802.11 Session

802.11

802.11 802.11 LAN LAN

802.11 802.11 LAN LAN

/ /

/ ROI 70 CompUSA AP

/ IT WLAN

WLAN

/ / Barcode POS WEP

HIPAA LANS

802.11 802.11 LAN LAN

802.11 (SSID) (WEP) MAC

(SSID) Cisco SSID SSID LAN Cisco SSID

WEP RC4 40 104

XOR

12345 XOR CISCO AHGAE

IV IV 45678 XOR IV CISCO WGSSF

802.11 IV 802.11 IV 24 Octets 40 64 104 128 Bits IV MSDU Pad 0-2304 4 ID ICV

802.11 1. 2. 3. 4. 5. 6. AP

802.11 WEP, WEP WEP

802.11 1. EP 123456 2. ( ) 3. / 4. WEP WEP 112233 4. X AP WEP AP

802.11 EP 112233 1. 2. ( ) 3. ( ) 4. ( ) WEP 112233 AP WEP AP WEP AP,

802.11 MAC 802.11

802.11 MAC 1. 2. RADIUS (PAP) MAC MAC ABC 4. ( ) 3. RADIUS- RADIUS AP MAC 1) 2) AAA

802.11 WEP

802.11 802.11 LAN LAN

802.11 WEP WEP

SSID! Beacons SSID SSID WiFi

SSID

NIC

XOR XOR

XOR ( )

MAC MAC MAC

802.11 WEP WEP 1M 4M LAN AirSnort

LAN IV/WEP

IV/WEP ) LAN, IV

IV/WEP 2. 1.

IV/WEP XORed XORed XOR XOR (1) (1) (2) (2) XOR XOR (1) (1) (2) (2) (1) (1) (2) (2) (1) (1) (2) (2) WEP WEP

LAN

(ICV) CRC-32 ICV AP

WEP ICV 3 CRC Fail WEP XOR

WEP (F1 and C1) 01011010110101 110 XOR 110 (F2) 000000111 00000 XOR 101 ICV (C3) (F3) 010110 010 10101 010 ICV (C2) ICV + ICV (F3 + C3) 010110 010 10101 101

802.11 1997 802.11 WEP LAN!!

802.11 WEP

802.11 802.11 LAN LAN

LAN

LAN 802.11

LAN VPN TKIP 802.1X

AAA

802.11 VPN PKI AAA

802.11 802.1X 2 (EAP) AP AAA PKI

802.1X RADIUS AP RADIUS RADIUS

EAP LAN EAP-Cisco (aka LEAP) EAP-TLS ( ) EAP-PEAP ( EAP) / EAP-TTLS ( TLS) /

EAP-Cisco Windows 95-XP Windows CE Macintosh OS 9.X 10.X Linux (WGB 340 350) (BR350 )

EAP-Cisco RADIUS Cisco ACS Cisco AR Funk Steel Belted RADIUS Interlink Merit Microsoft Active Directory ( )

EAP-Cisco RADIUS NT/AD AP RADIUS RADIUS AP,

EAP-TLS Windows 2000, XP EAP-TLS RADIUS Cisco ACS, Cisco AR, MS IAS RADIUS Windows 2000 Server

EAP-TLS RADIUS AP AP,

EAP-TTLS TLS (CHAP, PAP ) EAP-PEAP TLS EAP (EAP-GTC, EAP-MD5 )

