An Efficient WLAN Initial Access Authentication Protocol

Transcription

1 Globecom Communication and nformation System Security Symposium An Efficient WLAN nitial Access Authentication Protocol Xinghua Li Jianfeng Ma Shen Yulong Xidian University, Xi'an, , China Xidian University Wayne State University, USA Virginia Polytechnic nstitute and State University, VA, 22043, USA lixingh@gmail.com Xi' an, , China jfma@mail.xidian.edu.com ylshen@mail.xidian.edu.cn Abstract-Nowadays, with the rapid increase of WLANenabled mobile devices, new scenarios emerge which require a more efficient WLAN initial link setup mechanism, and an access authentication method faster than the current EEE S02.Hi is desired. Our analysis indicates that the essential reason resulting in the inefficiency of S02.Hi is that it is designed from the framework perspective which introduces too many messages. To overcome the drawbacks, an efficient initial access authentication protocol is proposed which realizes the authentications and key distribution through 2 roundtrip messages between the mobile device and the networks. Analysis indicates that our proposal is of the same security as the 4-way handshake protocol. The experiment result shows that our scheme can improve the authentication delay of the EAP-TLS by 94.7%. Furthermore, a simple and practical method is presented to enable it to be compatible with S02.Hi.. NTRODUCTON n recent years, Wireless Local Area Networks (WLAN) [1, 2] technology gets rapid development for its good mobility, high bandwidth and important flexibility. The mobile equipments that support WLAN increase greatly, such as smart phones, tablet computers. Users can easily access a variety of network applications through WLAN, e.g., facebook, twitter, and real videos. However, security is a serious concern because the wireless medium is open for public access within a certain range. n order to provide secure data communications over wireless links, the Task Group proposed the Wired Equivalent Privacy (WEP) to encrypt the data stream and authenticate the wireless devices. However, significant deficiencies have been identified in both the encryption and the authentication mechanisms [3, 4]. To repair the problems in WEP, the Wi Fi Alliance proposed an authentication mechanism based on EAP/802.XlRADUS [5, 6, 7] to replace the poor open system authentication and shared key authentication in WEP. As a long-term solution to securing wireless links, the latest EEE standard i [8] was ratified on June 24, The authentication process combines 802.X authentication with key management procedures to generate a fresh pairwise key and/or group key, followed by data transmission sessions. However, with the rapid increase of the WLAN-enabled mobile devices, some new scenarios emerge which challenge the current WLAN standards including i. E.g., there exists such a WLAN in a metro station where a large number of mobile users are constantly entering and leaving the coverage area of an access point (AP) in an extended service set (ESS). Every time the mobile device enters an ESS, the mobile device has to do an initial set-up to establish WLAN connectivity. This works well when the number of new stations (STAs) in a given time period is small. However, when a high number of users simultaneously enter an ESS, an efficient mechanism that scales well is required to minimize the time STAs spend in the initial link setup, while maintaining a secure authentication. Another scenario also has the similar requirement where every STA passes through the coverage area in a short time and still needs to access WLAN. To solve the problem, a specific task group EEE ai [9] is established, and its goal is to reduce the initial link establishment time but maintain the security level of i. The authentication process specified by EEE i, as a bulky time consuming component of the initial link setup, is regarded by ai as an important improvement target. Our analysis indicates that the essential reason leading to the inefficiency of the 802.i is that it is designed from the framework perspective which introduces too many message interactions (e.g., for EAP-TLS [10], 11 roundtrip messages are needed) between mobile terminals and the networks. To improve its efficiency, an efficient initial access authentication method is proposed which just takes two roundtrip messages to fulfill the authentications and key distribution between the mobile terminal, AP and authentication server (AS). Analysis indicates that our scheme is of the same security level as the 4-way handshake protocol, but the performance is improved by 94.7% compared with the EAP-TLS. At the same time, in implementation we give a simple method that enables our scheme to be compatible with the EEE i. The rest of the paper is organized as follows. Section 2 presents the i and its drawback analysis. Our scheme is given in Section 3. Section 4 analyzes the proposed scheme, and the paper is concluded in Section 5.. BACKGROUND i RSNA (robust security network association) [8] establishment procedure consists of 802.X authentication and key management protocols. Three entities are involved, called /12/$ EEE 1035

