Scribd Logo
Upload

Welcome to Scribd!

  • Cac Phuong TH C B o M T M NG Wlan 2337

    Uploaded by

    Việt Nguyễn
    4 views10 pages

    Original Title

    Cac Phuong Th c b o m t m Ng Wlan 2337

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    4 views10 pages

    Cac Phuong TH C B o M T M NG Wlan 2337

    Uploaded by

    Việt Nguyễn

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 10

    Cc phng th c b o m t m ng WLAN V i gi thnh xy d ng m t h th ng m ng WLAN gi m,ngy cng c nhi u cng ty s d ng.

    i u ny s khng th trnh kh i vi c Hacker chuy n sang t n cng v khai thc cc i m y u trn n n t ng m ng s d ng chu n 802.11. Nh ng cng c Sniffers cho php tm c cc gi tin giao ti p trn m ng, h c th phn tch v l y i nh ng thng tin quan tr ng c a b n. V y b n bi t g v cc phng th c b o m t m ng WLAN. Nh ng ph n m m scan c th c ci t trn cc thi t b nh Smart Phone hay trn m t chi c Laptop h tr chu n k t n i Wi-Fi.

    i u ny d n t i nh ng thng tin nh y c m trong h th ng m ng, nh thng tin c nhn c a ng i dng

    Nh ng nguy c b o m t trong WLAN bao g m:

    - Cc thi t b c th k t n i t i nh ng Access Point ang broadcast SSID. - Hacker s c g ng tm ki m cc phng th c m ho ang c s d ng trong qu trnh truy n thng tin trn m ng, sau c phng th c gi i m ring v l y cc thng tin nh y c m. - Ng i d ng s d ng Access Point t i gia nh s khng m b o tnh b o m t nh khi s d ng t i doanh nghi p. b o m t m ng WLAN, b n c n th c hi n qua cc b c sau:

    - Ch c nh ng ng i dng c xc th c m i c kh nng truy c p vo m ng thng qua cc Access Point. - Cc phng th c m ho c p d ng trong qu trnh truy n cc thng tin quan tr ng. - B o m t cc thng tin v c nh bo nguy c b o m t b ng h th ng IDS v IPS. Xc th c v b o m t d li u b ng cch m ho thng tin truy n trn m ng. IDS nh m t thi t b gim st m ng Wireless v m ng Wire tm ki m v c nh bo khi c cc d u hi u t n cng. Ban u, IEEE 802.11 s d ng gi i php b o m t b ng nh ng kho tnh (static keys) cho c qu trnh m ho v xc th c. Phng th c xc th c nh v y l khng m nh, cu i cng c th b t n cng. B i v cc kho c qu n l v khng thay i, i u ny khng th p d ng trong m t gi i php doanh nghi p l n c. Cisco gi i thi u v cho php s d ng IEEE 802.1x l giao th c xc th c v s d ng kho ng (dynamic keys), bao g m 802.1x Extensible Authentication Protocol (EAP). Cisco cng gi i thi u phng th c ch ng l i vi c t n cng b ng cch s d ng qu trnh bm

    (hashing) (Per Packet Key PPK) v Message Integrity Check (MIC). Phng th c ny c bi t n nh Cisco Key Integrity Protocol (CKIP) v Cisco Message Integrity Check (CMIC). Cc t ch c chu n 802.11 b t u ti n hnh vi c nng c p b o m t cho m ng WLAN. Wi-Fi Alliance gi i thi u gi i php WPA (Wi-Fi Protected Access). M t chu n n m trong chu n 802.11i l chu n b o m t c a WLAN v s d ng chu n 802.1x lm phng th c xc th c v m ho d li u. WPA c s d ng cho vi c xc th c ng i dung, MIC, Temporal Key Integrity Protocol (TKIP), v Dynamic Keys. N tng t nh phng th c c a Cisco nhng cch th c hi n c khc i cht. WPA cng bao g m m t passphrase hay preshared key cho ng i dung h xc th c trong gi i php b o m t trong gia nh, nhng khng c s d ng cho gi i php doanh nghi p. Ngy nay , IEEE 802.11i nng c p v Advanced Encryption Standard (AES) thay th cho WEP v l phng th c b o m t m i nh t v b o m t nh t trong m ho d li u. Wireless IDS hi n nay c v i vai tr nh n di n v b o v h th ng WLAN tr c nh ng t n cng. Wi-Fi Alliance 802.11i lm vi c v s d ng nh WPA2

    Cc Access Point g i broadcast m t ho c nhi u SSIDs, hay data rates, v m t s thng tin. Cc thi t b Wi-Fi c th scan t t c cc knh v tm truy c p vo b t k m ng no m h scan ra c t nh ng Access Point. Client s th ng k t n i t i nh ng Access Point m tn hi u m nh nh t. N u tn hi u y u, client ti p t c scan t i m t Access Point khc (trong tr ng h p Roaming). Trong qu trnh k t n i, SSID, a ch MAC v cc thi t l p b o m t c g i t client t i Access Point v ki m tra b i Access Point.

