Client access authentication – H3C Technologies H3C WX3000E Series Wireless Switches User Manual


1. WEP encryption

Wired Equivalent Privacy (WEP) was developed to protect data exchanged among authorized users in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a stream encryption algorithm) for confidentiality. WEP encryption falls into static and dynamic encryption according to how a WEP key is generated.

Static WEP encryption

With static WEP encryption, all clients using the same SSID must use the same encryption key. If the encryption key is deciphered or lost, attackers can decrypt all the encrypted data. In addition, periodic manual key updates create a heavy management workload.

Dynamic WEP encryption

Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that each client is assigned a different WEP key, which can be updated periodically to further improve unicast frame transmission security.

Although WEP encryption increases the difficulty of network interception and session hijacking, it still has weaknesses due to limitations of the RC4 encryption algorithm and static key configuration.
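The following is an added example, not code from the H3C manual, written to show the static-key weakness described above. It implements RC4 in pure Python and a WEP-style per-frame key (24-bit IV prepended to the static key); the key, IV and frame contents are constructed values. Because the IV is the only per-frame variation, two frames sent under the same static key and the same IV are XORed with identical keystream, so the XOR of their ciphertexts equals the XOR of their plaintexts, and the 24-bit IV space guarantees such reuse once enough frames have been sent.

```python
# Added example: RC4 keystream and WEP-style per-frame keys (not from the manual).

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream from `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


IV_BITS = 24
IV_SPACE = 2 ** IV_BITS                        # 16,777,216 distinct IVs per static key


def wep_encrypt(static_key: bytes, iv: int, plaintext: bytes) -> bytes:
    """WEP-style body encryption: the per-frame RC4 key is the 24-bit IV followed
    by the static key. The IV travels in the clear; the real frame also carries
    a CRC-32 ICV, omitted here because it does not change the keystream argument."""
    if not 0 <= iv < IV_SPACE:
        raise ValueError("IV must fit in 24 bits")
    per_frame_key = iv.to_bytes(3, "big") + static_key
    keystream = rc4_keystream(per_frame_key, len(plaintext))
    return xor_bytes(plaintext, keystream)


def keystream_reused(static_key: bytes, iv: int, p1: bytes, p2: bytes) -> bool:
    """True when two frames with the same static key and IV reveal p1 XOR p2
    through c1 XOR c2, i.e. the keystream was reused."""
    c1 = wep_encrypt(static_key, iv, p1)
    c2 = wep_encrypt(static_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    # Constructed 40-bit static key and two same-length frame bodies.
    key = bytes.fromhex("0102030405")
    print(keystream_reused(key, 0x00ABCD, b"GET /index.html", b"GET /admin.html"))
    print("IV space:", IV_SPACE)
```

The RC4 routine can be checked against the well-known "Key" test vector (keystream starting EB 9F 77 81 ...). The defensive reading is the one the manual gives: with a static key the only mitigation is frequent manual rekeying, which is exactly the management burden that dynamic WEP (and later TKIP and CCMP) remove.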

2. TKIP encryption

Temporal Key Integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many advantages over WEP, and provides more secure protection for WLANs as follows:

First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption, TKIP encryption uses the 128-bit RC4 encryption algorithm, and increases the length of IVs from 24 bits to 48 bits.

Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a single static key with a base key generated by an authentication server. TKIP dynamic keys cannot be easily deciphered.

Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC, the data may have been tampered with, and the system may be under attack. If two packets fail the MIC within a certain period, the AP automatically takes countermeasures: it stops providing service for a certain period to prevent attacks.
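The MIC countermeasure rule above ("two MIC failures within a certain period, then no service for a certain period") maps naturally onto a small state machine. The following is an added example, not code from the H3C manual or the WX3000E firmware: it tracks MIC failure reports on an AP and decides when to enter the countermeasure hold. The 60-second window and 60-second hold are assumed values, chosen only for illustration, since the manual gives no figures; the event list is constructed.

```python
# Added example: TKIP MIC-failure countermeasure logic (illustrative, not H3C code).
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIC_FAILURE_WINDOW = 60.0   # seconds; assumed: second failure within this window triggers countermeasures
COUNTERMEASURE_HOLD = 60.0  # seconds; assumed: how long the AP refuses TKIP service afterwards


@dataclass
class TkipCountermeasures:
    """Per-AP countermeasure state for one TKIP-protected BSS."""
    last_failure_at: Optional[float] = None   # time of the most recent unpaired MIC failure
    blocked_until: float = 0.0                # service is refused while now < blocked_until
    audit: List[Tuple[float, str, str]] = field(default_factory=list)

    def service_available(self, now: float) -> bool:
        return now >= self.blocked_until

    def report_mic_failure(self, now: float, station: str) -> str:
        """Record a MIC failure and return one of:
        'recorded'        first failure in a window, service continues;
        'countermeasures' second failure inside the window, hold begins;
        'blocked'         failure arrived while the hold is already active."""
        if not self.service_available(now):
            outcome = "blocked"
        elif (self.last_failure_at is not None
              and now - self.last_failure_at <= MIC_FAILURE_WINDOW):
            self.blocked_until = now + COUNTERMEASURE_HOLD
            self.last_failure_at = None        # hold resets the failure pairing
            outcome = "countermeasures"
        else:
            self.last_failure_at = now
            outcome = "recorded"
        self.audit.append((now, station, outcome))   # what an operator would see in logs
        return outcome


def run_events(events: List[Tuple[float, str]]) -> List[str]:
    """Feed (time, station) MIC-failure events through a fresh state machine."""
    ap = TkipCountermeasures()
    return [ap.report_mic_failure(t, sta) for t, sta in events]


if __name__ == "__main__":
    # Constructed event stream: isolated failure, then two close together, then
    # one during the hold, then a fresh failure after the hold has expired.
    constructed = [(0.0, "sta-a"), (100.0, "sta-b"), (130.0, "sta-c"),
                   (150.0, "sta-d"), (200.0, "sta-e")]
    for event, outcome in zip(constructed, run_events(constructed)):
        print(event, "->", outcome)
```

The audit list is the part a security operations team cares about: a burst of "countermeasures" entries from one BSS is a signal worth alerting on, because a single corrupted frame is expected occasionally, but repeated MIC failures indicate either a faulty client or deliberate frame forgery.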

3. CCMP encryption

CTR with CBC-MAC protocol (CCMP) is based on the CCM mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a dynamic key negotiation and management method, so that each wireless client can dynamically negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a different PN, thus improving the security to a certain extent.
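The 48-bit packet number is what gives CCM a fresh nonce for every frame and lets the receiver reject replays. The following is an added example, not code from the H3C manual: it builds the 8-byte CCMP header that carries the PN, assembles the 13-byte CCM nonce (priority octet, transmitter address A2, PN) that feeds AES-CCM, and implements the receiver-side replay check that accepts a frame only if its PN is strictly greater than the last accepted PN from that transmitter. The AES-CCM cipher itself is not reimplemented here; the transmitter address and PN values are constructed, and the "PN starts at 1 after a key is installed" rule is an assumption stated in the code.

```python
# Added example: CCMP packet-number handling and replay detection (not H3C code).
from typing import Dict, Optional

PN_MAX = 2 ** 48 - 1          # 48-bit packet number space
EXT_IV_BIT = 0x20             # ExtIV flag in the Key ID octet of the CCMP header


def ccmp_header(pn: int, key_id: int = 0) -> bytes:
    """8-byte CCMP header: PN0 PN1 Reserved KeyID/ExtIV PN2 PN3 PN4 PN5 (PN0 least significant)."""
    if not 0 <= pn <= PN_MAX:
        raise ValueError("PN out of 48-bit range")
    p = pn.to_bytes(6, "little")
    return bytes([p[0], p[1], 0x00, (key_id << 6) | EXT_IV_BIT, p[2], p[3], p[4], p[5]])


def parse_ccmp_header(header: bytes) -> Dict[str, int]:
    """Recover the PN and Key ID from a CCMP header; rejects frames without ExtIV."""
    if len(header) != 8 or not header[3] & EXT_IV_BIT:
        raise ValueError("not a CCMP header")
    pn = int.from_bytes(bytes([header[0], header[1], header[4], header[5], header[6], header[7]]), "little")
    return {"pn": pn, "key_id": header[3] >> 6}


def ccm_nonce(priority: int, a2: bytes, pn: int) -> bytes:
    """13-byte CCM nonce: priority octet, transmitter address (A2), PN big-endian."""
    if len(a2) != 6:
        raise ValueError("A2 must be a 6-byte MAC address")
    return bytes([priority & 0x0F]) + a2 + pn.to_bytes(6, "big")


class PnAllocator:
    """Transmitter side: hand out strictly increasing PNs under one key.
    Assumption for this example: counting starts at 1 when the key is installed."""
    def __init__(self) -> None:
        self.next_pn = 1

    def allocate(self) -> Optional[int]:
        if self.next_pn > PN_MAX:
            return None           # PN space exhausted: the key must be replaced
        pn, self.next_pn = self.next_pn, self.next_pn + 1
        return pn


class ReplayCounter:
    """Receiver side: one replay counter per transmitter address and key."""
    def __init__(self) -> None:
        self.last_pn: Dict[bytes, int] = {}

    def accept(self, a2: bytes, header: bytes) -> bool:
        """True if the frame's PN is fresh; False for a replayed or reordered frame."""
        pn = parse_ccmp_header(header)["pn"]
        if pn <= self.last_pn.get(a2, 0):
            return False
        self.last_pn[a2] = pn
        return True


if __name__ == "__main__":
    # Constructed transmitter address and a short exchange with one replayed frame.
    a2 = bytes.fromhex("001122334455")
    tx, rx = PnAllocator(), ReplayCounter()
    frames = [ccmp_header(tx.allocate()) for _ in range(3)]
    for h in frames + [frames[1]]:
        print(parse_ccmp_header(h)["pn"], "->", "accepted" if rx.accept(a2, h) else "replay dropped")
```

The allocator returning None is the condition the manual's "updated periodically" key management must handle before it occurs: a transmitter that wraps the PN would reuse a nonce under the same key, which breaks CCM's guarantees, so a conformant station rekeys well before the counter reaches PN_MAX.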

Client access authentication

1. PSK authentication

To implement PSK authentication, the client and the authenticator must have the same shared key configured. Otherwise, the client cannot pass pre-shared key (PSK) authentication.
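As an added example, not code from the H3C manual, the following shows the mechanics behind "the same shared key configured": both sides derive the 256-bit pairwise master key from the passphrase and SSID with PBKDF2-HMAC-SHA1 (4096 iterations, as WPA/WPA2 personal mode specifies), and then prove possession of it over exchanged nonces. The nonce-based proof is a deliberately simplified construction labelled as such in the code; it is not the IEEE 802.11i four-way handshake, which derives a pairwise transient key and protects the EAPOL frames with a MIC. The passphrase "password" with SSID "IEEE" is the published 802.11i test vector, used here as a check on the derivation.

```python
# Added example: PSK derivation and a simplified proof of shared-key possession.
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 4096   # WPA/WPA2 personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32)
PMK_LEN = 32


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the pairwise master key from a passphrase and SSID (WPA/WPA2 rule)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def possession_proof(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Simplified (not 802.11i) proof that a party holds the PMK: HMAC over both nonces."""
    return hmac.new(pmk, anonce + snonce, "sha256").digest()


def psk_authenticate(client_passphrase: str, authenticator_passphrase: str,
                     ssid: str, anonce: bytes = None, snonce: bytes = None) -> bool:
    """Run the simplified exchange: the authenticator picks ANonce, the client picks
    SNonce, each derives the PMK from its own configured passphrase, and the
    authenticator accepts only if the client's proof matches its own computation."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    client_proof = possession_proof(derive_pmk(client_passphrase, ssid), anonce, snonce)
    expected = possession_proof(derive_pmk(authenticator_passphrase, ssid), anonce, snonce)
    # Constant-time comparison so the check itself does not leak where the proofs diverge.
    return hmac.compare_digest(client_proof, expected)


if __name__ == "__main__":
    print(derive_pmk("password", "IEEE").hex())
    print("matching keys:", psk_authenticate("password", "password", "IEEE"))
    print("mismatched keys:", psk_authenticate("password", "passw0rd", "IEEE"))
```

Two points worth noting from a defender's perspective: the SSID acts as the salt, so the same passphrase yields a different PMK on every network, and the 4096-iteration PBKDF2 cost is the only thing slowing down guessing of a weak passphrase, which is why PSK deployments should treat passphrase strength as the primary control.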

2. 802.1X authentication