Protocol WPA2 is defined by the IEEE 802.11i standard created in 2004 to replace. It implements CCMP and encryption AESdue to what WPA2 became more secure than its predecessor. Since 2006 support WPA2 is a prerequisite for all certified devices.
Difference between WPA and WPA2
Searching for the difference between WPA2 and WPA2 is not relevant for most users, since all the protection of a wireless network comes down to choosing a more or less complex access password. Today, the situation is such that all devices operating in Wi-Fi networks must support WPA2, so the choice of WPA can only be due to non-standard situations. For example, oS older than Windows XP SP3 do not support WPA2 without patches, so machines and devices managed by such systems require the attention of the network administrator. Even some modern smartphones may not support the new encryption protocol, mainly for off-brand Asian gadgets. On the other hand, some windows versions older than XP do not support working with WPA2 at the level of GPOs, therefore, in this case, they require more fine-tuning of network connections.
The technical difference between WPA and WPA2 lies in the encryption technology, in particular, in the protocols used. WPA uses TKIP, WPA2 uses AES. In practice, this means that more modern WPA2 provides a higher degree of network security. For example, the TKIP protocol allows you to create an authentication key up to 128 bits, AES - up to 256 bits.
The difference between WPA2 and WPA is as follows:
- WPA2 is an enhanced WPA.
- WPA2 uses the AES protocol, WPA uses the TKIP protocol.
- WPA2 is supported by all modern wireless devices.
- WPA2 may not be supported by legacy operating systems.
- WPA2 is more secure than WPA.
WPA2 authentication
Both WPA and WPA2 operate in two authentication modes: personal (Personal) and corporate (Enterprise)... In WPA2-Personal mode, a 256-bit key, sometimes referred to as a pre-shared key, is generated from the plaintext passphrase entered. The PSK key, as well as the identifier and length of the latter, together form the mathematical basis for the formation of the master pair key. PMK (Pairwise Master Key)which is used to initialize a four-way handshake and generate a temporary pair or session key PTK (Pairwise Transient Key)to communicate with the wireless user device with the access point. Like static, WPA2-Personal has key distribution and maintenance issues inherent in it, making it more suitable for use in small offices than in enterprises.
However, WPA2-Enterprise successfully addresses static key distribution and management issues, and integrates with most enterprise authentication services to provide account-based access control. This mode requires credentials such as username and password, security certificate, or one-time password; authentication is carried out between workstation and a central authentication server. The access point or wireless controller monitors the connection and routes authentication packets to the appropriate authentication server, typically this. WPA2-Enterprise mode is based on 802.1X, which supports port-based user and machine authentication for both wired switches and wireless access points.
WPA2 encryption
WPA2 is based on the AES encryption method, which replaced DES and 3DES as the de facto industry standard. Compute-intensive, AES requires hardware support that is not always available in older WLAN hardware.
WPA2 uses the Cipher Block Chaining Message Authentication Code (CBC-MAC) protocol for authentication and data integrity, and Counter Mode (CTR) for data encryption and MIC checksum. The message integrity code (MIC) of WPA2 is nothing more than a checksum and, unlike WPA, provides data integrity for unchanged 802.11 header fields. This prevents packet replay attacks to decrypt packets or compromise cryptographic information.
The MIC is calculated using a 128-bit Initialization Vector (IV), and the IV is encrypted using the AES method and a temporary key, resulting in a 128-bit result. Next, an exclusive OR operation is performed on this result and the next 128 bits of data. The result is encrypted with AES and TK, and then an XOR operation is performed over the last result and the next 128 bits of data. The procedure is repeated until the entire payload has been exhausted. The first 64 bits of the result obtained in the very last step are used to calculate the MIC value.
A counter mode-based algorithm is used to encrypt data and MIC. As with encryption of the MIC initialization vector, this algorithm starts with preloading a 128-bit counter, where the counter value is set to one in the counter field instead of the value corresponding to the data length. Thus, a separate counter is used to encrypt each packet.
Using AES and TK, the first 128 bits of data are encrypted, and then an exclusive OR operation is performed on the 128-bit result of this encryption. The first 128 bits of data give the first 128-bit encrypted block. The preloaded counter value is incremented and encrypted with AES and a data encryption key. Then, the result of this encryption and the next 128 bits of data is again XORed.