2 c' r:jl Stage 1: AP and [.. Security Capacity ' (3) Probe Response Discovery + AA RSN E.'1 (4) Authentication Request (Open) _ (5) Authentication Response (Open) Stage 2: Authentication (6) Association Request + SPA RSN E and Association (7 (!; i E ;: 1 Stage 3: EAP Authentication 12 MutualAuthentication e.g.eap-lls Stage 4: 4-way Handshake MSK,PMK GTK Obtained, 802.XUnblocked Fig. 1. (14) EAPoL Success (15)ANonce (16) SNonce, MlC (17) ANonce, GTK, MlC (18)MC Five stages of 802.1li $ (11) Radius Request (13) Radius Accept + PMK the Supplicant (the STA), the authenticator (the AP), and the Authentication Server (de facto a RADUS server [7]). Generally, a successful authentication means that the supplicant and the authenticator verify each other's identity and generate a shared secret for subsequent key derivations. Based on this shared secret, the key management protocols compute and distribute usable keys for data communication sessions. The authentication server can be implemented either in a single device with the authenticator, or through a separate server, assuming the link between the authentication server and the authenticator is physically secure. The complete handshakes of establishing a RSNA are shown in Figure 1. For the purpose of analysis, these steps can be divided into 5 stages as follows. Stage 1. AP and Security Capability Discovery This stage consists of messages numbered (1) to (3). The AP either periodically broadcasts its security capabilities, indicated by RSN E (Robust Security Network nformation Element), in a specific channel through the Beacon frame; or responds to a station's Probe Request through a Probe Response frame. A wireless station may discover available access points and corresponding security capabilities by either passively monitoring the Beacon frames or actively probing every channel. Stage Authentication and Association This stage consists of messages numbered (4) to (7). The station chooses one AP from the list of available APs, and tries to authenticate and associate with that AP. Note that Open System Authentication is included only for backward compatibility, and a station should indicate its security capabilities in the Association Request. After this stage, the station and the AP are in authenticated and associated state. However, the authentication achieved so far is weak, and will be supplemented by further steps. At the end of this stage, the 802.1X ports remain blocked and no data packets can be exchanged. Stage 3. EAP/802.1X1RADUS Authentication This stage consists of messages numbered (8) to (14). The supplicant and the authentication server execute a mutual authentication protocol (de facto EAP-TLS [10]), with the authenticator acting as a relay. After this stage, the supplicant and the authentication server have authenticated each other and generated some common secret, called the Master Session Key (MSK). The supplicant uses the MSK to derive a Pairwise Master Key (PMK); The AAA key material on the server side is securely transferred to the authenticator, indicated by message (13). This allows the authenticator to derive the same PMK. This stage might be skipped if the supplicant and the authenticator are configured using a static Pre-Shared Key (PSK) as the PMK, or when a cached PMK is used during are-association. Stage 4. 