i was finished the Wi-Fi Alliance developed, from the 802.11i draft, a security mechanism called WPA (Wi-Fi Protected Access). WPA uses TKIP (Temporal Key Integrity Protocol), which keeps the RC4 cipher used by WEP, so the hardware of existing wireless devices needs no modification. WPA addresses the following WEP problems: the IV is too short, key management is too simple, and there is no effective protection of message integrity (WEP's CRC-32 check value is not a cryptographic MAC). TKIP does this by extending the IV into a 48-bit sequence counter, mixing a fresh per-packet RC4 key from the temporal key, and adding the Michael message integrity code; the improvement is delivered through a software or firmware upgrade.
WPA gives users a complete authentication mechanism. The access point decides whether to admit a user to the wireless network based on the outcome of the user's authentication; after successful authentication, the encryption key of each user can be changed dynamically according to several criteria (number of packets transmitted, time since the user joined the network, and so on). In addition, a MIC (message integrity code) is computed over every packet the user sends over the wireless network, so that the data cannot be altered by others. As a subset of the 802.11i standard, the core of WPA is IEEE 802.1X and TKIP (Temporal Key Integrity Protocol).
WPA takes into account the different security needs of different users and applications. Enterprise users, for example, require a high level of protection (enterprise grade), since otherwise important commercial secrets could leak; home users usually only browse the web, send and receive e-mail, print, and share files, and have comparatively modest security requirements. To serve both, WPA defines two application modes: enterprise mode and home (including small office) mode.
Corresponding to the two application modes, WPA authentication also comes in two forms. Large enterprises usually use "802.1X + EAP", in which users present credentials to a dedicated authentication server (typically a RADIUS server). For small and medium-sized business networks and home users, WPA also provides a simplified mode that needs no dedicated authentication server. It is called "WPA pre-shared key" (WPA-PSK), and it only requires the same key (a passphrase) to be configured in advance on every WLAN node (AP, wireless router, client NIC, and so on).
This pre-shared key is used only for authentication, not directly for encrypting traffic. The data-encryption keys are generated dynamically after authentication, so each station gets its own pairwise session key; there is no situation where, as with WEP, the whole network encrypts with a single shared key, and security is therefore greatly improved. One caveat a practitioner should keep in mind: in PSK mode every station still shares the same passphrase, so anyone who knows it (or can guess it offline from a captured handshake, which is why a weak passphrase means a weak network) can derive another station's session key.
WPA2-PSK (AES)
After 802.11i was published, the Wi-Fi Alliance launched WPA2, which supports AES (Advanced Encryption Standard) and therefore requires new hardware. WPA2 uses CCMP (Counter Mode with CBC-MAC Protocol), which provides both confidentiality and integrity from AES. In WPA and WPA2 the pairwise transient key (PTK) is derived from the pairwise master key (PMK), and the PMK can be obtained in two ways. One is the PSK form, the pre-shared key: in this mode PMK = PSK, where the PSK is derived from the passphrase and the SSID. In the other, the authentication server and the station negotiate the PMK through EAP authentication.
IEEE 802.11 sets technical standards; the Wi-Fi Alliance sets commercial (certification) standards, which essentially follow the IEEE technical standards. WPA (Wi-Fi Protected Access) is a security standard developed by the Wi-Fi Alliance whose purpose is to support the technology-oriented security standard IEEE 802.11i. WPA2 is simply the second version of WPA; the reason there are two versions is the commercial timing of the Wi-Fi Alliance.
The 802.11i task group was set up to create a safer wireless LAN, so two new encryption protocols, TKIP and CCMP, were standardized in its encryption work (some wireless devices label CCMP as AES or AES-CCMP). Although TKIP significantly improves on WEP's weaknesses, it keeps the RC4 algorithm and the basic WEP architecture; in other words, TKIP inherits the weaknesses of RC4. 802.11i therefore created a new encryption protocol, CCMP, which is more secure and better suited to the wireless LAN environment. TKIP was completed before CCMP.
CCMP, however, took some time to finish, and with it the release of the IEEE 802.11i standard. To get a new security standard deployed as soon as possible, remove users' concerns about wireless LAN security and let the market expand quickly, the Wi-Fi Alliance developed WPA from IEEE 802.11i draft 3, in which TKIP was already complete. Once the IEEE completed and published the 802.11i wireless LAN security standard, the Wi-Fi Alliance promptly announced the second version of WPA (WPA2).
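The key hierarchy described above, as an added Python example written for this page from the 802.11i definitions (it is not code from any supplicant, access point or cracking tool): the passphrase and SSID become the PSK, which in PSK mode is the PMK; the PMK, the two MAC addresses and the two handshake nonces become the PTK through PRF-384 (CCMP) or PRF-512 (TKIP); and the KCK slice of the PTK authenticates the EAPOL-Key frames of the 4-way handshake. The MAC addresses, nonces, SSID, passphrases and the minimal EAPOL-Key message 2 built below are all constructed for illustration. The last function shows the check an offline guessing attack performs on a captured handshake, which is the practical consequence of PMK = PSK.

```python
"""WPA/WPA2-PSK key hierarchy: passphrase -> PSK (= PMK) -> PTK, plus the
EAPOL-Key MIC used in the 4-way handshake.

Added example for this page, written from the 802.11i definitions; not code
from any supplicant or access point. Addresses, nonces and the EAPOL frame
used below are constructed for illustration.
"""
import hashlib
import hmac

# Offset of the 16-byte Key MIC field inside an EAPOL-Key frame:
# EAPOL header 4 + descriptor type 1 + key info 2 + key length 2 +
# replay counter 8 + nonce 32 + key IV 16 + RSC 8 + key ID 8 = 81.
EAPOL_MIC_OFFSET = 81


def psk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    In PSK mode this value is used directly as the PMK."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(K, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """PTK = PRF-384 (CCMP) or PRF-512 (TKIP) of the PMK over the sorted
    AP/station addresses and nonces, so both sides derive the same key
    regardless of which side contributed which nonce."""
    nbytes = 48 if cipher == "CCMP" else 64
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbytes)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        keys["MIC_AP"] = ptk[48:56]   # Michael key, AP -> station
        keys["MIC_STA"] = ptk[56:64]  # Michael key, station -> AP
    return keys


def eapol_key_mic(kck: bytes, frame: bytes, version: int) -> bytes:
    """Key MIC over the EAPOL-Key frame with the MIC field zeroed: descriptor
    version 1 (TKIP) uses HMAC-MD5, version 2 (CCMP) HMAC-SHA1 cut to 16 bytes."""
    zeroed = frame[:EAPOL_MIC_OFFSET] + bytes(16) + frame[EAPOL_MIC_OFFSET + 16:]
    if version == 1:
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_message2(kck: bytes, snonce: bytes) -> bytes:
    """Constructed minimal EAPOL-Key message 2 (station -> AP) for a CCMP
    handshake: key info 0x010A (version 2, pairwise, MIC bit), SNonce, no
    key data; the MIC is then filled in with the KCK."""
    f = bytearray(99)                  # 4-byte EAPOL header + 95-byte body
    f[0], f[1] = 2, 3                  # EAPOL version 2, type EAPOL-Key
    f[2:4] = (95).to_bytes(2, "big")   # body length
    f[4] = 2                           # RSN key descriptor type
    f[5:7] = (0x010A).to_bytes(2, "big")
    f[9:17] = (1).to_bytes(8, "big")   # replay counter
    f[17:49] = snonce
    f[81:97] = eapol_key_mic(kck, bytes(f), 2)
    return bytes(f)


def passphrase_matches(candidate: str, ssid: bytes, aa: bytes, spa: bytes,
                       anonce: bytes, snonce: bytes, frame: bytes,
                       version: int = 2) -> bool:
    """What an offline guessing attack does with a captured handshake: derive
    PSK -> PTK -> KCK for a candidate passphrase and compare the frame's MIC."""
    pmk = psk_from_passphrase(candidate, ssid)
    kck = derive_ptk(pmk, aa, spa, anonce, snonce)["KCK"]
    expected = frame[EAPOL_MIC_OFFSET:EAPOL_MIC_OFFSET + 16]
    return hmac.compare_digest(eapol_key_mic(kck, frame, version), expected)


if __name__ == "__main__":
    ssid = b"ExampleNet"                                     # constructed
    aa, spa = bytes.fromhex("00aabbccddee"), bytes.fromhex("001122334455")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    kck = derive_ptk(psk_from_passphrase("correct horse", ssid), aa, spa, anonce, snonce)["KCK"]
    msg2 = build_message2(kck, snonce)
    for guess in ("password", "correct horse"):
        print(guess, "->", passphrase_matches(guess, ssid, aa, spa, anonce, snonce, msg2))
```

The PBKDF2 step is deliberately slow (4096 iterations), but it is the only cost per guess, and everything else in the check is cheap and fully determined by data that is sent in the clear during the handshake. That is why the strength of a WPA-PSK or WPA2-PSK network is exactly the strength of its passphrase.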
WPA = IEEE 802.11i draft 3 = IEEE 802.1X/EAP + WEP (optional)/TKIP
WPA2 = IEEE 802.11i = IEEE 802.1X/EAP + WEP (optional)/TKIP/CCMP
The last mode offered by most wireless routers is the mixed mode WPA-PSK (TKIP) + WPA2-PSK (AES), which accepts both WPA (TKIP) and WPA2 (AES-CCMP) clients. It exists for compatibility with older devices; it is not stronger than WPA2-PSK (AES) alone, because it still allows a client to connect with TKIP, and it is less widely used. Today WPA-PSK (TKIP) and WPA2-PSK (AES) are the most widely deployed modes, and WPA2-PSK (AES) is the one to choose whenever every client supports it. With the wireless network properly encrypted, users can browse the Internet with peace of mind.
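As an added illustration (not from the page's source), the same choice expressed in hostapd's configuration file, as two alternative fragments that would not both appear in one file: the first is the mixed WPA/WPA2 mode that still accepts TKIP clients, the second is WPA2-PSK with CCMP only, which is what to run when every client supports it. The interface name, SSID and passphrase are placeholders.

```ini
# Mixed mode: WPA (TKIP) and WPA2 (CCMP) clients are both accepted.
# wpa=3 enables both WPA and WPA2; wpa_pairwise applies to WPA clients,
# rsn_pairwise to WPA2 clients.
interface=wlan0
ssid=ExampleNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replace-with-a-long-random-passphrase
wpa_pairwise=TKIP CCMP
rsn_pairwise=CCMP

# WPA2-PSK (AES) only: no TKIP, so no RC4 anywhere on the air.
interface=wlan0
ssid=ExampleNet
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=replace-with-a-long-random-passphrase
rsn_pairwise=CCMP
```

Whichever fragment is used, the passphrase is the whole secret of a PSK network, so it should be long and random rather than a word or phrase that appears in a wordlist.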