Profound and Detailed
2022-12-27
With the improvement of wireless security technology, wireless has in recent years gradually developed from a technology that was never trusted, and was used only as a backup for other technologies, into the cornerstone of data communication and an inseparable part of daily life. It is predicted that soon, most people will use their smartphones as their important computing tools. Wireless has become the communication choice of many people. However, without effective data security, wireless technology will not develop and people will continue to rely on wired networks, despite the cost and other inconveniences.
Data security
What is security? We all have things to protect. In the real world, we have houses and cars; in the digital world, we have personal data, such as social security numbers, online passwords and confidential email exchanges. Industrial and commercial users want to protect their intellectual property rights and products from infringement.
However, we often see some seemingly secure corporate networks attacked by hackers and there is nothing we can do about it. So how do we protect our property from theft or infringement? This worry has been around for a long time. The basis of security is that we have unhindered access to our property while others are restricted or inaccessible.
In the real world, we lock the door and use a key to open it. In the digital realm, we enter a combination of numbers and letters to get into a computer or reach data. The most basic principle is that there are locks and keys, and this metaphor should be kept in mind. The key is unique to the lock; no other key opens it. Locks can be removed or broken by force; keys can be stolen or borrowed. All security measures have similar weaknesses.
Access control of data
Wireless security can consist of several different parts, depending on the security needs of the individual or company. Small systems, such as small office / home office routers or personal wireless local area networks (WLANs), typically restrict access to the network with a password. Large enterprise WLANs also require passwords, but add further authentication and encryption methods, which rely on authentication servers to control access to the wireless network. Large enterprises also restrict traffic by role and rely on virtual local area networks (VLANs) and other methods to further subdivide network traffic. These technologies allow administrators to control data and decide who can access it based on criteria such as job responsibilities or department.
Wireless intrusion detection systems (WIDS) are also used to detect and reduce unauthorized users and to continuously monitor the network; these systems are very effective in most cases, but their cost is high. Finally, and this point is often overlooked, there must be a security policy regardless of the size of the WLAN. Most network vulnerabilities stem from so-called "social engineering". This term describes the process in which a person is deceived into handing his or her credentials to an unauthorized person. A sound security policy is very effective in educating people on how to avoid being tricked or coerced into giving credentials to unauthorized people.
The Development of Wireless Network Security Standards
Once upon a time, wireless networks were new and somewhat expensive, and were not used in any critical applications. Wireless was used as an extension of the wired network where wiring was too expensive or impossible. Open System Authentication (OSA) is an early method of network access in which the access point (AP) only queries the client to ensure that the client device is compatible with IEEE 802.11. As WLAN equipment came into wider and wider use, it became necessary to develop and implement ways to secure wireless networks.
The first attempt to secure wireless networks was the so-called Wired Equivalent Privacy (WEP). The purpose of WEP is to give wireless networks data protection equivalent to that of wired networks. WEP encrypts plain text with a randomly generated 24-bit "initialization vector" (IV) and a 40- or 104-bit static key (for 64-bit or 128-bit WEP, respectively). The key must match on both the client and the access point.
WEP suffers from inherent defects, which are related to the construction of keys and the reuse of IVs. The IV is transmitted in plain text, making it possible to test for IV reuse and collisions through various techniques to determine the secret key. Its integrity check value (ICV) is based on the cyclic redundancy check CRC-32, which was never intended for secure transmission; this provides another weakness. With common tools, WEP can be breached in 10 seconds; therefore, WEP is no longer used and should be avoided, even in small office environments.
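The two WEP defects described above can be reproduced in a few lines. This is an added example, not part of the original article; the frame layout is simplified (clear-text IV followed by the encrypted data and ICV, with the key ID byte and 802.11 headers omitted), and the key and payloads are constructed.

```python
import math
import zlib
from collections import Counter

STATIC_KEY = bytes.fromhex("0102030405")  # constructed 40-bit key (64-bit WEP)

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, plaintext: bytes, key: bytes = STATIC_KEY) -> bytes:
    """Simplified WEP body: clear-text IV || RC4(IV||key) XOR (data || ICV)."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")  # ICV = CRC-32
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def repeated_ivs(frames: list[bytes]) -> list[bytes]:
    """IVs seen more than once in a capture; each repeat is a reused keystream."""
    counts = Counter(f[:3] for f in frames)
    return sorted(iv for iv, c in counts.items() if c > 1)

def frames_until_collision(p: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: frames needed for probability p of a repeated random IV."""
    return math.ceil(math.sqrt(2 * 2**iv_bits * math.log(1 / (1 - p))))

def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 has no key: crc(a^b) follows from crc(a) and crc(b) alone."""
    zero = zlib.crc32(bytes(len(a)))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zero

# Constructed sample traffic: the first and third frames share IV 00:00:01.
P1, P2, P3 = b"meter reading 0417", b"valve state: OPEN!", b"heartbeat frame 03"
FRAMES = [wep_encrypt(b"\x00\x00\x01", P1), wep_encrypt(b"\x00\x00\x02", P3),
          wep_encrypt(b"\x00\x00\x01", P2)]

if __name__ == "__main__":
    print("repeated IVs:", [iv.hex() for iv in repeated_ivs(FRAMES)])
    print("ciphertext XOR equals plaintext XOR:",
          xor(FRAMES[0][3:], FRAMES[2][3:])[:len(P1)] == xor(P1, P2))
    print("frames for 50% chance of an IV repeat:", frames_until_collision())
```

With a static key, a repeated IV means an identical keystream, so the static key drops out of the XOR of the two ciphertexts; with only 24 bits of IV, a repeat is more likely than not after a few thousand frames.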
The Temporal Key Integrity Protocol (TKIP) was designed to fix IV reuse. TKIP provides data security on existing devices, because they can be upgraded through firmware. TKIP was jointly developed by the IEEE 802.11i task force and the Wi-Fi Alliance to replace WEP, and it became the basis of Wi-Fi Protected Access (WPA). It was only a transitional measure, a solution provided until more robust security mechanisms were developed and put into use. TKIP uses a unique, dynamically generated 128-bit encryption key, or "temporal key", whereas WEP uses a static key. A process called the 4-way handshake, which takes place between the access point and the client device, is used to generate these keys. Each frame is also assigned a sequence number; if a frame is out of sequence when it is received, it is rejected.
In addition, the use of more complex keys, together with a process that produces a stronger key stream, solves the problems of weak keys and key reuse. TKIP is designed for older devices that use WEP encryption, so the RC4 cipher is also used in TKIP. Finally, enhanced data integrity is provided by a message integrity code (MIC). Although the use of TKIP is mandatory in WPA, it is optional in WPA2 because WPA2 enforces the use of CCMP-AES encryption.
IEEE 802.11 and CCMP/AES
Recognizing that the use of wireless network technology was growing exponentially and that security is essential to support the development of this technology, the IEEE 802.11i working group began to study advanced ways to ensure the security of wireless networks.
With the IEEE 802.11i amendment, the Robust Security Network (RSN) and Robust Security Network Association (RSNA) were introduced to provide a framework for secure wireless networks. Generally speaking, successful authentication means that both parties to the transaction have verified each other's identity and have generated dynamic encryption keys to ensure secure data transmission.
WPA2 is a complex security method, which draws on the advanced encryption method specified in Federal Information Processing Standard FIPS-197. The WPA/WPA2 naming, developed by the Wi-Fi Alliance, mirrors the IEEE standard and is actually a certification to ensure that devices comply with a common security standard. WPA2 specifies two types of security: passphrase authentication for small and small office / home office networks, and 802.1X/EAP security for corporate networks.
WPA2 enforces the use of a new protocol, the Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). CCMP uses the AES block cipher instead of the RC4 cipher used in WEP and the Temporal Key Integrity Protocol. Block ciphers process data in blocks, while stream ciphers, such as RC4, encrypt bit by bit as a serial data stream. This kind of encryption is generally called CCMP/AES. CCMP/AES uses a 128-bit key to encrypt 128-bit blocks of data. CCMP/AES makes a number of improvements, including the temporal key (TK), block encoding, the nonce (a number or bit string that is used only once), upper layer encryption, and additional authentication data (AAD). It should be understood that AES is a standard, not a protocol. The AES standard specifies the use of the Rijndael symmetric block cipher, which can use 128-, 192- or 256-bit keys to encrypt 128-bit blocks of data.
CCMP is a security protocol. It follows well-designed steps that include encrypting sensitive data using the algorithm specified by AES. CCMP consists of specialized components that each provide a specific function. It also uses a temporal key to complete all encryption and data integrity processes.
Five Skills of Defense in Depth Strategy
The use of advanced network security and system monitoring functions can improve the reliability of power supply and reduce energy consumption. Allowing Internet access has raised concerns about network security in industrial enterprises, and defense-in-depth measures will help.
To make intelligent power management decisions that reduce energy consumption and improve the reliability of power supply, it is critical to monitor and understand how power is used, although collecting and accessing this information raises network security concerns. The monitoring functions of an industrial control system can be used to obtain equipment information, so as to avoid downtime and to understand system parameters and diagnostic information, but they also create a new risk: unauthorized access to information, or inadvertently giving unauthorized users access to equipment operation and parameter settings.
Defense in depth is a strategy of building different barriers at multiple levels within an organization to ensure the safety of industrial control systems. Five techniques for "defense in depth" include:
1. Establish firewalls for communications between multiple network segments and zones within the industrial control system network, to add multiple, more stringent rules
2. Create demilitarized zones (DMZs) behind established firewalls by grouping key components and isolating them from traditional commercial IT networks
3. Deploy intrusion detection and prevention systems to identify incidents that may occur in industrial control system networks
4. Establish well-reviewed policies, procedures, standards and guidelines for the safety of industrial control networks, and document them in writing
5. Carry out ongoing safety assessments and training to ensure the safety of industrial control systems and of the people who rely on them.
(Author: Daniel E. Capano)