On the IEEE 802.11i security: a denial-of-service perspective


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2015; 8:
Published online 21 August 2014 in Wiley Online Library (wileyonlinelibrary.com)

REVIEW ARTICLE

On the IEEE 802.11i security: a denial-of-service perspective

Rajeev Singh 1* and Teek Parval Sharma 2
1 Govind Ballabh Pant University, Pantnagar, Udham Singh Nagar, Uttarakhand, India
2 National Institute of Technology, Hamirpur, Himachal Pradesh, India

ABSTRACT
The IEEE 802.11i standard provides authentication and security at the Medium Access Control layer in wireless local area networks (WLANs). It involves an authentication process followed by a four-way handshake to derive a key for securing data sessions. The standard is vulnerable to denial-of-service (DoS) attacks. These attacks often block the ongoing communication process and deprive legitimate users of service. They are easy to conduct while preserving the anonymity of the attacker. It is therefore imperative to understand the attacks on IEEE 802.11i-protected WLANs and their existing solutions, so that future research proposals and mitigations can be developed. This paper presents a review of DoS attacks and existing solutions pertaining to the IEEE 802.11i security standard. Copyright 2014 John Wiley & Sons, Ltd.

KEYWORDS
WLAN security; 802.11i; 802.1X; denial of service

*Correspondence
Rajeev Singh, Govind Ballabh Pant University, Pantnagar, Udham Singh Nagar, Uttarakhand, India. rajeevpec@gmail.com

1. INTRODUCTION
The use, utility, and popularity of wireless local area network (WLAN) technology are increasing day by day. This is attributed to easy access, ease of work, enhanced flexibility, sufficient bandwidth, and support for a large number of network applications. As the wireless medium is open to public access within a certain range, security is a concern. The research community and professional societies are working to make WLANs robust and secure.
The initial security protocol, Wired Equivalent Privacy (WEP), was the first effort in this direction and was used with IEEE 802.11 local area networks (LANs) for security purposes. The protocol has several deficiencies, such as the lack of a key management mechanism, the lack of an initialization vector (IV) generation mechanism, no replay protection, and a weak integrity-check mechanism. It is hence deprecated [1–4]. Wi-Fi Protected Access (WPA) is the second security solution for WLANs. WPA is a forward-compatible subset of the current security standard, IEEE 802.11i [5]. It required driver updates on the communicating nodes. The complete security standard, IEEE 802.11i [5] (also known as WPA2), which required firmware updates, came into existence in June 2004. IEEE 802.11i, the current standard, is used for establishing secure communication at the Medium Access Control (MAC) layer in WLANs. IEEE 802.11i security is mainly concerned with initial entity authentication, access control, and key management. For initial entity authentication and access control in large enterprises, 802.1X is used [6]. 802.1X grants access to the network after verifying the user's identity at the authentication server (AS). Initial entity authentication is carried out using an Extensible Authentication Protocol (EAP) method. A four-way handshake is performed after the initial entity authentication to derive a fresh session key. 802.1X blocks the wireless station's (STA) communication at the access point (AP) until the entire process of initial entity authentication and four-way handshake has completed successfully. After completion of 802.1X authentication and the handshake, regular data frame transmission follows. IEEE 802.11i protects data frames (encryption and message integrity code (MIC) calculation) using the Advanced Encryption Standard [7,8]. Despite the strong cryptographic protection, the standard is prone to several attacks and vulnerabilities [4,9–12], of which denial-of-service (DoS) attacks are the most prominent.
DoS attacks are those in which an attacker attempts to prevent users or other systems from accessing resources in a timely manner. These attacks are mainly motivated by monetary gain, self-actualization and boredom, revenge, and information warfare, and they may carry associated financial or intangible costs [13].

A WLAN AP, in general, has limited capacity and limited resources such as processing power and memory. Hence, an AP can easily fall prey to DoS attacks, as its queues can be choked and flooded by attack packets. The attacker can even keep the processor busy computing a large number of cryptographic primitives such as MIC verification, encryption/decryption, and so on. The DoS problem has remained unsolved in WLANs since their inception. As per [14–21], the DoS problem in WLANs is very much practical and not a wild cry. The easy availability of DoS attack tools and mechanisms worsens the situation. Several instances of WLAN DoS have been reported, for example, in gaming and poker events [22,23], in train operation disruption, in safety monitoring systems at a nuclear power plant, in bank ATMs, in car parking [24,25], and so on. The occurrence of these attacks has also been reported in various news outlets and forums [25–28]. Among WLAN security protocols, WEP and WPA make no provision against DoS attacks. IEEE 802.11i does not give enough priority to AP security because of computational limitations and in order to accommodate a large number of existing authentication methods. During initial entity authentication, the STA is authenticated to the AS only, not to the AP. Because of this, attacks like DoS pose a threat and deprive legitimate users of service [29]. Management frames such as authentication/association and deauthentication/disassociation remain unprotected and unauthenticated; that is, they are neither authenticated nor encrypted. This means that these unauthenticated STA frames can be used to mount a DoS attack. The first message of the four-way handshake is not protected; it can be used in DoS attacks to block the protocol.
IEEE 802.11w [30] was developed as a solution against DoS conducted using management frames, but it is not useful against all kinds of DoS attacks and in all phases of 802.11i [31,32]. Thus, no security protocol protects effectively against DoS attacks. This paper hence focuses mainly on DoS attacks and existing solutions that protect IEEE 802.11i security. This effort will help in providing insight into existing DoS solutions. It will also help in motivating researchers to develop novel and effective defenses against DoS attacks, leading to a strengthening of 802.11i security. The rest of the paper is divided into six sections. Section 2 provides a brief overview of the IEEE 802.11i protocol. Section 3 gives an insight into the existing DoS threats and attacks against 802.11i. Section 4 presents the existing solutions. Section 5 compares these solutions, while Section 6 provides discussion pertaining to these solutions. Section 7 provides conclusions and future directions.

2. OVERVIEW OF IEEE 802.11i
IEEE 802.11i executes Robust Security Network Association (RSNA) establishment procedures starting with network and security capability discovery. The discovery is performed via probe request/response or via periodic beacons. It is then followed by legacy authentication and association between STA and AP. A Robust Security Network (RSN) Information Element (IE) in the probe response and association request messages is used for negotiating the network capabilities between STA and AP. Completion of association places STA and AP in the associated state. After this, the 802.11i authentication is performed. IEEE 802.11i authentication specifies the pre-shared key and 802.1X as the two RSNA authentication mechanisms. The latter is preferred in large networks [33]. It defines three software entities: the supplicant, installed on the STA; the authenticator, installed on the AP; and the AS, which is a Remote Authentication Dial In User Service (RADIUS) server. EAP is utilized for STA authentication. Several EAP methods such as Kerberos, Lightweight EAP, Protected EAP, Transport Layer Security (EAP-TLS), and Tunneled TLS are available for this purpose. The default method is EAP-TLS, which is based upon digital certificate authentication.

EAP packets are encapsulated in Layer-2 frames (802.1X) between STA and AP, which is known as EAP over LAN (EAPOL), whereas between AP and AS they are encapsulated in RADIUS frames [33]. Completion of EAP authentication leads to the sharing of the Pairwise Master Key (PMK) at STA and AP. To confirm possession of the same PMK on both STA and AP, a four-way handshake is performed after the authentication process. The handshake also derives a fresh session key, the Pairwise Transient Key (PTK) [4,8,34]. The first message (4H1) of the handshake is sent by the AP. The message contains the AP MAC address (AA) and a nonce (ANonce). On receiving 4H1, the STA selects its own nonce (SNonce) and generates the PTK using a pseudorandom function (PRF). After generating the PTK, the STA sends the second message (4H2) of the handshake to the AP. The message contains the STA MAC address (SPA), the nonce (SNonce), and the RSN IE. As the AP now has both ANonce and SNonce, it also generates the same PTK. The third message (4H3), containing the RSN IE, confirms possession of the correct PTK by the AP. RSN IE verification through the 4H2 and 4H3 messages confirms the initial RSN IE negotiation. The fourth message (4H4), sent by the STA, acknowledges the receipt of 4H3 (at the STA) to the AP. The PTK derived in the four-way handshake is utilized for securing the data sessions between STA and AP using either the Temporal Key Integrity Protocol (TKIP) or Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP). The AP starts forwarding encrypted data packets after the successful handshake.

For the sake of convenience, we follow the naming convention for handshake messages of Park's scheme [34]. The symbol H denotes handshake. It is preceded by the handshake type, that is, 4 for four-way and 3 for three-way, and it is followed by the sequence number of the individual frame in the handshake; that is, the first message of a four-way handshake is denoted 4H1, and the second message 4H2. For a three-way handshake, the first message is 3H1.

Figure 1. DoS attacks in 802.11i: a classification. (Authentication/association: authentication request floods, association request floods. 802.1X authentication: DoS via EAPOL frames, exception-triggered DoS. Four-way handshake: flooding DoS using the first message of the handshake, DoS attack due to PTK inconsistencies, DoS attack due to RSN IE poisoning, handshake failure due to invalid MIC. Data communication: flooding DoS involving cryptographic calculations, DoS in TKIP. Disconnection procedure: deauthentication DoS, disassociation DoS.)

3. DoS ATTACKS IN IEEE 802.11i
In IEEE 802.11i, unauthenticated and unprotected management frames are a major source for conducting DoS attacks. The attacker utilizes the authentication (or association) frames for conducting flooding DoS attacks on the STA or AP [4,15–20,29,35,36]. In a Transition Security Network environment, the STA's request for RSNA, that is, for using 802.11i, may be denied by the attacker through forged AP beacons and probe responses. The EAP-based 802.11i authentication process itself is prone to DoS attacks; spoofed EAPOL frames are utilized for this purpose. The four-way handshake, also used for key-refreshing purposes, is prone to flooding DoS attacks conducted via the unprotected first message [4,37–45]. Handshake failure may also occur because of flaws in MIC handling, which the attacker can force [34]. RSN IE confirmation failure during the handshake, caused by poisoning of non-significant bits during negotiation, results in protocol blocking (due to disassociation) [4]. The attacker may even cause DoS by triggering successive Michael MIC failures [4]. During data transmission, the attacker may flood the receiver with frames bearing a wrong MIC, keeping the receiver busy verifying and discarding MICs. MIC verification requires time of the order of 1.5 ms [46]. This leads to computational DoS.
In summary, almost all phases of 802.11i are prone to DoS attacks, leading to DoS for the user. The availability of a large number of software tools makes the attacker's task easier. For obtaining network information, including the MAC address of the associated AP, tools such as Tcpdump [47], Wireshark [48] (formerly Ethereal), or Kismet [49] are utilized. Sniffing tools like Netstumbler [50], Dsniff [51], and so on are also useful for obtaining and analyzing network information. Spoofing and forging are the major methods used to cause DoS attacks. Tools like GNU MAC Changer [52], SpoofMAC [53], MAC address changer [54], and KisMAC [55] are utilized for spoofing, while for forging and injecting frames, tools like File2air [56] and Aireplay-ng [57] are utilized. DoS attacks can also be mounted against STAs by fake AP [58] and AirSnarf [59]. Management frame-based forging tools are the most common for causing DoS attacks. Automated tools like AirJack [60], Void11 [61], File2air [56], Aireplay-ng [57], and so on can be used to perform management frame-based DoS attacks against a victim. Tools are available even for cracking the security mechanism (Aircrack-ng [62]) and for causing the attack using encrypted packets (Packetforge-ng [63]). Considering the vulnerabilities and attack tools, we find that the primary reasons for the DoS threat in IEEE 802.11i are as follows: no authentication and no protection of management frames and EAPOL frames (frames used in the authentication process) [36], the unsecured 4H1 (the first four-way handshake frame), poisoning of the RSN IE, and the lack of proper authentication of data frames. We hence categorize DoS attacks into five categories, namely (i) DoS attacks in authentication and association, (ii) DoS attacks in EAP-based authentication, (iii) DoS attacks in the four-way handshake, (iv) DoS attacks in the data communication phase, and (v) DoS attacks in deauthentication and disassociation.

The Michael algorithm is TKIP's MIC calculation algorithm.
This categorization maps logically to the phases of the IEEE 802.11i standard and is shown in Figure 1.

3.1. DoS attacks in authentication and association
IEEE 802.11i adopted open authentication and association for the sake of backward compatibility. Open authentication does not involve the AS and is performed with authentication request and response management frames. Association follows authentication: the STA sends an association request to the AP. If the AP permits the STA to join the network, it sends a successful association response back to the station. Both authentication and association management frames are neither authenticated nor encrypted. As a result, these frames are easily spoofed by the attacker, enabling him to target the AP using repetitive authentication/association requests. A large volume of such requests is termed a request flood. The authentication request flood (AuthRF) is easy to conduct. Any STA can start the attack by sending a large number of fake authentication requests (Figure 2). For an association request flood (AssRF), the STA must be in the authenticated state so that the AP accepts the association requests (Figure 3). AssRF results in an overflow of the association table and blocking of the AP [17]. For conducting AuthRF and AssRF, the average attack rate considered is 250 management frames per second (the physical bandwidth required is less than 0.11 Mbps), which is sufficient to make the AP deny new Voice-over-Internet Protocol (VoIP) calls/Transmission Control Protocol (TCP) connections and stop servicing the active VoIP calls/TCP connections. Both AuthRF and AssRF attacks cause significant performance degradation, memory exhaustion, and communication disconnections. Thus, the legitimate STA is left with little or no connection to the wireless network [64]. In Figures 2 and 3, STA2 (Supplicant2) is deprived of AP services under the AuthRF and AssRF DoS attacks. In these attacks, the attacker needs to be equipped with a high-energy source, as the victim is under DoS only for the active attack period; that is, once the attacker stops the authentication/association requests, the AP starts processing the victim's requests. Void11 [61] is an automated tool used to execute an authentication/association flooding attack against the victim. It can even target many APs in a specific area if the attacker is equipped with a high-gain antenna [17,18]. If the AP receives an association/authentication request from an already associated client, then it starts a new connection, terminating the earlier connection.
The DoS attacker uses this fact to disrupt already associated STAs and deprive them of service.

3.2. DoS attacks in EAP-based authentication
Unprotected messages like EAPOL-Start, EAPOL-Failure, and EAPOL-Logoff in 802.1X authentication are used for conducting DoS attacks. Repetitive forged EAPOL-Start frames from an adversary can prevent 802.1X authentication. Forged EAPOL-Failure and EAPOL-Logoff frames are used to disconnect the supplicant midway, causing DoS [4,35,65–67]. Zhao et al. [68] presented the exception-triggered DoS attack in the TLS (the default EAP authentication method) handshake. In this attack, the attacker injects fake or misleading messages to trigger exception handling and bring down the whole protocol session.

Figure 2. Authentication DoS attack. (Supplicant1 exchanges an authentication request and response with the authenticator; the attacker floods the authenticator with authentication requests (AuthRF); Supplicant2's authentication request receives no response.)

Figure 3. Association DoS attack. (Supplicant1 completes authentication and association; the attacker, after authenticating, floods the authenticator with association requests (AssRF); Supplicant2 authenticates, but its association request receives no response.)

3.3. DoS attacks in the four-way handshake
The messages of the four-way handshake are embedded in EAPOL-Key frames of the IEEE 802.1X authentication protocol. The IEEE 802.11 MAC encapsulates these EAPOL-Key frames in data frames. Data frames received without a frame check sequence (FCS) error in WLANs are followed by the return of an acknowledgement (ACK). Also, the first frame (4H1) in the handshake is totally unprotected, while the other frames are protected by a MIC. Against this background, we discuss DoS attacks in the four-way handshake, categorized as flooding attacks, DoS due to PTK inconsistencies, RSN IE poisoning, and DoS due to MIC check failure.

3.3.1. Flooding DoS attack
An attacker causes a 4H1 flooding DoS attack (Figure 4) on the STA via a large number of forged 4H1s targeted at the STA. Each of these frames contains a different ANonce value (ANonce′, ANonce″, ..., ANonce_N). The STA is forced to calculate a new PTK (PTK′, PTK″, ..., PTK_N) every time it receives a forged 4H1. The new PTK and ANonce values overwrite the previous ones. Thus, the STA is kept busy calculating PTKs using the PRF, and hence CPU-utilization DoS results. If the STA stores ANonce and PTK without overwriting the previous ones, this may lead to memory exhaustion (Figure 4). CPU and memory exhaustion result in handshake blocking, hence a DoS attack. IEEE 802.11i provides a mechanism to calculate a temporary PTK (TPTK) after receiving 4H1 to overcome this. The TPTK is modified on reception of each new 4H1, leaving the PTK unaffected. The PTK is modified only after reception and verification of 4H3. The MIC at the supplicant is calculated using the TPTK, while 4H3 carries a MIC calculated using the PTK. Thus, if the TPTK is affected under an attack, a mismatch between the two will occur, resulting in MIC failure and hence failure of the four-way handshake.
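The following model, added here and not taken from the paper or any 802.11i implementation, contrasts a naive supplicant that installs (and retains) a PTK for every 4H1 with the TPTK handling described above, and drives both through a re-key in which unexpected 4H1s arrive after 4H2 (the situation of Figures 4 and 5). The PRF-384 and HMAC-SHA1 MIC follow 802.11i, but the EAPOL-Key body is reduced to a tag plus nonce, and the PMK, MAC addresses, and old session key are constructed values.

```python
import hashlib
import hmac
import os

LABEL = b"Pairwise key expansion"


def prf_384(pmk, aa, spa, anonce, snonce):
    """802.11i PRF-384: PTK = PRF(PMK, label,
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    out = b""
    for i in range(3):  # three 20-byte HMAC-SHA1 outputs cover the 48-byte PTK
        out += hmac.new(pmk, LABEL + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:48]


def eapol_mic(ptk, body):
    """EAPOL-Key MIC: HMAC-SHA1 under the KCK (first 16 bytes of the PTK), truncated to 16 bytes."""
    return hmac.new(ptk[:16], body, hashlib.sha1).digest()[:16]


class Authenticator:
    """AP side: issues 4H1, derives the PTK from 4H2, and signs 4H3 with that PTK."""

    def __init__(self, pmk, aa, spa):
        self.pmk, self.aa, self.spa = pmk, aa, spa
        self.anonce = os.urandom(32)
        self.ptk = None

    def msg1(self):
        return self.anonce

    def on_msg2(self, snonce, mic):
        self.ptk = prf_384(self.pmk, self.aa, self.spa, self.anonce, snonce)
        return hmac.compare_digest(mic, eapol_mic(self.ptk, b"Msg2" + snonce))

    def msg3(self):
        return self.anonce, eapol_mic(self.ptk, b"Msg3" + self.anonce)


class Supplicant:
    """STA side. use_tptk=False models a naive supplicant that installs (and keeps) a PTK
    for every 4H1; use_tptk=True models the 802.11i temporary-PTK handling."""

    def __init__(self, pmk, aa, spa, use_tptk, installed_ptk=None):
        self.pmk, self.aa, self.spa, self.use_tptk = pmk, aa, spa, use_tptk
        self.snonce = os.urandom(32)
        self.ptk = installed_ptk   # key protecting the current data session (re-key case)
        self.tptk = None
        self.stored = []           # (ANonce, PTK) pairs retained by the naive supplicant

    def on_msg1(self, anonce):
        key = prf_384(self.pmk, self.aa, self.spa, anonce, self.snonce)
        if self.use_tptk:
            self.tptk = key        # only the temporary slot changes; installed PTK untouched
        else:
            self.ptk = key         # installed key overwritten by every 4H1
            self.stored.append((anonce, key))
        return self.snonce, eapol_mic(key, b"Msg2" + self.snonce)

    def on_msg3(self, anonce, mic):
        key = self.tptk if self.use_tptk else self.ptk
        ok = hmac.compare_digest(mic, eapol_mic(key, b"Msg3" + anonce))
        if ok and self.use_tptk:
            self.ptk = self.tptk   # PTK committed only after 4H3 verifies
        return ok


def run_rekey(use_tptk, spurious_msg1s):
    """Run one re-key handshake in which `spurious_msg1s` unexpected 4H1s (a fresh ANonce
    each) arrive after the STA has sent 4H2. All key material here is constructed."""
    pmk = os.urandom(32)
    aa, spa = bytes.fromhex("0a0b0c0d0e0f"), bytes.fromhex("101112131415")
    old_ptk = os.urandom(48)   # PTK of the session being re-keyed
    ap = Authenticator(pmk, aa, spa)
    sta = Supplicant(pmk, aa, spa, use_tptk, installed_ptk=old_ptk)
    snonce, mic2 = sta.on_msg1(ap.msg1())
    ap.on_msg2(snonce, mic2)
    for _ in range(spurious_msg1s):
        sta.on_msg1(os.urandom(32))
    ok = sta.on_msg3(*ap.msg3())
    return {
        "handshake_ok": ok,
        "new_key_installed": sta.ptk == ap.ptk,
        "old_key_preserved": sta.ptk == old_ptk,
        "stored_pairs": len(sta.stored),
    }


if __name__ == "__main__":
    for tptk in (False, True):
        for n in (0, 3):
            print(f"tptk={tptk} spurious_4H1={n}: {run_rekey(tptk, n)}")
```

Both supplicants fail the handshake once a spurious 4H1 has replaced the key used to check 4H3, but only the TPTK supplicant keeps the old session key and a bounded amount of state.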
A PMK identifier (PMKID) and link layer data encryption (LLDE) were also introduced to counter the problem [38–41]. The PMKID is derived from the PMK, and hence only a legitimate authenticator can embed it in 4H1. But an attacker can spoof it after observing the actual authenticator's 4H1 packet and reuse it for DoS attacks. LLDE encrypts all but the first message of the four-way handshake, leaving 4H1 in the attacker's arsenal. Thus, the attacker can still cause a DoS attack by reusing 4H1 after it is sent by the authenticator.

3.3.2. DoS attack due to PTK inconsistency
An intelligent attacker observes the handshake flows. It launches the attack after the STA has sent 4H2 to the AP and is waiting for 4H3 (Figure 5). The attacker crafts a 4H1 (containing the spoofed AP address and the other values copied from the genuine 4H1) and sends it with a changed ANonce (ANonce′) value in the frame. On receipt of this forged frame, the STA calculates a new PTK (PTK′) and stores ANonce′. The STA soon receives the 4H3 frame for the ongoing session with the AP and tries to verify its MIC with the stored PTK′. The verification fails, and 4H3 is discarded by the STA. The AP sends 4H3 again, which is again discarded because of the differing PTK. After a timeout, the AP sends a deauthentication request to the STA. The STA re-authenticates and repeats the four-way handshake. The attacker follows the same timing and attack steps. Repetition of these steps again and again ultimately results in DoS to the STA [4,38–41,45].

3.3.3. DoS attack due to RSN IE poisoning
The RSN IE is meant for negotiating the authentication parameters, cipher suites, and other capabilities between the authenticator and supplicant. The authenticator embeds it in the beacon and in the probe response. The supplicant inserts it in the probe request. In order to confirm the authenticity of the RSN IE, RSN IE verification is performed at the supplicant after the 4H3 message and at the authenticator after the 4H2 message of the handshake.
The attacker can poison the RSN IE [4] (by changing insignificant bits of the RSN IE) such that initial authentication, association, and EAP authentication remain unaffected, while RSN IE verification during the handshake fails. This failure, due to poisoning by the attacker, leads to disassociation and hence blocking of the protocol (Figure 6). Such repetitive blocking results in a DoS attack. This attack succeeds for three reasons [4,38]. First, management frames are not protected. Second, the period between RSN IE negotiation and confirmation is long; many messages are exchanged and resources consumed in this interval. Third, the bit-wise comparison of the RSN IE is too strict.

Figure 4. Flooding DoS attack on the four-way handshake [39]. (The authenticator sends 4H1 with ANonce; the supplicant calculates and stores the PTK and ANonce and replies with 4H2 carrying SNonce and a MIC; the attacker sends repeated 4H1s with ANonce′, ANonce″, ...; the supplicant calculates and stores PTK′, PTK″, ... for each.)

Figure 5. DoS attack due to PTK inconsistencies [34,39]. (The authenticator sends 4H1 with ANonce; the supplicant calculates the PTK and replies with 4H2 (SNonce, MIC under PTK); the attacker sends 4H1 with ANonce′; the supplicant calculates PTK′ and replies with 4H2 (SNonce′, MIC under PTK′); the authenticator's 4H3 (ANonce, MIC under PTK) fails MIC verification under PTK′ and is discarded; after a timeout, the authenticator deauthenticates the supplicant.)

3.3.4. Failure of the four-way handshake due to invalid MIC
Consistency of the data frame during the handshake is checked via the FCS. An FCS failure at the MAC level is followed by data frame retransmission after a timeout interval (say t1). After successful FCS verification, the ACK is sent back to the sender while the frame itself is forwarded to the 802.1X supplicant (or authenticator), which decapsulates the EAPOL-Key frame from it. The MIC is now checked for the integrity and authenticity of the data in the EAPOL-Key frame. Its failure indicates that the frame was sent by an unauthorized party. It might also be due to a channel error undetected by the FCS or to an internal processing error. The attacker can exploit this fact and cause frequent MIC failures. The supplicant installs the PTK after sending 4H4 (4H4 is meant to acknowledge 4H3) and expects an encrypted data packet from the authenticator [34].
It might happen (or be intentionally caused by the attacker) that 4H4 passes the FCS check but fails the MIC check [34]. Because of this failure, the authenticator silently drops the 4H4 frame and sends the 4H3 frame again after a timeout interval (say t2). But the supplicant was expecting an encrypted frame; hence it discards this unencrypted second 4H3 (Figure 7). Further 4H3s are also discarded at the supplicant, resulting in unsuccessful termination of the handshake process. Repeated terminations crafted in this manner by the attacker may lead to DoS to the STA and AP.

Figure 6. DoS attack via RSN IE poisoning [4]. (The authenticator sends a beacon and probe response carrying its RSN IE (AA RSN IE); the attacker sends a forged beacon and probe response with a modified AA RSN IE; open authentication, association, and mutual EAP-TLS authentication proceed; 4H3 (Msg3, AA, ANonce, MIC under PTK, AA RSN IE) fails RSN IE confirmation at the supplicant, which disassociates.)

3.4. DoS attacks in data communication
3.4.1. Flooding DoS involving cryptographic calculations
A flooding-based DoS attack is possible on the AP or STA using encrypted data packets. Computing resources are consumed in decrypting the data packets. These packets do not contain any additional authentication information and hence depend upon decryption using the shared key for authentication. The verification (authentication) takes place only after decryption is complete. Packets that fail verification are dropped. The attacker utilizes this fact and sends a large number of fake encrypted data frames. A lot of AP computing power is wasted, and it may even lead to DoS to the regular nodes. This attack is also possible if, instead of authentication of frames via encryption, a MIC is used for frame authentication, as computational overhead is also involved in MIC calculation.

3.4.2. DoS in TKIP
TKIP uses the Michael algorithm for keyed MIC calculation. The Michael algorithm is subject to forgery after 2^19 attempts (20-bit security). TKIP implements a countermeasure to protect against such forgery attempts against the Michael algorithm by an adversary. The countermeasure treats the first detected Michael MIC failure as a security-relevant matter, while detection of a second failure within 60 s ceases transmission and reception for 60 s.
The authenticator could re-key or deauthenticate the supplicant during this period. The countermeasure opens a DoS vulnerability in which an adversary can send unsuccessful forgery attempts to cause two Michael MIC failures and shut down the connection. For this, the attacker has to intercept a packet with a valid TKIP sequence counter, modify the corresponding FCS and integrity-check value, and send a modified packet every 2 min [4,69].

3.5. DoS attacks in disconnection procedures
Deauthentication and disassociation management frames are used for supplicant and authenticator disconnection. An attacker can easily forge these frames by inserting spoofed MAC addresses and the service set identifier (SSID) of the network. Spoofing of these frames is possible because of the lack of authentication and protection. The deauthentication DoS attack is caused by sending forged deauthentication frames, while the disassociation DoS attack is caused by sending forged disassociation frames to the target. The disassociation DoS attack leaves the target in the authenticated state. Thus, the work performed by the target to undo the attack's effect is greater in the case of a deauthentication DoS attack than in a disassociation DoS attack [70–72]. The attack frames are sent successively so that the target receives another forged frame before it finishes fresh authentication and association (Figure 8). A high-rate attack blocks the target from using the network (DoS). These attacks can even target all the WLAN STAs using a single frame (Figure 8). All the WLAN STAs can be disconnected by setting the destination address of the attack frame to FF:FF:FF:FF:FF:FF (the broadcast address) [73,17]. Repetitive broadcast of the attack frame results in DoS to all STAs; hence, more attack impact is caused with minimum effort. Once the user becomes deauthenticated, the attacker may further mount damaging attacks like man-in-the-middle and session hijacking to take advantage of the situation [74].

Figure 7. MIC failure resulting in handshake failure [34]. (The authenticator sends 4H3 (Msg3, ANonce, MIC); the STA MAC layer returns an ACK; the supplicant sends 4H4 (Msg4, MIC), installs the PTK, and activates protection; 4H4 fails the MIC check at the authenticator and is dropped; after t2 the authenticator retransmits 4H3s, which the supplicant discards. t1: timeout set at the MAC layer; t2: timeout set at 802.1X.)

Figure 8. DoS attacks in disconnection procedures [70,72]. (Supplicant1 and Supplicant2 authenticate and associate with the authenticator; Attacker1 sends a disassociation request spoofing Supplicant1, which becomes disassociated; Attacker2 sends a broadcast "disassociate all" frame, leaving Supplicant2 disassociated as well.)

4. PROTECTION AGAINST DoS ATTACKS
We classify the solutions against DoS attacks (Figure 9) into four categories: (i) solutions that detect spoofing (spoof detection); (ii) solutions that protect management frames (including deauthentication/disassociation management frames); (iii) solutions that provide protection during the four-way handshake; and (iv) solutions that consider protection against deauthentication/disassociation DoS attacks. Category (iv) includes solutions that target only the attacks conducted via deauthentication/disassociation management frames.

4.1. Spoof detection
4.1.1. Use of Reverse Address Resolution Protocol
The use of the Reverse Address Resolution Protocol (RARP) to detect spoofing is discussed by Cardenas in [75]. A host can send a RARP request to the administrative host to find the associated Internet Protocol (IP) address, and the return of more than one IP address by the host indicates spoofing. The solution does not work if the attacker spoofs the IP along with the MAC address or if hosts in the network are permitted to use multiple IPs for the same network interface controller (NIC).

4.1.2. Radio-frequency fingerprinting/transceiver printing
To identify spoofing, Hall et al.
[76] utilized the unique hardware characteristics of a transceiver, which cannot be easily forged. It is a hardware-based solution that detects transceiver-print anomalies. A unique transceiver-print (the transient portion of a signal) is extracted when a transceiver is turned on. It is then bound to the MAC address of the transceiver (the profile of the transceiver). The stored profile is then used by the intrusion detection system (IDS) to detect the anomaly and hence spoofing. The IDS is supposed to maintain the fingerprints of all the nodes, which is a difficult task in WLANs because of node mobility.

4.1.3. Power hopping
Power hopping to prevent spoofing is proposed by Nagarajan et al. [77]. It refers to partitioning the power levels of the STA into k levels as follows:

$P = \{P_1, P_2, \ldots, P_k\}$, where $P_i \geq P_{\min}$.

Here, $P_{\min}$ is the minimum power required to transmit a packet from the STA to the AP. The power of the STA is changed to a random $P_i$ at each time interval $\Delta t_i$. The STA sends the packet at a different power level at each instant of time. The AP knows the power level at which the STA is sending, but the attacker does not. Hence, the attacker's spoofed packets are rejected at the AP. The entire solution is divided into an initialization phase and a power hop phase [77]. The former involves setting initial parameters using the received power and sent power of the AP beacons, STA authentication at the AP, and a Hypertext Transfer Protocol Secure session (for transferring the STA seed and power level set securely to the AP). In the power hop phase, the AP calculates the index (i) in

9 On the IEEE i security: a denial-of-service perspective R. Singh and T. P. Sharma Figure 9. DoS attack solutions in i: a classification. the power level set (the value at this index is referred to as Pi). AP matches this with the received STA power; a correct match indicates legitimate STA; else, it indicates spoofing. This method only filters attacker packets and will not prevent the attacker from masquerading a MAC address. The presence of noise can also affect the power received at the AP. Even though the STA is close to AP, it still has to transmit at a high power level, resulting in more energy consumption Use of sequence numbers for spoof control. Every frame has a sequence number (12 bits) starting from 0 to It is incremented by one each time a MAC Service Data Unit is sent. If the frame is fragmented, then its sequence number is kept the same, and its fragment number is incremented by 1. Wright et al. [78] have performed sequence number gap analysis and found that the packets with the same MAC address that differ in these sequence numbers by a large margin are spoofed. They neglected the case with small margin gaps. This may happen because of dropping of malformed frames or changing of transmit/receive channel. The solution has associated issues. First, a baseline of monitored MAC addresses and the sequence numbers in use need to be established at the IDS level. Second, if the client roams out of the range of the IDS and when the client returns back within range of the IDS, the sequence numbers that follow will appear anomalous because of the large gap in sequence values. For this, it is suggested that IDS invalidates the tracked sequence number pattern on detecting a delay of more than a few seconds between the receiving frames for the activity of a client, assuming that the client has roamed out of range or has reset its NIC card. Dasgupta et al. 
[79] used a fuzzy logic-based decision system (multilevel monitoring and detection system) to detect MAC address spoofing based on detection of sequence number anomaly. The collected spoofed sequence number traces are used to train the system. After training, the validation of effectiveness of the system is carried out by detection of new spoofing attacks. A sequence number can change because of lost frames, duplicated frames, and out-of-order frames. It is not clear that such fuzzy logic system can handle these cases. The system requires special devices and cannot be deployed at each node. Guo et al. [80] analyzed the patterns of sequence number change for a frame and proposed an algorithm. The algorithm defines the gap (G) between successive frame sequence numbers. The current frame is treated as a retransmitted frame or normal frame or frame under verification, depending upon the value of G for this frame. If the frame is under verification, then the result of verification determines whether the current frame under 1386 Security Comm. Networks 2015; 8: John Wiley & Sons, Ltd.

10 R. Singh and T. P. Sharma On the IEEE i security: a denial-of-service perspective verification is spoofed or not. For detecting spoofing, the algorithm is run at the monitor machine. Moreover, it is capable of only detecting the spoofing, not protecting against it. An adaptive threshold-based MAC layer filtering mechanism utilizing sequence numbers is presented in [81] by Zhang. The mechanism protects only the clients, not the AP Relationship-based detection. Li et al. [82] proposed two different families of relationships for detecting spoofing. These families do not require explicit use of cryptographic material and are thus suitable for scenarios where the maintenance of keying material is not practical (ad hoc and sensor networks).the first family uses monotonicity of the sequence number field in transmitted packets, while the second family involves the implicit transmission and reception properties associated with the distribution of interarrival time between packets. A forge-resistant consistency check detector is used to identify the anomalous behavior resulting from the spoofing of another node s identity using these relationships. The detector discriminates between various normal, non-adaptive spoofed, and adaptive spoofed traffic patterns. Normal patterns may have occasional packet loss, non-adaptive patterns are ones where adversaries will blindly spoof the MAC address of a device without adjusting their sequence numbers, and adaptive patterns are ones where adversaries will spoof a MAC address of a device along with usage of previously observed sequence numbers to adapt their sequence number field. In order to facilitate multi-level classification, the detector is augmented with a measurement of the threat severity (benign, low spoofing, and more severe spoofing). The solution needs separate monitoring devices for monitoring the abnormalities. It can detect spoofing but cannot prevent it [82,83] Detecting detectors. 
Various IDS [84] utilize a signature/fingerprint database to detect LAN discovery and DoS attacks. The tactics and strategies used by the attack tools are analyzed, compared, and updated in the database. Constant updating of the database is required for effectiveness in such a system.

Specification-based IDS. A specification-based IDS is proposed by Smith et al. [24]. The system constructs a state transition model and configures it on a wireless sensor. Every frame in the network is evaluated against the specifications (constraints) by the sensor. An alert is raised on violation, and it is used to identify the DoS attack (malicious activity). The system has the drawback that an attack caused by actions that do not violate the state transition model remains unidentified. Moreover, a violation of the specification may be due to legitimate frames.

Triggering mechanism protection. Zhao et al. [68] proposed a twofold symptom check approach to detect exception-triggered DoS attacks. The first symptom check looks for multiple (contradictory) response messages in the same state of the protocol's state machine. The second looks for abnormal protocol termination. The occurrence of these symptoms many times in a certain time interval indicates an attack. As an improvement against these attacks, a strategy is adopted where, in case of conflicting messages, the one having the consequence of least cost is selected while the other is delayed. This strategy is not very effective, as a smart attacker may utilize the countermeasure itself for new attacks.

Protecting management frames

Spoofed and unprotected management frames are a major source of DoS attacks against the 802.11i security mechanism. Protecting the authentication messages and association messages is one of the major and difficult requirements for a secure solution that is resistant against DoS attacks.
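Before turning to the management-frame solutions, the sequence number gap analysis of Wright et al. [78] (with the idle-timeout reset they suggest) and the retransmitted/normal/under-verification classification of Guo et al. [80] from the spoof detection section above, applied to a trace that includes a spoofed deauthentication frame of the kind this section is concerned with. This is an added example in Go, not code from the paper or from any cited work; the gap threshold, the idle timeout and the frame trace are assumed/constructed values.

```go
package main

import "fmt"

// Frame is a constructed, minimal view of an 802.11 frame as a monitoring IDS
// sees it: transmitter MAC, frame subtype, 12-bit sequence number, capture time.
type Frame struct {
	MAC     string
	Subtype string  // "data", "deauth", ...
	Seq     int     // 0..4095
	Time    float64 // seconds since the start of the capture
}

// Parameters assumed for this example; the cited papers do not fix them.
const (
	seqModulus   = 4096 // 12-bit sequence number space
	gapThreshold = 10   // forward gaps above this are treated as spoofs
	idleReset    = 5.0  // seconds of silence after which a baseline is dropped
)

type track struct {
	lastSeq  int
	lastTime float64
}

// Detector keeps the per-MAC baseline (last accepted sequence number and its
// time) that Wright et al. say the IDS has to establish.
type Detector struct {
	baseline map[string]*track
}

func NewDetector() *Detector { return &Detector{baseline: map[string]*track{}} }

// gap is the forward distance from a to b in the wrapping 12-bit space, so a
// spoofed frame "behind" the real station also shows up as a large gap.
func gap(a, b int) int { return ((b-a)%seqModulus + seqModulus) % seqModulus }

// Classify labels one frame as baseline, normal, retransmit or spoof. The
// baseline advances only on frames judged legitimate, so a spoofed frame
// cannot drag it along (Guo et al.'s "frame under verification" case).
func (d *Detector) Classify(f Frame) string {
	t, ok := d.baseline[f.MAC]
	// Invalidate the tracked pattern after a long idle period: the client may
	// have roamed out of range or reset its NIC (Wright et al.).
	if ok && f.Time-t.lastTime > idleReset {
		delete(d.baseline, f.MAC)
		ok = false
	}
	if !ok {
		d.baseline[f.MAC] = &track{lastSeq: f.Seq, lastTime: f.Time}
		return "baseline"
	}
	g := gap(t.lastSeq, f.Seq)
	switch {
	case g == 0:
		t.lastTime = f.Time // 802.11 retry of the previous frame
		return "retransmit"
	case g <= gapThreshold:
		t.lastSeq, t.lastTime = f.Seq, f.Time
		return "normal"
	default:
		return "spoof" // large jump in either direction; baseline untouched
	}
}

// sampleFrames is a constructed trace for one station: normal progress with a
// retry and a 4095 -> 0 wrap, an injected deauthentication frame carrying the
// station's MAC but an unrelated sequence number, and a return after roaming.
var sampleFrames = []Frame{
	{"aa:bb:cc:dd:ee:01", "data", 4093, 0.00},
	{"aa:bb:cc:dd:ee:01", "data", 4094, 0.10},
	{"aa:bb:cc:dd:ee:01", "data", 4094, 0.11},
	{"aa:bb:cc:dd:ee:01", "data", 4095, 0.20},
	{"aa:bb:cc:dd:ee:01", "data", 0, 0.30},
	{"aa:bb:cc:dd:ee:01", "deauth", 2900, 0.35},
	{"aa:bb:cc:dd:ee:01", "data", 1, 0.40},
	{"aa:bb:cc:dd:ee:01", "data", 700, 9.00},
	{"aa:bb:cc:dd:ee:01", "data", 701, 9.10},
}

// RunSample classifies the constructed trace in order and returns the verdicts.
func RunSample() []string {
	d := NewDetector()
	verdicts := make([]string, 0, len(sampleFrames))
	for _, f := range sampleFrames {
		verdicts = append(verdicts, d.Classify(f))
	}
	return verdicts
}

func main() {
	for i, v := range RunSample() {
		f := sampleFrames[i]
		fmt.Printf("t=%.2f %-6s seq=%4d -> %s\n", f.Time, f.Subtype, f.Seq, v)
	}
}
```

The injected deauthentication frame is flagged while the station's own next frame (sequence 1) is still accepted, and the frame at t=9.00 re-establishes the baseline instead of being reported, which is the roaming case Wright et al. describe.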
MAC address filtering and traffic pattern filtering (TPF) are discussed in [20] for protecting against AuthRF and AssRF. The former is based on the AP control table. If the received client MAC address matches one in the AP table, the received authentication request is processed; otherwise, the request is dropped. In the latter, if the sender of the received association request frame exists, the request is processed; else, the TPF mechanism is used. In TPF, if the number of authentication or association request frames received per second is greater than five, the association requests will be dropped; else, they will be processed. These schemes are validated by Malekzadeh et al. [85]. They are not suitable for a big enterprise environment, and also the MAC address of every STA is difficult to add, owing to the mobility of the STA. We discuss next the solutions that protect not only authentication/association management frames but also deauthentication/disassociation management frames.

Cryptographic MIC based. The IEEE 802.11w [30] standard provides protection against authentication/association requests in an existing connection and against deauthentication/disassociation DoS attacks. It includes a cryptographic MIC to protect against spoofed requests and spoofed deauthentication/disassociation frames. The cryptographic MIC is calculated using the secret key shared between AP and STA. Only legitimate requests are accepted because of the correct MIC, and spoofed requests are discarded (Figure 10). 802.11w has drawbacks [31,32]. First, it can be used only if we are using WPA and WPA2. Second, it does not consider other DoS attacks like EAP spoofing, request flooding, and so on. Third, threats from unmanaged devices like rogue APs and MAC spoofing of STA and AP are also outside the scope of 802.11w. A similar cryptographic MIC-based solution is proposed by Malekzadeh et al. [86] to protect management frames. Because of their similarity, it is not discussed separately. Martinovic et al. [87] also tried to provide cryptographic protection to management frames. The solution involves early MAC address binding with the Diffie-Hellman key obtained through public key cryptography. The solution has the drawback that an attacker can also evaluate the Diffie-Hellman key for crafting a computation DoS attack on the AP.

[Figure 10. IEEE 802.11w, DoS protection using MIC [30]. Labels: Legacy Deauth/Disass. Request (MIC); Spoofed Deauth/Disass. Request (MIC).]

Authentication before association. Performing 802.1X authentication before association yields the shared key to be used for authentication/encryption of management frames. He et al. [4] proposed this functionality in their improved 802.11i version for overcoming the DoS attacks conducted via management frames. The 802.1X authentication is a complex process, and it involves communication and computation overheads. Performing 802.1X authentication before association will open another avenue of DoS attack, as the attacker will intentionally cause failures in 802.1X authentication between STA and AP, leading to unsuccessful associations and hence DoS. Performing it before association will also involve delays in association, which may cause problems in time-critical applications. The proposal of He et al. [4] will be successful when, instead of 802.1X authentication, some other lightweight and secure authentication is performed before association. DiscoSec [88] is one such lightweight service pack for patching WLANs. It provides an authentication mechanism for authenticating the management frames. The AP has a precomputed private key ($K_{AP}$) and corresponding public key ($PK_{AP}$) pair generated using the elliptic curve (EC) cryptosystem. EC parameters ($EC_{Param}$) define an EC over a finite field. The AP uses the public key ($PK_{AP}$) for its current STA session. The AP sends $PK_{AP}$, $EC_{Param}$, and an association token (AT) to the STA in the authentication request:

$\mathrm{AP} \rightarrow \mathrm{STA}: \{PK_{AP}, EC_{Param}, AT\}$

The STA generates its own key ($K_{STA}$) and public key ($PK_{STA}$) pair.
It then utilizes its key ($K_{STA}$) and the extracted public key ($PK_{AP}$) of the AP for generating the master key (MK) using the EC Diffie-Hellman (ECDH) key algorithm. The AT is a random nonce, used along with MK to evaluate the fresh session key SK as

$MK_{STA} = \mathrm{ECDH}\{K_{STA}, PK_{AP}\}$

$SK_{STA} = \mathrm{SHA\text{-}256}\{MK, AT\}$

The STA now responds to the authentication request by putting $PK_{STA}$ and AT in the response frame for the AP:

$\mathrm{STA} \rightarrow \mathrm{AP}: \{PK_{STA}, AT\}$

The AP calculates its MK using the ECDH key generation algorithm and SK using MK and the selected AT as

$MK_{AP} = \mathrm{ECDH}\{PK_{STA}, K_{AP}\}$

$SK_{AP} = \mathrm{SHA\text{-}256}\{MK, AT\}$

To make the scheme resilient against computation and memory DoS attacks, rate limitation of key exchange requests is proposed. The AP either broadcasts or sends a pregenerated pool of random numbers ($\Theta_t$) to the STA. The STA selects one of the numbers (this acts as the AT) from the random number set received from the AP. This AT is then returned in the response frame to the AP. If the number is not used by any other STA, then the key generation proceeds. In this way, the flood of messages causing DoS attacks on the AP is restricted. The scheme only reduces the DoS attack effect but does not eliminate it. DiscoSec's association rate control mechanism to counter DoS is not very effective because of the lack of authentication. Any STA that is able to generate a large number of fake MAC addresses and that captures a large number of random numbers can block genuine users. The Detect and Reduce DoS Attack (DRDA) scheme [89] utilizes the DiscoSec concept and provides authentication before association. It is also less complex and less resource consuming compared with 802.1X authentication. It detects and reduces authentication and association flooding DoS, deauthentication and disassociation flooding DoS, and DoS on AP/AS. It uses the AS for DoS protection, and hence, extra message communication between AP and AS under DoS is involved.
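The DiscoSec key agreement and association-token rate limit described above, run end to end as an added example in Go (this is not DiscoSec's code and not code from the paper): the curve (P-256 through Go's crypto/ecdh, standing in for EC_Param), the 16-byte token length and the pool size of four are assumptions, and the second station that reuses an already consumed AT is a constructed case showing where the AP drops the request before doing any ECDH work.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// curve stands in for the paper's EC_Param. P-256 is an assumption; the text
// above does not name the curve DiscoSec uses.
var curve = ecdh.P256()

func newKey() *ecdh.PrivateKey {
	k, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// shared computes MK by ECDH from an own private key and the peer's encoded public key.
func shared(priv *ecdh.PrivateKey, peer []byte) []byte {
	pub, err := curve.NewPublicKey(peer)
	if err != nil {
		panic(err) // malformed peer key: abort this example
	}
	mk, err := priv.ECDH(pub)
	if err != nil {
		panic(err)
	}
	return mk
}

// deriveSK is SK = SHA-256{MK, AT}, computed identically on both sides.
func deriveSK(mk, at []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, mk...), at...))
	return sum[:]
}

// AP holds its precomputed pair (K_AP, PK_AP) and the token pool Theta_t; used[i] records whether token i was consumed.
type AP struct {
	priv *ecdh.PrivateKey
	Pool [][]byte // tokens the AP broadcasts or sends to STAs
	used []bool
}

func NewAP(poolSize int) *AP {
	ap := &AP{priv: newKey(), Pool: make([][]byte, poolSize), used: make([]bool, poolSize)}
	for i := range ap.Pool {
		ap.Pool[i] = make([]byte, 16) // 128-bit random nonce; the length is an assumption
		if _, err := rand.Read(ap.Pool[i]); err != nil {
			panic(err)
		}
	}
	return ap
}

// Complete processes STA -> AP {PK_STA, AT}. The AT must come from the pool and
// must not have been consumed already; otherwise the request is dropped before ECDH.
func (ap *AP) Complete(pkSTA, at []byte) ([]byte, error) {
	for i, t := range ap.Pool {
		if bytes.Equal(t, at) && !ap.used[i] {
			ap.used[i] = true
			mk := shared(ap.priv, pkSTA) // MK at the AP = ECDH{PK_STA, K_AP}
			return deriveSK(mk, at), nil
		}
	}
	return nil, errors.New("AT unknown or already used: request dropped")
}

// STA holds (K_STA, PK_STA).
type STA struct{ priv *ecdh.PrivateKey }

func NewSTA() *STA { return &STA{priv: newKey()} }

// Respond builds the STA -> AP message {PK_STA, AT} and the STA's copy of SK.
func (s *STA) Respond(pkAP, at []byte) (pkSTA, sk []byte) {
	mk := shared(s.priv, pkAP) // MK at the STA = ECDH{K_STA, PK_AP}
	return s.priv.PublicKey().Bytes(), deriveSK(mk, at)
}

// Exchange runs one legitimate handshake, then lets a second station reuse the
// same AT. It reports whether AP and STA agreed on SK and whether the reuse was refused.
func Exchange() (skAgreed, reuseRefused bool) {
	ap := NewAP(4)
	pkAP := ap.priv.PublicKey().Bytes() // sent in the AP -> STA request
	at := ap.Pool[0]                    // the STA selects one token from Theta_t
	pkSTA, skSTA := NewSTA().Respond(pkAP, at)
	skAP, err := ap.Complete(pkSTA, at)
	if err != nil {
		panic(err)
	}
	// A second station presenting the consumed AT is dropped before any ECDH work.
	pkOther, _ := NewSTA().Respond(pkAP, at)
	_, err = ap.Complete(pkOther, at)
	return bytes.Equal(skAP, skSTA), err != nil
}

func main() { fmt.Println(Exchange()) }
```

The pool check is the only thing standing between a flood of responses and the AP's ECDH computation, which is why the text notes that a station able to capture many tokens under many fake MAC addresses can still exhaust the pool and block genuine users.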
A cryptographic link layer frame protection using public key cryptography is proposed in [90]. The method provides dummy authentication (one where user authentication is not performed) as a complement to open-system authentication in WLANs. The frames used for dummy authentication can be manipulated and spoofed; even the session keys can be compromised easily. Use of cryptographic operations in the authentication phase and for frame protection involves cost. Lee et al. [91,92] proposed a puzzle-based WLAN authentication solution. Other puzzle-based solutions are also proposed [93,94]. These only help under authentication and association floods. Also, these do not provide frame-level authentication and are prone to DoS attacks.

Random bit authentication of management frames. Random bit authentication methods [95-100] are generally lightweight and hence the most suitable authentication methods against DoS attacks. These provide less security as compared with the existing security of the 802.11i standard. We categorize these schemes into two categories: 1-bit and 3-bit authentication schemes. The first category of schemes provides 1-bit identity authentication per frame to the authorized communicating party (the one with the shared secret key). These schemes enjoy less communication overhead and provide continuous authentication (hence, they are suitable for mobility scenarios). As only 1 bit is utilized for authentication, the chance of an attacker guessing the authentication bits is quite high (50%). This also makes them vulnerable to DoS attacks. These schemes differ in their authentication bit synchronization methods. The Statistical One-bit Lightweight Authentication (SOLA) synchronization scheme involves incrementing the authentication bit stream of both sender and receiver to the next opposite bit plus 1, in case of nonsynchronization [95,96]. Wang's scheme [97] takes less time to stabilize in case of nonsynchronization, as resynchronization is performed only by the sender in its authentication bit stream. This fact may be utilized by an attacker who can modify or replay the receiver's response to confuse the sender. This may lead the sender to resynchronize unnecessarily; in the worst case, the sender may be busy most of the time. The system also does not differentiate between the instances when the system is in nonsynchronization because of packet loss or because the attacker is utilizing a long authentication stream of 0s or 1s. Keeping in view the synchronization issues, Wang et al. [98] later came up with three approaches manipulating the pointer movement in the authentication bit streams. They also statistically determined the authenticity of a mobile node. The schemes in [97,98] provide authentication but do not address confidentiality (packet encryption), integrity, and key management. The number of synchronization runs in both schemes varies in accordance with the difference (distance) between the communicating parties' authentication bit strings. The performance of these schemes decreases with an increase in the number of synchronization runs. It is also possible that the authentication bit stream may lose synchronization by itself [99]. An enhancement to the Wang scheme is carried out by Ren et al. [99] (second category of schemes). Their scheme decreases the attack probability by utilizing more bits (3 bits) for authentication at the MAC layer. It is compatible with the existing frame structure of WLANs. The scheme only detects the attacks by using a statistical method but does not provide any confidentiality, integrity, or key management. For these issues, it depends upon higher-layer measures (like IPsec at the network layer). Its major drawback is the fact that it does not authenticate the ACK frames. An attacker with false synchronization information (wrong value of counter) in an ACK failure can easily fool the sender. The chance that the sender and receiver are nonsynchronized and the 3-bit authentication (stuffed by the attacker) still matches is 1/8 (0.125). Lee et al. [100] also propose a similar random bit authentication. They consider protection only against DoS attacks conducted via management frames. Out of eight spoofed packets, the success rate of an attacker is again 1/8 (0.125). The lightweight random bit authentication schemes discussed raise the issue of authentication bit synchronization, which is important in WLANs as packets might become lost or tampered with frequently.
The attacker's chances are also quite high in these schemes, as a small number of bits is involved in authentication. Most importantly, most of these do not involve encryption or protection of the authentication bit streams or data packets. Thus, none of these schemes provide a secure authentication solution.

Pseudorandom number authentication. Synchronized pseudorandom number generation [101] is a symmetric key-based authentication protocol that tries to prevent replay attacks and avoids key reuse. Both the sender and the receiver are synchronized and generate their pseudorandom numbers, which are used as authenticator variables. These are also utilized as a unique encryption key for each data frame. The synchronization process is prone to DoS attacks. A sufficient number of authentication errors may result in session termination, reassociation, and re-establishment of the synchronization counters. DoS can even be conducted by changing the counter values such that they become different from those of the receiver. The pseudorandom numbers generated in the scheme depend only upon previous pseudorandom numbers. This can compromise the entire sequence generated thereafter. A pseudorandom number authentication mechanism proposed by Khan et al. [102] identifies 16 bits in the common 32-bit FCS field of the management and control frames for placing the pseudorandom number for frame authentication. It generates a pseudorandom number by including previous sequence numbers inside the PRF. This ensures that a change in input corresponds to a maximum change in the output value of the pseudorandom number. The scheme is not robust against DoS attacks that are conducted before the PTK generation. It also does not consider DoS attacks within the authentication process itself.

Central manager approach. The central manager (CM) approach [65,66] uses the AS to centrally manage the APs and STAs in order to protect APs from DoS attacks.
The AP processes the management frames only when instructed by the CM. For this purpose, the CM maintains three tables: the first for AP-related information and the number of authenticated and unauthenticated clients, the second to contain the AP's authenticated clients' MAC addresses and logout and login information, and the third to contain the AP's unauthenticated clients. The DoS attacks


Preventing wireless deauthentication attacks over Networks

Preventing wireless deauthentication attacks over Networks Preventing wireless deauthentication attacks over 802.11 Networks Ananay Arora Attribution under NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) ( https://creativecommons.org/licenses/by-nc-sa/4.0/

More information

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake

Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake Denial-of-Service Attacks Against the 4-way Wi-Fi Handshake ABSTRACT Mathy Vanhoef and Frank Piessens imec-distrinet, KU Leuven firstname.lastname@cs.kuleuven.be Having a secure implementation of the 4-way

More information

Wireless Security Security problems in Wireless Networks

Wireless Security Security problems in Wireless Networks Wireless Security Security problems in Wireless Networks Security of Wireless Networks Wireless networks are everywhere more and more electronic devices are becoming wireless However, ensuring security

More information

How Insecure is Wireless LAN?

How Insecure is Wireless LAN? Page 1 of 7 How Insecure is Wireless LAN? Abstract Wireless LAN has gained popularity in the last few years due to its enormous benefits such as scalability, mobile access of the network, and reduced cost

More information

FAQ on Cisco Aironet Wireless Security

FAQ on Cisco Aironet Wireless Security FAQ on Cisco Aironet Wireless Security Document ID: 68583 Contents Introduction General FAQ Troubleshooting and Design FAQ Related Information Introduction This document provides information on the most

More information

Security in IEEE Networks

Security in IEEE Networks Security in IEEE 802.11 Networks Mário Nunes, Rui Silva, António Grilo March 2013 Sumário 1 Introduction to the Security Services 2 Basic security mechanisms in IEEE 802.11 2.1 Hidden SSID (Service Set

More information

Hooray, w Is Ratified... So, What Does it Mean for Your WLAN?

Hooray, w Is Ratified... So, What Does it Mean for Your WLAN? Global Leader in Wireless Security Hooray, 802.11w Is Ratified... So, What Does it Mean for Your WLAN? A Brief Tutorial on IEEE 802.11w Gopinath K N and Hemant Chaskar AirTight Networks www.airtightnetworks.com

More information

(2½ hours) Total Marks: 75

(2½ hours) Total Marks: 75 (2½ hours) Total Marks: 75 N. B.: (1) All questions are compulsory. (2) Makesuitable assumptions wherever necessary and state the assumptions made. (3) Answers to the same question must be written together.

More information

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo Vendor: HP Exam Code: HP2-Z32 Exam Name: Implementing HP MSM Wireless Networks Version: Demo QUESTION 1 A network administrator deploys several HP MSM APs and an HP MSM Controller. The APs discover the

More information

Table of Contents X Configuration 1-1

Table of Contents X Configuration 1-1 Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-2 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-3 EAP over LAN 1-4 EAP over RADIUS 1-5 802.1X Authentication

More information

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018 KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Nullcon, 2 March 2018 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that s secure? Seems so! No attacks

More information

Configuring the Client Adapter through the Windows XP Operating System

Configuring the Client Adapter through the Windows XP Operating System APPENDIX E through the Windows XP Operating System This appendix explains how to configure and use the client adapter with Windows XP. The following topics are covered in this appendix: Overview, page

More information

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018 KRACKing WPA2 in Practice Using Key Reinstallation Attacks Mathy Vanhoef @vanhoefm BlueHat IL, 24 January 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Lessons learned

More information

The security of existing wireless networks

The security of existing wireless networks Security and Cooperation in Wireless Networks Cellular networks o o GSM UMTS WiFi LANs Bluetooth Security in Wireless Networks Wireless networks are more vulnerable to security issues: Broadcast communications

More information

An Integrated Scheme for Intrusion Detection in WLAN +

An Integrated Scheme for Intrusion Detection in WLAN + An Integrated Scheme for Intrusion Detection in WLAN + Dong hil Kim, Seok Joo Koh and Sang Wook Kim Department of Computer Science, Kyungpook National University, Korea {dpkim, sjkoh, swkim}@cs.knu.ac.kr

More information

Ju-A A Lee and Jae-Hyun Kim

Ju-A A Lee and Jae-Hyun Kim Ju-A A Lee and Jae-Hyun Kim Wireless Information & Network Engineering Research Lab, Korea {gaia, jkim}@ajou.ac.kr Abstract. IEEE 802.11i standard supports a secure access control for wireless LAN and

More information

Wireless Security i. Lars Strand lars (at) unik no June 2004

Wireless Security i. Lars Strand lars (at) unik no June 2004 Wireless Security - 802.11i Lars Strand lars (at) unik no June 2004 802.11 Working Group 11 of IEEE 802 'Task Groups' within the WG enhance portions of the standard: 802.11 1997: The IEEE standard for

More information

Link Security A Tutorial

Link Security A Tutorial Link Security A Tutorial Fortress Technologies, Inc. Slide 1 Five basic security services Data confidentiality Data integrity Access control and access rights Authentication/Roaming Non-repudiation These

More information

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017 KRACKing WPA2 by Forcing Nonce Reuse Mathy Vanhoef @vanhoefm Chaos Communication Congress (CCC), 27 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure that

More information

Section 4 Cracking Encryption and Authentication

Section 4 Cracking Encryption and Authentication Section 4 Cracking 802.11 Encryption and Authentication In the previous section we showed the vulnerabilities of Open Wireless LANs. In this section we ll show some of the techniques and tools used to

More information

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018

Wi-Fi Security for Next Generation Connectivity. Perry Correll Aerohive, Wi-Fi Alliance member October 2018 Perry Correll Aerohive, Wi-Fi Alliance member October 2018 1 Value of Wi-F1 The value Wi-Fi provides to the global economy rivals the combined market value of Apple Inc. and Amazon. The fact that Wi-Fi

More information

Wireless# Guide to Wireless Communications. Objectives

Wireless# Guide to Wireless Communications. Objectives Wireless# Guide to Wireless Communications Chapter 8 High-Speed WLANs and WLAN Security Objectives Describe how IEEE 802.11a networks function and how they differ from 802.11 networks Outline how 802.11g

More information

Fast and Secure Initial Access Authentication Protocol for Wireless LANs

Fast and Secure Initial Access Authentication Protocol for Wireless LANs American Journal of Engineering Research (AJER) e-issn : 2320-0847 p-issn : 2320-0936 Volume-03, Issue-08, pp-284-294 www.ajer.org Research Paper Open Access Fast and Secure Initial Access Authentication

More information

A Secure Wireless LAN Access Technique for Home Network

A Secure Wireless LAN Access Technique for Home Network A Secure Wireless LAN Access Technique for Home Network *Ju-A Lee, *Jae-Hyun Kim, **Jun-Hee Park, and **Kyung-Duk Moon *School of Electrical and Computer Engineering Ajou University, Suwon, Korea {gaia,

More information

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday) HW/Lab 4: IPSec and Wireless Security CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday) This HW/Lab assignment covers Lectures 8 (IPSec) and 10 (Wireless Security). Please review these

More information

Network Security. Thierry Sans

Network Security. Thierry Sans Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability

More information

Managing Rogue Devices

Managing Rogue Devices Information About Rogue Devices, page 1 Configuring Rogue Detection (GUI), page 5 Configuring Rogue Detection (CLI), page 8 Information About Rogue Devices Rogue access points can disrupt wireless LAN

More information

Configuring Management Frame Protection

Configuring Management Frame Protection Information About Management Frame Protection, page 1 Restrictions for Management Frame Protection, page 3 (GUI), page 3 Viewing the Management Frame Protection Settings (GUI), page 3 (CLI), page 4 Viewing

More information

WIDS Technology White Paper

WIDS Technology White Paper Technical white paper WIDS Technology White Paper Table of contents Overview... 2 Background... 2 Functions... 2 Rogue detection implementation... 2 Concepts... 2 Operating mechanism... 2 Operating modes...

More information

NETWORK SECURITY. Ch. 3: Network Attacks

NETWORK SECURITY. Ch. 3: Network Attacks NETWORK SECURITY Ch. 3: Network Attacks Contents 3.1 Network Vulnerabilities 3.1.1 Media-Based 3.1.2 Network Device 3.2 Categories of Attacks 3.3 Methods of Network Attacks 03 NETWORK ATTACKS 2 3.1 Network

More information

A Configuration Protocol for Embedded Devices on Secure Wireless Networks

A Configuration Protocol for Embedded Devices on Secure Wireless Networks A Configuration Protocol for Embedded Devices on Secure Wireless Networks Larry Sanders lsanders@ittc.ku.edu 6 May 2003 Introduction Wi-Fi Alliance Formally Wireless Ethernet Compatibility Alliance (WECA)

More information

Wireless LAN Security (RM12/2002)

Wireless LAN Security (RM12/2002) Information Technology in Education Project Reference Materials Wireless LAN Security (RM12/2002) Infrastructure Division Education Department The Government of HKSAR www.ited.ed.gov.hk December 2002 For

More information

Mobile Security Fall 2013

Mobile Security Fall 2013 Mobile Security 14-829 Fall 2013 Patrick Tague Class #6 More WiFi Security & Privacy Issues WiFi Security Issues A Scenario Internet Open AP SSID Network X Open OpenAP AP SSID Attacker Network X LaptopLaptop

More information

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017 Overview 1. Key reinstallation in 4-way handshake 2. Misconceptions and remarks

More information

A Wireless LAN Protocol for Initial Access Authentication

A Wireless LAN Protocol for Initial Access Authentication www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 3 Issue 9 September 2014 Page No. 7992-7999 A Wireless LAN Protocol for Initial Access Authentication Sandhya

More information

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] s@lm@n Cisco Exam 642-737 Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ] Cisco 642-737 : Practice Test Question No : 1 RADIUS is set up with multiple servers

More information

4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions

4.4 IEEE MAC Layer Introduction Medium Access Control MAC Management Extensions 4.4 IEEE 802.11 MAC Layer 4.4.1 Introduction 4.4.2 Medium Access Control 4.4.3 MAC Management 4.4.4 Extensions 4.4.3 802.11 - MAC management Synchronization try to find a LAN, try to stay within a LAN

More information

Configuring the Client Adapter through Windows CE.NET

Configuring the Client Adapter through Windows CE.NET APPENDIX E Configuring the Client Adapter through Windows CE.NET This appendix explains how to configure and use the client adapter with Windows CE.NET. The following topics are covered in this appendix:

More information

Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs

Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs Analysis of Attacks and Defense Mechanisms for QoS Signaling Protocols in MANETs by Charikleia Zouridaki Charikleia Zouridaki 1, Marek Hejmo 1, Brian L. Mark 1, Roshan K. Thomas 2, and Kris Gaj 1 1 ECE

More information

Wireless Networked Systems

Wireless Networked Systems Wireless Networked Systems CS 795/895 - Spring 2013 Lec #5: Medium Access Control High Throughput, Security Tamer Nadeem Dept. of Computer Science High Throughput Networks (802.11n) Slides adapted from

More information

Basic Concepts in Intrusion Detection

Basic Concepts in Intrusion Detection Technology Technical Information Services Security Engineering Roma, L Università Roma Tor Vergata, 23 Aprile 2007 Basic Concepts in Intrusion Detection JOVAN GOLIĆ Outline 2 Introduction Classification

More information

Lab Configure Enterprise Security on AP

Lab Configure Enterprise Security on AP Lab 8.5.4.1 Configure Enterprise Security on AP Estimated Time: 30 minutes Number of Team Members: Students will work in teams of two. Objective In this lab, students will demonstrate an understanding

More information

Table of Contents X Configuration 1-1

Table of Contents X Configuration 1-1 Table of Contents 1 802.1X Configuration 1-1 802.1X Overview 1-1 Architecture of 802.1X 1-1 Authentication Modes of 802.1X 1-2 Basic Concepts of 802.1X 1-2 EAP over LAN 1-3 EAP over RADIUS 1-5 802.1X Authentication

More information

Operation Manual Security. Table of Contents

Operation Manual Security. Table of Contents Table of Contents Table of Contents Chapter 1 802.1x Configuration... 1-1 1.1 802.1x Overview... 1-1 1.1.1 802.1x Standard Overview... 1-1 1.1.2 802.1x System Architecture... 1-1 1.1.3 802.1x Authentication

More information

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri

TinySec: A Link Layer Security Architecture for Wireless Sensor Networks. Presented by Paul Ruggieri TinySec: A Link Layer Security Architecture for Wireless Sensor Networks Chris Karlof, Naveen Sastry,, David Wagner Presented by Paul Ruggieri 1 Introduction What is TinySec? Link-layer security architecture

More information

EXAM - PW Certified Wireless Security Professional (CWSP) Buy Full Product.

EXAM - PW Certified Wireless Security Professional (CWSP) Buy Full Product. CWNP EXAM - PW0-204 Certified Wireless Security Professional (CWSP) Buy Full Product http://www.examskey.com/pw0-204.html Examskey CWNP PW0-204 exam demo product is here for you to test the quality of

More information

Standard For IIUM Wireless Networking

Standard For IIUM Wireless Networking INTERNATIONAL ISLAMIC UNIVERSITY MALAYSIA (IIUM) Document No : IIUM/ITD/ICTPOL/4.3 Effective Date : 13/11/2008 1.0 OBJECTIVE Standard For IIUM Wireless Networking Chapter : Network Status : APPROVED Version

More information

Wireless Network Security Fundamentals and Technologies

Wireless Network Security Fundamentals and Technologies Wireless Network Security Fundamentals and Technologies Rakesh V S 1, Ganesh D R 2, Rajesh Kumar S 3, Puspanathan G 4 1,2,3,4 Department of Computer Science and Engineering, Cambridge Institute of Technology

More information

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake Mathy Vanhoef - @vanhoefm imec-distrinet, KU Leuven Black Hat, 27 July 2017 Introduction More and more Wi-Fi network

More information

Open System - No/Null authentication, anyone is able to join. Performed as a two way handshake.

Open System - No/Null authentication, anyone is able to join. Performed as a two way handshake. Five components of WLAN Security 1. Data Privacy 1. Privacy is important because transmission occurs over the air in freely licensed bands. The Data can be sniffed by anyone within range. 2. Eavesdropping

More information

Configuring Port-Based and Client-Based Access Control (802.1X)

Configuring Port-Based and Client-Based Access Control (802.1X) 9 Configuring Port-Based and Client-Based Access Control (802.1X) Contents Overview..................................................... 9-3 Why Use Port-Based or Client-Based Access Control?............

More information

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018 Improved KRACK Attacks Against WPA2 Implementations Mathy Vanhoef @vanhoefm OPCDE, Dubai, 7 April 2018 Overview Key reinstalls in 4-way handshake New KRACKs Practical impact Lessons learned 2 Overview

More information

Security Setup CHAPTER

Security Setup CHAPTER CHAPTER 8 This chapter describes how to set up your bridge s security features. This chapter contains the following sections: Security Overview, page 8-2 Setting Up WEP, page 8-7 Enabling Additional WEP

More information

Securing a Wireless LAN

Securing a Wireless LAN Securing a Wireless LAN This module describes how to apply strong wireless security mechanisms on a Cisco 800, 1800, 2800, or 3800 series integrated services router, hereafter referred to as an access

More information

KALASALINGAM UNIVERSITY

KALASALINGAM UNIVERSITY KALASALINGAM UNIVERSITY (Kalasalingam Academy of Research and Education) DEPARTMENT OF COMPUTER SCIENCE AND ENGINEERING CLASS NOTES CRYPTOGRAPHY AND NETWOTK SECURITY (CSE 405) Prepared by M.RAJA AP/CSE

More information

Viewing Status and Statistics

Viewing Status and Statistics CHAPTER 7 This chapter explains how to use ADU to view the client adapter s status and its transmit and receive statistics. The following topics are covered in this chapter: Overview of ADU and Statistics

More information

CIS 5373 Systems Security

CIS 5373 Systems Security CIS 5373 Systems Security Topic 4.1: Network Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) 2 Network Security INTRODUCTION 3 What

More information

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks CISNTWK-440 Intro to Network Security Chapter 4 Network Vulnerabilities and Attacks Objectives Explain the types of network vulnerabilities List categories of network attacks Define different methods of

More information

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy

Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy CHAPTER 9 DEVELOPING NETWORK SECURITY STRATEGIES Expected Outcomes Able to design the network security for the entire network Able to develop and suggest the security plan and policy Network Security Design

More information