WAPI is a Chinese national standard for WLANs, which was developed based on IEEE 802.11. WAPI provides higher security than WEP and WPA and consists of the following parts:
WAPI uses an Elliptic Curve Cryptography (ECC) algorithm, which is public key cryptography, and a block cipher algorithm, which is symmetric cryptography. The ECC algorithm is used for the digital certificates, certificate authentication, and key negotiation of wireless devices. The block cipher algorithm encrypts and decrypts the data transmitted between wireless devices. Together, the two algorithms provide identity authentication, link authentication, access control, and encryption of user data.
WAPI-PSK authentication
WAPI-PSK authentication applies to home networks or small-scale enterprise networks. No additional certificate system is required.
WAPI-certificate authentication
WAPI-certificate authentication applies to large-scale enterprise networks or carrier networks, where an expensive certificate system can be deployed and maintained. WAPI uses X.509 v3 certificates that are Base64-encoded and saved in PEM format; the extension of an X.509 v3 certificate file is .cer. Before importing a certificate for WAPI, ensure that the certificate file has been stored in the root directory of the device's storage (flash).
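Before importing a certificate with the wapi import command, it is worth checking each PEM file offline against the requirements just listed (PEM armor, valid Base64 body, X.509 v3, .cer extension, and a private key block in the AE file). The following Python script is an added example, not Huawei's tool or part of this document; the DER stubs it ships with are constructed and contain only the leading version field of a certificate, not a usable certificate or key.

```python
import base64, binascii, re
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)  # one PEM block

def pem_blocks(text):  # -> [(label, DER bytes)]; raises binascii.Error on bad Base64
    return [(label, base64.b64decode("".join(body.split()), validate=True))
            for label, body in PEM_RE.findall(text)]

def der_len(buf, i):  # decode the DER length at buf[i] -> (length, index of the content)
    n = buf[i] & 0x7F if buf[i] >= 0x80 else 0
    return (int.from_bytes(buf[i + 1:i + 1 + n], "big") if n else buf[i]), i + 1 + n

def x509_version(der):
    # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { version [0] EXPLICIT INTEGER DEFAULT v1, ... } }
    i = 0
    for tag in (0x30, 0x30):  # outer SEQUENCE, then tbsCertificate SEQUENCE
        if der[i] != tag:
            raise ValueError("not a DER X.509 certificate")
        _, i = der_len(der, i + 1)
    if i >= len(der) or der[i] != 0xA0:  # version field absent: v1
        return 1
    _, i = der_len(der, i + 1)
    if der[i] != 0x02:
        raise ValueError("version is not an INTEGER")
    n, i = der_len(der, i + 1)
    return int.from_bytes(der[i:i + n], "big") + 1  # encoded value 2 is v3

def preflight(file_name, text, expect_private_key=False):
    # Returns what would make "wapi import ... format pem" fail or load the wrong object.
    problems = [] if file_name.lower().endswith(".cer") else ["extension is not .cer"]
    try:
        blocks = dict(pem_blocks(text))
    except (binascii.Error, ValueError):
        return problems + ["PEM body is not valid Base64"]
    try:
        version = x509_version(blocks["CERTIFICATE"])
        if version != 3:
            problems.append(f"certificate is X.509 v{version}, WAPI needs v3")
    except KeyError:
        problems.append("no CERTIFICATE block")
    except (ValueError, IndexError):
        problems.append("CERTIFICATE block is not DER-encoded X.509")
    if expect_private_key and not any(lbl.endswith("PRIVATE KEY") for lbl in blocks):
        problems.append("no PRIVATE KEY block (the AE file must also carry the AC private key)")
    return problems

def to_pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.encodebytes(der).decode()}-----END {label}-----\n"
# Constructed stubs: only the leading DER fields, enough to exercise the version check.
V3_PEM = to_pem("CERTIFICATE", bytes.fromhex("30073005a003020102"))  # SEQ{SEQ{[0]{INTEGER 2}}}: v3
KEY_PEM = to_pem("EC PRIVATE KEY", b"\x30\x00")  # placeholder body, not a real key
```

Run preflight("ae.cer", open("ae.cer").read(), expect_private_key=True) on the AE file and preflight("as.cer", open("as.cer").read()) on the ASU/issuer file; an empty list means the file passes these checks.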
WAPI defines a dynamic key negotiation mechanism, but security risks remain if STAs use the same encryption key for a long time. WAPI therefore provides a time-based key update mechanism: both the Unicast Session Key (USK) and the Multicast Session Key (MSK) have a lifetime and are updated when that lifetime expires.
Configure WAPI-PSK authentication.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wapi psk pass-phrase testpassword123 //Set the authentication method to PSK authentication and enter the key.
Configure WAPI-certificate authentication.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wapi certificate //Set the authentication method to WAPI-certificate authentication.
[HUAWEI-wlan-sec-prof-p1] wapi import certificate ac format pem file-name flash:/ae.cer //Load the AC certificate.
[HUAWEI-wlan-sec-prof-p1] wapi import certificate asu format pem file-name flash:/as.cer //Load the ASU certificate.
[HUAWEI-wlan-sec-prof-p1] wapi import certificate issuer format pem file-name flash:/as.cer //Load the issuer certificate.
[HUAWEI-wlan-sec-prof-p1] wapi import private-key format pem file-name flash:/ae.cer //Import the AC private key file.
[HUAWEI-wlan-sec-prof-p1] wapi asu ip 10.164.10.10 //Set the ASU server IP address to 10.164.10.10.