Security Policy
Four WLAN security policies are available: Wired Equivalent Privacy (WEP), Wi-Fi Protected Access (WPA), WPA2, and WLAN Authentication and Privacy Infrastructure (WAPI). Each security policy has a series of security mechanisms, including the link authentication mechanism used to establish a wireless link, the user authentication mechanism used when users attempt to connect to a wireless network, and the data encryption mechanism used during data transmission.
WEP
Wired Equivalent Privacy (WEP), defined in IEEE 802.11, is used to protect data of authorized users from tampering during transmission on a WLAN. The WEP protocol uses the RC4 algorithm, which encrypts data using a 64-bit or 128-bit encryption key. An encryption key contains a 24-bit initialization vector (IV) generated by the system, so the length of the key configured on the WLAN server and client is 40 bits or 104 bits. WEP uses a static encryption key. That is, all STAs associating with the same SSID use the same key to connect to the wireless network.
A WEP security policy defines a link authentication mechanism and a data encryption mechanism.
Link authentication mechanisms include open system authentication and shared key authentication. For details about link authentication, see "Link Authentication" in STA Access.
If open system authentication is used, data is not encrypted during link authentication. After a user goes online, service data can be encrypted by WEP or not, depending on the configuration.
If shared key authentication is used, the WLAN client and server complete key negotiation during link authentication. After a user goes online, service data is encrypted using the negotiated key.
WPA/WPA2
WEP shared key authentication uses the RC4 symmetric stream cipher to encrypt data. This authentication method requires the same static key to be pre-configured on the server and client. Both the encryption mechanism and encryption algorithm can bring security risks to the network. The Wi-Fi Alliance developed Wi-Fi Protected Access (WPA) to overcome WEP defects before more secure policies were provided in 802.11i. WPA still uses the RC4 algorithm, but it uses an 802.1X authentication framework, supports Extensible Authentication Protocol-Protected Extensible Authentication Protocol (EAP-PEAP) and EAP-Transport Layer Security (EAP-TLS) authentication, and defines the Temporal Key Integrity Protocol (TKIP) encryption algorithm. Later, 802.11i defined WPA2. Different from WPA, WPA2 uses a more secure encryption algorithm: Counter Mode with CBC-MAC Protocol (CCMP).
Both WPA and WPA2 support 802.1X authentication and the TKIP and CCMP encryption algorithms, ensuring better compatibility. The two protocols provide almost the same security level and their difference lies in the protocol packet format.
The WPA/WPA2 security policy involves four phases: link authentication, access authentication, key negotiation, and data encryption.
Link Authentication
Link authentication can be completed in open system authentication or shared key authentication mode. For details, see "Link Authentication" in STA Access.
WPA and WPA2 support only open system authentication.
Access Authentication
WPA/WPA2 enterprise edition (WPA/WPA2-802.1X authentication): uses a RADIUS server and the EAP protocol for authentication. Users provide authentication information, including the user name and password, and are authenticated by an authentication server (generally a RADIUS server).
Large-scale enterprise networks usually use the WPA/WPA2 enterprise edition.
For details about 802.1X authentication, see 802.1X Authentication in the Configuration Guide - Security.
WPA/WPA2 implements 802.1X authentication using EAP-TLS and EAP-PEAP. Figure 4-1 and Figure 4-2 show EAP-TLS 802.1X authentication and EAP-PEAP 802.1X authentication processes.
WPA/WPA2 personal edition: A dedicated authentication server is expensive and difficult to maintain for small- and medium-scale enterprises and individual users. The WPA/WPA2 personal edition provides a simplified authentication mode: pre-shared key (WPA/WPA2-PSK) authentication. This mode does not require a dedicated authentication server. Users only need to set a pre-shared key on each WLAN node (including WLAN server, wireless router, and wireless network adapter). A WLAN client can access the WLAN if its pre-shared key is the same as that configured on the WLAN server. The pre-shared key is not used for encryption; therefore, it will not bring security risks like the 802.11 shared key authentication.
802.1X authentication can be used to authenticate wireless and wired users, whereas PSK authentication is specific to wireless users.
PSK authentication requires that a STA and an AP be configured with the same pre-shared key. The STA and AP authenticate each other through key negotiation. During key negotiation, the STA and AP use their pre-shared keys to decrypt the message sent from each other. If the messages are successfully decrypted, the STA and AP have the same pre-shared key. If they use the same pre-shared key, PSK authentication is successful; otherwise, PSK authentication fails.
Key Negotiation
802.11i defines two key hierarchies: pairwise key hierarchy and group key hierarchy. The pairwise key hierarchy protects unicast data exchanged between STAs and APs. The group key hierarchy protects broadcast or multicast data exchanged between STAs and APs.
During key negotiation, a STA and an AP use the pairwise master key (PMK) to generate a pairwise transient key (PTK) and a group temporal key (GTK). The PTK is used to encrypt unicast packets, and the GTK is used to encrypt multicast and broadcast packets.
- In 802.1X authentication, a PMK is generated in the process shown in Figure 4-1.
- In PSK authentication, the method to generate a PMK varies according to the method to set the pre-shared key (configured using a command):
  - If the pre-shared key is a hexadecimal numeral string, it is used as the PMK.
  - If the pre-shared key is a character string, the PMK is calculated using the hash algorithm based on the pre-shared key and service set identifier (SSID).
Key negotiation consists of unicast key negotiation and multicast key negotiation.
Unicast key negotiation
Key negotiation is completed through a four-way handshake between a STA and an AP, during which the STA and AP send EAPOL-Key frames to exchange information, as shown in Figure 4-3.
- The AP sends an EAPOL-Key frame with a random value (ANonce) to the STA.
- The STA calculates the PTK using MAC addresses of its own and the AP, PMK, ANonce, and SNonce, and sends an EAPOL-Key frame to the AP. The EAPOL-Key frame carries the SNonce, robust security network (RSN) information element, and message integrity code (MIC) of the EAPOL-Key frame. The AP calculates the PTK using the MAC addresses of its own and the STA, PMK, ANonce, and SNonce, and validates the MIC to determine whether STA's PMK is the same as its own PMK.
- The AP sends an EAPOL-Key frame to the STA to request the STA to install the PTK. The EAPOL-Key frame carries the ANonce, RSN information element, MIC, and encrypted GTK.
- The STA sends an EAPOL-Key frame to the AP to notify the AP that the PTK has been installed and will be used. The AP installs the PTK after receiving the EAPOL-Key frame.
Multicast key negotiation
Multicast key negotiation is completed through a two-way handshake. The two-way handshake begins after the STA and AP generate and install a PTK through a four-way handshake. Figure 4-4 shows the two-way handshake process.
- The AP calculates the GTK, uses the unicast key to encrypt the GTK, and sends an EAPOL-Key frame to the STA.
- After the STA receives the EAPOL-Key frame, it validates the MIC, decrypts the GTK, installs the GTK, and sends an EAPOL-Key ACK frame to the AP. After the AP receives the EAPOL-Key ACK frame, it validates the MIC and installs the GTK.
Data Encryption
WPA and WPA2 support TKIP and CCMP encryption algorithms.
TKIP
Unlike WEP, which uses a static shared key, TKIP uses a dynamic key negotiation and management mechanism. Each user obtains an independent key through dynamic negotiation. The key of a user is calculated using the PTK generated in key negotiation, the MAC address of the sender, and the packet sequence number. This mechanism helps defend against attacks on WEP.
TKIP uses MICs to ensure integrity of frames received on the receiver and validity of data sent by the sender and receiver. This mechanism protects information integrity. A MIC is calculated using the MIC key generated during key negotiation, destination MAC address, source MAC address, and data frame.
CCMP
Different from WEP and TKIP, which use a stream cipher algorithm, CCMP uses an Advanced Encryption Standard (AES) block cipher. The block cipher algorithm overcomes defects of the RC4 algorithm and provides higher security.
WAPI
WLAN Authentication and Privacy Infrastructure (WAPI) is a Chinese national standard for WLANs, which was developed based on IEEE 802.11. WAPI provides higher security than WEP and WPA and consists of the following:
- WLAN Authentication Infrastructure (WAI): authenticates user identities and manages keys.
- WLAN Privacy Infrastructure (WPI): protects data transmitted on WLANs and provides the encryption, data verification, and anti-replay functions.
WAPI uses the elliptic curve cryptography (ECC) algorithm based on the public key cryptography and the block key algorithm based on the symmetric-key cryptography. The ECC algorithm is used for digital certificate authentication and key negotiation between wireless devices. The block key algorithm is used to encrypt and decrypt data transmitted between wireless devices. The two algorithms implement identity authentication, link authentication, access control, and user information encryption.
Bidirectional identity authentication
Bidirectional identity authentication prevents access from unauthorized STAs and protects a WLAN against attacks from unauthorized WLAN devices. Other security policies only enable WLAN devices to authenticate STAs and do not provide a mechanism to authenticate WLAN devices.
Digital certificate as identity information
A WAPI system has an independent certificate server. STAs and WLAN devices use digital certificates to prove their identities, improving network security. When a STA requests to join or leave a network, the administrator only needs to issue a certificate to the STA or revoke the certificate of the STA.
Well-developed authentication protocol
WAPI uses digital certificates to identify STAs and wireless devices. During identity authentication, the elliptic curve digital signature algorithm is used to verify a digital certificate. In addition, the secure message hash algorithm is used to ensure message integrity, preventing attackers from tampering with or forging information transmitted during identity authentication. In other security policies, the message integrity check mechanism is ineffective and cannot prevent attackers from tampering with or forging authentication success messages.
As shown in Figure 4-5, WAPI involves identity authentication and key negotiation, which begin after a STA associates with an AP.
Identity Authentication
WAPI provides two identity authentication modes: certificate-based mode (WAPI-CERT) and pre-shared key-based mode (WAPI-PSK).
WAPI-CERT: A STA and an AP authenticate each other's certificate. The certificates must be loaded on the STA and AP and verified by an authentication service unit (ASU). After certificate authentication is complete, the STA and AP use the temporal public key and private key to generate a base key (BK) for key negotiation.
The WAPI-CERT mode is applicable to large-scale enterprise networks or carrier networks that can deploy and maintain an expensive certificate system.
Figure 4-6 shows the WAPI certificate authentication process.
- Authentication activation: When a STA requests to associate or re-associate with an AP, the AP checks whether the user is a WAPI user. If the user is a WAPI user, the AP sends an authentication activation packet to trigger the certificate authentication process.
- Access authentication request: The STA sends an access authentication request carrying the STA's certificate and system time to the AP. The system time is the access authentication request time.
- Certificate authentication request: When the AP receives the access authentication request, it records the access authentication request time and sends a certificate authentication request to the ASU. The certificate authentication request carries the STA's certificate, access authentication request time, AP's certificate, and signature generated using the AP's private key and the preceding information.
- Certificate authentication response: When the ASU receives the certificate authentication request, it authenticates the AP's signature and certificate. If the AP's signature and certificate are invalid, the authentication fails. If they are valid, the ASU authenticates the STA's certificate. After the authentication is complete, the ASU constructs a certificate authentication response with the STA's certificate authentication result, AP's certificate authentication result, and signature generated using the authentication results, and sends the certificate authentication response to the AP.
- Access authentication response: When the AP receives the certificate authentication response, it checks the signature to obtain the STA's certificate authentication result, and controls access of the STA based on the certificate authentication result. The AP then forwards the certificate authentication response to the STA. The STA checks the signature generated by the ASU to obtain the AP's certificate authentication result, and determines whether to associate with the AP based on the result. If the certificate authentication succeeds, the AP accepts the access request. If the certificate authentication fails, the AP disassociates the STA from the network.
WAPI-PSK: The STA and AP have the same pre-shared key configured before authentication. The pre-shared key is converted into a BK during authentication.
The WAPI-PSK mode does not require an expensive certificate system, so it is applicable to individual users or small-scale enterprise networks.
Key Negotiation
After the AP is authenticated by the ASU, the AP initiates key negotiation with the STA. Key negotiation consists of unicast key negotiation and multicast key negotiation.
Unicast key negotiation
The STA and AP use the unicast encryption key and unicast integrity key obtained through unicast key negotiation to ensure security of unicast data exchanged between them. During unicast key negotiation, the STA and AP use the KD-HMAC-SHA256 algorithm to calculate a unicast session key (USK) based on the BK. In addition to the USK, the STA and AP also negotiate the encryption key and identity key used to generate the multicast key.
Figure 4-7 shows the unicast key negotiation process.
Unicast key negotiation request
After a BK is generated, the AP sends a unicast key negotiation request packet to the STA.
Unicast key negotiation response
After the STA receives the unicast key negotiation request packet, it performs the following steps:
a. Checks whether this negotiation process is triggered to update the unicast key.
   - If so, the STA proceeds to step b.
   - If not, the STA proceeds to step c.
   WAPI allows the STA to directly send a unicast key negotiation response to the AP to initiate a unicast key update.
b. Checks whether the challenge of the AP is the same as the challenge that was obtained in the last unicast key negotiation and saved locally. If the two challenges are different, the STA drops the unicast key negotiation request packet.
c. Generates a random challenge, and then uses the KD-HMAC-SHA256 algorithm to calculate a USK and the AP's challenge used for the next unicast key negotiation based on the BK, AP's challenge, and STA's challenge.
d. Uses the message authentication key and HMAC-SHA256 algorithm to calculate a message authentication code, and sends it to the AP with a unicast key negotiation response packet.
Unicast key negotiation ACK
After the AP receives the unicast key negotiation response packet, it performs the following steps:
- Checks whether the AP's challenge is correct. If the AP's challenge is incorrect, the AP drops the unicast key negotiation response packet.
- Uses the KD-HMAC-SHA256 algorithm to calculate a USK and the AP's challenge used for the next unicast key negotiation based on the BK, AP's challenge, and STA's challenge. The AP then calculates the local message authentication code using the message authentication key and HMAC-SHA256 algorithm, and compares the local message authentication code with that in the received unicast key negotiation response packet. If the two message authentication codes are different, the AP drops the unicast key negotiation response packet.
- Checks the WAPI information element in the response packet if this is the first unicast key negotiation after the BK is generated. If the network type is BSS, the AP checks whether the WAPI information element in the response packet is the same as that in the association request packet it received before. If they are different, the AP sends a Deauthentication frame to disassociate the STA. If the network type is IBSS (ad-hoc network), the AP checks whether the unicast key algorithm supports the information element in the response packet. If not, the AP sends a Deauthentication frame to disassociate the STA.
- Uses the message authentication key and HMAC-SHA256 algorithm to calculate a message authentication code, and sends it to the STA with a unicast key negotiation ACK packet.
Multicast key negotiation
The AP uses the multicast encryption key and multicast integrity key derived from the multicast master key (MMK) to encrypt broadcast or multicast data it sends, and sends a multicast key advertisement packet to the STA. The STA obtains the multicast encryption key and multicast integrity key from the multicast key advertisement packet to decrypt the broadcast or multicast data it receives.
Multicast key negotiation is performed after unicast key negotiation is complete. The AP advertises the multicast keys to the STA in this process.
Figure 4-8 shows the multicast key negotiation process.
Multicast key advertisement
The AP uses the random number algorithm to calculate an MMK, encrypts the MMK using the negotiated unicast key, and sends an advertisement packet to notify the STA of the MMK.
Multicast key response
After the STA receives the multicast key advertisement packet, it performs the following steps:
- Calculates the checksum using the message authentication key identified by the unicast key identifier, and compares the checksum with the message authentication code. If the checksum is different from the message authentication code, the STA drops the multicast key advertisement packet.
- Checks whether the key advertisement identifier is increasing. If not, the STA drops the multicast key advertisement packet.
- Decrypts the multicast key to obtain the 16-byte master key and uses the KD-HMAC-SHA256 algorithm to extend it to 32 bytes. The first 16 bytes indicate the encryption key, and the last 16 bytes indicate the integrity key.
- Saves the key advertisement identifier and sends a multicast key response packet to the AP.
After the AP receives the multicast key response packet, it performs the following steps:
- Calculates the checksum using the message authentication key identified by the unicast key identifier, and compares the checksum with the message authentication code. If the checksum is different from the message authentication code, the AP drops the multicast key response packet.
- Compares fields (such as key advertisement identifier) in the multicast key response packet with corresponding fields in the multicast key advertisement packet it has sent. If all the fields are the same, the multicast key negotiation is successful. Otherwise, the AP drops the multicast key response packet.
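The STA-side checks on a multicast key advertisement, in the order listed above, as an added example (not code from the original page or the WAPI standard). The packet layout, the XOR stand-in cipher, the chained-HMAC stand-in for KD-HMAC-SHA256, its label and all key values are assumptions constructed for illustration; only the order of the checks and the 16-byte split of the expanded key come from the text.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

def kd_expand_standin(key: bytes, text: bytes, length: int) -> bytes:
    """Stand-in for KD-HMAC-SHA256: chained HMAC-SHA256 blocks (assumption)."""
    out, block = b"", text
    while len(out) < length:
        block = hmac.new(key, block, hashlib.sha256).digest()
        out += block
    return out[:length]

def xor_standin(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Stand-in cipher protecting the master key (assumption, not WPI)."""
    stream = kd_expand_standin(key, b"constructed stream" + iv, len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

@dataclass(frozen=True)
class Advertisement:          # constructed layout, not the WAPI frame format
    usk_id: int               # unicast key identifier
    adv_id: int               # key advertisement identifier
    iv: bytes
    enc_master: bytes         # encrypted 16-byte master key
    mac: bytes = b""

    def body(self) -> bytes:  # fields covered by the message authentication code
        return (bytes([self.usk_id]) + self.adv_id.to_bytes(16, "big")
                + self.iv + self.enc_master)

def build_advertisement(usk_id, adv_id, enc_key, mac_key, master, iv):
    """AP side: encrypt the master key and authenticate the packet."""
    adv = Advertisement(usk_id, adv_id, iv, xor_standin(enc_key, iv, master))
    return replace(adv, mac=hmac.new(mac_key, adv.body(), hashlib.sha256).digest())

class Station:
    def __init__(self, unicast_keys):  # usk_id -> (encryption key, MAC key)
        self.unicast_keys = unicast_keys
        self.last_adv_id = -1
        self.multicast_keys = None     # (encryption key, integrity key)

    def handle(self, adv: Advertisement) -> str:
        keys = self.unicast_keys.get(adv.usk_id)
        if keys is None:
            return "drop: unknown unicast key identifier"
        enc_key, mac_key = keys
        expected = hmac.new(mac_key, adv.body(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, adv.mac):
            return "drop: message authentication code mismatch"
        if adv.adv_id <= self.last_adv_id:
            return "drop: key advertisement identifier not increasing"
        master = xor_standin(enc_key, adv.iv, adv.enc_master)
        expanded = kd_expand_standin(master, b"constructed multicast label", 32)
        self.multicast_keys = (expanded[:16], expanded[16:])
        self.last_adv_id = adv.adv_id  # saved only after every check has passed
        return "accept"

def demo():
    enc_key, mac_key = bytes([0x11]) * 16, bytes([0x22]) * 16  # constructed keys
    sta = Station({0: (enc_key, mac_key)})
    first = build_advertisement(0, 1, enc_key, mac_key, bytes([0x33]) * 16, bytes(16))
    forged = replace(first, adv_id=9)  # identifier changed, MAC left untouched
    second = build_advertisement(0, 2, enc_key, mac_key, bytes([0x44]) * 16, bytes(16))
    return [sta.handle(a) for a in (first, first, forged, second)]
```

The second delivery of `first` carries a valid message authentication code and is rejected only by the identifier check, which is why the STA must save the identifier after accepting a packet.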
Key Update
WAPI defines a dynamic key negotiation mechanism, but there are still security risks if a STA uses the same encryption key for a long time. To enhance security, WAPI provides time-based and packet-based key update mechanisms:
- Time-based key update: The unicast and multicast keys of a STA have an aging time (configured using a command). When the aging time of the current unicast or multicast key expires, the STA and AP negotiate a new unicast or multicast key.
- Packet-based key update: When the number of packets encrypted using a unicast or multicast key reaches a specified value (configured using a command), the STA and AP negotiate a new unicast or multicast key.