
WAPI specific explanation

WAPI (Wireless Authentication Privacy Infrastructure) is a security protocol applied to wireless local area network (WLAN) systems.

The WAPI security system adopts public key cryptography, and the authentication server (AS) is responsible for issuing, verifying and revoking certificates. Wireless clients (i.e. mobile terminals and wireless access points, APs) are all equipped with public key certificates issued by the AS as their own digital identity certificates.

When a mobile terminal (MT) logs into a wireless access point (AP), both parties must be authenticated by the authentication server before using or accessing the network.

According to the verification result, an MT with a legal certificate can access an AP with a legal certificate, that is, it can access the network through the AP.

This not only prevents an illegal MT from accessing the AP and the network and occupying network resources, but also prevents an MT from logging into an illegal AP and leaking information.

The wireless LAN authentication and privacy infrastructure (WAPI) system includes the following parts: WAPI authentication and key management; WPI data transmission protection.

Comparison of WAPI and 802.11i (WEP, WAPI, IEEE 802.11i)

Authentication mechanism. WEP: one-way authentication (the AP authenticates the MT). WAPI: two-way authentication (AP and MT authenticate each other through the AS). IEEE 802.11i: one-way and two-way authentication (between MT and RADIUS); the MT cannot authenticate the legitimacy of the AP.

Authentication process. WEP: open system authentication (or shared key authentication); the process is simple and easy. WAPI: the identity credential is a public key digital certificate; wireless users and wireless access points have equal status, which not only realizes access control at the wireless access point but also ensures the security of wireless users' access; the client supports multiple certificates, which is convenient for users in many places and fully ensures its roaming function. IEEE 802.11i: the authentication process is complicated; the user identity is usually a user name and password; the RADIUS server behind the AP authenticates the user.

Authentication object: client; user.

Key management: incomplete (the local area network is managed by AS). IEEE 802.11i: the shared key needs to be set manually between the AP and the RADIUS server; only the authentication architecture is defined between AP and MT, so the specific designs of different manufacturers may be incompatible, and the cost of achieving compatibility is high.

Authentication algorithm. WEP: 64-bit RC4. WAPI: 192-bit elliptic curve algorithm (ECC192). IEEE 802.11i: depends on the specific protocol.

Security vulnerabilities. WEP: authentication is easy to forge. WAPI: not identified. IEEE 802.11i: the user identity credential is simple, easy to steal, and can be used at will after being stolen; there are security risks in shared key management.

Encryption key. WEP: static. WAPI: dynamic (user-based, authentication-based, dynamically updated during communication). IEEE 802.11i: dynamic.

Encryption algorithm. WEP: 64-bit RC4. WAPI: block encryption algorithm (SMS4). IEEE 802.11i: 128-bit AES and 128-bit RC4.

WAPI history

China began to study WLAN in 1994, and the first WLAN prototype in China passed the ministerial appraisal.

In May 2003, the national compulsory standard GB 15629.11/1102-2003 was approved and released.

When the compulsory product certification for WLAN products was announced in March 2004, the US Secretary of State, the Secretary of Commerce and the Trade Representative jointly sent a letter asking China to abandon the WAPI standard.

In April 2004, AQSIQ, CNCA and the National Standards Committee jointly announced that the mandatory implementation of the WAPI standard on June 1, 2004 would be postponed, and in 2005, eight ministries and commissions, including the National Development and Reform Commission, successively held joint meetings on WAPI.

In February 2005, the Ministry of Finance and three other ministries and commissions jointly issued the Notice on Printing and Distributing the Implementation Opinions on WLAN Product Procurement.

In June 2006, GB 15629.11-2003 Revision 1 and two national mandatory standards for WLAN expansion were promulgated.

In June 2006, the General Administration of Quality Supervision, Inspection and Quarantine and the National Standards Committee jointly issued the Announcement on Issuing National Standards for WLAN.

In April 2009, the Ministry of Industry and Information Technology of China convened a meeting of mobile phone manufacturers and announced that all 2G and 3G mobile phones in China can use WAPI technology in the future.

WAPI certificate system

To address the loopholes and hidden dangers in the current WLAN security mechanism, WAPI adopts two-way authentication based on digital certificates and establishes mutual authentication between the client (wireless network card) and the wireless access point (AP), so that both parties can prove their legitimacy within a reasonable time. Only two-way authentication can detect and isolate illegal clients and fake access points.

Specifically, a WLAN security network based on the WAPI protocol consists of three entities: the AP, the client and the authentication server (AS). The two-way authentication between the client and the AP is completed with a public key cryptosystem, and during the authentication process the client and the AP negotiate the session key using an elliptic curve cryptosystem. The data in the communication process is encrypted with the encryption algorithm specified by the State Encryption Administration, and the security is extremely high.

WAPI also supports updating the session key at a set time interval or after a set number of data packets has been transmitted during communication, which greatly improves the security of the data.
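The access decision and rekey rule described above, as an added example that is not part of the original page or of any WAPI implementation. It assumes an HMAC tag in place of the AS's elliptic-curve signature so that it runs with the standard library only; `issue`, `as_verify`, `authenticate` and `SessionKey` are hypothetical names, and all identities are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

AS_KEY = b"constructed-demo-key"  # stand-in for the AS's private signing key


def _tag(subject: str, serial: int) -> str:
    return hmac.new(AS_KEY, f"{subject}|{serial}".encode(), hashlib.sha256).hexdigest()


def issue(subject: str, serial: int) -> dict:
    """AS issues an identity certificate (HMAC replaces the ECC signature)."""
    return {"subject": subject, "serial": serial, "sig": _tag(subject, serial)}


def as_verify(cert: dict, revoked: set) -> bool:
    """AS accepts a certificate it issued whose serial is not revoked."""
    genuine = hmac.compare_digest(_tag(cert["subject"], cert["serial"]), cert["sig"])
    return genuine and cert["serial"] not in revoked


def authenticate(mt_cert: dict, ap_cert: dict, revoked: set) -> dict:
    """Both certificates go to the AS; access needs both verdicts to pass."""
    mt_ok, ap_ok = as_verify(mt_cert, revoked), as_verify(ap_cert, revoked)
    return {"mt_valid": mt_ok, "ap_valid": ap_ok, "access": mt_ok and ap_ok}


@dataclass
class SessionKey:
    """Rekey after max_age seconds or max_packets protected packets."""
    max_age: float
    max_packets: int
    created: float = 0.0
    packets: int = 0

    def needs_rekey(self, now: float) -> bool:
        return now - self.created >= self.max_age or self.packets >= self.max_packets


if __name__ == "__main__":
    mt, ap = issue("MT-1", 1001), issue("AP-1", 2001)   # constructed identities
    rogue_ap = dict(ap, subject="AP-rogue")              # altered, so sig mismatches
    print(authenticate(mt, ap, revoked=set()))           # both valid
    print(authenticate(mt, rogue_ap, revoked=set()))     # MT must not join
    print(authenticate(mt, ap, revoked={1001}))          # revoked MT is refused
```

The second and third calls show the two failure cases the text names: a terminal facing an access point whose certificate the AS does not vouch for, and a terminal whose own certificate has been revoked.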

From the application point of view, the certificate mechanism is very convenient for users to manage.

WAPI provides an integrated wired and wireless IP data access security scheme, which can provide centralized security authentication and management in a user's information system.

Encryption and decryption algorithms: WAPI adopts the elliptic curve public key cryptosystem and the symmetric-key block cipher approved by the Office of the State Cryptography Management Committee. They are used respectively for the digital certificates and key agreement of WLAN devices and for the encryption and decryption of transmitted data, realizing device identity authentication, link verification, access control and encryption protection of user information in wireless transmission.

WPI: the wireless LAN security infrastructure (WPI) encrypts and decrypts MPDUs in the MAC sublayer.

WAI: the wireless LAN authentication infrastructure (WAI) not only has a more secure authentication mechanism and more flexible key management, but also realizes centralized user management for the whole basic network, so as to meet the needs of more users and more complex security requirements.

WAPI standardization

GB 15629.11

In May 2003, the basic national standard GB 15629.11 was promulgated by China. WAPI won the second prize of the National Technological Invention Award in 2005, and the 9th China Invention Patent Gold Award, jointly awarded by the United Nations World Intellectual Property Organization and China National Intellectual Property Administration, in 2005.

In 2006, AQSIQ issued the WLAN standard GB 15629.11-2003/XG1-2006 and its extended national standard GB15629./.

WAPI Industrialization

WAPI Industry Alliance Brief Introduction

The WAPI Industry Alliance was established on March 7, 2006, and as of September 10, 2008 had 41 full members, including: China Telecom Group Company; China United Communications Co., Ltd.; China Network Communications Group Company; China Mobile Communications Group Company; Datang Mobile Communications Equipment Co., Ltd.; Huawei Technologies Co., Ltd.; Lenovo (Beijing) Co., Ltd.; Peking University Founder Group Co., Ltd.; Qingdao Haier Technology Co., Ltd.; Hisense Group Co., Ltd.; Zhongtai Data Communication (Shenzhen) Co., Ltd.; Guangzhou Jiesai Technology Co., Ltd.; Guangzhou Xinyou Communication Equipment Co., Ltd.; Shenzhen Minghua Aohan Technology Co., Ltd.; Shenzhen Putian Yitong Technology Co., Ltd.; Shenzhen Guoren Communication Co., Ltd.; Shenzhen Lang Electronics Co., Ltd.; Shenzhen * * * Gold Electronics Co., Ltd.; Beijing Wulong Telecom Technology Co., Ltd.; Shenzhen Yulong Communication Co., Ltd.; Xidian Jietong Wireless Network Communication Co., Ltd.; Beijing Zhongdian Huada Electronic Design Co., Ltd.; Beijing Langboxin Micro-technology Co., Ltd.; Beijing Liuhe Wantong Microelectronics Technology Co., Ltd.; Beijing Tianyi Integrated Technology Co., Ltd.; Beijing Yongyi Technology Co., Ltd.; Beijing Hanming ICT Technology Co., Ltd.; Beijing Huaan Guangtong Technology Development Co., Ltd.; Xi An Datang Power Communication Co., Ltd.; Datang Microelectronics Technology Co., Ltd.; Shanghai Ding Xin Technology Co., Ltd.; Shanghai Huaman Information Technology Co., Ltd.; Donglan Digital Co., Ltd.; USA Anyitong Network Co., Ltd. Beijing Representative Office; National Cryptography Administration Commercial Cryptography Research Center; National Radio Monitoring Center; Beijing Tanya Electrification Technology Co., Ltd.; Beijing Denghe Technology Co., Ltd.; Shanghai Runxin Technology Co., Ltd.; Honghao Mingchuan Technology (Beijing) Co., Ltd.

WAPI related products include WLAN end-to-end products including

Application of WAPI

During the 2008 Beijing Olympic Games, nearly a thousand online users accessed the Internet through the WAPI network in venues, hotels, residences and other places every day, and the network operated stably.

Operators such as China Mobile and China Telecom have incorporated the relevant requirements of WAPI national standards into WLAN enterprise standards, and indicated that they will actively adopt independent innovation technologies to fully promote the perfection, product maturity and commercialization of WAPI standards.

At present, the three major telecom operators in China have explicitly requested to support WAPI standard in the bidding process of WLAN.

On April 17, 2009, the Ministry of Industry and Information Technology called a meeting of mobile phone manufacturers and announced that all domestic 2G and 3G mobile phones can use WAPI technology in the future.