    Ng i dung c xc th c thong qua giao th c 802.1x. V i chu n 802.1x hay EAP c n thi t trn WLAN client. Access Point cng c th nh m t my ch p ng vi c xc th c cho ng i dng, ho c c th lien k t t i my ch RADIUS nh xc th c h , ho c c th lm vi c v i Cisco Secure ACS. Lightweight Access Pont s giao ti p v i WLAN controller, v n lm vi c nh m t my ch xc cung c p xc th c cho cc users. Client v my ch cung c p xc th c tri n khai v i hai phin b n EAP khc nhau. Thng tin EAP s c truy n t Access point t i my ch xc th c

    Sau khi xc th c song WLAN client, d li u s c m ho tr c khi truy n i. V c b n phng th c m ho d a vo thu t ton RC4 c s d ng b t u t WEP. TKIP s d ng m ho RC4 c tng c ng b o m t hn v v i nhi u bt m ho hn v c kho tch h p cho m i packet (key per packet PPK). AES c thay th cho RC4 v i thu t ton b o m t cao c p hn. WPA s d ng TKIP, trong khi WPA2 s d ng AES hay TKIP.

    S khc nhau gi a cc d ng WLANs. - Cho cc i m truy c p t ng (hotspots), vi c m ho khng c n thi t, ch c n ng i dung xc th c m thi. - V i ng i dng s d ng m ng WLAN cho gia nh, m t phng th c b o m t v i WPA passphare hay preshared key c khuy n co s d ng. - V i gi i php doanh nghi p, t i u qu trnh b o m t v i 802.1x EAP lm phng th c xc th c v TKIP hay AES lm phng th c m ho. c d a theo chu n WPA

    hay WPA2 v 802.11i security.

    B o m t m ng WLAN cng tng t nh b o m t cho cc h th ng m ng khc. B o m t h th ng ph i c p d ng cho nhi u t ng, cc thi t b nh n d ng pht hi n t n cng ph i c tri n khai. Gi i h n cc quy n truy c p t i thi u cho nh ng ng i dng c n thi t. D li u c chia s v yu c u xc th c m i cho php truy c p. D li u truy n ph i c m ho. K t n cng c th t n cng m ng WLAN khng b o m t b t c lc no. B n c n c m t phng n tri n khai h p l.

    - Ph i c l ng c cc nguy c b o m t v cc m c b o m t c n thi t p d ng. - nh gi c ton b cc giao ti p qua WLAN v cc phng th c b o m t c n c p d ng. - nh gi c cc cng c v cc l a ch n khi thi t k v tri n khai m ng WLAN. Theo VNE Research Deparment So snh cc phng th c b o m t d a trn vi c ch ng th c (su t m)

    I B o m t b ng WEP (Wired Equivalent Privacy) WEP l m t thu t ton b o nh m b o v s trao i thng tin ch ng l i s nghe tr m, ch ng l i nh ng n i k t m ng khng c cho php cng nh ch ng l i vi c thay i ho c lm nhi u thng tin truy n. WEP s d ng stream cipher RC4 cng v i m t m 40 bit v m t s ng u nhin 24 bit (initialization vector IV) m ha thng tin. Thng tin m ha c t o ra b ng cch th c hi n operation XOR gi a keystream v plain text. Thng tin m ha v IV s c g i n ng i nh n. Ng i nh n s gi i m thng tin d a vo IV v kha WEP bi t tr c. S m ha c miu t b i hnh 1.

    Hnh 1: S m ha b ng WEP Nh ng i m y u v b o m t c a WEP + WEP s d ng kha c nh c chia s gi a m t Access Point (AP) v nhi u ng i dng (users) cng v i m t IV ng u nhin 24 bit. Do , cng m t IV s c s d ng l i nhi u l n. B ng cch thu th p thng tin truy n i, k t n cng c th c thng tin c n thi t c th b kha WEP ang dng. + M t khi kha WEP c bi t, k t n cng c th gi i m thng tin truy n i v c th thay i n i dung c a thng tin truy n. Do v y WEP khng m b o c confidentiality v integrity. + Vi c s d ng m t kha c nh c ch n b i ng i s d ng v t khi c thay i (t c c ngha l kha WEP khng c t ng thay i) lm cho WEP r t d b t n cng. + WEP cho php ng i dng (supplicant) xc minh (authenticate) AP trong khi AP khng th xc minh tnh xc th c c a ng i dng. Ni m t cch khc, WEP khng cung ng mutual authentication. II. B o m t b ng WPA (Wifi Protected Access ) WPA l m t gi i php b o m t c ngh b i WiFi Alliance nh m kh c ph c nh ng h n ch c a WEP. WPA c nng c p ch b ng m t update ph n m m SP2 c a microsoft. WPA c i ti n 3 i m y u n i b t c a WEP :

