-
N 802.11ipre Shared Key Mode The Initial Key Is Generated카테고리 없음 2020. 9. 19. 06:52
- N 802.11i Pre Shared Key Mode The Initial Key Is Generated In One
- N 802.11i Pre Shared Key Mode The Initial Key Is Generated Full
- N 802.11ipre Shared Key Mode The Initial Key Is Generated Number
Azure Blob storage is Microsoft's object storage solution for the cloud. Blob storage is optimized for storing massive amounts of unstructured data, such as text or binary data.
Blob storage is ideal for:
Answer to In 802.11i pre-shared key mode, the initial key is generated. Automatically B. From a passphrase C. From a password D. None of the above. Study Resources. There is no initial key in 802.11i pre-shared key mode.
- Serving images or documents directly to a browser
- Storing files for distributed access
- Streaming video and audio
- Storing data for backup and restore, disaster recovery, and archiving
- Storing data for analysis by an on-premises or Azure-hosted service
Source code | Package (PyPI) | API reference documentation | Product documentation | Samples
Getting started
Prerequisites
- Python 2.7, or 3.5 or later is required to use this package.
- You must have an Azure subscription and anAzure storage account to use this package.
Install the package
Install the Azure Storage Blobs client library for Python with pip:
Create a storage account
If you wish to create a new storage account, you can use theAzure Portal,Azure PowerShell,or Azure CLI:
Create the client
The Azure Storage Blobs client library for Python allows you to interact with three types of resources: the storageaccount itself, blob storage containers, and blobs. Interaction with these resources starts with an instance of aclient. To create a client object, you will need the storage account's blob service account URL and acredential that allows you to access the storage account:
Looking up the account URL
You can find the storage account's blob service URL using theAzure Portal,Azure PowerShell,or Azure CLI:
Types of credentials
The
credential
parameter may be provided in a number of different forms, depending on the type ofauthorization you wish to use:-
To use an Azure Active Directory (AAD) token credential,provide an instance of the desired credential type obtained from theazure-identity library.For example, DefaultAzureCredentialcan be used to authenticate the client.
This requires some initial setup:
- Register a new AAD application and give permissions to access Azure Storage
- Grant access to Azure Blob data with RBAC in the Azure Portal
- Set the values of the client ID, tenant ID, and client secret of the AAD application as environment variables:AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET
Use the returned token credential to authenticate the client:
-
To use a shared access signature (SAS) token,provide the token as a string. If your account URL includes the SAS token, omit the credential parameter.You can generate a SAS token from the Azure Portal under 'Shared access signature' or use one of the
generate_sas()
functions to create a sas token for the storage account, container, or blob: -
To use a storage account shared key(aka account key or access key), provide the key as a string. This can be found in the Azure Portal under the 'Access Keys'section or by running the following Azure CLI command:
az storage account keys list -g MyResourceGroup -n MyStorageAccount
Use the key as the credential parameter to authenticate the client:
-
To use anonymous public read access,simply omit the credential parameter.
Creating the client from a connection string
Depending on your use case and authorization method, you may prefer to initialize a client instance with a storageconnection string instead of providing the account URL and credential separately. To do this, pass the storageconnection string to the client's
from_connection_string
class method:The connection string to your storage account can be found in the Azure Portal under the 'Access Keys' section or by running the following CLI command:
Key concepts
The following components make up the Azure Blob Service:
- The storage account itself
- A container within the storage account
- A blob within a container
The Azure Storage Blobs client library for Python allows you to interact with each of these components through theuse of a dedicated client object.
Clients
Four different clients are provided to to interact with the various components of the Blob Service:
- BlobServiceClient -this client represents interaction with the Azure storage account itself, and allows you to acquire preconfiguredclient instances to access the containers and blobs within. It provides operations to retrieve and configure theaccount properties as well as list, create, and delete containers within the account. To perform operations on aspecific container or blob, retrieve a client using the
get_container_client
orget_blob_client
methods. - ContainerClient -this client represents interaction with a specific container (which need not exist yet), and allows you to acquirepreconfigured client instances to access the blobs within. It provides operations to create, delete, or configure acontainer and includes operations to list, upload, and delete the blobs within it. To perform operations on aspecific blob within the container, retrieve a client using the
get_blob_client
method. - BlobClient -this client represents interaction with a specific blob (which need not exist yet). It provides operations toupload, download, delete, and create snapshots of a blob, as well as specific operations per blob type.
