应用于IEEE802.1x的可扩展认证协议的安全分析

IEEE802．1x协议是对现行lEEE802．11协议的安全补充，lEEE委员会为IEEE802．11推出了一个安全架构，称之为RSN(Robust Security Network)。RSN利用IEEE802.lx标准来实现访问控制、认证以及密钥的管理。可扩展认证协议(EAP)是IEEE802．1x中引入的一个重要协议，该标准为基于802标准的局域网提供了一个认证的框架。文章对EAP在应用中所遇到的问题和安全隐患进行分析，并对这些问题提出了可能的解决方案。     

无线网络安全之802.11i

日前无线网络的安全防护已经逐渐被提上议程,本文首先阐述了传统安全技术,随后重点论述802.11i标准及其相关理论--802.1x认证机制。802.11i标准引入了802.1x认证机制实现身份验证及密钥管理等功能。文章详细描述了802.1x认证机制的实现过程和802.11i标准的安全防护措施,为无线网络安全的各个方面提出了完整的标准措施。     

无线网络安全之802．11i

日前无线网络的安全防护已经逐渐被提上议程．本文首先阐述了传统安全技术，随后重点论述802.11i标准及其相关理论——802．1x认证机制。802．1li标准引入了802．1x认证机制实现身份验证及密钥管理等功能。文章详细描述了802．1x认证机制的实现过程和802．1li标准的安全防护措施，为无线网络安全的各个方面提出了完整的标准措施。     

基于802．1x的无线园区网AAA系统的设计与实现

无线网接入安全是网络安全的重要课题之一。回顾了802．11i中采用的802．1xEAP认证技术,对无线园区网如何实现安全接入与认证进行深入研究,提出采用Free Radius实现AAA功能的无线网体系结构,实现了采用数字证书的EAP-TLS方式服务器和客户端双向认证,提高无线网安全,保护无线网资源。还对无线园区网采用802．IxEAP认证的几种方案进行了深入分析比较,对根据不同园区网应用环境选择适当EAP设计方案提出了建议。     

无线局域网WEP协议安全漏洞研究

随着无线局域网的普及和应用,网络安全问题日益突出,商用无线网络尤其需要采取有效的安全方案。有线等价协议WEP是在IEEE802.11标准中采用的信息保密机制,它主要用于无线局域网络中链路层信息数据的保密。文中对WEP的工作机理进行了分析,重点对其安全性能包括数据加密、IV重用、密钥管理、身份认证机制和数据完整性检查机制等方面进行了研究,并发现WEP不能对无线局域网中的数据提供可靠的保护。最后,提出了对WEP从加密和认证的角度进行改进的建议。     

A Wireless LAN under High Load and in Noise: Throughput Evaluation

IEEE 802.11 specifies a network technology for wireless local area networks (LANs) and mobile user connections. The fundamental access mechanism in the IEEE 802.11 MAC protocol is the Distributed Coordination Function (DCF). The throughput of LANs with the DCF mechanism under high load and in noise is evaluated by an analytical method, which ensures high estimation accuracy for any values of protocol parameters and bit error rates.     

引入移动IP技术的WLAN安全漫游解决方案

给出了一种将移动IP技术融入无线局域网的方案，该方案基于IEEE802.11协议，采用了专为移动网络设计的Diamcter Mobile IP应用协议来实现认证，授权和计费管理，在实现了跨不同管理区域的漫游功能的同时，提供了相互认证以及数据的完整性和保密性，同时尽量少影响现有的IEEE802.11系统。     

一种无线局域网漫游接入认证

在无线mesh网络中,用户对快速漫游切换需求愈发突出,但现有的IEEE802.1s WLan Mesh认证协议并未对此进行定义,且初始接入认证过程中,信息交换次数较多,时延较高。在现有协议基础上提出了采用基于签名的身份认证方式,将认证转移到用户和路由节点之间,并且将用户向服务器注册与用户对路由节点认证过程并发执行,减少了认证的时延。分析结果表明,接入认证方式总体性能优于现有网络标准。     

