
Improvement Of Wireless Local Area Network Security Authentication Mechanism Based On EAP

Posted on: 2020-01-06
Degree: Master
Type: Thesis
Country: China
Candidate: Y Ma
Full Text: PDF
GTID: 2428330599451311
Subject: Engineering

Abstract/Summary:
In a wireless LAN environment, connected users often have several authentication methods available, such as 802.1X/EAP, IEEE 802.11i, WEP, WAPI, etc. According to different security requirements, different electronics manufacturers can choose different security standards based on the above methods. At present, the EAP authentication method based on the 802.1X standard, which is scalable, safe and the most widely used, has some security risks such as dictionary attacks, man-in-the-middle attacks, and replay attacks. This paper studies these problems and proposes a novel KEAP authentication protocol. The specific research contents include:

(1) Through the analysis of existing dictionary attacks, man-in-the-middle attacks and replay attacks, and based on the existing EAP authentication method, a new KEAP authentication method is proposed. Following some ideas of EAP, our authentication process is defined as two stages, namely the legality authentication phase and the legality repeated verification phase. In the first stage, a two-way authentication method using asymmetric key encryption is used to verify the legality of the client and the server. The second stage uses a pre-negotiated hash key chain to verify the message again, to discern the authenticity of the message and prevent the public key from being tampered with, thereby improving the reliability of the authentication.

(2) Firstly, in terms of anti-dictionary attacks, the KEAP protocol uses the same two-way authentication method of asymmetric key encryption as the EAP-TLS protocol. The messages transmitted on the network are encrypted with the public key, and these messages can only be decrypted with the corresponding private key. Therefore, even if a message is intercepted during transmission, it cannot be cracked by an attacker, and thus the probability of a dictionary attack is effectively reduced. However, compared with the EAP-TLS protocol, because the KEAP protocol does not use the certificate management mechanism but instead uses the pre-negotiated hash key chain to perform secondary verification on the message, the difficulty of its implementation is reduced and, at the same time, it no longer needs to do a lot of certificate management. Secondly, for the anti-man-in-the-middle attack, a message feedback mechanism based on the layered one-way hash key chain is used in the second authentication stage of the KEAP protocol to encrypt the authentication result message. Because the attacker cannot decrypt the relayed message, the man-in-the-middle attack cannot be completed. Finally, in the aspect of anti-replay attack, a method based on the combination of a random number and the hash key basic chain serial number is designed. Referring to the idea of the Kerberos protocol, the concept of ticket authorization is introduced into the EAP authentication process and modified. After the key base chain serial number i is combined with the random number rnd_i in the message, it is compared with the message data table in the key storage management center to help the receiver confirm whether a replay attack has occurred.

(3) The experiment was completed and analyzed for the KEAP authentication process. This paper uses the OPNET simulation platform to simulate the KEAP authentication process and simulates three attack modes: dictionary attack, man-in-the-middle attack and replay attack. The "Message Tampering Rate" and "Bandwidth Occupancy Rate" are used as the metrics of the experimental results. We compared KEAP with the EAP-TLS authentication method, which has good security. The experimental results show that the KEAP protocol's anti-dictionary attack capability is similar to that of the EAP-TLS protocol. For the man-in-the-middle attack and replay attack problems, the KEAP protocol's anti-attack effect is better than that of the EAP-TLS protocol.
Keywords/Search Tags:802.1X/EAP, OPNET, Dictionary Attack, Man-in-the-Middle Attack, Replay Attack
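
The hash key chain and the (i, rnd_i) replay check described in the abstract, sketched as an added example that is not code from the thesis. SHA-256, HMAC, the 16-byte rnd_i, the message layout and all function names are assumptions, since the page does not give KEAP's message format, and an in-memory set stands in for the message data table.

```python
import hashlib
import hmac
import os

def build_chain(seed: bytes, n: int) -> list:
    """Return [K_0 .. K_n] with K_{i-1} = SHA-256(K_i); the seed is K_n."""
    chain = [seed]
    for _ in range(n):
        chain.append(hashlib.sha256(chain[-1]).digest())
    chain.reverse()  # chain[0] is the end of the chain, chain[n] the seed
    return chain

def encode(i: int, rnd: bytes, payload: bytes) -> bytes:
    # Fixed-width serial and nonce so field boundaries cannot be shifted.
    if len(rnd) != 16:
        raise ValueError("rnd_i must be 16 bytes")
    return i.to_bytes(4, "big") + rnd + payload

def make_message(chain, i, payload, rnd=None):
    """Sender side: tag (i, rnd_i, payload) with chain key K_i (assumed layout)."""
    rnd = rnd or os.urandom(16)
    tag = hmac.new(chain[i], encode(i, rnd, payload), hashlib.sha256).digest()
    return (i, rnd, payload, tag)

class Receiver:
    def __init__(self, chain):
        self.chain = chain   # pre-negotiated, so both sides hold it
        self.seen = set()    # stand-in for the "message data table"

    def accept(self, msg) -> str:
        i, rnd, payload, tag = msg
        if not 1 <= i < len(self.chain) or len(rnd) != 16:
            return "bad-format"
        expected = hmac.new(self.chain[i], encode(i, rnd, payload),
                            hashlib.sha256).digest()
        # Authenticate before touching the table, so forged messages
        # can never fill it or mark a genuine (i, rnd_i) as used.
        if not hmac.compare_digest(tag, expected):
            return "bad-tag"
        if (i, rnd) in self.seen:
            return "replay"
        self.seen.add((i, rnd))
        return "ok"

if __name__ == "__main__":
    chain = build_chain(b"constructed-demo-seed", 8)  # constructed sample seed
    rx = Receiver(chain)
    m = make_message(chain, 3, b"auth-result: success")
    print(rx.accept(m), rx.accept(m))  # first delivery, then the same bytes again
```
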