Nowadays, wireless LAN has become the mainstream in the market, and its security cannot be ignored. In a wireless LAN, data is transmitted through radio waves in the air. Therefore, data within the range of the transmitter can be received by any wireless LAN terminal. Installing a wireless LAN is like placing Ethernet interfaces anywhere. Therefore, wireless LAN users are mainly concerned with network security, including access control and encryption. Unless the wireless LAN can provide security and management capabilities equivalent to the wired LAN, people still have concerns about using the wireless LAN.
I. Security of IEEE 802.11b
The IEEE 802.11b standard defines two mechanisms for access control and encryption in a wireless LAN: the Service Set Identifier (SSID) and Wired Equivalent Privacy (WEP).
1. Authentication
Authentication is required before a station establishes a network connection with another station. The station performing the authentication sends a management authentication frame to the peer station. The IEEE 802.11b standard defines two authentication services:
- Open system authentication: the default authentication method for 802.11b. It is very simple and consists of two steps: first, the station requesting authentication sends an authentication management frame containing its identity; then the receiving station sends back a frame indicating whether it recognizes the requesting station.
- Shared key authentication: this method assumes that each station has received a shared secret key through a secure channel independent of the 802.11 network; the stations then authenticate each other by encrypting with that shared key. The encryption algorithm is Wired Equivalent Privacy (WEP).
The process of shared key authentication is as follows:
(1) The requesting station sends an authentication frame to the responding station.
(2) When the responding station receives this initial authentication frame, it returns an authentication frame containing a 128-byte challenge text generated by the WEP service.
(3) The requesting station copies the challenge text into an authentication frame, encrypts it with the shared key, and sends the frame to the responding station.
(4) The responding station decrypts the challenge text with the same key and compares it with the challenge text it sent earlier. If they match, the responding station returns an authentication frame indicating success; otherwise it returns an authentication frame indicating failure.
Figure 1 Shared Key Authentication
The identifier used for authentication is the Service Set Identifier (SSID). It provides only minimal access control. An SSID is the common network name of a wireless LAN subsystem and serves to logically segment that subsystem. Because the SSID itself is not secret, using it for access control is not secure: the access point, which is the attachment device for wireless LAN users, usually broadcasts the SSID.
2. WEP
IEEE 802.11b specifies an optional encryption method, Wired Equivalent Privacy (WEP). WEP provides a way to protect wireless LAN data streams. WEP is a symmetric cipher: encryption and decryption use the same key and the same algorithm. The goals of WEP are:
- Access control: prevent unauthorized users, who do not hold the correct WEP key, from accessing the network.
- Encryption: protect the data stream so that only users with the correct WEP key can decrypt it.
The IEEE 802.11b standard provides two WEP key schemes for a wireless LAN. In the first, four default keys are shared by all stations in a subsystem, including all access points and client adapters. Once a station has the default keys, it can communicate securely with all users in the subsystem. Widely distributed default keys may compromise security. In the second scheme, each client adapter is given a key table for communicating with other users. This scheme is more secure than the first, but assigning keys to every station becomes difficult as the number of stations grows.
Figure 2 WEP encryption process
The WEP encryption process (Figure 2) is as follows:
(1) At the sending end, WEP first runs an integrity algorithm over the frame body of the MAC frame to produce a four-byte integrity check value (ICV). The ICV is sent along with the data and is checked at the receiving end to detect unauthorized modification of the data.
(2) WEP feeds the shared key into a pseudo-random number generator to produce a key sequence whose length equals the length of the plaintext plus the ICV.
(3) WEP XORs the plaintext and ICV with the key sequence to produce the ciphertext. Using a pseudo-random number generator simplifies key distribution, because each station needs only the shared key rather than the variable-length key sequence.
(4) At the receiving end, WEP uses the shared key to regenerate the key sequence that was used to encrypt the frame and decrypts the frame with it.
(5) The station recomputes the ICV and checks whether the result matches the value sent with the frame. If the integrity check fails, the station does not pass the MSDU (MAC Service Data Unit) to the LLC (Logical Link Control) layer and reports the failure to MAC management.
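To make the five encryption steps above and the four-step shared key exchange of Figure 1 concrete, here is an added example (not code from the article or from any product it describes) that implements WEP encapsulation and decapsulation with RC4 as the pseudo-random number generator and CRC-32 as the integrity algorithm, then runs the challenge exchange on top of them with both stations in one process. The 24-bit IV prepended to the shared key, the little-endian CRC-32 ICV, the sample key, IV and payload, and the `challenge_seed` parameter are assumptions or constructed values the text does not state.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling and output generation: the pseudo-random number
    generator that WEP seeds with (IV || shared key) to obtain its key sequence."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encapsulate(plaintext: bytes, shared_key: bytes, iv: bytes) -> bytes:
    """Sender side, steps (1)-(3): 4-byte ICV (CRC-32, little-endian as in
    802.11), key sequence as long as plaintext + ICV, XOR. Returns
    IV || ciphertext; the key-ID byte of a real frame is omitted (assumption)."""
    if len(iv) != 3:
        raise ValueError("WEP uses a 24-bit IV")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    key_sequence = rc4_keystream(iv + shared_key, len(plaintext) + 4)
    return iv + xor_bytes(plaintext + icv, key_sequence)


def wep_decapsulate(frame: bytes, shared_key: bytes):
    """Receiver side, steps (4)-(5): regenerate the key sequence from the received
    IV and the shared key, XOR to recover plaintext || ICV, recompute the ICV and
    compare. Returns the plaintext, or None when the integrity check fails (the
    MSDU is then not handed to LLC)."""
    iv, body = frame[:3], frame[3:]
    if len(body) < 4:
        return None
    decrypted = xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))
    plaintext, received_icv = decrypted[:-4], decrypted[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != received_icv:
        return None
    return plaintext


def shared_key_authentication(requester_key: bytes, responder_key: bytes,
                              iv: bytes, challenge_seed: bytes) -> bool:
    """The four-step shared key exchange of Figure 1 with both stations in one
    process. challenge_seed is a constructed parameter that makes the exchange
    reproducible; a real responder seeds its PRNG with fresh randomness."""
    # (1) requester -> responder: authentication request (no payload to model)
    # (2) responder -> requester: 128-byte challenge text from the WEP PRNG
    challenge = rc4_keystream(challenge_seed, 128)
    # (3) requester -> responder: challenge text encrypted under its own key
    response_frame = wep_encapsulate(challenge, requester_key, iv)
    # (4) responder decrypts with its key and compares with what it sent
    recovered = wep_decapsulate(response_frame, responder_key)
    return recovered == challenge


if __name__ == "__main__":
    key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")           # constructed IV
    frame = wep_encapsulate(b"constructed MSDU payload", key, iv)
    print("decrypt OK     :", wep_decapsulate(frame, key))
    tampered = frame[:8] + bytes([frame[8] ^ 0x01]) + frame[9:]
    print("tampered frame :", wep_decapsulate(tampered, key))   # None: ICV fails
    print("auth, same key :", shared_key_authentication(key, key, iv, b"seed"))
    print("auth, wrong key:", shared_key_authentication(key, bytes(5), iv, b"seed"))
```

The tampered frame exercises step (5): a single flipped ciphertext bit flips the same plaintext bit, CRC-32 catches every single-bit change, and the receiver returns nothing to LLC. A responder holding a different key decrypts the challenge to noise, so the comparison in step (4) fails and authentication is refused.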
II. Factors affecting security
1. Hardware
In existing WLAN products, a common approach is to assign each user a static key, stored either on disk or in the memory of the wireless LAN client adapter. The client adapter thus carries a MAC address and a WEP key and can be used to reach the access point. If several users share one client adapter, they effectively share the same MAC address and WEP key.
When a client adapter is lost or stolen, the legitimate user, who no longer holds the MAC address or WEP key, loses access, while whoever holds the adapter gains it. The network management system cannot detect this by itself, so the user must notify the network administrator immediately. The administrator must then change the security table and WEP key associated with that MAC address and re-key every adapter that shares a static key with the lost or stolen one. The more clients there are, the more WEP keys must be re-keyed.
2. False Access Points
IEEE 802.11b shared key authentication is one-way rather than mutual: the access point authenticates the user, but the user cannot authenticate the access point. A false access point placed in a wireless LAN can therefore hijack a legitimate user's client adapter and mount a denial-of-service or other attack.
Mutual authentication between the user and an authentication server is therefore required, with each party proving its legitimacy within a reasonable time. Because the user and the authentication server communicate through the access point, the access point must support mutual authentication. Mutual authentication makes it possible to detect and isolate false access points.
3. Other security issues
Standard WEP supports per-packet encryption but not per-packet authentication. An attacker can reconstruct a data stream from captured response and transmitted packets and use it to build a forged data packet. To mitigate this threat, the WEP key should be changed frequently.
By monitoring the IEEE 802.11b control and data channels, an attacker can obtain the following information:
- client and access point MAC addresses
- MAC addresses of internal hosts
- network access times
An attacker can use this information to profile users or devices. To reduce this exposure, each station should use a per-session WEP key.
III. Complete Security Solutions
The complete wireless LAN security solution is based on IEEE 802.11b. It is a standards-based, open security solution that gives users the strongest security assurance and provides effective, centralized management from a control center. Its core components are:
- Extensible Authentication Protocol (EAP), an extension of the Remote Authentication Dial-In User Service (RADIUS), which lets the wireless client adapter communicate with the RADIUS server.
- IEEE 802.1X, a proposed standard for port-based access control.
When a wireless LAN implements this security solution, a station within the BSS can associate with the access point only after it passes authentication. When the user enters a user name and password in the network login dialog box (or a similar interface), the client and the RADIUS server (or another authentication server) perform two-way authentication. The client presents the user name and password for authentication; the RADIUS server and the client then determine the WEP key the client will use for the current logon session. All sensitive information, such as passwords, must be encrypted to prevent attacks.
The authentication process for this solution is:
(1) A station connects to an access point.
(2) Until the station has successfully logged on to the network, the access point blocks it from using network resources.
(3) The user enters a user name and password in the network login dialog box or a similar interface.
(4) Using the IEEE 802.1X protocol, the station and the RADIUS server perform two-way authentication through the access point over the wired LAN. One of several authentication methods can be used. For example, the RADIUS server sends an authentication request to the user; the client hashes the password supplied by the user to form its response and sends the result to the RADIUS server; using the information in its user database, the RADIUS server computes its own response and compares it with the client's. Once the server has authenticated the user, the same process is performed in the opposite direction so that the user authenticates the RADIUS server.
(5) After mutual authentication completes, the RADIUS server and the user agree on a WEP key that is specific to that user and gives the user an appropriate level of network access. In this way each user gets security close to that of a wired switched port. The user loads the key and uses it for the duration of the logon session.
(6) The WEP key sent by the RADIUS server to the user is called the session key.
(7) The access point encrypts its broadcast key with the session key and sends the encrypted key to the user, who decrypts it with the session key.
(8) The user and the access point enable WEP and use the session key and the broadcast key to communicate for the rest of the session.
The entire authentication process is shown in Figure 3.
Figure 3 secure transmission based on ieee802.1x
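As an added example (not part of the article and not any vendor's code), the following simulates the login procedure just described: a challenge/response in each direction as in the authentication step, derivation of a session key shared by client and server, and the access point wrapping its broadcast key under that session key. It also illustrates the false access point problem raised under "Factors affecting security": a rogue server that knows no passwords can accept the client's response, but fails as soon as the client challenges it back. The hash choices (SHA-256 and HMAC-SHA256), the 104-bit key length, the XOR-based key wrap, the class names, the injectable `rng` parameter and the sample credentials are assumptions the article does not specify.

```python
import hashlib
import hmac
import os


def password_secret(password: str) -> bytes:
    """Secret both sides derive from the user's password (assumption: SHA-256)."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def challenge_response(secret: bytes, challenge: bytes) -> bytes:
    """Hash of the password secret over a challenge (assumption: HMAC-SHA256);
    the password itself never crosses the wireless link."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class AuthServer:
    """RADIUS-style authentication server holding the user database."""

    def __init__(self, user_db: dict):
        self.user_db = user_db

    def verify_client(self, username: str, challenge: bytes, response: bytes) -> bool:
        password = self.user_db.get(username)
        if password is None:
            return False
        expected = challenge_response(password_secret(password), challenge)
        return hmac.compare_digest(expected, response)

    def respond(self, username: str, challenge: bytes) -> bytes:
        # Reverse direction: the server proves it knows the same secret
        return challenge_response(password_secret(self.user_db[username]), challenge)


class RogueServer(AuthServer):
    """Constructed false access point / server: it accepts any client response
    to lure stations in, but knows no passwords and can only guess when challenged."""

    def __init__(self):
        super().__init__({})

    def verify_client(self, username, challenge, response) -> bool:
        return True

    def respond(self, username, challenge) -> bytes:
        return challenge_response(password_secret("rogue-guess"), challenge)


class Client:
    def __init__(self, username: str, password: str):
        self.username = username
        self.secret = password_secret(password)


def login(client: Client, server: AuthServer, rng=os.urandom):
    """Two-way authentication through the access point. Returns the session key
    (a 104-bit WEP key, assumption) when both sides prove knowledge of the
    secret, None otherwise. rng is injectable so the exchange is reproducible."""
    # Server -> client: challenge; client -> server: hashed response
    server_challenge = rng(16)
    client_response = challenge_response(client.secret, server_challenge)
    if not server.verify_client(client.username, server_challenge, client_response):
        return None
    # Client -> server: reverse challenge; a false server cannot answer correctly
    client_challenge = rng(16)
    server_response = server.respond(client.username, client_challenge)
    expected = challenge_response(client.secret, client_challenge)
    if not hmac.compare_digest(expected, server_response):
        return None
    # Both sides derive the same per-session key from the secret and both challenges
    return hmac.new(client.secret, b"session" + server_challenge + client_challenge,
                    hashlib.sha256).digest()[:13]


def wrap_broadcast_key(session_key: bytes, broadcast_key: bytes) -> bytes:
    """Access point encrypts its broadcast key under the session key. XOR with a
    hash-derived keystream (assumption) stands in for WEP encryption with the
    session key; the same call unwraps it on the client side."""
    stream = hashlib.sha256(b"broadcast-wrap" + session_key).digest()[:len(broadcast_key)]
    return bytes(a ^ b for a, b in zip(broadcast_key, stream))


if __name__ == "__main__":
    users = {"alice": "constructed-password-1"}      # constructed user database
    alice = Client("alice", "constructed-password-1")
    session = login(alice, AuthServer(users))
    print("legitimate server:", session is not None)
    print("wrong password   :", login(Client("alice", "nope"), AuthServer(users)))
    print("false AP / server:", login(alice, RogueServer()))
    bcast = os.urandom(13)
    print("broadcast key ok :", wrap_broadcast_key(session, wrap_broadcast_key(session, bcast)) == bcast)
```

The order of the two challenges is what protects the user: the client only derives and loads a session key after the server has answered the client's own challenge, so a rogue access point that relays or invents responses never gets a station to enable WEP with it.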