    + WPA cng m ha thng tin b ng RC4 nhng chi u di c a kha l 128 bit v IV c chi u di l 48 bit. M t c i ti n c a WPA i v i WEP l WPA s d ng giao th c TKIP (Temporal Key Integrity Protocol) nh m thay i kha dng AP v user m t cch t ng trong qu trnh trao i thng tin. C th l TKIP dng m t kha nh t th i 128 bit k t h p v i a ch MAC c a user host v IV t o ra m kha. M kha ny s c thay i sau khi 10 000 gi thng tin c trao i. + WPA s d ng 802.1x/EAP m b o mutual authentication nh m ch ng l i man-inmiddle attack. Qu trnh authentication c a WPA d a trn m t authentication server, cn c bi t n v i tn g i RADIUS/ DIAMETER. Server RADIUS cho php xc th c user trong m ng cng nh nh ngha nh ng quy n n i k t c a user. Tuy nhin trong m t m ng WiFi nh (c a cng ty hoc tr ng h c), i khi khng c n thi t ph i ci t m t server m c th dng m t phin b n WPA-PSK (pre-shared key). t ng c a WPAPSK l s dng m t password (Master Key) chung cho AP v client devices. Thng tin authentication gi a user v server s c trao i thng qua giao th c EAP (Extensible Authentication Protocol). EAP session s c t o ra gi a user v server r chuy n i thng tin lin quan n identity c a user cng nh c a m ng. Trong qu trnh ny AP ng vai tr l m t EAP proxy, lm nhi m v chuy n giao thng tin gi a server v user. Nh ng authentication messages chuy n i c miu t trong hnh 2.

    Hnh 2: Messages trao i trong qu trnh authentication. + WPA s d ng MIC (Michael Message Integrity Check ) tng c ng integrity c a thng tin truy n. MIC l m t message 64 bit c tnh d a trn thu t tan Michael. MIC s c g i trong gi TKIP v gip ng i nh n ki m tra xem thng tin nh n c c b l i trn ng truy n ho c b thay i b i k ph ho i hay khng. Tm l i, WPA c xy d ng nh m c i thi n nh ng h n ch c a WEP nn n ch a ng nh ng c i m v t tr i so v i WEP. u tin, n s d ng m t kha ng m c thay i m t cch t ng nh vo giao th c TKIP. Kha s thay i d a trn ng i dng, session trao i nh t th i v s l ng gi thng tin truy n. c i m th 2 l WPA cho php ki m tra xem thng tin c b thay i trn ng truy n hay khng nh vo MIC message. V c i m n i b t th cu i l n cho php multual authentication b ng cch s d ng giao th c 802.1x Nh ng i m y u c a WPA.

    - i m y u u tin c a WPA l n v n khng gi i quy t c denial-of-service (DoS) attack [5]. K ph ho i c th lm nhi u m ng WPA WiFi b ng cch g i t nh t 2 gi thng tin v i m t kha sai (wrong encryption key) m i giy. Trong tr ng h p , AP s cho r ng m t k ph ho i ang t n cng m ng v AP s c t t t c cc n i k t trong vng m t pht trch hao t n ti nguyn m ng. Do , s ti p di n c a thng tin khng c php s lm xo tr n ho t ng c a m ng v ngn c n s n i k t c a nh ng ng i dng c cho php (authorized users). - Ngoi ra WPA v n s d ng thu t tan RC4 m c th d dng b b v b i FMS attack ngh b i nh ng nh nghin c u tr ng i h c Berkeley [6]. H th ng m ha RC4 ch a ng nh ng kha y u (weak keys). Nh ng kha y u ny cho php truy ra kha encryption. c th tm ra kha y u c a RC4, ch c n thu th p m t s l ng thng tin truy n trn knh truy n khng dy. - WPA-PSK l m t bin b n y u c a WPA m n g p v n v qu n l password hoc shared secret gi a nhi u ng i dng. Khi m t ng i trong nhm (trong cng ty) r i nhm, m t password/secret m i c n ph i c thi t l p. III. Tng c ng b o m t v i chu n 802.11i (WPA2) Chu n 802.11i c ph chu n vo ngy 24 thng 6 nm 2004 nh m tng c ng tnh m t cho m ng WiFi. 802.11i mang y cc c i m c a WPA. T p h p nh ng giao th c c a 802.11i cn c bi t n v i tn g i WPA 2. Tuy nhin, 802.11i s d ng thu t ton m ha AES (Advanced Encryption Standard) thay v RC4 nh trong WPA. M kha c a AES c kch th c l 128, 192 ho c 256 bit. Tuy nhin thu t ton ny i h i m t kh nng tnh ton cao (high computation power). Do , 802.11i khng th update n gi n b ng software m ph i c m t dedicated chip. Tuy nhin i u ny c c tnh tr c b i nhi u nh s n xu t nn h u nh cc chip cho card m ng Wifi t u nm 2004 u thch ng v i tnh nng c a 802.11i.

    You might also like