
6.2 / IEEE 802.11i WIRELESS LAN SECURITY

Overview of IEEE 802.11 Wireless LANs

IEEE 802 is a committee that has developed standards for a wide range of local area networks (LANs). In 1990, the IEEE 802 Committee formed a new working group, IEEE 802.11, with a charter to develop a protocol and transmission specifications for wireless LANs (WLANs). Since that time, the demand for WLANs at different frequencies and data rates has exploded. Keeping pace with this demand, the IEEE 802.11 working group has issued an ever-expanding list of standards. Table 6.1 briefly defines the key terms used in the IEEE 802.11 standard.

The Wi-Fi Alliance. The first 802.11 standard to gain broad industry acceptance was 802.11b. Although 802.11b products are all based on the same standard, there is always a concern whether products from different vendors will successfully interoperate. To meet this concern, the Wireless Ethernet Compatibility Alliance (WECA), an industry consortium, was formed in 1999. This organization, subsequently renamed the Wi-Fi (Wireless Fidelity) Alliance, created a test suite to certify interoperability for 802.11b products; the term Wi-Fi is used for certified 802.11b products. Wi-Fi certification has been extended to 802.11g products. The Wi-Fi Alliance has also developed a certification process for 802.11a products, called Wi-Fi5. The Wi-Fi Alliance is concerned with a range of market areas for WLANs, including enterprise, home, and hot spots. More recently, the Wi-Fi Alliance has developed certification procedures for the IEEE 802.11 security standards, referred to as Wi-Fi Protected Access (WPA). The most recent version of WPA, WPA2, incorporates all of the features of the IEEE 802.11i WLAN security specification.


Table 6.1 IEEE 802.11 Terminology

Access point (AP): Any entity that has station functionality and provides access to the distribution system via the wireless medium for associated stations.
Basic service set (BSS): A set of stations controlled by a single coordination function.
Coordination function: The logical function that determines when a station operating within a BSS is permitted to transmit and may be able to receive PDUs.
Distribution system (DS): A system used to interconnect a set of BSSs and integrated LANs to create an ESS.
Extended service set (ESS): A set of one or more interconnected BSSs and integrated LANs that appear as a single BSS to the LLC layer at any station associated with one of these BSSs.
MAC protocol data unit (MPDU): The unit of data exchanged between two peer MAC entities using the services of the physical layer.
MAC service data unit (MSDU): Information that is delivered as a unit between MAC users.
Station: Any device that contains an IEEE 802.11 conformant MAC and physical layer.

IEEE 802 Protocol Architecture. Before proceeding, we need to briefly preview the IEEE 802 protocol architecture. The IEEE 802.11 standards are defined within the structure of a layered set of protocols. This structure, used for all IEEE 802 standards, is illustrated in Figure 6.1.

Physical Layer. The lowest layer of the IEEE 802 reference model is the physical layer, which includes such functions as encoding/decoding of signals and bit transmission/reception. In addition, the physical layer includes a specification of the transmission medium. In the case of IEEE 802.11, the physical layer also defines frequency bands and antenna characteristics.

Media Access Control. All LANs consist of collections of devices that share the network's transmission capacity. Some means of controlling access to the transmission medium is needed to provide an orderly and efficient use of that capacity. This is the function of a media access control (MAC) layer. The MAC layer receives data from a higher-layer protocol, typically the Logical Link Control (LLC) layer, in the form of a block of data known as the MAC service data unit (MSDU). In general, the MAC layer performs the following functions:

- On transmission, assemble data into a frame, known as a MAC protocol data unit (MPDU), with address and error-detection fields.
- On reception, disassemble the frame, and perform address recognition and error detection.
- Govern access to the LAN transmission medium.

Figure 6.1 IEEE 802.11 Protocol Stack

Figure 6.2 General IEEE 802 MPDU Format

The exact format of the MPDU differs somewhat for the various MAC protocols in use. In general, all of the MPDUs have a format similar to that of Figure 6.2. The fields of this frame are as follows.
- MAC Control: This field contains any protocol control information needed for the functioning of the MAC protocol. For example, a priority level could be indicated here.
- Destination MAC Address: The destination physical address on the LAN for this MPDU.
- Source MAC Address: The source physical address on the LAN for this MPDU.
- MAC Service Data Unit: The data from the next higher layer.
- CRC: The cyclic redundancy check field, also known as the Frame Check Sequence (FCS) field. This is an error-detecting code, such as that used in other data link control protocols. The CRC is calculated over the bits of the entire MPDU. The sender calculates the CRC and appends it to the frame. The receiver performs the same calculation on the incoming MPDU and compares the result with the CRC field of that incoming MPDU. If the two values do not match, then one or more bits have been altered in transit.

The fields preceding the MSDU field are referred to as the MAC header, and the field following the MSDU field is referred to as the MAC trailer. The header and trailer contain control information that accompanies the data field and is used by the MAC protocol.

Logical Link Control. In most data link control protocols, the data link protocol entity is responsible not only for detecting errors using the CRC, but also for recovering from those errors by retransmitting damaged frames. In the LAN protocol architecture, these two functions are split between the MAC and LLC layers. The MAC layer is responsible for detecting errors and discarding any frames that contain errors. The LLC layer optionally keeps track of which frames have been successfully received and retransmits unsuccessful frames.

IEEE 802.11 Network Components and Architectural Model. Figure 6.3 illustrates the model developed by the 802.11 working group. The smallest building block of a wireless LAN is a basic service set (BSS), which consists of wireless stations executing the same MAC protocol and competing for access to the same shared wireless medium. A BSS may be isolated, or it may connect to a backbone distribution system (DS) through an access point (AP). The AP functions as a bridge and a relay point. In a BSS, client stations do not communicate directly with one another. Rather, if one station in the BSS wants to communicate with another station in the same BSS, the MAC frame is first sent from the originating station to the AP and then from the AP to the destination station. Similarly, a MAC frame from a station in the BSS to a remote station is sent from the local station to the AP and then relayed by the AP over the DS on its way to the destination station. The DS can be a switch, a wired network, or a wireless network. When all the stations in the BSS are mobile stations that communicate directly with one another (not using an AP), the BSS is called an independent BSS (IBSS). An IBSS is typically an ad hoc network. In an IBSS, the stations all communicate directly, and no AP is involved.

Figure 6.3 IEEE 802.11 Extended Service Set

A simple configuration is shown in Figure 6.3, in which each station belongs to a single BSS; that is, each station is within wireless range only of other stations within the same BSS. It is also possible for two BSSs to overlap geographically, so that a single station could participate in more than one BSS. Further, the association between a station and a BSS is dynamic. Stations may turn off, come within range, and go out of range.

An extended service set (ESS) consists of two or more basic service sets interconnected by a distribution system. The extended service set appears as a single logical LAN to the logical link control (LLC) level.

IEEE 802.11 Services. IEEE 802.11 defines nine services that need to be provided by the wireless LAN to achieve functionality equivalent to that which is inherent to wired LANs. Table 6.2 lists the services and indicates two ways of categorizing them.
1. The service provider can be either the station or the DS. Station services are implemented in every 802.11 station, including AP stations. Distribution services are provided between BSSs; these services may be implemented in an AP or in another special-purpose device attached to the distribution system.
2. Three of the services are used to control IEEE 802.11 LAN access and confidentiality. Six of the services are used to support delivery of MSDUs between stations. If an MSDU is too large to be transmitted in a single MPDU, it may be fragmented and transmitted in a series of MPDUs.
Following the IEEE 802.11 document, we next discuss the services in an order designed to clarify the operation of an IEEE 802.11 ESS network. MSDU delivery, which is the basic service, has already been mentioned. Services related to security are introduced in Section 6.2.

Distribution of Messages within a DS. The two services involved with the distribution of messages within a DS are distribution and integration. Distribution is the primary service used by stations to exchange MPDUs when the MPDUs must traverse the DS to get from a station in one BSS to a station in another BSS. For example, suppose a frame is to be sent from station 2 (STA 2) to station 7 (STA 7) in Figure 6.3. The frame is sent from STA 2 to AP 1, the AP for its BSS. AP 1 gives the frame to the DS, which has the job of directing the frame to the AP associated with STA 7 in the target BSS. AP 2 receives the frame and forwards it to STA 7. How the message is transported through the DS is beyond the scope of the IEEE 802.11 standard. If the two stations that are communicating are within the same BSS, then the distribution service logically goes through the single AP of that BSS.

Table 6.2 IEEE 802.11 Services

Service          Provider              Used to support
Association      Distribution system   MSDU delivery
Authentication   Station               LAN access and security
Deauthentication Station               LAN access and security
Disassociation   Distribution system   MSDU delivery
Distribution     Distribution system   MSDU delivery
Integration      Distribution system   MSDU delivery
MSDU delivery    Station               MSDU delivery
Privacy          Station               LAN access and security
Reassociation    Distribution system   MSDU delivery


The integration service enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN. The term integrated refers to a wired LAN that is physically connected to the DS and whose stations may be logically connected to an IEEE 802.11 LAN via the integration service. The integration service takes care of any address translation and media conversion logic required for the exchange of data.

Association-Related Services. The primary purpose of the MAC layer is to transfer MSDUs between MAC entities; this purpose is fulfilled by the distribution service. For that service to function, it requires information about stations within the ESS that is provided by the association-related services. Before the distribution service can deliver data to or accept data from a station, that station must be associated. Before looking at the concept of association, we need to describe the concept of mobility. The standard defines three transition types, based on mobility:
- No transition: A station of this type is either stationary or moves only within the direct communication range of the communicating stations of a single BSS.
- BSS transition: This is defined as a station movement from one BSS to another BSS within the same ESS. In this case, delivery of data to the station requires that the addressing capability be able to recognize the new location of the station.
- ESS transition: This is defined as a station movement from a BSS in one ESS to a BSS within another ESS. This case is supported only in the sense that the station can move. Maintenance of upper-layer connections supported by 802.11 cannot be guaranteed. In fact, disruption of service is likely to occur.
To deliver a message within a DS, the distribution service needs to know where the destination station is located. Specifically, the DS needs to know the identity of the AP to which the message should be delivered in order for that message to reach the destination station. To meet this requirement, a station must maintain an association with the AP within its current BSS. Three services relate to this requirement:
- Association: Establishes an initial association between a station and an AP. Before a station can transmit or receive frames on a wireless LAN, its identity and address must be known. For this purpose, a station must establish an association with an AP within a particular BSS. The AP can then communicate this information to other APs within the ESS to facilitate routing and delivery of addressed frames.
- Reassociation: Enables an established association to be transferred from one AP to another, allowing a mobile station to move from one BSS to another.
- Disassociation: A notification from either a station or an AP that an existing association is terminated. A station should give this notification before leaving an ESS or shutting down. However, the MAC management facility protects itself against stations that disappear without notification.

6.2 IEEE 802.11i WIRELESS LAN SECURITY

There are two characteristics of a wired LAN that are not inherent in a wireless LAN.
1. In order to transmit over a wired LAN, a station must be physically connected to the LAN. On the other hand, with a wireless LAN, any station within radio range of the other devices on the LAN can transmit. In a sense, there is a form of authentication with a wired LAN, in that it requires some positive and presumably observable action to connect a station to a wired LAN.
2. Similarly, in order to receive a transmission from a station that is part of a wired LAN, the receiving station also must be attached to the wired LAN. On the other hand, with a wireless LAN, any station within radio range can receive. Thus, a wired LAN provides a degree of privacy, limiting reception of data to stations connected to the LAN.

These differences between wired and wireless LANs suggest the increased need for robust security services and mechanisms for wireless LANs. The original 802.11 specification included a set of security features for privacy and authentication that were quite weak. For privacy, 802.11 defined the Wired Equivalent Privacy (WEP) algorithm. The privacy portion of the 802.11 standard contained major weaknesses. Subsequent to the development of WEP, the 802.11i task group developed a set of capabilities to address the WLAN security issues. In order to accelerate the introduction of strong security into WLANs, the Wi-Fi Alliance promulgated Wi-Fi Protected Access (WPA) as a Wi-Fi standard. WPA is a set of security mechanisms that eliminates most 802.11 security issues and was based on the then-current state of the 802.11i standard. The final form of the 802.11i standard is referred to as Robust Security Network (RSN). The Wi-Fi Alliance certifies vendors in compliance with the full 802.11i specification under the WPA2 program.

IEEE 802.11i Services. The 802.11i RSN security specification defines the following services.
- Authentication: A protocol is used to define an exchange between a user and an AS that provides mutual authentication and generates temporary keys to be used between the client and the AP over the wireless link.
- Access control: This function enforces the use of the authentication function, routes the messages properly, and facilitates key exchange. It can work with a variety of authentication protocols.
- Privacy with message integrity: MAC-level data (e.g., an LLC PDU) are encrypted along with a message integrity code that ensures that the data have not been altered.
Figure 6.4a shows the security protocols used to support these services, while Figure 6.4b lists the cryptographic algorithms used for these services.

Figure 6.4 Elements of IEEE 802.11i (figure; recoverable labels only)
(a) Services and protocols: Robust Security Network (RSN) comprising access control (IEEE 802.1X port-based access control; Extensible Authentication Protocol (EAP)), authentication and key generation, and confidentiality, data origin authentication, and integrity protection (TKIP; CCMP).
(b) Cryptographic algorithms: Robust Security Network (RSN) comprising confidentiality (TKIP (RC4); CCM (AES-CTR); NIST key wrap), data origin authentication and integrity (TKIP (Michael MIC); CCM (AES-CBC-MAC); HMAC-SHA-1; HMAC-MD5), and key generation (HMAC-SHA-1; RFC 1750).
CBC-MAC = Cipher Block Chaining Message Authentication Code
CCM = Counter Mode with Cipher Block Chaining Message Authentication Code
CCMP = Counter Mode with Cipher Block Chaining MAC Protocol
TKIP = Temporal Key Integrity Protocol


IEEE 802.11i Phases of Operation. The operation of an IEEE 802.11i RSN can be broken down into five distinct phases of operation. The exact nature of the phases will depend on the configuration and the end points of the communication. Possibilities include (see Figure 6.3):
1. Two wireless stations in the same BSS communicating via the access point (AP) for that BSS.
2. Two wireless stations (STAs) in the same ad hoc IBSS communicating directly with each other.
3. Two wireless stations in different BSSs communicating via their respective APs across a distribution system.
4. A wireless station communicating with an end station on a wired network via its AP and the distribution system.
IEEE 802.11i security is concerned only with secure communication between the STA and its AP. In case 1 in the preceding list, secure communication is assured if each STA establishes secure communications with the AP. Case 2 is similar, with the AP functionality residing in the STA. For case 3, security is not provided across the distribution system at the level of IEEE 802.11, but only within each BSS. End-to-end security (if required) must be provided at a higher layer. Similarly, in case 4, security is only provided between the STA and its AP.
With these considerations in mind, Figure 6.5 depicts the five phases of operation for an RSN and maps them to the network components involved. One new component is the authentication server (AS). The rectangles indicate the exchange of sequences of MPDUs. The five phases are defined as follows.
- Discovery: An AP uses messages called Beacons and Probe Responses to advertise its IEEE 802.11i security policy. The STA uses these to identify an AP for a WLAN with which it wishes to communicate. The STA associates with the AP, which it uses to select the cipher suite and authentication mechanism when the Beacons and Probe Responses present a choice.
- Authentication: During this phase, the STA and AS prove their identities to each other. The AP blocks non-authentication traffic between the STA and AS until the authentication transaction is successful. The AP does not participate in the authentication transaction other than forwarding traffic between the STA and AS.
- Key generation and distribution: The AP and the STA perform several operations that cause cryptographic keys to be generated and placed on the AP and the STA. Frames are exchanged between the AP and STA only.
- Protected data transfer: Frames are exchanged between the STA and the end station through the AP. As denoted by the shading and the encryption module icon, secure data transfer occurs between the STA and the AP only; security is not provided end-to-end.
- Connection termination: The AP and STA exchange frames. During this phase, the secure connection is torn down and the connection is restored to the original state.


Discovery Phase. We now look in more detail at the RSN phases of operation, beginning with the discovery phase, which is illustrated in the upper portion of Figure 6.6. The purpose of this phase is for an STA and an AP to recognize each other, agree on a set of security capabilities, and establish an association for future communication using those security capabilities.

Security Capabilities. During this phase, the STA and AP decide on specific techniques in the following areas:
- Confidentiality and MPDU integrity protocols for protecting unicast traffic (traffic only between this STA and AP)
- Authentication method
- Cryptographic key management approach


Confidentiality and integrity protocols for protecting multicast/broadcast traffic are dictated by the AP, since all STAs in a multicast group must use the same protocols and ciphers. The specification of a protocol, along with the chosen key length (if variable), is known as a cipher suite. The options for the confidentiality and integrity cipher suite are
- WEP, with either a 40-bit or 104-bit key, which allows backward compatibility with older IEEE 802.11 implementations
- TKIP
- CCMP
- Vendor-specific methods
The other negotiable suite is the authentication and key management (AKM) suite, which defines (1) the means by which the AP and STA perform mutual authentication and (2) the means for deriving a root key from which other keys may be generated. The possible AKM suites are
- IEEE 802.1X
- Pre-shared key (no explicit authentication takes place, and mutual authentication is implied if the STA and AP share a unique secret key)
- Vendor-specific methods


IEEE 802.11 state machine, as implemented in existing IEEE 802.11 hardware. In essence, the two devices (STA and AP) simply exchange identifiers.
- Association: The purpose of this stage is to agree on a set of security capabilities to be used. The STA then sends an Association Request frame to the AP. In this frame, the STA specifies one set of matching capabilities (one authentication and key management suite, one pairwise cipher suite, and one group-key cipher suite) from among those advertised by the AP. If there is no match in capabilities between the AP and the STA, the AP refuses the Association Request. The STA blocks it too, in case it has associated with a rogue AP or someone is inserting frames illicitly on its channel. As shown in Figure 6.6, the IEEE 802.1X controlled ports are blocked, and no user traffic goes beyond the AP. The concept of blocked ports is explained subsequently.

Authentication Phase. As was mentioned, the authentication phase enables mutual authentication between an STA and an authentication server (AS) located in the DS. Authentication is designed to allow only authorized stations to use the network and to provide the STA with assurance that it is communicating with a legitimate network.

IEEE 802.1X Access Control Approach. IEEE 802.11i makes use of another standard that was designed to provide access control functions for LANs: the IEEE 802.1X standard, Port-Based Network Access Control. The authentication protocol that is used, the Extensible Authentication Protocol (EAP), is defined in the IEEE 802.1X standard. IEEE 802.1X uses the terms supplicant, authenticator, and authentication server (AS). In the context of an 802.11 WLAN, the first two terms correspond to the wireless station and the AP. The AS is typically a separate device on the wired side of the network (i.e., accessible over the DS) but could also reside directly on the authenticator. Before a supplicant is authenticated by the AS using an authentication protocol, the authenticator only passes control or authentication messages between the supplicant and the AS; the 802.1X control channel is unblocked, but the 802.11 data channel is blocked. Once a supplicant is authenticated and keys are provided, the authenticator can forward data from the supplicant, subject to predefined access control limitations for the supplicant to the network. Under these circumstances, the data channel is unblocked. As indicated in Figure 6.7, 802.1X uses the concepts of controlled and uncontrolled ports. Ports are logical entities defined within the authenticator and refer to physical network connections. For a WLAN, the authenticator (the AP) may have only two physical ports: one connecting to the DS and one for wireless communication within its BSS. Each logical port is mapped to one of these two physical ports. An uncontrolled port allows the exchange of PDUs between the supplicant and the AS, regardless of the authentication state of the supplicant. A controlled port allows the exchange of PDUs between a supplicant and other systems on the LAN only if the current state of the supplicant authorizes such an exchange. The 802.1X framework, with an upper-layer authentication protocol, fits nicely with a BSS architecture that includes a number of wireless stations and an AP.

Figure 6.7 802.1X Access Control

However, for an IBSS, there is no AP. For an IBSS, 802.11i provides a more complex solution that, in essence, involves pairwise authentication between stations on the IBSS.

MPDU Exchange. The lower part of Figure 6.6 shows the MPDU exchange dictated by IEEE 802.11 for the authentication phase. We can think of the authentication phase as consisting of the following three stages.
- Connect to AS: The STA sends a request to its AP (the one with which it has an association) for connection to the AS. The AP acknowledges this request and sends an access request to the AS.
- EAP exchange: This exchange authenticates the STA and AS to each other. A number of alternative exchanges are possible, as explained subsequently.
- Secure key delivery: Once authentication is established, the AS generates a master session key (MSK), also known as the Authentication, Authorization, and Accounting (AAA) key, and sends it to the STA. As explained subsequently, all the cryptographic keys needed by the STA for secure communication with its AP are generated from this MSK. IEEE 802.11i does not prescribe a method for secure delivery of the MSK but relies on EAP for this. Whatever method is used, it involves the transmission of an MPDU containing an encrypted MSK from the AS, via the AP, to the STA.

EAP Exchange. As mentioned, there are a number of possible EAP exchanges that can be used during the authentication phase. Typically, the message flow


between the STA and AP employs the EAP over LAN (EAPOL) protocol, and the message flow between the AP and AS uses the Remote Authentication Dial In User Service (RADIUS) protocol, although other options are available for both the STA-to-AP and the AP-to-AS exchanges. [FRAN07] provides the following summary of the authentication exchange using EAPOL and RADIUS.
1. The EAP exchange begins with the AP issuing an EAP-Request/Identity frame to the STA.
2. The STA replies with an EAP-Response/Identity frame, which the AP receives over the uncontrolled port. The packet is then encapsulated in RADIUS over EAP and passed on to the RADIUS server as a RADIUS-Access-Request packet.
3. The AAA server replies with a RADIUS-Access-Challenge packet, which is passed on to the STA as an EAP-Request. This request is of the appropriate authentication type and contains the relevant challenge information.
4. The STA formulates an EAP-Response message and sends it to the AS. The response is translated by the AP into a RADIUS-Access-Request with the response to the challenge as a data field. Steps 3 and 4 may be repeated multiple times, depending on the EAP method in use. For TLS tunneling methods, it is common for authentication to require 10 to 20 round trips.
5. The AAA server grants access with a RADIUS-Access-Accept packet. The AP issues an EAP-Success frame. (Some protocols require confirmation of the authentication inside the TLS tunnel for tunneled EAP authenticity.) The controlled port is authorized, and the user can begin to access the network.
Note from Figure 6.6 that the AP controlled port is still blocked to general user traffic. Although the authentication is successful, the ports remain blocked until the temporal keys are installed in the STA and AP, which occurs during the 4-Way Handshake.

Key Management Phase. During the key management phase, a variety of cryptographic keys are generated and distributed to STAs. There are two types of keys: pairwise keys, used for communication between an STA and an AP, and group keys, used for multicast communication. Figure 6.8, based on [FRAN07], shows the two key hierarchies, and Table 6.3 defines the individual keys.

Pairwise Keys. Pairwise keys are used for communication between a pair of devices, typically between an STA and an AP. These keys form a hierarchy beginning with a master key from which other keys are derived dynamically and used for a limited period of time. At the top level of the hierarchy are two possibilities. A pre-shared key (PSK) is a secret key shared by the AP and an STA and installed in some fashion outside the scope of IEEE 802.11i. The other alternative is the master session key (MSK), also known as the AAAK, which is generated using the IEEE 802.1X protocol

Figure 6.8 (a) Pairwise key hierarchy (figure; recoverable labels only). Out-of-band path: PSK, pre-shared key, 256 bits, user-defined secret, no modification, becomes the PMK. EAP method path: AAA key (AAAK or MSK), >= 256 bits, from EAP authentication, possible truncation, becomes the PMK. PMK, pairwise master key, 256 bits, following EAP authentication or PSK. PRF (pseudorandom function) using HMAC-SHA-1 derives the PTK, pairwise transient key, 384 bits (CCMP) or 512 bits (TKIP), during the 4-Way Handshake. Components of the PTK: EAPOL key confirmation key, EAPOL key encryption key, temporal key.

Figure 6.8 (b) Group key hierarchy (figure; recoverable labels only). GMK (generated by AS), group master key, 256 bits, derives the GTK, group temporal key, 40 bits or 104 bits (WEP), 128 bits (CCMP), 256 bits (TKIP); changed periodically or if compromised; changes based on policy (disassociation, ...).
Figure 6.8 IEEE 802.11i Key Hierarchies

during the authentication phase, as described previously. The actual method of key generation depends on the details of the authentication protocol used. In either case (PSK or MSK), there is a unique key shared by the AP with each STA with which it communicates. All other keys derived from this master key are also unique between an AP and an STA. Thus, each STA, at any time, has one set of keys, as depicted in the hierarchy of Figure 6.8a, while the AP has one set of such keys for each of its STAs. The pairwise master key (PMK) is derived from the master key. If a PSK is used, then the PSK is used as the PMK; if an MSK is used, then the PMK is derived from the MSK by truncation (if necessary). By the end of the authentication phase, marked by the 802.1X EAP Success message (Figure 6.6), both the AP and the STA have a copy of their shared PMK. The PMK is used to generate the pairwise transient key (PTK), which in fact consists of three keys to be used for communication between an STA and AP after they have been mutually authenticated. To derive the PTK, the HMAC-SHA-1 function is applied to the PMK, the MAC addresses of the STA and AP, and nonces generated when needed. Using the STA and AP addresses in the generation of the PTK provides protection against session hijacking and impersonation; using nonces provides additional random keying material.

Table 6.3 IEEE 802.11i Keys (columns: abbreviation, name, description/purpose, size in bits, type)

AAA Key: Authentication, Accounting, and Authorization Key. Used to derive the PMK. Used with the IEEE 802.1X authentication and key management approach. Same as MSK. Size >= 256. Type: key generation key, root key.
PSK: Pre-shared Key. Becomes the PMK in pre-shared key environments. Size 256. Type: key generation key, root key.
PMK: Pairwise Master Key. Used with other inputs to derive the PTK. Size 256. Type: key generation key.
GMK: Group Master Key. Used with other inputs to derive the GTK. Size 128. Type: key generation key.
PTK: Pairwise Transient Key. Derived from the PMK. Comprises the EAPOL-KCK, EAPOL-KEK, and TK and (for TKIP) the MIC key. Size 512 (TKIP), 384 (CCMP). Type: composite key.
TK: Temporal Key. Used with TKIP or CCMP to provide confidentiality and integrity protection for unicast user traffic. Size 256 (TKIP), 128 (CCMP). Type: traffic key.
GTK: Group Temporal Key. Derived from the GMK. Used to provide confidentiality and integrity protection for multicast/broadcast user traffic. Size 256 (TKIP), 128 (CCMP), 40, 104 (WEP). Type: traffic key.
MIC Key: Message Integrity Code Key. Used by TKIP's Michael MIC to provide integrity protection of messages. Size 64. Type: message integrity key.
EAPOL-KCK: EAPOL-Key Confirmation Key. Used to provide integrity protection for key material distributed during the 4-Way Handshake. Size 128. Type: message integrity key.
EAPOL-KEK: EAPOL-Key Encryption Key. Used to ensure the confidentiality of the GTK and other key material in the 4-Way Handshake. Size 128. Type: traffic key / key encryption key.
WEP Key: Wired Equivalent Privacy Key. Used with WEP. Size 40, 104. Type: traffic key.

The three parts of the PTK are as follows:
- EAP Over LAN (EAPOL) Key Confirmation Key (EAPOL-KCK): Supports the integrity and data origin authenticity of STA-to-AP control frames during operational setup of an RSN. It also performs an access control function: proof of possession of the PMK. An entity that possesses the PMK is authorized to use the link.
- EAPOL Key Encryption Key (EAPOL-KEK): Protects the confidentiality of keys and other data during some RSN association procedures.
- Temporal Key (TK): Provides the actual protection for user traffic.

Group Keys. Group keys are used for multicast communication, in which one STA sends MPDUs to multiple STAs. At the top level of the group key hierarchy is the group master key (GMK). The GMK is a key-generating key used with other inputs to derive the group temporal key (GTK). Unlike the PTK, which is generated using material from both the AP and the STA, the GTK is generated by the AP and transmitted to its associated STAs. Exactly how this GTK is generated is undefined. IEEE 802.11i, however, requires that its value be computationally indistinguishable from random. The GTK is distributed securely using the pairwise keys that are already established. The GTK is changed every time a device leaves the network.

Pairwise Key Distribution. The upper part of Figure 6.9 shows the MPDU exchange for distributing pairwise keys. This exchange is known as the 4-Way Handshake. The STA and AP use this handshake to confirm the existence of the PMK, verify the selection of the cipher suite, and derive a fresh PTK for the following data session. The four parts of the exchange are as follows.
- AP -> STA: The message includes the MAC address of the AP and a nonce (Anonce).
- STA -> AP: The STA generates its own nonce (Snonce) and uses both nonces and both MAC addresses, plus the PMK, to generate a PTK. The STA then sends a message containing its MAC address and Snonce, enabling the AP to generate the same PTK. This message includes a message integrity code (MIC)


computed using HMAC-MD5 or HMAC-SHA-1-128. The key used with the MIC is the KCK.
- AP -> STA: The AP is now able to generate the PTK. The AP then sends a message to the STA containing the same information as in the first message, but this time including a MIC.
- STA -> AP: This is merely an acknowledgment message, again protected by a MIC.

Group Key Distribution. For group key distribution, the AP generates a GTK and distributes it to each STA in a multicast group. The two-message exchange with each STA consists of the following:
- AP -> STA: This message includes the GTK, encrypted either with RC4 or with AES. The key used for encryption is the KEK. A MIC value is appended.

Figure 6.9 IEEE 802.11i Phases of Operation: Four-Way Handshake and Group Key Handshake


TKIP is designed to require only software changes to devices that are implemented with the older wireless LAN security approach called Wired Equivalent Privacy (WEP). TKIP provides two services:
- Message integrity: TKIP adds a message integrity code (MIC) to the 802.11 MAC frame after the data field. The MIC is generated by an algorithm, called Michael, that computes a 64-bit value using as input the source and destination MAC address values and the Data field, plus key material.
- Data confidentiality: Data confidentiality is provided by encrypting


the MPDU plus the MIC value using RC4. The 256-bit TK (Figure 6.8) is employed as follows. Two 64-bit keys are used with the Michael message digest algorithm to produce a message integrity code. One key is used to protect STA-to-AP messages, and the other key is used to protect AP-to-STA messages. The remaining 128 bits are truncated to generate the RC4 key used to encrypt the transmitted data. For additional protection, a monotonically increasing TKIP sequence counter (TSC) is assigned to each frame. The TSC serves two purposes. First, the TSC is included with each MPDU and is protected by the MIC to protect against replay attacks. Second, the TSC is combined with the session TK to produce a dynamic encryption key that changes with each transmitted MPDU, thus making cryptanalysis more difficult.

CCMP is intended for newer IEEE 802.11 devices that are equipped with the hardware to support this scheme. As with TKIP, CCMP provides two services:
- Message integrity: CCMP uses the cipher block chaining message authentication code (CBC-MAC), described in Chapter 3.
- Data confidentiality: CCMP uses the CTR block cipher mode of operation with AES for encryption. CTR is described in Chapter 2.
The same 128-bit AES key is used for both integrity and confidentiality. The scheme uses a 48-bit packet number to construct a nonce to prevent replay attacks.

IEEE 802.11i Pseudorandom Function. At a number of places in the IEEE 802.11i scheme, a pseudorandom function (PRF) is used. For example, it is used to generate nonces, to expand pairwise keys, and to generate the GTK. Best security practice dictates that different pseudorandom number streams be used for different purposes. However, for implementation efficiency, we would like to rely on a single pseudorandom number generator function. The PRF is built on the use of HMAC-SHA-1 to generate a pseudorandom bit stream. Recall that HMAC-SHA-1 takes a message (block of data) and a key of length at least 160 bits and produces a 160-bit hash value. SHA-1 has the property that the change of a single bit of the input produces a new hash value with no apparent connection to the preceding hash value. This property is the basis for pseudorandom number generation. The IEEE 802.11i PRF takes four parameters as input and produces the desired number of pseudorandom bits. The function is of the form PRF(K, A, B, Len), where
K = a secret key
A = a text string specific to the application (e.g., nonce generation or pairwise key expansion)
B = some data specific to each case


Len = desired number of pseudorandom bits
For example, for the pairwise transient key for CCMP:
PTK = PRF(PMK, "Pairwise key expansion", min(AP-Addr, STA-Addr) || max(AP-Addr, STA-Addr) || min(Anonce, Snonce) || max(Anonce, Snonce), 384)
So, in this case, the parameters are
K = PMK
A = the text string "Pairwise key expansion"
B = a sequence of bytes formed by concatenating the two MAC addresses and the two nonces
Len = 384 bits

Similarly, a nonce is generated by
Nonce = PRF(Random Number, "Init Counter", MAC || Time, 256)
where Time is a measure of the network time known to the nonce generator. The group temporal key is generated by
GTK = PRF(GMK, "Group key expansion", MAC || Gnonce, 256)
Figure 6.10 illustrates the function PRF(K, A, B, Len). The parameter K serves as the key input to HMAC. The message input consists of four items concatenated together: the parameter A, a byte with value 0, the parameter B, and a counter i. The counter is initialized to 0. The HMAC algorithm is run once, producing a 160-bit hash value. If more bits are required, HMAC is run again with the same inputs, except that i is incremented each time until the necessary number of bits is generated. We can express the logic as follows:

PRF(K, A, B, Len)
    R <- null string
    for i <- 0 to ((Len + 159)/160 - 1) do
        R <- R || HMAC-SHA-1(K, A || 0 || B || i)
    Return Truncate-to-Len(R, Len)
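The PRF above, the "Pairwise key expansion" of the PTK for CCMP, the GTK derivation, and the 4-Way Handshake from the key distribution discussion, worked through as an added Python example (this is not code from the text or from the standard). It assumes 32-byte nonces, the MIC as HMAC-SHA-1-128 under the KCK, and EAPOL-Key frames reduced to just the fields the text names; all key and address values are constructed for the example.

```python
# Added example: IEEE 802.11i PRF, pairwise key expansion, GTK derivation and a
# simulated 4-Way Handshake, using only Python's standard library.
import hashlib
import hmac
import os

SHA1_BITS = 160


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-1, the primitive the 802.11i PRF is built on."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def prf(K: bytes, A: bytes, B: bytes, length_bits: int) -> bytes:
    """PRF(K, A, B, Len): R <- R || HMAC-SHA-1(K, A || 0 || B || i) for
    i = 0 .. ceil(Len/160) - 1, then truncate R to Len bits."""
    if length_bits % 8:
        raise ValueError("this example only supports Len that is a whole number of bytes")
    R = b""
    for i in range((length_bits + SHA1_BITS - 1) // SHA1_BITS):
        R += hmac_sha1(K, A + b"\x00" + B + bytes([i]))
    return R[: length_bits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
               ccmp: bool = True) -> bytes:
    """PTK = PRF(PMK, "Pairwise key expansion", min(AA, SPA) || max(AA, SPA) ||
    min(ANonce, SNonce) || max(ANonce, SNonce), Len); Len is 384 for CCMP, 512 for TKIP.
    aa/spa are the AP and STA MAC addresses; min/max make the result order-independent."""
    B = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", B, 384 if ccmp else 512)


def split_ptk(ptk: bytes):
    """PTK = EAPOL-KCK (128 bits) || EAPOL-KEK (128 bits) || TK (the remainder)."""
    return ptk[:16], ptk[16:32], ptk[32:]


def derive_gtk(gmk: bytes, ap_mac: bytes, gnonce: bytes) -> bytes:
    """GTK = PRF(GMK, "Group key expansion", MAC || Gnonce, 256)."""
    return prf(gmk, b"Group key expansion", ap_mac + gnonce, 256)


def eapol_mic(kck: bytes, body: bytes) -> bytes:
    """HMAC-SHA-1-128 over an EAPOL-Key frame body, keyed with the KCK."""
    return hmac_sha1(kck, body)[:16]


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes,
                       anonce: bytes = b"", snonce: bytes = b""):
    """Simulate the four messages; return (success, ap_tk, sta_tk).
    Each side holds its own PMK copy. If they differ, the MIC on message 2 fails
    to verify and the AP aborts: the KCK acts as proof of possession of the PMK."""
    anonce = anonce or os.urandom(32)
    snonce = snonce or os.urandom(32)
    # Message 1, AP -> STA: AP address and ANonce, not yet protected by a MIC.
    msg1 = aa + anonce
    # STA derives its PTK from both addresses, both nonces and its PMK.
    sta_kck, _, sta_tk = split_ptk(derive_ptk(sta_pmk, aa, spa, anonce, snonce))
    # Message 2, STA -> AP: STA address and SNonce, MIC under the STA's KCK.
    msg2_body = spa + snonce
    msg2 = msg2_body + eapol_mic(sta_kck, msg2_body)
    # AP reads SNonce from message 2, derives the same PTK and checks the MIC.
    rx_snonce = msg2[len(spa):len(spa) + 32]
    ap_kck, _, ap_tk = split_ptk(derive_ptk(ap_pmk, aa, spa, anonce, rx_snonce))
    if not hmac.compare_digest(eapol_mic(ap_kck, msg2[:-16]), msg2[-16:]):
        return False, None, None
    # Message 3, AP -> STA: same content as message 1, now with a MIC.
    msg3 = msg1 + eapol_mic(ap_kck, msg1)
    if not hmac.compare_digest(eapol_mic(sta_kck, msg3[:-16]), msg3[-16:]):
        return False, None, None
    # Message 4, STA -> AP: acknowledgment, again protected by a MIC.
    msg4 = b"ack" + eapol_mic(sta_kck, b"ack")
    if not hmac.compare_digest(eapol_mic(ap_kck, msg4[:-16]), msg4[-16:]):
        return False, None, None
    return True, ap_tk, sta_tk
```

The test below checks the PRF's chaining of HMAC blocks, the order independence of the PTK derivation, the PTK split, and that a mismatched PMK makes the handshake fail at message 2.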
