Connectivity and Data Protection
The Shared Key authentication service uses a four-step transmission of
frames as follows.
1.
A requesting station sends an authentication frame to the access
point (or station in the case of an IBSS).
2.
The access point replies with an authentication frame
containing 128 octets of clear text (unencrypted) challenge text.
3.
The requesting station copies the challenge text into a new
authentication frame which it encrypts and sends to the access
point.
4.
The access point decrypts the authentication frame and
compares the challenge text found there to the original. If a
match occurs, then the access point replies with an
authentication frame indicating a successful authentication. If
not, the responding access point (or station) sends an
authentication frame containing an unsuccessful indication.
Shared Key authentication is very easy to break because the process
exposes both the encrypted and unencrypted form of the challenge
text. Since the WEP key is used both for authentication and for data
encryption, this is a severe security risk. As a result, you should avoid
using Shared Key authentication. Open System authentication with
WEP allows automatic connectivity to the access point, but the user
must then have the correct WEP key configured in order to pass
traffic through the access point. Instead of using either of these basic
security methods, you should consider using WPA-PSK, 802.1X/EAP-
WPA, IEEE 802.11i, or VPN technologies for authentication and
encryption. These methods impose user-based authentication based
on passwords, tokens, and/or digital certificates.
Association
The process of association means that a station joins a BSS and accepts
operating parameters, such as available data rates. In order to associate
with an access point, the station must be configured with the SSID of
the access point or be using the broadcast SSID, which is often null
(blank). A matching SSID is generally sufficient to continue with
association.
