IEEE 802.11i Wireless LAN security technology

Source: Internet
Author: User

Introduction

Before wireless LANs can be deployed widely, the most urgent problem to solve is network security. The integrity of the network is a concern for IT professionals, business managers, and everyone responsible for the security of a wireless infrastructure. 802.11 is the first standard for wireless Ethernet. It is divided into several subsets, each with a different focus: 802.11a, 802.11b, and 802.11g define the physical layer specifications, while 802.11i was written to address the security weaknesses of the original 802.11 standard.

1. Analysis of wireless network security technology and its defects

Because of the nature of 802.11 itself (radio is a shared medium that anyone within range can receive on and transmit into), its security problems have attracted wide attention. Attackers exploit weaknesses in the authentication and encryption of wireless LANs to recover the network key in only a few minutes. 802.11 does provide authentication and encryption functions, but they carry serious security risks, described below.

1.1 Service Set Identifier (SSID)

In a wireless LAN, different SSIDs can be configured on multiple access points (APs), and a wireless station must present the correct SSID to associate with an AP. In this way users in different groups can be allowed to reach different resources, so the SSID can be regarded as a very simple password that gives a limited degree of control. If the AP is configured to broadcast its SSID, even that is lost. Moreover, users usually configure their own client systems, so many people know the SSID and it is easily passed on to unauthorized users. Some vendors also support an "any" SSID mode: as long as the station is within range of any AP, the client associates automatically, bypassing SSID control altogether. Even a non-broadcast SSID is carried in cleartext in probe and association frames, so it can be recovered by passive capture. The SSID is a network name, not a secret, and must not be relied on for security.
1.2 Physical address (MAC) filtering

Because every wireless network adapter has a unique physical (MAC) address, an AP can be configured with a list of MAC addresses allowed to associate, implementing physical address filtering. The list has to be updated by hand whenever a station is added or removed, so the scheme scales poorly. MAC addresses are also trivially forged: an attacker reads the address of an authorized station off the air (it is sent in cleartext in every frame) and sets it on their own adapter. MAC filtering is therefore a low level of authorization, not authentication.

1.3 Wired Equivalent Privacy (WEP)

WEP uses the RC4 symmetric stream cipher at the link layer. The station's key must match the AP's key before the station may use network resources, which is intended to prevent unauthorized eavesdropping and access. WEP offers 40-bit and 104-bit keys (marketed as 64-bit and 128-bit, counting the 24-bit initialization vector), but it has many defects. All users in a service area share the same key, so if one user's key is compromised the whole network is compromised. Keys are static and must be maintained manually, which scales poorly. The 24-bit IV is sent in cleartext and is far too small: on a busy network IV values repeat within hours, and two frames encrypted under the same IV share the same RC4 keystream, while the per-frame RC4 key is simply the public IV prepended to the secret key. The integrity check value is a plain CRC-32, so an attacker can alter frames in transit without knowing the key. The original advice was to use the longer key; today a 104-bit WEP key is recovered as easily as a 40-bit one, because the known attacks depend on the number of captured frames rather than the key length, so WEP should not be used at all.

2. Improved IEEE 802.11i security mechanisms

2.1 WPA (Wi-Fi Protected Access)

WPA is a subset of the 802.11i standard. It consists of three parts, authentication, encryption, and data integrity checking, and is a complete security solution. Its core is 802.1X (port-based access control) and TKIP (Temporal Key Integrity Protocol). WPA keeps the basic mechanism of WEP (RC4 at the link layer) while fixing its defects. Because the algorithm that derives the encryption key is strengthened, even an attacker who collects and analyses large amounts of encrypted traffic cannot practically calculate the shared base key. The principle is that a different key is derived for every frame from the base key, the transmitter's MAC address, and a 48-bit sequence counter carried in the frame; that per-frame key is then used for RC4 encryption as in WEP.
Through this processing, the data exchanged by every client is encrypted under a different key for each frame. No matter how much traffic is collected, the base key cannot practically be recovered, and the related-key weakness of WEP (where every per-frame key was simply IV || key) is removed. WPA also adds a keyed message integrity code (Michael) to detect tampering in transit and replay protection through the sequence counter. With these features the widely criticised shortcomings of WEP are addressed, and WPA is not just a stronger encryption method than WEP but a broader framework of authentication, key management and integrity. TKIP was a transitional design for WEP-era hardware; it has since been deprecated in favour of CCMP, described in 2.4.

2.2 Port-based access control (802.1X)

802.1X port-based access control is an enhanced network security solution for wireless LANs. When a station (STA) associates with an access point (AP), whether it may use the AP's service depends on the result of 802.1X authentication. If authentication succeeds, the AP opens a logical (controlled) port for that STA; otherwise the STA cannot reach the network behind the AP. 802.1X requires the station to run 802.1X supplicant software. The access point embeds an 802.1X authenticator, which also acts as a RADIUS client and forwards the user's authentication exchange to a RADIUS server. In addition to port access control, 802.1X provides per-user authentication and accounting through RADIUS, which makes it especially suitable for public wireless access.

2.3 EAP (Extensible Authentication Protocol)

IEEE 802.11i uses EAP (Extensible Authentication Protocol) together with 802.1X to enforce user authentication, including mutual authentication of station and network where the EAP method supports it. A MIC (Message Integrity Code) is used to check whether the transmitted bytes have been modified; in addition, the TKIP (Temporal Key Integrity Protocol), CCMP (Counter Mode with CBC-MAC Protocol), and WRAP (Wireless Robust Authenticated Protocol) encryption mechanisms are used, so that encryption keys change from static to dynamic and are much harder to attack. WRAP (based on the OCB mode of AES) appeared in drafts of 802.11i but was dropped from the final standard, which mandates CCMP and permits TKIP only for backward compatibility.
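The two WEP defects that sections 1.3 and 2.1 describe, keystream reuse when the 24-bit IV repeats and the unkeyed CRC-32 integrity check, can be demonstrated directly. The following is an added example written for this page, not code from the original article: it implements RC4 and WEP framing in pure Python, shows that two frames sent under the same IV leak the XOR of their plaintexts, forges a modified frame without the key by exploiting CRC-32 linearity (the attack published by Borisov, Goldberg and Wagner in 2001), and computes the birthday bound on IV collisions. The key, IV and payloads are constructed for the example.

```python
import math
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV(3) || key-id(1) || RC4(IV || key) XOR (payload || CRC-32 ICV).
    The per-frame RC4 key is nothing more than the public IV prepended to the static key."""
    assert len(iv) == 3 and len(key) in (5, 13)
    icv = zlib.crc32(payload).to_bytes(4, "little")
    clear = payload + icv
    return iv + b"\x00" + xor(rc4(iv + key, len(clear)), clear)


def wep_decrypt(key: bytes, frame: bytes):
    """Strip the IV, regenerate the keystream and check the ICV; None if the ICV fails."""
    iv, body = frame[:3], frame[4:]
    clear = xor(rc4(iv + key, len(body)), body)
    payload, icv = clear[:-4], clear[-4:]
    if zlib.crc32(payload).to_bytes(4, "little") != icv:
        return None
    return payload


def keystream_reuse_leak(frame1: bytes, frame2: bytes):
    """Two frames with the same IV under the same static key share a keystream, so the XOR
    of the ciphertexts equals the XOR of the plaintexts: knowing one plaintext (a predictable
    header, say) reveals the other. Returns None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor(frame1[4:], frame2[4:])


def frames_until_iv_collision(p: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: frames with random IVs before some IV repeats with probability p."""
    n = 2 ** iv_bits
    return math.sqrt(2 * n * math.log(1 / (1 - p)))


def wep_bitflip(frame: bytes, delta: bytes) -> bytes:
    """Modify an encrypted WEP frame without the key. Flipping plaintext bits is XORing
    `delta` into the ciphertext; because CRC-32 is affine, crc(a ^ b) == crc(a) ^ crc(b)
    ^ crc(zeros), the encrypted ICV is repaired by XORing in crc(delta) ^ crc(zeros).
    A keyed MIC such as Michael or CBC-MAC would make this fix-up impossible."""
    header, body = frame[:4], frame[4:]
    enc_payload, enc_icv = body[:-4], body[-4:]
    assert len(delta) == len(enc_payload)
    icv_fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return header + xor(enc_payload, delta) + xor(enc_icv, icv_fix)


if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"   # constructed 40-bit WEP key
    iv = b"\x10\x20\x30"             # constructed IV, deliberately reused below
    f1 = wep_encrypt(key, iv, b"GET /index.html")
    f2 = wep_encrypt(key, iv, b"GET /login.php ")
    print("plaintext XOR leaked by IV reuse:", keystream_reuse_leak(f1, f2)[:15].hex())
    forged = wep_bitflip(f1, xor(b"GET /index.html", b"GET /admin.html"))
    print("forged frame decrypts to:", wep_decrypt(key, forged))
    print("frames for a 50%% chance of an IV repeat: %.0f" % frames_until_iv_collision())
```

With random IV selection a repeat is expected after roughly 4,800 frames, i.e. within seconds on a loaded network; sequential IV selection merely makes the repeat predictable once the counter wraps. The forged frame passes the ICV check on the receiver exactly as a genuine one would, which is why 802.11i replaced the CRC with a keyed MIC.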
2.4 AES (Advanced Encryption Standard)

To provide stronger encryption, 802.11i (protocol structure shown in Figure 1) adopts a new WLAN security architecture and supports the AES (Advanced Encryption Standard) block cipher. TKIP keeps RC4 from the WEP mechanism as its core encryption algorithm, so it can improve WLAN security through a firmware and driver upgrade on existing devices. CCMP is based on the AES cipher in CCM mode (Counter Mode with CBC-MAC), which greatly improves WLAN security and is mandatory for an RSN (Robust Security Network). Because AES places higher demands on the hardware, CCMP generally cannot be retrofitted onto WEP-era devices.

TKIP introduces four new algorithms on top of RC4: (1) an extended 48-bit initialization vector (IV) with IV sequencing rules; (2) a per-packet key construction mechanism; (3) the Michael message integrity code (MIC); (4) a re-keying and key distribution mechanism. TKIP does not use the temporal key taken from the PTK/GTK directly as the packet encryption key; it uses it as a base key and, after two phases of key mixing (phase 1 combines it with the transmitter address and the upper 32 bits of the IV, phase 2 with the lower 16 bits), produces a fresh key for every packet transmitted. That per-packet key is used for the actual RC4 encryption, further strengthening the WLAN. The key generation process is shown in Figure 2.

Besides TKIP, 802.11i specifies CCMP (Counter Mode with CBC-MAC Protocol), a data encryption mode based on the AES (Advanced Encryption Standard) cipher. Like TKIP, CCMP uses a 48-bit packet number (the CCMP IV) with sequencing rules for replay detection, and uses the CCM construction (counter-mode encryption with a CBC-MAC tag) for message integrity. AES is a symmetric block cipher with a 128-bit block, providing far stronger security than the RC4 algorithm used in WEP/TKIP.
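The key hierarchy that section 2.4 refers to when it says the packet keys are taken from the PTK/GTK, and the IV sequencing rule shared by TKIP and CCMP, can both be shown in working code. The following is an added example written for this page, not code from the original article or from any vendor: it derives the PMK from a passphrase as 802.11i specifies for pre-shared keys, expands it into the PTK using the standard PRF with the AP and station addresses and nonces, runs both sides of the pairwise key handshake in one process with the MIC computed over a constructed (simplified) EAPOL-Key message 2, and implements the receive-side packet-number check. The MAC addresses and nonces are constructed values; the EAPOL-Key frame has an empty Key Data field for brevity, so it is not a complete message 2.

```python
import hashlib
import hmac
import os


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PMK for WPA-PSK: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..., concatenated."""
    out = b""
    i = 0
    while len(out) < nbits // 8:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               cipher: str = "CCMP") -> dict:
    """PTK = PRF-X(PMK, "Pairwise key expansion", min(AA,SPA)||max(AA,SPA)||min(nonces)||max(nonces)),
    X = 384 for CCMP or 512 for TKIP, split into KCK (handshake MIC), KEK (key wrapping), TK (data)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 512 if cipher == "TKIP" else 384)
    keys = {"KCK": ptk[0:16], "KEK": ptk[16:32], "TK": ptk[32:48]}
    if cipher == "TKIP":
        # TKIP's temporal key also carries two 64-bit Michael MIC keys, one per direction
        keys["MIC_AP_TO_STA"] = ptk[48:56]
        keys["MIC_STA_TO_AP"] = ptk[56:64]
    return keys


MIC_OFFSET = 81  # EAPOL header (4) + EAPOL-Key fields preceding the Key MIC field (77)


def build_eapol_key_msg2(snonce: bytes) -> bytes:
    """Constructed, simplified 4-way-handshake message 2: empty Key Data, MIC field zeroed."""
    body = (b"\x02"                             # descriptor type: RSN
            + b"\x01\x0a"                       # key info: version 2 (HMAC-SHA1-128), pairwise, MIC
            + b"\x00\x00"                       # key length (0 in message 2)
            + (1).to_bytes(8, "big")            # replay counter
            + snonce                            # key nonce
            + bytes(16) + bytes(8) + bytes(8)   # key IV, key RSC, key ID
            + bytes(16)                         # key MIC, zero while it is being computed
            + b"\x00\x00")                      # key data length
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type EAPOL-Key


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for WPA2 (AKM 00-0F-AC:2): HMAC-SHA1 over the frame with the MIC field
    zeroed, truncated to 128 bits. (WPA/TKIP uses HMAC-MD5 in the same position.)"""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def four_way_handshake_demo(pmk: bytes, aa: bytes, spa: bytes) -> bool:
    """Both ends of the pairwise handshake in-process. True if the AP verifies the station's
    MIC and both ends hold the same PTK; the PMK itself never appears on the air."""
    anonce = os.urandom(32)                              # message 1: AP -> STA carries ANonce
    snonce = os.urandom(32)                              # STA chooses its own nonce
    sta = derive_ptk(pmk, aa, spa, anonce, snonce)
    msg2 = build_eapol_key_msg2(snonce)                  # message 2: STA -> AP carries SNonce + MIC
    msg2 = msg2[:MIC_OFFSET] + eapol_key_mic(sta["KCK"], msg2) + msg2[MIC_OFFSET + 16:]
    ap = derive_ptk(pmk, aa, spa, anonce, msg2[17:49])   # AP reads SNonce out of the frame
    mic_ok = hmac.compare_digest(eapol_key_mic(ap["KCK"], msg2), msg2[MIC_OFFSET:MIC_OFFSET + 16])
    return mic_ok and ap == sta


class PnReplayCheck:
    """CCMP/TKIP receive-side sequencing rule: the 48-bit packet number must strictly
    increase per transmitter; anything at or below the last accepted PN is a replay."""
    MAX_PN = 2 ** 48 - 1

    def __init__(self):
        self.last = {}

    def accept(self, transmitter: bytes, pn: int) -> bool:
        if not 0 <= pn <= self.MAX_PN or pn <= self.last.get(transmitter, -1):
            return False
        self.last[transmitter] = pn
        return True
```

The passphrase mapping is deterministic and the SSID is public, so the PMK's strength is exactly the strength of the passphrase; an attacker who captures message 2 can test candidate passphrases offline by recomputing the MIC, which is why 802.1X/EAP-derived PMKs are preferred over pre-shared keys where the infrastructure allows. The PN check is what makes the 48-bit IV meaningful: a counter that must never repeat under one key and is rejected out of order gives replay protection that WEP's 24-bit random IV never could.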
A symmetric cryptosystem requires both parties to know the key, and the greatest difficulty of such a system is how to distribute the key to both parties securely, especially over a network. In 802.11i this is handled by a key hierarchy: a pairwise master key (PMK) is obtained either from 802.1X/EAP authentication or from a pre-shared passphrase, and the 4-way handshake derives fresh per-session keys (the PTK, and the GTK for group traffic) from it, so the long-term key is never used directly on the air.

3. Conclusion

In the development of wireless networks, security has been the central problem. The security measures added in the 802.11i standard strengthen wireless network security and effectively address the defects and hidden risks of earlier wireless networks, and the improved standard will undoubtedly promote WLAN adoption. Network security, however, depends not only on encryption and authentication mechanisms but also on intrusion detection, firewalls and other technologies. The security of a wireless LAN must therefore be considered at several layers, combining a range of technologies.