The procedure is repeated until all 128-bit data blocks are encrypted. After that, the final value in the counter field is reset to zero, the counter is encrypted using the AES algorithm, and then an exclusive OR is performed on the result of the encryption and MIC. The result of the last operation is docked to the encrypted frame.
After MIC counting using CBC-MAC protocol, data and MIC are encrypted. Then the 802.11 header and the CCMP packet number field are added to this information in front, the 802.11 trailer is docked, and it is all sent together to the destination address.
Data decryption is performed in reverse order of encryption. To retrieve the counter, the same algorithm is used as for its encryption. To decrypt the counter and the encrypted portion of the payload, a counter mode-based decryption algorithm and TK are applied. The result of this process is the decrypted data and the MIC checksum. After that, using the CBC-MAC algorithm, the MIC for the decrypted data is recalculated. If the MIC values \u200b\u200bdo not match, then the packet is discarded. If the specified values \u200b\u200bmatch, the decrypted data is sent to network stackand then to the client.
This article focuses on the security issue when using wireless networks WiFi.
Introduction - WiFi vulnerabilities
The main reason for the vulnerability of user data when this data is transmitted over WiFi networks is that the exchange occurs over the radio wave. And this makes it possible to intercept messages at any point where the WiFi signal is physically available. Simply put, if the signal of an access point can be caught at a distance of 50 meters, then interception of all network traffic of this WiFi network is possible within a radius of 50 meters from the access point. In the next room, on another floor of the building, on the street.
Imagine this picture. In the office, the local network is built via WiFi. This office's access point signal is picked up outside the building, for example in a car park. An attacker outside the building can gain access to the office network, that is, unnoticed by the owners of this network. WiFi networks can be accessed easily and invisibly. Technically much easier than wired networks.
Yes. To date, WiFi network protection tools have been developed and implemented. This protection is based on encrypting all traffic between the access point and the end device that is connected to it. That is, an attacker can intercept a radio signal, but for him it will be just digital "garbage".
How does WiFi protection work?
The access point includes in its WiFi network only the device that will send the correct (specified in the access point settings) password. In this case, the password is also sent encrypted, in the form of a hash. The hash is the result of irreversible encryption. That is, the data that is translated into a hash cannot be decrypted. If an attacker intercepts the password hash, he will not be able to obtain the password.
But how does the access point know if the password is correct or not? What if she also receives a hash, but cannot decrypt it? It's simple - in the access point settings, the password is specified in its pure form. The authorization program takes a clean password, creates a hash from it, and then compares this hash with the one received from the client. If the hashes match, then the client has the correct password. The second feature of hashes is used here - they are unique. The same hash cannot be obtained from two different sets of data (passwords). If two hashes match, then they are both created from the same dataset.
By the way. Due to this feature, hashes are used for data integrity control. If the two hashes (generated with a time interval) match, then the original data (during this time interval) has not been changed.
Nevertheless, despite the fact that the most modern method wiFi protection network (WPA2) is reliable, this network can be hacked. How?
There are two methods for accessing a WPA2 secured network:
- Password brute force attack (so-called dictionary search).
- Exploiting a vulnerability in the WPS function.
In the first case, the attacker intercepts the password hash for the access point. Then a hash comparison is performed over a database in which thousands, or millions of words are recorded. A word is taken from the dictionary, a hash for this word is generated and then this hash is compared with the hash that was intercepted. If a primitive password is used on the access point, then cracking the password, this access point, is a matter of time. For example, an 8-digit password (8 characters is the minimum password length for WPA2) is one million combinations. On a modern computer, it is possible to enumerate one million values \u200b\u200bin a few days or even hours.
In the second case, a vulnerability is exploited in the first versions of the WPS function. This feature allows you to connect a device to the access point where you cannot enter a password, such as a printer. When using this function, the device and the access point exchange a digital code, and if the device sends the correct code, the access point will authorize the client. There was a vulnerability in this function - the code was of 8 digits, but uniqueness was checked only by four of them! That is, to hack WPS, you need to enumerate all the values \u200b\u200bthat give 4 digits. As a result, hacking an access point via WPS can be done in literally a few hours, on any, the weakest device.
Setting up WiFi security
The security of the WiFi network is determined by the settings of the access point. Several of these settings directly affect network security.
WiFi network access mode
The access point can operate in one of two modes - open or protected. When open access, any device can connect to the access point. In the case of secure access, only the device that transmits the correct access password is connected.
