Huawei WLAN Authentication and Encryption

Transcription

1 Huawei WLAN Authentication and Encryption The Huawei integrated Wireless Local Area Network (WLAN) solution can provide all-round services for municipalities at various levels and enterprises and institutions in all walks of life. These services include wireless access, authentication, charging, security auditing, intelligent O&M, and network plan and design. This solution is widely used in various scenarios such as the campus, office area, hotel, government, bank, energy source, transportation, medical care, and wireless city. The Huawei WLAN authentication and encryption feature is a feature of the Huawei integrated WLAN solution. The Huawei WLAN authentication and encryption feature ensures the security of air interface key data using advanced encryption algorithms such as Rivest Cipher 4 (RC4), Advanced Encryption Standard (AES), and SMS4, and authenticates users using the portal, 802.1x, or WLAN Authentication and Privacy Infrastructure (WAPI), preventing user data from being stolen and user privacy from leaking, making the WLAN as secure as the wired network, and laying the firm foundation for mobile networks. 1. Overview WLAN wireless data is transmitted over the air and can be received any proper device. Therefore, WLAN wireless data security has always been of great concern since the emergence of WLAN, and authentication and encryption technologies have been developed and improved. A series of security mechanisms has been developed, including Wired Equivalent Privacy (WEP) at the initial stage, Wi-Fi Protected Access (WPA), WPA2, and the Chinese standard WAPI. Huawei launches an integrated authentication and encryption solution to protect users' wireless data security in various WLAN networks, including small home networks, campus networks, enterprise networks and even the widely covered carrier networks. The commonly used WLAN authentication and encryption methods are WEP, WPA/WPA2, WAPI, web, and MAC address authentication and encryption. WEP: WEP is a WLAN authentication and encryption method developed at the initial stage. It supports two 错 误! 未 知 的 文 档 属 性 名 称 1/13

2 authentication modes: open system authentication and shared key authentication. WPA/WPA2: WPA substitutes the WEP standard before IEEE i is published. It performs only some of the functions defined in IEEE i. WPA2 performs all the functions defined in IEEE i. Compared with WPA, the AES in Counter with CBC-MAC (CCM) mode is added. CBC-MAC is Ciphy Block Chaing Message Authentication Code for short. WPA and WPA2 support two authentication modes: pre-shared key (PSK) authentication and 802.1x authentication. PSK is the simplified WPA/WPA2 without 802.1x. In the PSK mode, authentication is performed between a user and the AC using pre-shared keys. Similar to WEP, the pair wise master key (PMK) is pre-installed, but all the keys used for encryption and other functions are generated dynamically. Therefore, WPA/WPA2 is a powerful security solution x: Based on IEEE for WLAN access, 802.1x is first introduced to solve the problem of access authentication of WLAN users. It prevents unauthenticated users or devices from accessing the Local Area Network (LAN) or the Metropolitan Area Network (MAN) through access interfaces. The 802.1x authentication defines only an implementation framework to authenticate the user identity. To implement the authentication process, you need to use other protocols. The 802.1x authentication is also called the dot1x authentication. WAPI: WAPI is a Chinese national standard and it consists of two parts: WLAN Authentication Infrastructure (WAI) and WLAN Privacy Infrastructure (WPI). WAI authenticates user identity and WPI provides the encryption function to protect data transmitted on WLANs. WAPI can provide higher security for the WLAN system. The portal authentication is also called the web authentication or DHCP+WEB authentication. DHCP is short for Dynamic Host Configuration Protocol. The client uses the web browser such as Internet Explorer to enter user names and passwords on the authentication page. Then the web server completes user authentication. In the MAC address authentication mode, a client sends its MAC address as the identity information to an access device. Clients do not need the client software in MAC address authentication. Table 1 lists Huawei WLAN authentication and encryption feature in details. Table 1: Huawei WLAN authentication and encryption feature Authentication Description Mode The WEP is one part of the IEEE standard that is passed in WEP September, 1999, and ensures confidentiality using the Rivest Cipher 4 (RC4) serial stream encryption technology 错 误! 未 知 的 文 档 属 性 名 称 2/13

