Keep your network card extinct! Encryption of Wireless Networks

Some time ago, the bubble network wireless network channel first reported that the Beijing Zhongguancun store had sold the "Yellow nic" message (For details, refer to "full resolution of the free anti-network tool for paying Internet fees for others: http://www.bkjia.com/article/200909/41399.html after that, all major media began to pay attention to the "ENI" event. At that time, wireless network users paid great attention to this event. In addition to the condemnation of products such as "ENI, even more worried about the existence of such problems in your wireless network.

In the report, the author not only made an unannounced visit to the sales of the primary network card in the store, but also experienced such a non-essential wireless network product in depth, we found that many wireless networks around us have more or less vulnerabilities, which are not noticed by users at ordinary times, but they pose a great risk to our wireless network security.

Our eyes are on us.

As a matter of fact, we also have a good way to guard against an "immoral" product such as "ENI": 1. Upgrade the password encryption mode of the wireless network, build the first line of defense; 2. Disable SSID broadcast to hide our wireless network; 3. Set the MAC address access list, and enter my wireless network from strangers.

Wireless Network conditions found in my laptop

In particular, the encryption mode of wireless networks, as the most basic wireless network protection measure, should be the easiest and most appropriate, however, when I tested the "ENI" in the residential area, I found that many users do not set a password for their wireless networks, even if they have set a password, most of them are WEP modes with the lowest password level. Many users may ask: My wireless network is encrypted. Why is it still cracked? Next, let's talk about the wireless network password level.

Due to the particularity of the information transmission mode, wireless networks can receive all the information they need in the coverage of wireless signals. For example, an unencrypted wireless network is like a celebrity film. All the content you write on it can be seen by anyone. You don't want others to know what they have written, in this way, only emails with protection level can be seen only when the envelope is damaged. This is like cracking the wireless network password. Then, EMS is like high-level wireless network encryption mode, it can greatly protect the security of wireless network information transmission.

Wireless encryption options in wireless routers

Currently, the wireless router has the following encryption modes: WEP, WPA-PSK (TKIP), WPA2-PSK (AES) and WPA-PSK (TKIP) + WPA2-PSK (AES ). What are the differences between these encryption modes? Let's look at them.

　　WEP (Wired Equivalent encryption)

WEP is short for WiredEquivalentPrivacy. It is a security protocol defined in the 802.11b standard for WLAN. WEP is used to provide security at the same level as wired lan. A lan is inherently safer than a WLAN because its physical structure protects it, and some or all networks are buried in the building to prevent unauthorized access.

WLAN via radio waves does not have the same physical structure, so it is vulnerable to attacks and interference. The goal of WEP is to provide security by encrypting the data of the radio receiver, just like sending data at the end. The WEP feature uses the rc4prng algorithm developed by rsa Data security companies. If your wireless base station supports MAC filtering, we recommend that you use this feature together with WEP (MAC filtering is much safer than encryption ).

Such a "Lock" is equivalent to a false one.

Although the name seems to be a security option for wired networks, this is not the case. The WEP standard has been created in the early stages of wireless networks and is designed to become a necessary security protection layer for WLAN in Wireless LAN. However, the performance of WEP is undoubtedly disappointing. It is rooted in design defects.

In WEP systems, data transmitted over wireless networks is encrypted using a random key. However, the method WEP uses to generate these keys is quickly discovered to be predictable, so that it is easy for potential intruders to intercept and crack these keys. Even a medium-tech wireless hacker can quickly crack WEP encryption within two to three minutes.

The dynamic Wired Equivalent Security (WEP) model of was designed later in. At that time, powerful encryption technology was used as an effective weapon and was strictly restricted by the export of the United States. Wireless Network products are banned from being exported due to fear of cracking powerful encryption algorithms. However, two years later, the dynamic Wired Equivalent security mode was found to have serious disadvantages. However, the error should not be considered as a wireless network security or standard. The wireless network industry cannot wait for the association of Electrical and Electronics Engineers to revise the standard, therefore, they launched the dynamic Key Integrity Protocol TKIP (a patch version with dynamic Wired Equivalent confidentiality ).