There are three types (standards) for protecting WiFi networks:
- WEP (Wired Equivalent Privacy)... The very first standard of protection. Today it does not actually provide protection, since it is very easy to hack due to the weakness of the defense mechanisms.
- WPA (Wi-Fi Protected Access)... Chronologically the second standard of protection. At the time of creation and commissioning, it provided effective protection for WiFi networks. But at the end of the 2000s, opportunities were found to break WPA security through vulnerabilities in security mechanisms.
- WPA2 (Wi-Fi Protected Access)... The latest security standard. Provides reliable protection if certain rules are followed. To date, there are only two known ways to break WPA2 protection. Searching for a password in a dictionary and a workaround through the WPS service.
Therefore, to ensure the security of the WiFi network, you must select the WPA2 security type. However, not all client devices can support it. For example Windows XP SP2 only supports WPA.
In addition to choosing the WPA2 standard, additional conditions are required:
Use AES encryption method.
The password to access the WiFi network must be composed as follows:
- Use letters and numbers in the password. An arbitrary set of letters and numbers. Or a very rare word or phrase that is meaningful only to you.
- Not use simple passwords like name + date of birth, or some word + a few numbers, for example lena1991 or dom12345.
- If you need to use only numeric password, then its length must be at least 10 characters. Because an eight-character digital password is brute-force in real time (from several hours to several days, depending on the power of the computer).
If you use complex passwords, in accordance with these rules, then your WiFi network will not be able to be hacked by guessing a password using a dictionary. For example, for a password like 5Fb9pE2a (arbitrary alphanumeric), maximum possible 218340105584896 combinations. Today it is almost impossible to match. Even if the computer compares 1,000,000 (million) words per second, it will take almost 7 years to iterate over all the values.
WPS (Wi-Fi Protected Setup)
If your access point has Wi-Fi Protected Setup (WPS), you need to disable it. If this feature is required, you need to ensure that its version is updated to the following features:
- Using all 8 characters of the pincode instead of 4, as it was at the beginning.
- Enabling a delay after several attempts to transmit the wrong PIN code from the client.
An additional opportunity to improve WPS security is the use of an alphanumeric pincode.
Security of public WiFi networks
Today it is fashionable to use the Internet via WiFi networks in public places - in cafes, restaurants, shopping centers, etc. It is important to understand that the use of such networks can lead to theft of your personal data. If you access the Internet through such a network and then authorize on any site, then your data (login and password) can be intercepted by another person who is connected to the same WiFi network. Indeed, on any device that has passed authorization and is connected to an access point, you can intercept network traffic from all other devices on this network. A feature of public wiFi networks in the fact that anyone can connect to it, including an attacker, and not only to an open network, but also to a protected one.
What can you do to protect your data when connected to the Internet via a public WiFi network? There is only one option - to use the HTTPS protocol. This protocol establishes an encrypted connection between the client (browser) and the site. However, not all sites support the HTTPS protocol. Addresses on a site that supports HTTPS start with the prefix https: //. If the addresses on the site have the http: // prefix, this means that the site does not support HTTPS or it is not used.
Some sites do not use HTTPS by default, but they have this protocol and you can use it if you explicitly (manually) specify the https: // prefix.
For other use cases such as Internet chats, Skype, etc., free or paid VPN servers can be used to protect this data. That is, first connect to the VPN server, and only then use chat or an open site.
WiFi password protection
In the second and third parts of this article, I wrote that in the case of using the WPA2 security standard, one of the ways to hack a WiFi network is to guess a password using a dictionary. But for an intruder, there is another way to get the password to your WiFi network. If you store your password on a sticker glued to the monitor, this makes it possible for a stranger to see this password. Also, your password can be stolen from a computer that is connected to your WiFi network. This can be done by a stranger if your computers are not protected from unauthorized access. This can be done with malware... In addition, the password can be stolen from a device that is taken out of the office (home, apartment) - from a smartphone, tablet.
Thus, if you need reliable protection your WiFi network, you need to take steps to store the password securely. Protect it from unauthorized access.
If you found it useful or just liked this article, then do not hesitate - financially support the author. It's easy to do by throwing money on Yandex Wallet No. 410011416229354... Or on the phone +7 918-16-26-331 .
