Security analysis of WiFi and 3G network access on iOS devices

Source: Internet
Author: User

1. WiFi access

1.1 WEP (Wired Equivalent Privacy)

WEP uses RC4 symmetric encryption at the link layer. A user's encryption key must match the AP's key before the user can reach network resources, which is intended to prevent eavesdropping and access by unauthorized users. WEP provides 40-bit and 128-bit key lengths, but it still has many drawbacks: all users in a service area share the same key, so one user losing the key makes the entire network unsafe; the 40-bit key is easy to crack today; and the key is static and maintained by hand, which scales poorly. To improve security, 128-bit encryption keys are recommended.

1.2 WPA-PSK (Wi-Fi Protected Access Pre-Shared Key)/WPA2-PSK (TKIP or CCMP)

Pre-shared key authentication is used. WPA2 is based on the formal IEEE 802.11i specification and offers higher security than WPA. WPA-PSK must support key management and data encryption based on TKIP (Temporal Key Integrity Protocol); whether WPA supports key management and data encryption based on CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) is not specified by the Wi-Fi Alliance and is not covered by its compatibility testing. WPA2-PSK must support both TKIP and CCMP, and both must pass the compatibility test.

TKIP is an enhanced and upgraded form of WEP encryption with a 128-bit key, which solves the problem of the WEP key being too short and improves security. TKIP generates the key that encrypts each packet by mixing several inputs, including the base key, the AP's MAC address, and the packet's sequence number. The mixing operation is designed to place minimal demands on wireless terminals and APs while providing enough cryptographic strength that it is not easily cracked. The mixing operation also effectively addresses the key reuse and replay attack problems encountered with WEP encryption.

CCMP is a security protocol based on the AES (Advanced Encryption Standard) block cipher. IEEE 802.11i requires the use of CCMP to provide four security services for wireless networks: authentication, confidentiality, integrity, and replay attack protection. CCMP uses the 128-bit AES encryption algorithm to achieve confidentiality and uses other CCMP protocol components to implement the remaining three services. CCMP combines two complex cryptographic techniques (counter mode and CBC-MAC) to provide a robust security protocol for data communication between wireless terminals and the AP.

It is important to emphasize that although WPA-PSK/WPA2-PSK uses a stronger encryption algorithm, the shared password (the original key) used for user authentication and encryption is chosen by a person and configured by hand, and it is the same for all terminals that access the same AP. Its keys are therefore difficult to manage and easy to leak, and it is not suitable for applications with very stringent security requirements.

1.3 WPA/WPA2 (TKIP or CCMP)

To address the key management shortcomings of WPA-PSK and WPA2-PSK (the personal standards, primarily for individual users), the Wi-Fi Alliance provides WPA/WPA2 (TKIP or CCMP) (the enterprise standards, primarily for enterprise users). They use 802.1X for user authentication and to generate the root key used for encrypting data, instead of a manually configured pre-shared key, but the encryption process itself is no different. In WPA (or WPA2), a RADIUS server replaces the single-password mechanism of the WPA-PSK (or WPA2-PSK) authentication process. Before accessing the wireless network, the user must first present identification, which is checked against the authentication information in the user identity database to verify permissions, and the key for encrypting data is then distributed dynamically to the client. Because 802.1X authenticates each user, each user manages their own login information, which effectively reduces the possibility of information leakage. Each time a user accesses the wireless network, the data encryption key is allocated dynamically through the RADIUS server, so it is difficult for an attacker to obtain the encryption key. As a result, WPA/WPA2 (TKIP or CCMP) greatly improves network security and has become the preferred access mode for high-security wireless networks.