4-Way Handshake This stage consists of messages numbered (15) to (18). Regardless of whether the PMK is derived from Stage 3, configured using a PSK, or reused from a cached PMK, the 4-Way Handshake must be executed for a successful RSNA establishment. The supplicant and authenticator use this handshake to confirm the existence of the PMK, verify the selection of the cipher suite, and derive a fresh Pairwise Transient Key (PTK) for the following data session. Simultaneously, the authenticator might also distribute a Group Transient Key (GTK) in message (17). After this stage, a fresh PTK (and maybe GTK) is shared between the authenticator and the supplicant; the 802.1X ports are unblocked for data packets. Stage 5. Group Key Handshake This stage consists of messages numbered (19) and (20). n case of multicast applications, the authenticator will generate a fresh GTK and distribute this GTK to the supplicants. These handshakes might not be present if the fresh GTK has been distributed in Stage 4; this stage may be repeated multiple times using the same PMK. Through these handshakes, the supplicant and the authenticator mutually authenticate each other and establish a secure session for data transmissions. A. Drawbacks of 802.lli and its analysis From Figure 1, it can be seen that i takes multiple roundtrip messages to achieve the authentications and key distribution. The number of message reactions varies for different authentication protocols used, e.g., EAP-TLS takes 11 roundtrip messages and PEAPEAP-MSCHAPv2 [11] takes 16 roundtrip messages (not including the scan process). As a result, too much time is consumed in the authentication and key management, consequently, the AP cannot establish links with a multiple of users at the same time or the dwelling time is not enough to establish the initial link before the STA moves out the coverage of the AP. The main reason leading to these drawbacks is that i is designed from the framework perspective. To begin with, to 1036

3 -, achieve backward compatibility, the open system authentication is preserved. But in function, the two messages are useless for the initial link establishment. Secondly, the EAP authentication is employed, the advantage of which is that it is open and any two-party authentication protocol can be included and run within it. However, it introduces some extra messages, e.g., message (9) EAPoL-RequestJdentity, message (10) EAPoL Response/dentity and message (11) Radius Request. Besides, to keep the uniformity of the framework, EAP authentication and 4-way handshake protocol have to be sequential execution. That is, only after the EAP phase, can the 4-way handshake protocol be performed to realize the mutual authentication between the STA and the AP. But in function, to some degree the authentication between the AP and the STA can parallelize with the one between the STA and AS. 1. Probe response(bssd, AS-D, RSN E) 2. The frst authentication message SNonce, User-D, AS-D, F, t) Authentication Request (open) 7. The second authentication message (ANonce, User-D, AS-D, E, t, Mel) _---'--- Authenticution Response (open) The third authentication message (User-lOt SNonce, MQ) Associution Request 11. The fourth authentication message (GTK,MC) Association Response 5. Fast authentication response (SNonce,User-D, AS-D, E, t, PMK) A. The design goal and idea. NEW SCHEME From the analysis in Section 2, we get the goal and guideline for our scheme as follows. Orientation: nstead of the replacement of 802.li, the new scheme is just a complement and should be compatible with it. Scope: Just a new initial access authentication is introduced which should not affect the subsequent procedure of the 802.i, such as the update of the PTK. Function: The least messages are used to realize the authentication and key distribution between STA, AP and AS. Security: The security level of the new scheme is no less than the existing standard. Performance: The new scheme should greatly improve li. According to the drawback analyzed in Section 2 and the design goal outlined above, we get the design idea of the new scheme as follows. Rather than using the current 802.li framework, a specific authentication protocol is designed; the least messages (two messages) are used to realize the authentication between the STA and the AS, and the 4-way handshake protocol messages are rationally integrated with them to realize the authentication between the STA and the AP. B. The protocol procedure n the proposed scheme, each STA shares a key k with the authentication server AS, and also it is assumed that the link between the AS and the AP is secure. Our scheme is shown in Figure 2, and its interaction procedure is as follows. (1) Through the proactive scan, the STA get the WLAN information which includes the basic service set identity (BSSD), the identity of the authentication server and the security capacity of the networks. (2) The first authentication message{ SNonce, User-D, AS D, F, t} is sent to the AP from the STA, among which t is a counter and its initial value is set as 1. The STA increases the counter by one once sending such a message. SNonce