Even a small amount can help you write new articles :)
Today we will dig a little deeper into the topic of protection. wireless connection... Let's figure out what it is - it is also called "authentication" - and which one is better to choose. Surely when you came across such abbreviations as WEP, WPA, WPA2, WPA2 / PSK. And also some of their varieties - Personal or Enterprice and TKIP or AES. Well, let's take a closer look at all of them and figure out which type of encryption to choose to provide maximum speed without losing speed.
Note that you must protect your WiFi with a password, no matter what type of encryption you choose. Even the most simple authentication will allow you to avoid quite serious problems in the future.
Why do I say that? It's not even that the connection of many left-handed clients will slow down your network - these are just flowers. The main reason is that if your network is not password protected, then an intruder can stick to it, who from under your router will perform illegal actions, and then you will have to answer for his actions, so take the protection of wifi with all seriousness.
WiFi data encryption and authentication types
So, we were convinced of the need to encrypt the wifi network, now let's see what types there are:
What is WEP wifi protection?
WEP (Wired Equivalent Privacy) is the very first standard that has appeared, which no longer meets modern requirements in terms of reliability. All programs configured to hack the network wifi method enumeration of characters are aimed more precisely at selecting the WEP encryption key.
What is WPA Key or Password?
WPA (Wi-Fi Protected Access) is a more modern authentication standard that allows you to reliably protect the local network and the Internet from illegal penetration.
What is WPA2-PSK - Personal or Enterprise?
WPA2 - an improved version of the previous type. Hacking WPA2 is almost impossible, it provides the maximum degree of security, so in my articles I always say without explanation that it is necessary to install it - now you know why.
The WiFi security standards WPA2 and WPA have two more flavors:
- Personal, referred to as WPA / PSK or WPA2 / PSK. This type is the most widely used and optimal for use in most cases - both at home and in the office. In WPA2 / PSK, we set a password of at least 8 characters, which is stored in the memory of the device that we connect to the router.
- Enterprise - a more complex configuration that requires the RADIUS function to be enabled on the router. It works according to the principle, that is, a separate password is assigned for each separate connected gadget.
WPA Encryption Types - TKIP or AES?
So, we decided that WPA2 / PSK (Personal) would be the best choice for network security, but it has two more types of data encryption for authentication.
- TKIP - today it is already an obsolete type, but it is still widely used, since many devices for a certain number of years of release support only it. Does not work with WPA2 / PSK technology and does not support 802.11n WiFi.
- AES - the last and most reliable type at the moment wiFi encryption.
How to choose the type of encryption and put the WPA key on the WiFi router?
With the theory sorted out - let's move on to practice. Since WiFi 802.11 "B" and "G" standards, which maximum speed up to 54 Mbps, no one has been using it for a long time - today the norm is 802.11 "N" or "AC", which support speeds up to 300 Mbps and higher, then there is no point in considering the option of using WPA / PSK security with the TKIP encryption type. Therefore, when you configure a wireless network, then set the default
WPA2 / PSK - AES
Or, as a last resort, specify "Auto" as the encryption type in order to provide for the connection of devices with an outdated WiFi module.
In this case, the WPA key, or, simply put, the password for connecting to the network, must have from 8 to 32 characters, including English lowercase and capital letters, as well as various special characters.
Wireless Security on TP-Link Router
The screenshots above show the control panel of a modern TP-Link router in new version firmware. The network encryption setting is located here in the "Advanced settings - Wireless mode" section.
In the old "green" version, the WiFi network configurations of interest to us are located in the " Wireless - Security". Do everything as in the image - it will be super!
If you noticed, there is still such an item as "WPA Group Key Renewal Period". The point is that the real WPA digital key for encrypting the connection is dynamically changed to provide more protection. Here you set the value in seconds after which the change occurs. I recommend not touching it and leaving it at its default - the refresh interval differs from model to model.
Authentication method for ASUS router
Everything on ASUS routers wiFi parameters located on one page "Wireless network"
Network protection through Zyxel Keenetic router
Similarly, for Zyxel Keenetic - section "WiFi Network - Access Point"
IN keenetic routers without the "Zyxel" prefix, change the encryption type in the section " home network».
Configuring the security of the D-Link router
On D-Link we are looking for the section “ Wi-Fi - Security»
Well, today we figured out the types of WiFi encryption and terms like WEP, WPA, WPA2-PSK, TKIP and AES and found out which one is better to choose. Read about other network security options in one of the previous articles, in which I talk about MAC and IP addresses and other protection methods.