- BlobLeaseClient -this client represents lease interactions with a
ContainerClient
orBlobClient
. It provides operations toacquire, renew, release, change, and break a lease on a specified resource.
Blob Types
Once you've initialized a Client, you can choose from the different types of blobs:
- Block blobsstore text and binary data, up to approximately 4.75 TiB. Block blobs are made up of blocks of data that can bemanaged individually
- Append blobsare made up of blocks like block blobs, but are optimized for append operations. Append blobs are ideal for scenariossuch as logging data from virtual machines
- Page blobsstore random access files up to 8 TiB in size. Page blobs store virtual hard drive (VHD) files and serve as disks forAzure virtual machines
Examples
The following sections provide several code snippets covering some of the most common Storage Blob tasks, including:
Note that a container must be created before to upload or download a blob.
Create a container
Create a container from where you can upload or download blobs.
Use the async client to upload a blob
Uploading a blob
Upload a blob to your container
Use the async client to upload a blob
Downloading a blob
Download a blob from your container
Download a blob asynchronously
Enumerating blobs
List the blobs in your container
List the blobs asynchronously
Optional Configuration
Optional keyword arguments that can be passed in at the client and per-operation level.
Retry Policy configuration
Use the following keyword arguments when instantiating a client to configure the retry policy:
- retry_total (int): Total number of retries to allow. Takes precedence over other counts.Pass in
retry_total=0
if you do not want to retry on requests. Defaults to 10. - retry_connect (int): How many connection-related errors to retry on. Defaults to 3.
- retry_read (int): How many times to retry on read errors. Defaults to 3.
- retry_status (int): How many times to retry on bad status codes. Defaults to 3.
- retry_to_secondary (bool): Whether the request should be retried to secondary, if able.This should only be enabled of RA-GRS accounts are used and potentially stale data can be handled.Defaults to
False
.
Encryption configuration
Use the following keyword arguments when instantiating a client to configure encryption:
- require_encryption (bool): If set to True, will enforce that objects are encrypted and decrypt them.
- key_encryption_key (object): The user-provided key-encryption-key. The instance must implement the following methods:
wrap_key(key)
--wraps the specified key using an algorithm of the user's choice.get_key_wrap_algorithm()
--returns the algorithm used to wrap the specified symmetric key.get_kid()
--returns a string key id for this key-encryption-key.
- key_resolver_function (callable): The user-provided key resolver. Uses the kid string to return a key-encryption-keyimplementing the interface defined above.
Other client / per-operation configuration
Other optional configuration keyword arguments that can be specified on the client or per-operation.
Client keyword arguments:
- connection_timeout (int): Optionally sets the connect and read timeout value, in seconds.
- transport (Any): User-provided transport to send the HTTP request.
Per-operation keyword arguments:
- raw_response_hook (callable): The given callback uses the response returned from the service.
- raw_request_hook (callable): The given callback uses the request before being sent to service.
- client_request_id (str): Optional user specified identification of the request.
- user_agent (str): Appends the custom value to the user-agent header to be sent with the request.
- logging_enable (bool): Enables logging at the DEBUG level. Defaults to False. Can also be passed in atthe client level to enable it for all requests.
- headers (dict): Pass in custom headers as key, value pairs. E.g.
headers={'CustomValue': value}
Troubleshooting
General
Storage Blob clients raise exceptions defined in Azure Core.All Blob service operations will throw a
StorageErrorException
on failure with helpful error codes.Logging
This library uses the standardlogging library for logging.Basic information about HTTP sessions (URLs, headers, etc.) is logged at INFOlevel.