CA EAP-TLS / LDAP Unix NT/AD Kerberos

EAP-TLS RADIUS AAA AP AP,

EAP-TLS RADIUS AAA AP EAP EAP AP,

EAP-MD5 WLAN

EAP-Cisco RADIUS RADIUS AP

EAP-MD5 EAP-Cisco EAP-TLS EAP- TTLS/PEAP VPN AP X X X X X X X X X X X X X* X* X X X X: *

T (TKIP) WEP VPN 3DES HMAC-SHA1 HMAC-MD5

TKIP Cisco

IV IV IV WEP WEP WEP IV

IV WEP Hash XOR IV WEP IV IV IV WEP WEP WEP IV

IV 802.11 IV 2^24 ( 0 16.7M) WEP 802.1X IV/

(MIC) IV/WEP

(MIC) WEP 802.11 IV LLC SNAP ICV WEP MIC802.11 WEP IV LLC SNAP MIC SEQ ICV WEP

(MIC) MIC MAC Seed 32 MIC SEQ DA SA LLC SNAP SEQ MMH Hash 4 MIC

802.1X WEP

WEP TKIP VPN X X IV AirS rt X X X X

802.11 802.11 LAN LAN

LAN 802.11 VPN TKIP 802.1X

802.11 VPN VPN

802.11 VPN VPN WLAN

802.11 VPN AP

802.11 VPN ( ) IP ARP

802.11 VPN IP ( ) UDP DNS DHCP ESP ( 50)

802.11 VPN IP DNS DHCP IKE ( 500)

802.11 VPN IP DNS DHCP IKE ( 500)

802.11 VPN AP

802.11 VPN 3 ACL ESP IKE ICMP DHCP DNS

802.11 VPN 3 ACL ESP IKE ICMP DHCP DNS

VPN ACLs VPN, DHCP, DNS VPN Si VPN AAA

802.11 VPN Si Si ACLs to Allow VPN, DHCP, DNS Si Si VPN VPN VLAN

802.11 VPN VPN CPE IPSec AP

802.11 VPN WAN ACLs to Allow VPN, DNS, DHCP WAN AP Si VPN AP

802.11 VPN VPN WAN WAN WAN ACLs VPN, DHCP,DNS Si AP

802.11 VPN VPN WAN

802.11 VPN s ACLs VPN IPSec IPSec AAA

802.11 VPN IPSec ACLs to Allow VPN Si IPSec VPN AAA

802.11 VPN 30% 40%

802.11 VPN IP IPX AppleTalk 802.11e QoS VPN WLAN IP/ESP

802.11 VPN WLAN Barcode, 802.11 2 ESP 3 IP

TKIP 802.1X EAP-Cisco EAP-TLS Cisco AP

TKIP 802.1X AP VPN, 11.10T1 TKIP 11.10T1 / VPN 4.25.10 NDIS 6.97 TKIP 4.25.23 NDIS 8.01.06

TKIP 802.1X RADIUS EAP-Cisco ACS v2.6 v3.0 AR v1.7 Funk Steel Belted RADIUS 3.0 Interlink RAD-E v5.1 EAP-TLS ACS v3.0 MS IAS 2000

TKIP 802.1X TKIP

TKIP 802.1X RADIUS AP NAS RADIUS RADIUS 27

TKIP 802.1X Si Si CA RADIUS

TKIP EAP-Cisco Cisco 340/350 Cisco EAP-Cisco (LEAP) Windows

TKIP EAP-Cisco 802.1X 10

TKIP EAP-Cisco RADIUS NT /W2K Active Directory

TKIP EAP-Cisco EAP-Cisco v11.10t1

TKIP EAP-Cisco EAP-Cisco NT/W2K AD EAP-Cisco RADIUS

TKIP EAP-TLS WinXP Win2K SP3 OS SSID

TKIP EAP-TLS

TKIP EAP-TLS CA MS CA Win2K

TKIP EAP-TLS RADIUS Cisco ACS Microsoft IAS Microsoft Win2k CA

TKIP 802.1X RADIUS WAN WAN WAN Si

WAN 802.1X

WAN 802.1X QoS WAN 802.1X RADIUS DSCP AF31/IP 3 LLQ CBWFQ RADIUS 1.5 KB 8 Kbps 5

TKIP 802.1X IEEE, 802.11 802.11 E, F, H, I

TKIP 802.1X WEP MIC 5% 15%

TKIP 802.1X ( ) RADIUS 300 600 ms

RADIUS (PSPF)

RADIUS AP RFC2866 RADIUS ; AP

RADIUS AP AP AP

RADIUS EAP EAP EAP / / MAC

RADIUS RADIUS / / ID NAS ( ) IP

RADIUS -> / /

RADIUS / EAP EAP

WLAN AP BSS

PSPF

802.11 802.11 LAN LAN

IEEE 802.11i TKIP (WiFi) AES

AES 3DES NIST Rijndael 128,192, 256

AES (OCB ) (CCM )

TKIP 802.1X IPSec (Bits) 128 168 ACL RC4 CRC32/MIC / / / CA 3 DES MD5-HMAC/SHA-HMAC / OTP VPN IP Static WEP 128 PC PAD; PC PAD; OS OS RC4 CRC32/MIC QoS IPSec VPN

EAP-SIM MAC_RAND RADIUS AuC AP 1IMSI@realm 1IMSI@realm GetAuthInfo SIM- SIM- Authenticated SIM- SIM- -Resp EAP- -Resp MAC_SRES AP,

802.11 Session

Session