基于IEEE 802.11认证协议的DoS攻击

对IEEE802. 11认证协议的漏洞和无线网络受到的拒绝服务 (DoS)攻击进行了深入的剖析。捕获并分析IEEE802. 11MAC帧,利用序列号分析的方法,对授权的合法客户受到的DoS攻击进行检测;利用统计分析方法,对访问接入点AP受到的DoS攻击进行检测。     

量子密码在无线局域网中的安全研究

本文通过对量子密码BB84协议及IEEE802.11i认证协议的分析与讨论,深入研究了802.11i密钥管理机制中的4次握手,利用量子密码安全的优势与IEEE802.11i无线网络相结合,提出量子握手,为无线网络中数据的通信安全提供保障。     

Access control protocols with two-layer architecture for wireless networks

In this paper we study two access control protocols which have similar two-layer access control architectures for wireless networks in public places. The first protocol, called the Lancaster protocol, employs user password for authentication and enforces access control at the IP layer; while the second protocol, referred to as the Stanford protocol, uses public key cryptosystems (PKC) for authentication and performs access control at the link layer. Although both protocols are intended to restrict access to wireless networks only to authorized users, our analysis shows that both protocols have serious security flaws which make them vulnerable to attacks. Then we propose a password-based protocol and a PKC-based protocol for the Lancaster architecture and the Stanford architecture, respectively. Both of our protocols provide mutual authentication, perfect forward secrecy and access control for wireless networks. Moreover, they also provide DoS resistance and identity confidentiality for the client. We present detailed security and performance analysis for our protocols, and show that both of our protocols are secure and efficient for access control in wireless networks.     

基于 eduroam 的跨域无线接入解决方案

eduroam (education roaming,教育漫游) 满足了授权用户在成员高校和科研机构之间自由、安全的使用无线网络,提高了网络接入效率。eduroam 在无线网络的接入认证时,应用 IEEE 802.1x 协议,采用 RADIUS 协议进行认证。本文分析了 eduroam 架构和认证过程,在高能所网络环境中部署实践了 eduroam 认证环境,验证了账号认证和签发证书认证的可行性,并提出在认证过程中对 LDAP 明文密码的 NT hash 加密存储方法。分析证明,该方法简化了 eduroam 部署,提高了认证效率和安全性。     

802.11i的认证安全性分析

IEEE设计802.11i协议解决无线局域网的安全问题.802.11i协议的形式化分析,对于确保该协议的正确性至关重要.利用串空间理论对802.11i协议进行建模,在串空间模型中验证协议的认证属性.结果表明,802.11i协议能够安全实现它的认证功能.     

Products plug WiFi security holes

Vendors are developing new security products for WiFi (IEEE 802.11) wireless LAN technology. WiFi has become very popular but has also caused concern because of vulnerabilities that, among other things, let unauthorized users intrude into networks relatively easily. The IEEE is working on its 802.11i standard that would improve overall WiFi security via authentication and encryption. Until 802.11i is finalized, the IEEE and the WiFi alliance have developed WiFi protected access to partially upgrade the technology's data protection and access control. However, WPA doesn't address all important security issues.     

Runtime optimization of IEEE 802.11 wireless LANs performance

IEEE 802.11 is the standard for wireless local area networks (WLANs) promoted by the Institute of Electrical and Electronics Engineers. Wireless technologies in the LAN environment are becoming increasingly important and the IEEE 802.11 is the most mature technology to date. Previous works have pointed out that the standard protocol can be very inefficient and that an appropriate tuning of its congestion control mechanism (i.e., the backoff algorithm) can drive the IEEE 802.11 protocol close to its optimal behavior. To perform this tuning, a station must have exact knowledge of the network contention level; unfortunately, in a real case, a station cannot have exact knowledge of the network contention level (i.e., number of active stations and length of the message transmitted on the channel), but it, at most, can estimate it. We present and evaluate a distributed mechanism for contention control in IEEE 802.11 wireless LANs. Our mechanism, named asymptotically optimal backoff (AOB), dynamically adapts the backoff window size to the current network contention level and guarantees that an IEEE 802.11 WLAN asymptotically achieves its optimal channel utilization. The AOB mechanism measures the network contention level by using two simple estimates: the slot utilization and the average size of transmitted frames. These estimates are simple and can be obtained by exploiting information that is already available in the standard protocol. AOB can be used to extend the standard 802.11 access mechanism without requiring any additional hardware. The performance of the IEEE 802.11 protocol, with and without the AOB mechanism, is investigated through simulation. Simulation results indicate that our mechanism is very effective, robust, and has traffic differentiation potentialities.     

