Wlan Data Security - H3C MSR Series Configuration Manual

Figure 12 Shared key authentication process
Client
Authentication Response（Challenge）
Authentication（Encrypted Challenge）

WLAN data security

Compared with wired networks, WLAN networks are more susceptible to attacks because all WLAN
devices share the same medium and thus every device can receive data from any other sending
device. Plain-text data is transmitted over the WLAN if there is no security service.
To secure data transmission, 802.11 protocols provide some encryption methods to ensure that
devices without the right key cannot read encrypted data.
1. WEP encryption
Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized
users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream
encryption method) for confidentiality and supports WEP40, WEP104, and WEP128 keys.
Although WEP encryption increases the difficulty of network interception and session hijacking,
it still has weaknesses due to limitations of RC4 encryption algorithm and static key
configuration.
2. TKIP encryption
Temporal key integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has
several advantages over WEP, and provides more secure protection for WLAN as follows:
First, TKIP provides longer IVs to enhance encryption security. Compared with WEP
encryption, TKIP encryption uses 128-bit RC4 encryption algorithm, and increases the
length of IVs from 24 bits to 48 bits.
Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP
replaces a single static key with a base key generated by an authentication server. TKIP
dynamic keys cannot be easily deciphered.
Third, TKIP offers MIC and countermeasures. If a packet fails the MIC, the data might be
tampered, and the system might be attacked. If two packets fail the MIC in a certain period,
the AP automatically takes countermeasures. It will not provide services in a certain period
to prevent attacks.
3. AES-CCMP encryption
CTR with CCMP is based on the CCM of the AES encryption algorithm. CCM combines CTR for
confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both
the MAC Protocol Data Unit (MPDU) Data field and selected portions of the IEEE 802.11 MPDU
header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly,
CCMP contains a dynamic key negotiation and management method, so that each wireless
client can dynamically negotiate a key suite, which can be updated periodically to further
enhance the security of the CCMP encryption mechanism. During the encryption process,
CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different
PN, improving the security to a certain extent.
Authentication Request
Authentication Response（Success）
AP
34