Detailed DEBUG level logging, including request/response bodies and unredactedheaders, can be enabled on a client with the
logging_enable
argument:Similarly,
logging_enable
can enable detailed logging for a single operation,even when it isn't enabled for the client:Next steps
More sample code
Get started with our Blob samples.
Several Storage Blobs Python SDK samples are available to you in the SDK's GitHub repository. These samples provide example code for additional scenarios commonly encountered while working with Storage Blobs:
-
blob_samples_container_access_policy.py (async version) - Examples to set Access policies:
- Set up Access Policy for container
-
blob_samples_hello_world.py (async version) - Examples for common Storage Blob tasks:
- Set up a container
- Create a block, page, or append blob
- Upload blobs
- Download blobs
- Delete blobs
-
blob_samples_authentication.py (async version) - Examples for authenticating and creating the client:
- From a connection string
- From a shared access key
- From a shared access signature token
- From active directory
-
blob_samples_service.py (async version) - Examples for interacting with the blob service:
- Get account information
- Get and set service properties
- Get service statistics
- Create, list, and delete containers
- Get the Blob or Container client
-
blob_samples_containers.py (async version) - Examples for interacting with containers:
- Create a container and delete containers
- Set metadata on containers
- Get container properties
- Acquire a lease on container
- Set an access policy on a container
- Upload, list, delete blobs in container
- Get the blob client to interact with a specific blob
-
blob_samples_common.py (async version) - Examples common to all types of blobs:
- Create a snapshot
- Delete a blob snapshot
- Soft delete a blob
- Undelete a blob
- Acquire a lease on a blob
- Copy a blob from a URL
-
blob_samples_directory_interface.py - Examples for interfacing with Blob storage as if it were a directory on a filesystem:
- Copy (upload or download) a single file or directory
- List files or directories at a single level or recursively
- Delete a single file or recursively delete a directory
Additional documentation
For more extensive documentation on Azure Blob storage, see the Azure Blob storage documentation on docs.microsoft.com.
IEEE 802.11i-2004, or 802.11i for short, is an amendment to the original IEEE 802.11, implemented as Wi-Fi Protected Access II (WPA2). The draft standard was ratified on 24 June 2004. This standard specifies security mechanisms for wireless networks, replacing the short Authentication and privacy clause of the original standard with a detailed Security clause. In the process, the amendment deprecated broken Wired Equivalent Privacy (WEP), while it was later incorporated into the published IEEE 802.11-2007 standard.
Replacement of WEP[edit]
802.11i supersedes the previous security specification, Wired Equivalent Privacy (WEP), which was shown to have security vulnerabilities. Wi-Fi Protected Access (WPA) had previously been introduced by the Wi-Fi Alliance as an intermediate solution to WEP insecurities. WPA implemented a subset of a draft of 802.11i. The Wi-Fi Alliance refers to their approved, interoperable implementation of the full 802.11i as WPA2, also called RSN (Robust Security). 802.11i makes use of the Advanced Encryption Standard (AES) block cipher, whereas WEP and WPA use the RC4stream cipher.[1]
Protocol operation[edit]
IEEE 802.11i enhances IEEE 802.11-1999 by providing a Robust Security Network (RSN) with two new protocols: the four-way handshake and the group key handshake. These utilize the authentication services and port access control described in IEEE 802.1X to establish and change the appropriate cryptographic keys.[2][3] The RSN is a security network that only allows the creation of robust security network associations (RSNAs), which are a type of association used by a pair of stations (STAs) if the procedure to establish authentication or association between them includes the 4-Way Handshake.[4]
The standard also provides two RSNA data confidentiality and integrity protocols, TKIP and CCMP, with implementation of CCMP being mandatory since the confidentiality and integrity mechanisms of TKIP are not as robust as those of CCMP.[5] The main purpose to implement TKIP was that the algorithm should be implementable within the capabilities of most of the old devices supporting only WEP.