3 The WEP supports the open system authentication and shared key authentication. The WEP is a technology for encrypting group information between the access points (APs) and client using RC4. After the key is configured, the key cannot be automatically updated. The password can be easily cracked. Therefore, the WEP authentication is seldom used currently. The open system authentication is the most frequently used authentication for carrier networks, and is generally used with the portal authentication. The WPA is short for Wi-Fi Protected Access, and is a commercial standard introduced by the Wi-Fi alliance. The WPA implements most part of the IEEE i standard, and is a transitional scheme that replaces the WEP before the i is completely established. The WPA uses the Temporal Key Integrity Protocol (TKIP) for data encryption. The WPA2 is a completely-established i standard and the WPA/WPA2-PS K second version of the WPA. The WPA2 uses Counter Mode with CBC-MAC Protocol (CCMP) for data encryption. The WPA/WPA2-PSK requires a key to be input in advance at each WLAN node, for example, the AP, wireless controller, and network adapter. A WLAN client can access the WLAN if its shared key is the same as that configured on the WLAN server. The shared key is used only for authentication but not for encryption. Therefore, it will not bring security risks as the pre-shared key authentication. Do not install the client because it is seldom used and no personnel is available for maintaining the password required by WPA/WPA2. WPA/WPA2-80 The 802.1x defines only the authentication frame but not a complete 错 误! 未 知 的 文 档 属 性 名 称 3/13

4 2.1x set of authentication rules. Specific authentications require other protocols, such as Extensible Authentication Protocol (EAP), Lightweight Extensible Authentication Protocol (LEAP), EAP-TLS, EAP-TTLS, and PEAP. TLS is Transport Layer Security for short and TTLS is Tunneled Transport Layer Security for short. Generally specific client software must be installed. However, if a user performs only the admission control but not the policy control, all common operating systems such as ISO, Android, and Windows supports 802.1x, and the client does not need to be installed. The 802.1X is frequently used in enterprise networks and seldom used in carrier networks. The WAPI is the Chinese national WLAN standard GB This standard includes the new WAPI security mechanism that is composed of WLAN Authentication Infrastructure (WAI) and WLAN Privacy Infrastructure (WPI). The WAPI provides the certificate-based and pre-shared-key-based WAPI key management methods. Unlike the WAP, the WAPI authenticates both users and APs, and uses SMS4 instead of CCMP as the encryption algorithm for better security. WAPI is a national standard, and must be supported in markets inside China but is seldom used in markets outside China. The portal authentication is also called the web authentication or the DHCP+WEB authentication. It uses the standard web browser such Portal as Internet Explorer, and does not need special client software. The client obtains the IP address before authentication. Layer 3 devices such as routers can be available between the user and the access server 错 误! 未 知 的 文 档 属 性 名 称 4/13

5 The portal authentication is frequently used on carrier networks and enterprise networks. In the MAC address authentication, a client sends its MAC address as the identity information to an access device. Mac The MAC address authentication does not require user name and password to be entered for login, and is used in scenarios without high security requirements. The real-name authentication is a comprehensive authentication solution provided by Huawei. In this authentication, each user uses Real-name authentication the real name to log in to the WLAN. This authentication is used in scenarios with high security requirements such as the court and educational institution so that users can be tracked down. 2. Application The Huawei WLAN authentication and encryption and Huawei integrated solution can provide WLAN networks with high security, delicate policy control, and intelligent O&M for customers. The Huawei WLAN authentication and encryption feature supports leading authentication and encryption protocols in the industry, and provide various combined authentication solutions, such as the solution for the carrier WLAN, for customers based on scenarios. On the carrier WLAN, the open system authentication plus portal authentication are used. After a user connects to the carrier WLAN, the portal server automatically displays an authentication service page. After the user is authenticated, the user can visit the WLAN. Generally advertisements are displayed on the authentication service page and the MAC binding function is pushed. After the user selects the MAC binding function, the user can use the MAC authentication to visit the carrier WLAN network next time without the necessity to enter the user name and password 错 误! 未 知 的 文 档 属 性 名 称 5/13

6 2.1 TKIP/CCMP Encryption Algorithm Huawei WLAN Authentication and Encryption Feature Internal The TKIP is an encryption protocol at the link layer provided by i to remove major defects in Wired Equivalent Privacy (WEP) design. The major drawback of the WEP is that the random seed of the WEP is composed of the initial vector (IV) and the WEP key. To guard against attacks on the IN, the TKIP is improved in the following points: 1. The sender device calculates the message integrity code (MIC) to ensure the information integrity. The plain text, source address, and destination address are included in the MIC calculation. The calculation result is encrypted using the MIC key. 2. The packet sequence number is used to prevent replay. The sequence number is contained in the WEP IV. 3. The Fast Packet Keying algorithm is used to generate the packet encryption key by combining the temporary key and packet sequence number. 4. The 802.1x EAPoL Key protocol is used to update the temporary key and MIC key. The TKIP is better than the WEP. However, the TKIP is also based on the stream password, and cannot eliminate security concerns. The CCMP is a security protocol that is based on AES block password and developed by the IEEE work group. The CCMP provides the encryption, authentication, integrity check, and anti-replay functions. It is based on the CCM that uses the AES algorithm and combines the Counter Mode (CTR) for encryption and CBC-MAC for authentication and integrity to ensure the integrity of MPDU data and IEEE MPDU header x Authentication The 802.1x protocol is a network access control protocol based on ports. On the WLAN, ports generally refer to MAC addresses at the logical layer. This protocol provides an authentication process frame. In this frame, the system consists of the authentication requester, authentication point, and authentication server. They respectively correspond to the client, access server, and AAA server. The authentication point is only responsible for the authentication and exchange process at the link layer, and does not maintain any user information. Any authentication request is forwarded to the authentication server, for example, RADIUS, for actual handling 错 误! 未 知 的 文 档 属 性 名 称 6/13