Video on setting the type of encryption on the router
IN recent times there have been many “revealing” publications about hacking of any next protocol or technology that compromises the security of wireless networks. Is this really so, what is worth fearing, and how to make access to your network as secure as possible? Do words WEP, WPA, 802.1x, EAP, PKI mean little to you? This short overview will help bring together all the encryption and radio access authorization technologies in use. I will try to show that a properly configured wireless network is an insurmountable barrier for an attacker (up to a certain limit, of course).
The basics
Any interaction between the access point (network) and the wireless client is based on:- Authentication - how the client and the access point introduce themselves to each other and confirm that they have the right to communicate with each other;
- Encryption - what scrambling algorithm for the transmitted data is used, how the encryption key is generated, and when it is changed.
The wireless network parameters, primarily its name (SSID), are regularly announced by the access point in broadcast beacon packets. In addition to the expected security settings, requests for QoS, 802.11n parameters, supported speeds, information about other neighbors, etc. are transmitted. Authentication defines how the client is presented to the point. Possible options:
- Open - so-called open network, in which all connected devices are authorized at once
- Shared - the authenticity of the connected device must be verified with a key / password
- EAP - the authenticity of the connected device must be verified using the EAP protocol by an external server
- None - no encryption, data is transmitted in clear text
- WEP - cipher based on the RC4 algorithm with different static or dynamic key lengths (64 or 128 bits)
- CKIP - a proprietary replacement for WEP from Cisco, an early version of TKIP
- TKIP - improved WEP replacement with additional checks and security
- AES / CCMP - the most advanced algorithm based on AES256 with additional checks and protection
Combination Open Authentication, No Encryption widely used in guest access systems like providing the Internet in a cafe or hotel. To connect, you only need to know the name of the wireless network. Often this connection is combined with additional verification to the Captive Portal by redirecting the user's HTTP request to an additional page where you can request confirmation (login-password, consent to the rules, etc.).
Encryption WEPis compromised and cannot be used (even with dynamic keys).
Commonly used terms WPAand WPA2 determine, in fact, the encryption algorithm (TKIP or AES). Due to the fact that client adapters have been supporting WPA2 (AES) for quite some time, it makes no sense to use TKIP encryption.
Difference between WPA2 Personal and WPA2 Enterprise is where the encryption keys used in the mechanics of the AES algorithm come from. For private (home, small) applications, a static key (password, a codeword, PSK (Pre-Shared Key)) with a minimum length of 8 characters, which is specified in the access point settings, and is the same for all clients of this wireless network. Compromising such a key (letting a neighbor slip, an employee fired, a laptop stolen) requires an immediate password change for all remaining users, which is realistic only in the case of a small number of them. For corporate applications, as the name suggests, a dynamic key is used that is individual for each working client at the moment. This key can be periodically updated during operation without breaking the connection, and an additional component is responsible for its generation - the authorization server, and almost always this is a RADIUS server.
All possible safety parameters are summarized in this plate:
| Property | Static WEP | Dynamic WEP | WPA | WPA 2 (Enterprise) |
| Identification | User, computer, WLAN card | User, computer |
User, computer |
User, computer |
| Authorization |
Shared key |
EAP |
EAP or shared key |
EAP or shared key |
Integrity |
32-bit Integrity Check Value (ICV) |
32-bit ICV |
64-bit Message Integrity Code (MIC) |
CRT / CBC-MAC (Counter mode Cipher Block Chaining Auth Code - CCM) Part of AES |
Encryption |
Static key |
Session key |
Per-packet key via TKIP |
CCMP (AES) |
Key distribution |
One-shot, manually |
Segment Pair-wise Master Key (PMK) |
Derived from PMK |
Derived from PMK |
Initialization vector |
Text, 24 bit |
Text, 24 bit |
Extended vector, 65 bit |
48-bit packet number (PN) |
Algorithm |
RC4 |
RC4 |
RC4 |
AES |
Key length, bit |
64/128 |
64/128 |
128 |
up to 256 |
Required infrastructure |
No |
RADIUS |
RADIUS |
RADIUS |
If everything is clear with WPA2 Personal (WPA2 PSK), the corporate solution requires additional consideration.