Although WEP has proved to be outdated and inefficient, it is still supported in many modern wireless access points and routers. In addition, it is still one of the most popular encryption methods used by individuals or companies. If you are using WEP encryption, if you pay great attention to the security of your network, do not use WEP as much as possible in the future, because it is really not very secure.

　　The WPA-PSK (TKIP)

The first security mechanism adopted by wireless networks was WEP (equivalent wired encryption). However, it was found that WEP was insecure, and 802.11 organizations began to develop new security standards, that is, the later 802.11i protocol. However, it takes a long time for the establishment of standards to the final release, and considering that consumers will not give up their original wireless devices for the sake of network security, before the launch of the Wi-Fi Alliance standard, based on the draft 802.11i, a security mechanism called WPA (Wi-FiProctedAccess) is developed. It uses TKIP (temporary Key Integrity Protocol ), it uses the encryption algorithm RC4 used in WEP, so it does not need to modify the hardware of the original wireless device. WPA has the following problems in WEP: IV is too short, key management is too simple, and there is no effective protection for message integrity. The network security is improved through software upgrade.

The appearance of WPA provides users with a complete authentication mechanism. The AP determines whether to allow users to access the wireless network based on the user's authentication results; after successful authentication, You can dynamically change the encryption key of each access user based on multiple methods (the number of data packets transmitted, the time when the user accesses the network, and so on. In addition, perform MIC encoding on the data packets transmitted by the user over the wireless network to ensure that the user data is not changed by other users. As a subset of the 802.11i standard, the core of WPA is IEEE802.1x and TKIP (TemporalKeyIntegrity Protocol ).

"Lock" your assets

WPA takes into account different users and different application security needs. For example, enterprise users require high security protection (enterprise level). Otherwise, very important commercial secrets may be leaked; home users usually only use the network to browse the Internet, send and receive E-mail, print, and share files. These users have relatively low security requirements. To meet the needs of users with different security requirements, WPA specifies two application modes: Enterprise mode and home mode (including small office ).

Based on the two different application modes, WPA authentication also has two different methods. For applications of large enterprises, "802.1x + EAP" is often used, and users provide the creden。 required for authentication. However, for some small and medium-sized enterprise networks or home users, WPA also provides a simplified mode that does not require dedicated Authentication servers. This mode is called "WPA pre-shared key (WPA-PSK)", which requires only one key in advance on each WLAN node (AP, wireless router, Nic, etc.

This key is only used for authentication, not for data transmission encryption. The data encryption key is dynamically generated after authentication. The system will ensure "one user and one password". There is no situation where the entire network shares an encryption key like WEP, therefore, the system security is greatly improved.

　　WPA2-PSK (AES)

After the publication of 802.11i, the Wi-Fi Alliance launched WPA2, which supports AES (Advanced Encryption Algorithm). Therefore, it requires new hardware support, it uses CCMP (full code protocol for block Chain messages in counter mode ). In WPA/WPA2, PTK generation depends on PMK, and PMK obtains two methods. One is the PSK form, which is the pre-shared key. In this mode, PMK = PSK, in another method, the authentication server and the site need to negotiate to generate the PMK.

The IEEE Standard sets technical standards. The Wi-Fi Alliance sets commercial standards, and the commercial standards set by Wi-Fi basically comply with the technical standards set by IEEE. WPA (Wi-FiProtectedAccess) is actually a security standard developed by the Wi-Fi Alliance. This commercial standard aims to support the technology-oriented security standard of IEEE802.11i. WPA2 is actually the second version of WPA. The reason why two versions of WPA appear is the commercial operation of the Wi-Fi Alliance.

Want to crack? Difficult

We know that the purpose of the 802.11i Task Team is to build a safer Wireless LAN. Therefore, the encryption project standardizes two new security