无线自组织网络中TCP稳定性的分析及改进

在无线自组织网络中,基于IEEE 802.11的TCP流存在严重的不稳定性,其原因与MAC协议、路由协议和TCP本身均有一定的关系,但最根本之处在于MAC协议的不公平性以及假的链路失效消息导致了不必要的耗时的路由发现过程.结合IEEE802.11的MAC协议和DSR路由协议,对这些原因进行了深入的理论分析和仿真实验,并提出了针对MAC协议和路由协议的改进算法.仿真结果证明,提出的改进算法不仅能基本上避免TCP流的不稳定性,还能够极大地提高TCP流的平均吞吐量.     

Revealing the problems with 802.11 medium access control protocol in multi-hop wireless ad hoc networks

The IEEE 802.11 medium access control (MAC) protocol is a standard for wireless LANs, it is also widely used in almost all test beds and simulations for the research in wireless mobile multi-hop ad hoc networks. However, this protocol was not designed for multi-hop networks. Although it can support some ad hoc network architecture, it is not intended to support the wireless mobile ad hoc network, in which multi-hop connectivity is one of the most prominent features. In this paper, we focus on the following question: can IEEE 802.11 MAC protocol function well in multi-hop networks? By presenting several serious problems encountered in transmission control protocol (TCP) connections in an IEEE 802.11 based multi-hop network, we show that the current TCP protocol does not work well above the current 802.11 MAC layer. The relevant problems include the TCP instability problem found in this kind of network, the severe unfairness problem, and the incompatibility problem. We illustrate that all these problems are rooted in the MAC layer. Furthermore, by revealing the in-depth cause of these problems, we conclude that the current version of this wireless LAN protocol does not function well in multi-hop ad hoc networks. We thus doubt whether the current WaveLAN based system is workable as a mobile multi-hop ad hoc test bed. All the results shown in this paper are based on NS2 simulations, and are compatible with the results from the OPNET simulations.     

基于无线局域网的认证方法研究

以无线局域网中的身份认证方式为研究对象,在研究WEP认证、IEEE802.11i认证的基础上,基于安全协议设计规范中通信实体间的相互认证原则,将现有的IEEE802.11i中的伪双向身份认证改进后使之为真正的双向认证机制,经过形式化的仿真分析表明对IEEE802.11i的改进可以防止各种假冒攻击,进一步保证了通信双方的合法性。     

SRPM: Secure Routing Protocol for IEEE 802.11 Infrastructure Based Wireless Mesh Networks

Infrastructure based IEEE 802.11 wireless mesh networks (WMNs) are new paradigm of low cost broadband technology. The large scale city-wide community-based coverage and multi-hop architecture are such characteristics which are vulnerable to network layer threats, and the adversary can exploit them for large scale degradation of the broadband services. So far many secure routing protocols have been proposed for ad-hoc networks, however, due to the different nature and characteristics; they cannot perform well in a WMN environment. In this paper, we discuss the limitations and challenges as well as propose an exclusive secure routing protocol for an infrastructure based wireless mesh (SRPM) network. SRPM is robust against a variety of multi-hop threats and performs well over a range of scenarios we tested.     

无线网络中MAC层违规行为的检测和惩罚

802.11无线媒体访问控制(MAC)协议利用分布式争夺解决机制处理无线信道的共享。在这种环境下,那些没有执行MAC协议的节点可以获得不公平的信道带宽。IEEE 802.11要求节点等待一个随机时间间隔之后再竞争访问信道,如果某些节点等待一个较小的时间间隔,那么对其他普通节点来说,这是不公平的。针对这种情况对IEEE 802.11 MAC协议做简单的改进来检测这样的违规行为并对其进行惩罚。