The initial authentication process is carried out either using a pre-shared key (PSK), or following an EAP exchange through 802.1X (known as EAPOL, which requires the presence of an authentication server). This process ensures that the client station (STA) is authenticated with the access point (AP). After the PSK or 802.1X authentication, a shared secret key is generated, called the Pairwise Master Key (PMK). In PSK authentication, the PMK is actually the PSK[6], which is typically derived from WiFi password by putting it through a key derivation function that use SHA-1 as the cryptographic hash function.[7] If an 802.1X EAP exchange was carried out, the PMK is derived from the EAP parameters provided by the authentication server.
Four-way handshake[edit]
The four-way handshake[8] is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point (AP) and client encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell the access point its PMK.
The PMK is designed to last the entire session and should be exposed as little as possible; therefore, keys to encrypt the traffic need to be derived. A four-way handshake is used to establish another key called the Pairwise Transient Key (PTK). The PTK is generated by concatenating the following attributes: PMK, AP nonce (ANonce), STA nonce (SNonce), AP MAC address, and STA MAC address. The product is then put through a pseudo-random function. The handshake also yields the GTK (Group Temporal Key), used to decrypt multicast and broadcast traffic.
The actual messages exchanged during the handshake are depicted in the figure and explained below (all messages are sent as EAPOL-Key frames):
- The AP sends a nonce-value (ANonce) to the STA together with a Key Replay Counter, which is a number that is used to match each pair of messages sent, and discard replayed messages. The STA now has all the attributes to construct the PTK.
- The STA sends its own nonce-value (SNonce) to the AP together with a Message Integrity Code (MIC), including authentication, which is really a Message Authentication and Integrity Code (MAIC), and the Key Replay Counter which will be the same as Message 1, to allow AP to match the right Message 1.
- The AP verifies Message 2, by checking MIC, RSN, ANonce and Key Replay Counter Field, and if valid constructs and sends the GTK with another MIC.
- The STA verifies Message 3, by checking MIC and Key Replay Counter Field, and if valid sends a confirmation to the AP.
The Pairwise Transient Key (64 bytes) is divided into five separate keys:
- 16 bytes of EAPOL-Key Confirmation Key (KCK) – Used to compute MIC on WPA EAPOL Key message
- 16 bytes of EAPOL-Key Encryption Key (KEK) – AP uses this key to encrypt additional data sent (in the 'Key Data' field) to the client (for example, the RSN IE or the GTK)
- 16 bytes of Temporal Key (TK) – Used to encrypt/decrypt Unicast data packets
- 8 bytes of Michael MIC Authenticator Tx Key – Used to compute MIC on unicast data packets transmitted by the AP
- 8 bytes of Michael MIC Authenticator Rx Key – Used to compute MIC on unicast data packets transmitted by the station
The Group Temporal Key (32 bytes) is divided into three separate keys:
- 16 bytes of Group Temporal Encryption Key – used to encrypt/decrypt Multicast and Broadcast data packets
- 8 bytes of Michael MIC Authenticator Tx Key – used to compute MIC on Multicast and Broadcast packets transmitted by AP
- 8 bytes of Michael MIC Authenticator Rx Key – currently unused as stations do not send multicast traffic
The Michael MIC Authenticator Tx/Rx Keys in both the PTK and GTK are only used if the network is using TKIP to encrypt the data.
This four-way handshake has been shown to be vulnerable to KRACK.
Group key handshake[edit]
The Group Temporal Key (GTK) used in the network may need to be updated due to the expiration of a preset timer. When a device leaves the network, the GTK also needs to be updated. This is to prevent the device from receiving any more multicast or broadcast messages from the AP.
To handle the updating, 802.11i defines a Group Key Handshake that consists of a two-way handshake:
- The AP sends the new GTK to each STA in the network. The GTK is encrypted using the KEK assigned to that STA, and protects the data from tampering, by use of a MIC.
- The STA acknowledges the new GTK and replies to the AP.