WPA2 Enterprise
Here we are dealing with an additional set of different protocols. Client side custom component software, supplicant (usually the OS part) interacts with the authorizing part, the AAA server. IN this example the work of a unified radio network based on lightweight access points and a controller is displayed. In the case of using access points "with brains" the entire role of an intermediary between clients and the server can be assumed by the point itself. In this case, the data of the client supplicant is transmitted over the radio, formed in the 802.1x protocol (EAPOL), and on the controller side, they are wrapped in RADIUS packets.
The use of the EAP authorization mechanism in your network leads to the fact that after successful (almost certainly open) authentication of the client by the access point (together with the controller, if any), the latter asks the client to authorize (confirm its authority) with the infrastructure RADIUS server:
Using WPA2 Enterprise requires a RADIUS server on your network. At the moment, the following products are the most efficient:
- Microsoft Network Policy Server (NPS), formerly IAS - configurable via MMC, free, but you need to buy Windows
- Cisco Secure Access Control Server (ACS) 4.2, 5.3 - configurable via the web interface, heaped up in functionality, allows you to create distributed and fault-tolerant systems, is expensive
- FreeRADIUS - free, configurable by text configs, not convenient in management and monitoring
In this case, the controller closely monitors the ongoing exchange of information, and waits for the successful authorization, or refusal in it. If successful, the RADIUS server is able to transmit to the access point extra options (for example, in which VLAN to place the subscriber, which one to assign an IP address, QoS profile, etc.). At the end of the exchange, the RADIUS server allows the client and the access point to generate and exchange encryption keys (individual, valid only for this session):
EAP
The EAP protocol itself is containerized, that is, the actual authorization mechanism is at the mercy of the internal protocols. On currently the following have received any significant distribution:- EAP-FAST (Flexible Authentication via Secure Tunneling) - developed by Cisco; allows authorization by login-password transmitted within the TLS tunnel between the supplicant and the RADIUS server
- EAP-TLS (Transport Layer Security). Uses infrastructure public keys (PKI) for authorization of the client and server (supplicant and RADIUS server) through certificates issued by a trusted certification authority (CA). Requires subscribing and installing client certificates for each wireless devicetherefore only suitable for managed enterprise environments. Windows Certificate Server has a means of allowing a client to generate a certificate for itself if the client is a member of a domain. Blocking a client is easily done by revoking his certificate (or through accounts).
- EAP-TTLS (Tunneled Transport Layer Security) is similar to EAP-TLS, but no client certificate is required when creating a tunnel. In such a tunnel, similar to a browser's SSL connection, additional authorization is performed (by password or something else).
- PEAP-MSCHAPv2 (Protected EAP) - Similar to EAP-TTLS in that it initially establishes an encrypted TLS tunnel between a client and a server, requiring a server certificate. Further, in such a tunnel, authorization takes place using the well-known MSCHAPv2 protocol
- PEAP-GTC (Generic Token Card) - similar to the previous one, but requires one-time password cards (and related infrastructure)
All of these methods (except for EAP-FAST) require a server certificate (on the RADIUS server) issued by a certification authority (CA). In this case, the CA certificate itself must be present on the client's device in the trusted group (which is easy to implement using Group Policy in Windows). Additionally, EAP-TLS requires an individual client certificate. Client authentication is performed as per digital signature, so (optional) comparing the certificate provided by the client to the RADIUS server with the one the server retrieved from the PKI infrastructure (Active Directory).
Support for any of the EAP methods must be provided by a client-side supplicant. The standard built into Windows XP / Vista / 7, iOS, Android provides at least EAP-TLS, and EAP-MSCHAPv2, which explains the popularity of these methods. The ProSet utility is shipped with Intel Windows client adapters to expand the available list. The Cisco AnyConnect Client does the same.
How reliable is it
In the end, what does an attacker need to hack into your network?For Open Authentication, No Encryption is nothing. Connected to the network, and that's it. Since the radio environment is open, the signal travels to different sides, blocking it is not easy. If there are appropriate client adapters that allow listening to the air, the network traffic is seen as if the attacker was connected to the wire, to the hub, to the SPAN port of the switch.
WEP-based encryption only requires a brute-force IV and one of the many freely available scanning utilities.
For encryption based on TKIP or AES, direct decryption is possible in theory, but in practice there have been no cases of hacking.