is the random value generated by STA. User-D is the user's identity, Fig. 2. The proposed scheme while AS-D is the identity of the AS. F=f(k, tl SNoncel User DAS-D), where f( ) is a hash function and k is the preshared key between the STA and the AS, and denotes the concatenation. (3) AP sends the fast access authentication request message {SNonce, User-D, AS-D, F, t}. (4) A counter is also set in the AS for each user which initial value is also set as 1. Upon receiving the fast access authentication request message, the AS gets its current t value according to the User-D and compares it with the received one. f the received t value is less than the t value preserved by the AS, the authentication of the STA will fail and the current t value of the AS will keep unchanged; otherwise, the AS will further verify F according to the received t and the key k. f correct, the authentication of the STA by the AS succeeds, and the AS adds the received t value by one and sets it as its current t value. Thereafter, the AS computes the pairwise master key PMK= h(k, "FA_PMK"lltllUser-DAS D), where h is a hash function and "FA_PMK" is a constant string. (5) The AS replies the AP with the authentication response message {SNonce, User-D, AS-D, E, t, PMK}, where E=f(k, tisnonceas-d User-D). (6) Upon receiving the message 5, the AP generates its own random value ANonce and computes the PTK. PTK= PRF-X (PMK, "Pairwise key expansion ", Min(AA, SPA)Max(AA,SPA)Min(ANonce,SNonce)Max(ANonce, SNonce)) n the above equation, PRF-X is a pseudo random function; SPA is the MAC address of the STA; AA is the MAC address of the AP; Min( ) means getting the minimum value; Max ( ) means getting the maximum value; "Pairwise key expansion" is a constant string. The derivation of the PTK here is exactly same as that of i. f the AS is co-exist with the AP, there is no message interactions between the AS and the AP, and the related operations are performed by the AP. (7) The AP sends the second authentication message 1037

4 {ANonce, User-D, AS-D, E, t, MCl}, where MC is the message authentication code computed on this message by the AP using the PTK, and t is the current value of the AS. (8) Upon receiving the second authentication message, the STA will compare the received t value with its current t value, and if equal the STA will validate E. f correct, the authentication of the AS will pass. Thereafter, the STA will compute the PMK and PTK, using the same method as that of the AS and AP. At the same time, the STA will verify the MC taking use of the PTK. f valid, the STA authenticates the AP successfully. (9) The STA sends the third authentication message {User D, SNonce, MC2}, where MC2 is the message authentication code computed on this message by the STA using the PTK. Meanwhile, the STA also indicates that whether the group temporal key GTK is required or not. (10) Upon receiving the third authentication message, the AP verifies the MC2. f correct, it means that the STA generates the same PTK, and the AP authenticates the STA successfully. So far, the networks side completes the authentication of the STA, and the AP installs the derived PTK. f the MC2 is verified invalid or in a given time the third authentication message is not received, the AP will delete the STA's authentication information and de-authenticate it. Meanwhile, the authentication failure message will be sent to the AS which will delete the authentication information of the STA and rollback its t value. (11) The AP sends the STA the fourth authentication message {GTK, MC3}, where the GTK is encrypted using the PTK. Upon receiving this message, the STA verifies the MC3. f correct, the STA decrypts and gets the GTK and other related information. At the same time, the STA installs the PTK. V. SCHEME ANALYSS (1) Compatibility analysis The proposed scheme does not intend to replace 802.1i, instead, it is oriented as a complement of the current standard for some special applications. Therefore, our scheme is provided as another choice besides the 802.1i. Before the standard 802.lli, when a user makes the initial authentication, he can chose the open system authentication or WEP. Referring to this method, we also provide users two options here, including the open system authentication and our scheme. To achieve this goal, a new Authentication Algorithm dentification [1] has to be added which is to identity our scheme. And this new identification is broadcast in the scan phase. Then, users have the idea that there are two authentication methods to choose