CCMP overview[edit]
CCMP is based on the Counter with CBC-MAC (CCM) mode of the AES encryption algorithm. CCM combines CTR for confidentiality and CBC-MAC for authentication and integrity. CCM protects the integrity of both the MPDU Data field and selected portions of the IEEE 802.11 MPDU header.
Key hierarchy[edit]
RSNA defines two key hierarchies:
- Pairwise key hierarchy, to protect unicast traffic
- GTK, a hierarchy consisting of a single key to protect multicast and broadcast traffic
The description of the key hierarchies uses the following two functions:
- L(Str, F, L) - From Str starting from the left, extract bits F through F+L–1.
- PRF-n - Pseudo-random function producing n bits of output, there are the 128, 192, 256, 384 and 512 versions, each of these output these number of bits.
The pairwise key hierarchy utilizes PRF-384 or PRF-512 to derive session-specific keys from a PMK, generating a PTK, which gets partitioned into a KCK and a KEK plus all the temporal keys used by the MAC to protect unicast communication.
N 802.11i Pre Shared Key Mode The Initial Key Is Generated In One
The GTK shall be a random number which also gets generated by using PRF-n, usually PRF-128 or PRF-256, in this model, the group key hierarchy takes a GMK (Group Master Key) and generates a GTK.
MAC frame formats[edit]
Frame Control field[edit]
Frame Control field[9] Subfield Protocol Version Type Subtype To DS From DS More Fragments Retry Power Management More Data Protected Frame Orders Bits 2 bits 2 bits 4 bits 1 bit 1 bit 1 bit 1 bit 1 bit 1 bit 1 bit 1 bit Protected Frame field[edit]
'The Protected Frame field is 1 bit in length. The Protected Frame field is set to 1 if the Frame Body field contains information that has been processed by a cryptographic encapsulation algorithm. The Protected Frame field is set to 1 only within data frames of type Data and within management frames of type Management, subtype Authentication. The Protected Frame field is set to 0 in all other frames. When the bit Protected Frame field is set to 1 in a data frame, the Frame Body field is protected utilizing the cryptographic encapsulation algorithm and expanded as defined in Clause 8. Only WEP is allowed as the cryptographic encapsulation algorithm for management frames of subtype Authentication.'[8]
See also[edit]
- WLAN Authentication and Privacy Infrastructure (WAPI), China's centralized wireless security method
- IEEE 802.1AE MACsec
References[edit]
- ^'IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements'(PDF). IEEE Standards. 2004-07-23. Retrieved 2007-12-21.
- ^IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements(PDF), IEEE Standards, 2004-07-23, p. 14, retrieved 2010-04-09
- ^IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements(PDF), IEEE Standards, 2004-07-23, p. 14, retrieved 2010-04-09,
RSNA relies on IEEE 802.1X to provide authentication services and uses the IEEE 802.11 key management scheme
- ^IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements(PDF), IEEE Standards, 2004-07-23, p. 5, retrieved 2010-04-09
- ^IEEE 802.11i-2004: Amendment 6: Medium Access Control (MAC) Security Enhancements(PDF), IEEE Standards, 2004-07-23, p. 43, retrieved 2010-04-09
- ^'IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements'(PDF). p. 33.
- ^'IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements'(PDF). p. 165.
- ^ ab'IEEE 802.11i-2004 Standard Amendment 6: Medium Access Control (MAC) Security Enhancements'(PDF).
- ^'Section of MAC frame formats'. Archived from the original on 2018-04-27. Retrieved 2018-04-27.
N 802.11i Pre Shared Key Mode The Initial Key Is Generated Full
- General
- 'IEEE 802.11-2007: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications'. IEEE. 2007-03-08.
- 'The Evolution of 802.11 Wireless Security'(PDF). ITFFROC. 2010-04-18.
External links[edit]
- Vulnerability in the WPA2 protocol, hole196 [1], [2]
N 802.11ipre Shared Key Mode The Initial Key Is Generated Number
Retrieved from 'https://en.wikipedia.org/w/index.php?title=IEEE_802.11i-2004&oldid=949208972'