Of course, you can try to guess the PSK key, or the password for one of the EAP methods. No common attacks against these methods are known. You can try social engineering techniques, or
Security is a major concern for all wireless LANs (and, for that matter, all wired LANs). Security is just as important here as it is for any Internet user. Security is a complex issue and requires constant attention. Huge harm can be caused to the user due to the fact that he uses random hot spots (hot spots) or open points access WI-FI home or office and does not use encryption or VPN (Virtual Private Network - virtual private network). This is dangerous because the user enters his personal or professional data, and the network is not protected from intrusion.
WEP
It was initially difficult to provide adequate security for wireless LANs.
Hackers could easily connect to almost any WiFi network, breaking early versions of security systems such as Wired Equivalent Privacy (WEP). These events left their mark, and for a long time, some companies were reluctant to implement wireless networks or did not implement them at all, fearing that the data transmitted between wireless WiFi devices and Wi-Fi hotspots can be intercepted and decrypted. Thus, this security model slowed down the process of integrating wireless networks into business and made users nervous when using WiFi networks at home. Then the IEEE Institute, created working group 802.11i, which worked to create a comprehensive security model to provide 128-bit AES encryption and authentication to protect data. The Wi-Fi Alliance has released its own interim version of this 802.11i security specification: Wi-Fi Protected Access (WPA). The WPA module combines several technologies to address the vulnerability of 802.11 WEP systems. Thus, WPA provides strong user authentication using the 802.1x standard (mutual authentication and encapsulation of data transmitted between wireless client devices, access points and a server) and Extensible Authentication Protocol (EAP).
The principle of operation of security systems is shown schematically in Fig. 1
Also, WPA is equipped with a temporary module for encrypting the WEP engine using 128 - bit encryption keys and uses Temporary Key Integrity Protocol (TKIP). And the message checksum (MIC) prevents data packets from being modified or formatted. This combination of technologies protects the confidentiality and integrity of data transmission and ensures security by controlling access so that only authorized users can access the network.
WPA
Further enhancing WPA security and access control is to create a new unique key master for communication between each user wireless equipment and access points and providing an authentication session. And also, in creating a random key generator and in the process of generating a key for each package.
The IEEE ratified the 802.11i standard in June 2004, greatly expanding many of its capabilities thanks to WPA technology. The Wi-Fi Alliance has strengthened its security module in the WPA2 program. Thus, the transmission security level wiFi data 802.11 standard has reached the necessary level for the introduction of wireless solutions and technologies in enterprises. One of the significant changes in 802.11i (WPA2) over WPA is the use of 128-bit Advanced Encryption Standard (AES). WPA2 AES uses anti-CBC-MAC mode (a mode of operation for a cipher block that allows a single key to be used for both encryption and authentication) to ensure data confidentiality, authentication, integrity, and playback protection. 802.11i also offers key caching and pre-authentication for ordering users by access point.
WPA2
With the 802.11i standard, the entire chain of the security module (login, authority exchange, authentication and data encryption) becomes more reliable and effective protection from undirected and targeted attacks. WPA2 allows the Wi-Fi network administrator to switch from security issues to operations and device management.
The 802.11r standard is a modification of the 802.11i standard. This standard was ratified in July 2008. The technology of the standard transfers key hierarchies more quickly and reliably, based on the Handoff technology, as a user moves between access points. The 802.11r standard is fully compliant with the 802.11a / b / g / n WiFi standards.
There is also the 802.11w standard, which is designed to enhance the security mechanism based on the 802.11i standard. This standard is designed to protect control packages.
802.11i and 802.11w standards are mechanisms for protecting WiFi networks of the 802.11n standard.
Encrypting files and folders in Windows 7
The encryption function allows you to encrypt files and folders that will later be impossible to read on another device without a special key. This feature is present in such versions of Windows 7 as Professional, Enterprise or Ultimate. Next, we will highlight how to enable encryption of files and folders.
Enabling file encryption:
Start -\u003e Computer (select the file to encrypt) -\u003e right button mouse over the file-\u003e Properties-\u003e Advanced (General tab) -\u003e Additional attributes-\u003e Put a marker in the item encrypt content to protect data-\u003e Ok-\u003e Apply-\u003e Ok (Select apply only to the file) -\u003e
Enabling folder encryption:
Start -\u003e Computer (select a folder for encryption) -\u003e right mouse button on the folder-\u003e Properties-\u003e Advanced (General tab) -\u003e Additional attributes-\u003e Put a marker in the item encrypt content to protect data-\u003e Ok-\u003e Apply-\u003e Ok (Select apply to file only) -\u003e Close Properties dialog (Click Ok or Close).