following the scan phase. Depending on the specific scenario they will choose an appropriate one from the two options. f the open system authentication is chose, the normal 802.1i will be followed. Otherwise, our scheme will be executed. n such a way, the proposed scheme can be compatible with the current security standard i. n addition, our scheme is just applicable to the initial access authentication and the resulting output is also the PTK which is same as the 802.i, 8. STA AS 3. Fast access authentication request (SNonce,User-D,AS-D, F, t) t=t+l 14. AS verifies t and F, 1 then generates PMK Fig Fast authentication response (SNonce, User-D, AS-D, E, t) The interaction between the STA and AS STA Generates PMK and PTK, verifies MC, 2. The first authentication message ( SNonce, User-D) Authentication Request (open) 7. The second authentication message (ANonce, User-D, MC1) Authentication Response (open) 9. The third authentication message (SNonce, MC2) Association Request 11. The fourth authentication message (MC3) Association Response Fig. 4. The interaction between the STA and AP 10. AP Verifies MC2 therefore, the subsequent procedure (e.g., the update of the PTK) of 802.lli will not be affected. (2) Security analysis The proposed scheme first employs the shared key k to realize the mutual authentication between the STA and the AS, meanwhile, the PMK is derived. Then, using the PMK, the STA and the AP authenticate each other and generate the PTK. According to those two functions, we divide the scheme into two parts which are the interaction between the STA and the AS, and the one between the STA and the AP. The former is shown in Figure 3 and the latter in Figure 4. n the two figures, the message fields that do not affect the security are canceled. For the protocol in Figure 3, its security depends on that of the message (3). Because the message (5) is the response of the challenging message (3), its security is guaranteed except that the pre-shared key k is leaked. There are three ways that the attacker can take to destroy the security of the message (3), including the replay attack, forced delay [12] and forgery. The replay attack cannot work, because the t in the replayed message is less than the AS's current t value by at least one. Therefore, the AS thinks the received message invalid and the authentication will not succeed. The second attack is the forced delay, that is, when the STA sends a message (3), the attacker blocks and holds it, and then sends the message later. Using this method, the attacker can pass the protocol in Figure 3, 1038

5 o EAP-TLS (avg.= rns) 400 V E. Proposed Protocol (avg.=13.884ms) STA AP AS Fig. 5. The topology of the testbed however, he has no idea of the k and cannot get the PMK. Consequently, the attacker cannot pass through the protocol in Figure 4 and the authentication fails. Another attack is the forgery of the message (3), that is, the attacker chooses a t that is bigger than the current t value used and generates a valid F. There are two possibilities leading to the success of this attack. One is that the k is leaked, and the other one is that the hash function f( ) is insecure. But the pre-shared key k and the f( ) is assumed secure, therefore, this attack will not succeed either. n summary, the protocol in Figure 3 is secure, therefore, the PMK is derived securely. From Figure 4, it can be seen that the message interactions are same as those of the 4-way handshake protocol. The unique difference is that in the 4-way handshake protocol the STA and the AP have got the PMK before the protocol starts, while in our scheme the AP and the STA get the PMK respectively after the message (5) and message (7). Therefore, only if the derived PMK is secure, the protocol in Figure 4 is as secure as the 4- way handshake protocol. The above analysis has demonstrated the PMK's security, therefore, the protocol in Figure 4 is also secure. From the above analysis, we get that the first protocol is secure and the second one's security is same as that of the 4-way handshake protocol, therefore, in summary our scheme is of the same security level as the 4-way handshake protocol. (3) Performance analysis We implement the proposed scheme and measure its authentication delay. The topology of the testbed is shown in Figure 5, and the softwares and hardwares used are as follows. (1) STA One HP desktop (2.26GHz Core 2 Duo CPU and 2G RAM) is adopted as the STA, and its operation system is Linux Fedora 14 which kernel version is The wireless PC network card is TP-UNK TL_ WN550G 54M. The OpenSSL [13] is used for encryptions and decryptions whose version is openssl-1.0.0d. The wpa_supplicant [14] is adopted as the STA simulator which version is wpa_supplicant (2) AP One HP desktop (2.26GHz Core 2 Duo CPU and 2G RAM) acts as the AP, and its operation system is Linux Fedora 14 which kernel version is The wireless PC networks card is TP-UNK TL_ WN550G 54M. The same OpenSSL is installed. The hostapd [15] is adopted as the AP simulator which version is hostapd (3) AS The AS runs on a HP desktop (3.0GHz Core 2 Duo CPU and 2G RAM) and its operation system is UbuntulO.lO. The Fig. 6. ElaCElaaaaaaaaaaaaElaaaaaElaaaaaaaaaElaaaaaaaaaaaElaaaa trial Authentication delay comparison between EAP-TLS and OUf scheme TABLE PERFORMANCE COMPARSON BETWEEN EAP-TLS AND OUR SCHEME Authentication dejay(ms) freeradius [16] is adopted which version is freeradius-server , and the same OpenSSL is installed. We run the EAP-TLS (inbuilt in freeradius and wpa_supplicant) and our scheme for 50 times respectively, and measure their authentication delays (not including the scan time) and the results are shown in Figure 6. The average authentication delays of the EAP-TLS and our scheme are ms and ms respectively, and our scheme improves the authentication delay of the EAP-TLS by 94.7%. Table 1 shows the comparison between them. From the above analysis, it can be seen that the proposed protocol fulfills our design goal. V. CONCLUSON With the rapid increase of the WLAN-enabled mobile devices, the current WLAN security standard EEE i is challenged for its low efficiency. We point out that the essential reason leading to the inefficiency is that 802.1i is designed from the framework perspective which introduces too many message interactions. To overcome the drawback and meet the requirement of new applications, an efficient initial access authentication protocol is proposed, which takes just two roundtrip messages between the client and the networks to complete the authentications and key distribution between the STA, AP and AS. Analysis indicates that in security our scheme is same as the 4-way handshake protocol and the authentication delay is improved by 94.7% compared with the EAP-TLS. Moreover, in implementation a simple method is given that enables our scheme to be compatible with the i. ACKNOWLEDGMENT This work is partially supported by the Major national S&T program(2011zx ), National Natural Science Foundation of China(Ul135002,610n066,611n068, ), 1039

6 the Fundamental Research Funds for the Central Universities(JY , JY ), Program for New Century Excellent Talents in University(Grant No. NCET-ll- 0691). REFERENCES [1] EEE Standard nformation technology- Telecommunications and information exchange between systems-local and metropolitan area networks-specific equirements-part 11: Wireless LAN Medium Access Control and Physical Layer Specifications [2] EEE Standard b Higher-Speed Physical Layer Extension in the 2.4 GHz Band, Supplement to EEE Standard for nformation technology-telecommunications and information exchange between systems-local and metropolitan area networks-specific requirements-part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. September, [3] W. A. Arbaugh, N.Shankar, J. Wang. Your Network has no Clothes. n Proceedings of the First EEE nternational Conference on Wireless LANs and Home Networks, pages , D ecember, [4] N. Borisov,. Goldberg, D. Wagner. ntercepting mobile communications: the insecurity of n Proceedings of the 7th Annual nternational Conference on Mobile Computing and Networking, Rome, taly, July, [5] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson. RFC 3748: Extensible Authentication Protocol (EAP), June, 2004 [6] EEE Standard 802.1X EEE Standard for Local and metropolitan area networks-port-based Network Access Control. June, [7] C. Rigney, S. Willens, A. Rubens, W. Simpson. RFC 2865: Remote Authentication Dial n User Service (RADUS), June, [8] EEE P802.11i1DlO.0. Medium A ccess Control (MAC) Security Enhancements, Amendment 6 to EEE Standard for nformation technology Telecommunications and information exchange between systems-local and metropolitan area networks-specific requirements -Part 11: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications. April, [9] [10] B. Aboba, D. Simon. RFC 2716: PPP EAP TLS authentication protocol. October, [11] G. Zorn. RFC 2759: Microsoft PPP CHAP Extensions, Version 2, January, 2000 [12] A. Menezes, P. van Oorschot, S. Vanstone. Hand book of Applied Cryptography. CRC Press, 1996 [13] [14] [15] [16]