Client access authentication – H3C Technologies H3C WX6000 Series Access Controllers User Manual

31-6

Static WEP encryption

With Static WEP encryption, all clients using the same SSID must use the same encryption key. If the

encryption key is deciphered or lost, attackers will get all encrypted data. In addition, periodical manual

key update brings great management workload.

Dynamic WEP encryption

Dynamic WEP encryption is a great improvement over static WEP encryption. With dynamic WEP

encryption, WEP keys are negotiated between client and server through the 802.1X protocol so that

each client is assigned a different WEP key, which can be updated periodically to further improve

unicast frame transmission security.

Although WEP encryption increases the difficulty of network interception and session hijacking, it still

has weaknesses due to limitations of RC4 encryption algorithm and static key configuration.

2) TKIP

encryption

Temporal key integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP has many

advantages over WEP, and provides more secure protection for WLAN as follows:

First, TKIP provides longer IVs to enhance encryption security. Compared with WEP encryption,

TKIP encryption uses 128–bit RC4 encryption algorithm, and increases the length of IVs from 24

bits to 48 bits.

Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIP replaces a

single static key with a base key generated by an authentication server. TKIP dynamic keys cannot

be easily deciphered.

Third, TKIP offers Message Integrity Check (MIC) and countermeasures. If a packet fails the MIC,

the data may be tampered, and the system may be attacked. If two packets fail the MIC in a certain

period, the AP automatically takes countermeasures. It will not provide services in a certain period

to prevent attacks.

3) CCMP

encryption

CTR with CBC-MAC protocol (CCMP) is based on the CCM of the AES encryption algorithm. CCM

combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the

integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header. The AES

block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly, CCMP contains a

dynamic key negotiation and management method, so that each wireless client can dynamically

negotiate a key suite, which can be updated periodically to further enhance the security of the CCMP

encryption mechanism. During the encryption process, CCMP uses a 48-bit packet number (PN) to

ensure that each encrypted packet uses a different PN, thus improving the security to a certain extent.

Client Access Authentication

After a wireless client sets up a wireless link with an AP, the wireless client is considered as having

accessed the wireless network. However, for the security and management of the wireless network, the

wireless client can access the network resources only after passing subsequent authentication. Among

the authentication mechanisms, preshared key (PSK) authentication and 802.1X authentication

accompany the dynamic key negotiation and management of the wireless link, and therefore, they are

closely related to wireless link negotiation. However, they are not directly related to the wireless link.

1) PSK

authentication

Both WPA wireless access and WPA2 wireless access support PSK authentication. To implement PSK

authentication, the client and the authenticator must have the same shared key configured.