Research and Implementation of the Wireless LAN Security Protocol IEEE 802.11i
Abstract
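Wireless LAN (WLAN) is one of the most promising technologies in wireless communications in the new century. However, the wireless medium it uses is open by nature, which means it requires stricter security measures than wired networks. If the security problem is not solved, it will affect the development of WLAN. Judging from the current situation, however, security lags behind application.
     IEEE Task Group I is standardizing the WLAN security protocol 802.11i, whose ultimate goal is to establish a robust security network. There has been little research on it in China; the author analyzes 802.11i in depth from the aspects of security capability discovery, authentication and access control, dynamic key management, and secure data transfer. To understand the protocol thoroughly, the author systematically studied the IEEE 802.11 specification, applied cryptography theory, and the principles, methods and protocols involved in other areas of network security. The author also puts forward some views on the security solution proposed in the 802.11i draft.
     The implementation is based on the Linux platform and makes use of source code already available on the Internet. Using open-source software such as Xsupplicant, hostAP and freeRadius, I was able to fully implement a wireless LAN environment with 802.1X functionality, but this falls far short of what 802.11i requires. The author therefore first read this source code carefully and then extended it with the corresponding modules. After extending modules such as the PCMCIA wireless NIC driver, kernel cryptography and dynamic key management, 802.11i can basically be implemented.
     Finally, the thesis also analyzes and introduces the latest developments in WLAN and WAPI, which China recently formulated and made mandatory.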
In this new era, Wireless LAN is one of the most promising technologies in the field of telecommunication. However, it should have stricter measures to communicate securely because of the openness of the wireless medium. If security problems are not solved correctly, they will restrict the development of WLAN. Alas, as we can see from the current situation, security lags far behind application.
    IEEE Task Group I is standardizing a wireless security protocol, namely 802.11i, which aims at establishing a Robust Security Network. It is so new that few have worked on it. I dissected 802.11i into several aspects, including security capability discovery, authentication and access control, dynamic key management, and data transfer. To fully understand it, I systematically studied 802.11-related standards, the theory of applied cryptography and other protocols about network security. In the meantime, I put forward some viewpoints about it.
    The implementation was based on Linux, and I used many open sources from the Internet. I have set up a wireless LAN environment featuring 802.1X by using such open source projects as Xsupplicant, Hostap and freeRadius. However, it is too simple to satisfy the requirements of 802.11i. So, I first read their code carefully and then added more functions to their original implementations. After extending such modules as the PCMCIA driver, kernel cryptographic algorithms and dynamic key management, I finally implemented 802.11i.
    In the end, the thesis also analyzes and introduces the new development of WLAN and WAPI, the newly issued standard for wireless LAN in China.