7 The EAP over LAN (EAPOL) protocol defined by 802.1x is used between the authentication requester and the authentication point. The back end transmits EAP packets through RADIUS encapsulation. The 802.1x protocol requires any data to be authenticated. Unauthorized connection ports transmit only authentication frames, and abandon all non-eapol frames. Data frames can be forwarded on after the authentication succeeds. Figure 1 shows the entity protocol stacks of the 802.1x authentication system. Figure 1: Entity protocol stacks of the 802.1x authentication system Authentication Requester Client Authentication Point Access Server Authentication Server AAA Server On the WLAN, most authentication service gateways of wireless users are configured on the AC. Otherwise, for example, when service gateways are configured on the Broadband Remote Access Server (BRAS), wireless users are the same as the wired users for service gateways. In the 802.1x authentication mode, authentication service gateways are configured on the AC and the local forwarding and concentrated forwarding of user data are supported. The 802.1x authentication is secure and reliable, can be easily implemented and flexibly applied, and meet industry standards. Therefore, it is frequently used on carrier or enterprise networks merging 3G and WLAN. Secure and reliable: In the wireless LAN environment, 802.1x is combined with EAP-TLS and EAP-TTLS to dynamically allocate WEP certificate keys, eliminating the security loopholes in wireless LAN access. Easily implemented and flexibly applied: The 802.1x retains the traditional AAA authentication network architecture, and can use existing RADIUS devices and easily implement and flexibly control the authentication granularity. In this authentication mode, user access, user IDs or connected devices can be authenticated for 错 误! 未 知 的 文 档 属 性 名 称 7/13

8 different users. Industry standards: The IEEE standard has the same source as the Ethernet standard, and can implement seamless merging with the Ethernet technology. The Windows, Linux, IOS, and Android operating systems running on clients support the 802.1x protocol. 2.3 Portal Authentication The portal authentication is also called the web authentication. When a user needs to use other information on the Internet, the user must pass the authentication on a portal website before using Internet resources. The user can visit an existing portal server and enter the user name and password for authentication. The user can also directly visit other external networks through HTTP. However, any external network URL visited before authentication is forcibly pushed to the portal server. On the WLAN, most authentication service gateways of wireless users are configured on the AC. Otherwise, for example, when service gateways are located on the BRAS, wireless users are the same as the wired users for service gateways. In the portal authentication mode, authentication service gateways are configured on the AC and the local forwarding and concentrated forwarding of user data are supported. The Huawei WLAN product version V2R2 passes the TR5 review by the end of October. The portal authentication includes the Layer 2 authentication and Layer 3 authentication. The differences between the Layer 2 authentication and Layer 3 authentication are that in the Layer 2 authentication, the MAC address of the server to which a user is to visit cannot be obtained and the ARP detection cannot be performed to check whether a user is online. The Layer 2 authentication and Layer 3 authentication processes are the same. Figure 2 shows the process. Figure 2: Portal authentication (web authentication) process 错 误! 未 知 的 文 档 属 性 名 称 8/13

9 C l i e n t Access Server DHCP Server Web Authentication Server 6 AAA Server The process is as follows: 1 to 4: A dynamic user obtains the MAC address through DHCP (a static user can manually configure the MAC address). 5: The user visits the authentication page of the web authentication server, and enters the user name and password to log in. 6: The portal authentication server notifies the access server of the user information through internal protocols. 7: The access server authenticates the user on the corresponding AAA server. 8: The AAA server sends back the authentication result to the access server. 9: The access server notifies the web authentication server of the authentication result. 10: The web authentication server displays the authentication result on the HTTP authentication page to notify the user of the result 错 误! 未 知 的 文 档 属 性 名 称 9/13

