Similar literature
20 similar documents found; search took 203 ms
1.
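Research on wireless LAN security technology   Total citations: 20, self-citations: 0, citations by others: 20
Addressing the serious deficiencies of the security mechanisms in the existing wireless LAN standard IEEE 802.11, this paper analyzes in depth the IEEE 802.1X-based Extensible Authentication Protocol (EAP) and the Kerberos authentication protocol, describes the WEP/WEP2 and AES solutions among the encryption algorithms, gives a preliminary discussion of key regeneration techniques, and finally outlines directions for further research.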

2.
This article presents a system architecture, design considerations, and rationale for a mobile operator wireless LAN. The article also discusses the system implementation and performance issues. The system presented reuses GSM and GPRS mechanisms for user authentication, access control, subscriber management, operator roaming, and billing, while still being compatible with wireless Internet service provider networks and IETF and IEEE protocols such as RADIUS, EAP, and IEEE 802.1x. The architecture is a result of research carried out by Nokia between 1999 and 2002. The designed architecture has also been verified in a complete system implementation.

3.
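This paper studies the authentication mechanisms of wireless LANs and describes the message encapsulation format of the EAP/RADIUS protocols in the IEEE 802.1x standard. To address the shortcomings of the port-based access control protocol, it proposes a new authentication and key distribution scheme for WLANs and designs the detailed protocol flow. The protocol is based on the EAP/RADIUS authentication framework, uses service tokens to combine authentication and authorization, and performs key distribution together with authorization verification, improving the WLAN access control mechanism.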

4.
The IEEE 802.11i authentication framework is composed of 802.1x and an extensible authentication protocol (EAP) mechanism. One of the most applicable techniques among the EAP methods is EAP-transport layer security (EAP-TLS). The EAP-TLS implementation issues are high execution time, a high number of data exchanges between the two parties, and the possibility of the connection being closed as a result of modification of the contents of the handshake messages, all of which are addressed in this paper. This research analyses EAP-TLS in WLANs to improve this method’s efficiency in terms of security analysis, time and memory usage. Based on the results, this research proposes an enhanced method with discrete cryptographic mechanisms and a distinct handshake structure, which reduces the number of steps in the handshake protocol. This enhanced method also provides robust security compared to the original EAP-TLS with approximately the same level of memory usage, which reduces execution time significantly.

5.
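Starting from the background of WLAN technology and the risks and threats it may face, this paper analyzes the strengths and weaknesses of several commonly used WLAN authentication methods and proposes a relatively secure and practical solution: centered on the IEEE 802.11i-2004 international standard and within the IEEE 802.11i framework, 802.1X/EAP is used to provide strong identity authentication for a robust security network association; once authentication completes, CCMP based on the AES algorithm (FIPS PUB 197-2001) provides data confidentiality and integrity protection.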

6.
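Worldwide Interoperability for Microwave Access (WiMAX) is a wireless communication standard with great development potential, and it needs a good security mechanism to safeguard it. This paper briefly outlines the security architecture of the WiMAX system and the architecture of the 802.1x protocol, and on that basis describes the EAP protocol, in particular the steps of the EAP implementation flow. It then describes in depth the protocol flow and solution for implementing the WiMAX security mechanism on the company's system test platform, including the detailed differences between the concrete authentication procedure implemented on that platform and the authentication flow specified by the 3GPP protocols.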

7.
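Security issues in wireless LAN access   Total citations: 4, self-citations: 0, citations by others: 4
Zhong Xiaoshan (钟晓珊), Liu Xu (刘旭). Information Technology (《信息技术》), 2004, 28(12): 10-13, 49
This paper introduces the four existing security control measures for wireless Ethernet (WLAN): SSID-based security control, MAC address-based security control, WEP-based encryption, and IEEE 802.1x-based security control. IEEE 802.1x is introduced and analyzed in particular detail.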

8.
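Ethernet broadband access management technologies   Total citations: 2, self-citations: 0, citations by others: 2
Through an in-depth study of the three main Ethernet broadband access management technologies at present, PPPoE, DHCP Web (Client), and IEEE 802.1x, this paper compares their advantages and disadvantages and discusses the areas where each is applicable, providing a theoretical basis for choosing Ethernet broadband access management technologies in the future. It also argues that, at the present stage, telecom operators should build on the PPPoE management regime and use the IEEE 802.1x and DHCP regimes as supplements in specific environments, to meet the needs of rapidly growing broadband access operations.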

9.
Ethernet has grown from its roots in LANs to contend in previously uncharted territory of MANs and WANs. A slew of projects underway in the IEEE 802 standards bodies plan to groom Ethernet with carrier grade features like high availability, fault management, and resiliency thus far found only in other circuit-switched technologies. These include, among others, IEEE 802.1ag (connectivity fault management), IEEE 802.1ad (provider bridges), and IEEE 802.1ah (provider backbone bridges). IEEE 802.1ah addresses the service and MAC address scalability of provider backbone bridges. Since Ethernet has been architected and designed for a shared medium, it inherently handles broadcast and multicast traffic very efficiently, unlike layer 3 technologies, where multicasting and broadcasting rely on using multiple point-to-point connections. With IEEE 802.1ah, Ethernet would be able to provide millions of service instances in a provider backbone network. While flooding of frames in a LAN may provide for good multicasting, flooding of data in a MAN or WAN could mean huge bandwidth wastages, especially when the remote peers are geographically distant, and the traffic is not necessarily destined to any of its local ports of the peers. In this article we explore technologies to address efficient multicasting in provider backbone networks. We also consider extending this technology to address unknown unicast floods and efficient proxy of customer multicast frames.

10.
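Security management and billing management are of great significance for bringing Ethernet passive optical networks (EPON) into carrier-grade operation and promoting large-scale commercial use of EPON. Authentication is the key technology for implementing security management and billing management. Combining the IEEE 802.1x standard and the RADIUS protocol, this paper proposes a design for an authentication mechanism for EPON systems; an agent was developed on Linux using the net-snmp software package, implementing Remote Authentication Dial-In User Service (RADIUS) client functionality.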

11.
The interworking technologies to combine multiple WLANs into a single virtual system have not been studied extensively, particularly for legacy wireless networks. In this paper, we study how to provide the inter‐domain authentication among multiple WLAN service providers with minimum overhead. We introduce five inter‐domain authentication methods, referred to as Info‐Sharing, AP‐Seq, AP‐Con, AS‐Seq and AS‐Con, which are designed in the form of an extension to the standard IEEE 802.1x and EAP protocols. In order to evaluate these methods, we compare their authentication time, implementation cost, confidentiality, flexibility and increment of messages. From the evaluation with analysis and experiments, we show that the AS‐Con method can provide the authentication interworking function with minimal overhead on legacy network equipment. Also it is shown that, even though the authentication of AS‐Con takes longer than the previous method, their difference is under one second and insensitive to users. Copyright © 2006 John Wiley & Sons, Ltd.

12.
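Principles of VLAN implementation based on IEEE 802.1Q frame tagging   Total citations: 3, self-citations: 0, citations by others: 3
Li Deshui (李德水). Information Technology (《信息技术》), 2006, 30(10): 68-70
The IEEE 802.1Q standard implements virtual LANs through standardized frame tagging. This paper analyzes in depth the 802.1Q frame tag format and the VLAN implementation mechanism in terms of the ingress process, the forwarding process, and the egress process, and illustrates them with examples.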

13.
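At present, campus networks at Chinese universities are growing ever larger and more capable, and ensuring network security has become one of the key issues for them. This paper analyzes the current state of university campus networks, points out the shortcomings of the IEEE 802.1x protocol in campus network identity authentication, including non-repudiation, address theft, account theft, authentication flexibility, and user management, proposes an effective improvement scheme, and describes the technical implementation, including redesigning the authentication scheme, modifying the client data frames and program, and modifying the RADIUS authentication service.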

14.

Authentication has a strong impact on the overall security model of every information system. Various authentication techniques are available for restricting the access of unauthorized users to enterprise-scale networks. IEEE 802.1X defines a secure and reliable authentication framework for 802.11 WLANs, where the Extensible Authentication Protocol (EAP) provides the base for this architecture. EAP is a generic architectural framework which supports extensibility by incorporating new and improved authentication schemes, which are based on different types of credentials. Currently there exist a number of EAP and non-EAP methods with varying levels of security and complexity. In this work, we have designed a new n-secret based authentication scheme, referred to here as Personal Dialogue Based Authentication, for client authentication to the network. It is a Transport Layer Security (TLS) protected authentication protocol, which will be executed inside the secure TLS tunnel to provide privacy and credential security to the wireless client. The developed authentication protocol has a reasonable set of features such as strong security, user privacy, simplicity and extensibility. For the formal analysis of the protocol we have used the SPAN–AVISPA model checker on the Ubuntu platform to validate the realization of the specified security goals. The experimental results obtained by simulation performed with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool show that our protocol is efficient and secure.


15.
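User access control technology based on Ethernet ports   Total citations: 10, self-citations: 0, citations by others: 10
This article introduces the content and characteristics of IEEE 802.1x, a user access control protocol based on Ethernet ports, discusses methods for implementing user authentication on Ethernet switches when Ethernet access is used, and presents a solution for a broadband metropolitan area network application.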

16.
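IEEE 802.11s is the IEEE specification for wireless mesh networks. Although 802.11s carries over the security specification of IEEE 802.11i, it does not define much regarding the security of the routing protocol, which creates certain security risks. This paper analyzes the vulnerabilities of the routing protocol in the IEEE 802.11s standard (draft) and designs two attacks against the Hybrid Wireless Mesh Protocol (HWMP) used in IEEE 802.11s that undermine the availability of wireless mesh networks. The wireless attacks are implemented on a self-designed router platform, and their impact on the network is analyzed to verify that the vulnerabilities exist and are exploitable.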

17.
Wireless LAN security and IEEE 802.11i   Total citations: 7, self-citations: 0, citations by others: 7
This article reviews wireless LAN security with a focus on the evolving new IEEE 802.11i standard. The major security enhancements in encryption and authentication defined by 802.11i are illustrated. In addition, the newly introduced key management in 802.11i is discussed. Because 802.11i incorporates IEEE 802.1X as its authentication enhancement, 802.1X with consideration of roaming users is depicted. Both intrasubnet and intersubnet roaming are illustrated.

18.
This paper reviews multi-channel media access control (MAC) protocols based on IEEE 802.11 in wireless mesh networks (WMNs). Several key issues in multi-channel IEEE 802.11-based WMNs are introduced, and typical solutions proposed in recent years are classified and discussed in detail. The experiments are performed with network simulator version 2 (NS2) to evaluate four representative algorithms compared with traditional IEEE 802.11. Simulation results indicate that using multiple channels can substantially improve the performance of WMNs in a single-hop scenario, and that equipping each node with multiple interfaces can substantially improve the performance of WMNs in a multi-hop scenario.

19.
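Liu Bin (柳斌), He Yuzhi (贺聿志), Zhang Yong (章勇). Journal on Communications (《通信学报》), 2014, 35(Z1): 17-90
802.1x authentication is usually deployed in a distributed manner. As campus networks keep growing, distributed deployment makes device management and authentication system management inconvenient; on the other hand, traditional centralized 802.1x deployment cannot locate user terminals. By combining three techniques, (NAS IP, Port, Vlan) triple-based location, Super Vlan, and Port+Vlan address management, the problem of locating user terminals under centralized 802.1x deployment was solved. A deployment experiment was carried out on the campus network of Huazhong University of Science and Technology, with good results.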

20.
The handover procedure in secure communication wireless networks is an extremely time-consuming phase, and it represents a critical issue in relation to the time constraints required by certain real-time traffic applications. In particular, in the case of the IEEE 802.1X model, most of the time required for a handover is used for packet exchanges that are required for authentication protocols, such as Extensible Authentication Protocol Transport Layer Security (EAP-TLS), that require an eight-way handshake. Designing secure re-authentication protocols to reduce the number of packets required during a handover is an open issue that is gaining interest with the advent of a pervasive model of networking that requires real-time traffic and mobility. This article presents the 802.1X model and evaluates its application to ad hoc networks based on IEEE 802.11i or IEEE 802.1 be standards, focusing on the problems that must be evaluated when designing handover procedures, and suggesting guidelines for securing handover procedures. It also presents a novel protocol to perform secure handovers that is respectful of the previous analysis and that has been implemented in a mesh environment.
