34Figure 12 Shared key authentication processWLAN data securityCompared with wired networks, WLAN networks are more susceptible to attacks because all WLANdevices share the same medium and thus every device can receive data from any other sendingdevice. Plain-text data is transmitted over the WLAN if there is no security service.To secure data transmission, 802.11 protocols provide some encryption methods to ensure thatdevices without the right key cannot read encrypted data.1. WEP encryptionWired Equivalent Privacy (WEP) was developed to protect data exchanged among authorizedusers in a wireless LAN from casual eavesdropping. WEP uses RC4 encryption (a streamencryption method) for confidentiality and supports WEP40, WEP104, and WEP128 keys.Although WEP encryption increases the difficulty of network interception and session hijacking,it still has weaknesses due to limitations of RC4 encryption algorithm and static keyconfiguration.2. TKIP encryptionTemporal key integrity Protocol (TKIP) and WEP both use the RC4 algorithm, but TKIP hasseveral advantages over WEP, and provides more secure protection for WLAN as follows:{ First, TKIP provides longer IVs to enhance encryption security. Compared with WEPencryption, TKIP encryption uses 128-bit RC4 encryption algorithm, and increases thelength of IVs from 24 bits to 48 bits.{ Second, TKIP allows for dynamic key negotiation to avoid static key configuration. TKIPreplaces a single static key with a base key generated by an authentication server. TKIPdynamic keys cannot be easily deciphered.{ Third, TKIP offers MIC and countermeasures. If a packet fails the MIC, the data might betampered, and the system might be attacked. If two packets fail the MIC in a certain period,the AP automatically takes countermeasures. It will not provide services in a certain periodto prevent attacks.3. AES-CCMP encryptionCTR with CCMP is based on the CCM of the AES encryption algorithm. CCM combines CTR forconfidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of boththe MAC Protocol Data Unit (MPDU) Data field and selected portions of the IEEE 802.11 MPDUheader. The AES block algorithm in CCMP uses a 128-bit key and a 128-bit block size. Similarly,CCMP contains a dynamic key negotiation and management method, so that each wirelessclient can dynamically negotiate a key suite, which can be updated periodically to furtherenhance the security of the CCMP encryption mechanism. During the encryption process,CCMP uses a 48-bit packet number (PN) to ensure that each encrypted packet uses a differentPN, improving the security to a certain extent.APClientAuthentication RequestAuthentication Response(Challenge)Authentication(Encrypted Challenge)Authentication Response(Success)