10 11: The user accesses network resources normally after the authentication succeeds. The portal authentication can provide convenient management functions. Portal websites can develop advertisement and community services and personalized businesses. In this manner, carriers, device providers, and content and service providers can form an Internet content union. The portal authentication is frequently used on carrier or enterprise WLANs. 2.4 Real-Name Authentication The security of WLAN is crucial for the large-scale deployment and widespread application of WLAN, particularly in sensitive scenarios such as government department and schools. Huawei introduces the real name authentication system for such scenarios, making the tracing and auditing of floating personnel easier. The real-name authentication takes the mobile number as the real name and the network account. Figure 3 shows the real-name authentication process. Figure 3: Real-name authentication process (5) The system sends the network account and password to the visitor service mobile phone. Third-Party SMS Message Platform Enterprise WLAN 5 (6) The visitor enters and submits the account and password, and uses the network after authentication. 6 SRUN AAA IP backbone network 4 (4) The administrator authenticates the mobile number and the visitor. AC (2) The visitor connects to the WLAN. The self-service portal page is displayed. (1) A visitor enters the enterprise for visit and communication. portal LSW (3) The visitor enters the mobile number for registration and applies for the network password Enterprise visitor Enterprise employee HUAWEI TECHNOLOGIES CO., LTD. Page 1 The real-name authentication makes the following tasks easier: Tracing and auditing visitors Providing online self-services for visitors Obtaining accounts and passwords automatically using Short Message Service (SMS) 错 误! 未 知 的 文 档 属 性 名 称 10/13

11 messages Appointing a customer or reserving a meeting Sending account passwords or reserved meeting notifications to appointed customers in s at specified time 2.5 WAPI Authentication The WAPI is the Chinese national WLAN standard GB This standard includes the new WAPI security mechanism. WAPI is an access control method based on Triple-Element Peer Authentication (TePA). It implements two-way authentication, and supports certificate authentication and pre-shared key authentication. It also supports unicast and multicast, and can be widely used in wired and wireless networks. However, WAPI is commercially immature, and is seldom used in markets outside China. 3. Ordering Information The authentication and encryption feature is bound to WLAN devices, and do not need to be separately purchased. To order the feature, you must order the device at the same time. For details, contact the local sales office. Table 2 lists the ordering information. Table 2: Ordering information of authentication and encryption feature Device Description AP devices AP6010SN/DN AP7110DN AP6310SN AP6510DN Built-in antenna. Indoor installation mode, 100 mw, and supporting b/g/n and the authentication and encryption feature. External antenna. Adopting leading technology, 3x3 MIMO, and supporting b/g/n and the authentication and encryption feature. Indoor high power Data Access Service (DAS) product. 100 mw, and supporting b/g/n and the authentication and encryption feature. Outdoor dual-frequency standard AP device. 2.4 GHz 500 mw/5 GHz 错 误! 未 知 的 文 档 属 性 名 称 11/13

12 125 mw, and supporting b/g/n and the authentication and encryption feature. Outdoor dual-frequency bridge AP device. 2.4 GHz 500 mw/5 GHz 125 AP6610DN mw, and supporting upstream optical interfaces, b/g/n and the authentication and encryption feature. AC devices AC PWR host. 20 GE interfaces, 4 combo interfaces, 2 SFP+ AC6605 ports, and supporting the authentication and encryption feature. The license must be configured. ACU-H80D2ACMPS00-Wireless access control board. This device is not S9300/S7700 SPU separately for sale. The license must be configured. The authentication and encryption feature must be configured. Authentication server Deep blue srun300 TSM This device supports the 802.1x, portal, MAC, and WAPI authentication, and traffic-based and duration-based charging. This device supports the 802.1x, portal, MAC, and WAPI authentication and the policy control. SMS message platform Third-party SMS message Integrate the third-party SMS message platforms or purchase the SMS platform/sms modem message message modems based on the site requirements, for example, those produced by Montnets or Maixuntong. 4. Huawei and Partners Huawei and partners can help you enhance network authentication and secure deployment experience, and speed up the establishment, O&M, innovation, and growth of the WLAN. Huawei has a professional team for secure authentication technology and a senior team for WLAN design 错 误! 未 知 的 文 档 属 性 名 称 12/13

13 These teams can create a clear and replicable WLAN network with easy O&M and optimize services and enhance performance for you, helping you increase operation efficiency, save funds, reduce risks, and achieve success. 5. More Information For more information about Huawei WLAN authentication and encryption feature, visit or contact the local sales office 错 误! 未 知 的 文 档 属 性 名 称 13/13