Ju-A A Lee and Jae-Hyun Kim


Wireless Information & Network Engineering Research Lab, Korea
{gaia, jkim}@ajou.ac.kr

Abstract. The IEEE 802.11i standard supports secure access control for wireless LANs, and the IEEE 802.1X standard includes various authentication methods. Next-generation wireless LAN security techniques are expected to be based on the IEEE 802.1X and IEEE 802.11i standards. However, users who are not familiar with computers or with authentication methods have difficulty setting up network security based on IEEE 802.11i. Accordingly, this paper proposes an authentication scenario that minimizes the participation of users, together with a password scheme in which the password is changed randomly and periodically. The proposed protocols provide convenience for nonprofessional computer users as well as a home network environment secured against unwanted attacks such as brute force and replay attacks.

1. Introduction

Home network services have been integrated with various communication technologies to make daily life more convenient. These services are closely tied to private information about household appliances, electronic commerce, medical services and banking. But unlike devices that are directly connected to one another in a wired LAN, a wireless LAN (WLAN) connection is exposed to every other device within range of the access point (AP). This property gives a neighbor, or anyone near the house, the chance to receive the traffic, and a malicious intruder can abuse that privacy. Therefore, authentication mechanisms have to ensure that only an eligible user is authenticated to use the resources of the home network. The IEEE 802.11 working group (WG) specifies an authentication procedure, but it provides only a basic mechanism that cannot protect WLAN communications from ineligible access. The IEEE 802.11i standardization group is working on access control based on IEEE 802.1X and on air-traffic encryption to strengthen WLAN security techniques [1]. With the conventional method, a nonprofessional user is confused about how to set up security information in WLAN stations and APs. Furthermore, home network users have widely varying levels of computer knowledge. For this reason, the way to set up authentication information should be made easy for users who are not familiar with computers or with authentication. In this paper, we suggest an authentication scenario that protects users from intrusion even if they have no knowledge of WLAN access control in the home network. We also propose authentication procedures based on this scenario, as well as a packet format that maintains backward compatibility with legacy systems. The rest of the paper is organized as follows: Section II presents related work. In Section III, we describe the proposed authentication scenario and the security mechanisms for the home network. A performance analysis of the proposed security mechanisms is presented in Section IV. Finally, Section V concludes the paper.

[Figure: IEEE 802.11i access sequence between a WLAN station (laptop), the wireless access point and the RADIUS server over Ethernet: Beacon (RSNIE: Robust Security Network Information Element); Open System Authentication Request/Response; Associate Request (RSNIE)/Associate Response; EAPoL-Start; EAP-Request/Identity; EAP-Response/Identity; RADIUS Access-Request; EAP authentication protocol exchange; EAP-Success / RADIUS Access-Accept; 4-way EAP-Key handshake; access allowed. EAP: Extensible Authentication Protocol.]

2. Related Works

IEEE 802.11i provides enhanced security in the medium access control (MAC) layer for IEEE 802.11 networks [2]. One of the major missions of IEEE 802.11i is to define a robust security network (RSN). According to the IEEE 802.11i specification, an RSN is a security network that only allows the creation of robust security network associations. To provide associations in an RSN, IEEE 802.11i defines authentication, encryption improvements, key management, and key establishment. In the first stage, IEEE 802.11i starts with the Open System Authentication defined in IEEE 802.11, and the WLAN station is authenticated and associated with an AP. At the end of this stage, the IEEE 802.1X port remains blocked and no data packets can be exchanged. The second stage consists of IEEE 802.1X authentication, which employs the extensible authentication protocol (EAP) to authenticate users. A user can surf the Internet after the 4-Way Handshake of the third stage completes.

The IEEE 802.1X standard specifies how to implement port-based access control for IEEE 802 LANs, including wireless LANs [3]. In IEEE 802.1X, the port represents the association between a WLAN station and an AP. IEEE 802.1X basically has three entities: a supplicant, an authenticator, and a backend authentication server. In the context of a WLAN, the supplicant is a WLAN station, the authenticator is an AP, and the authentication server can be a centralized remote authentication dial-in user service (RADIUS) server. IEEE 802.1X employs EAP, an authentication framework that can carry many authentication protocols, between the supplicant and the authenticator [4], [5]. The protocol between the authenticator and the authentication server is not specified in the IEEE 802.1X standard; instead, IEEE 802.1X provides RADIUS usage guidelines in its Annex. The EAP messages in EAP over LAN or wireless LAN (EAPoL) contain the authentication information, and the RADIUS protocol is used to carry EAP messages from the authenticator to the authentication server.

EAP is a method of conducting an authentication conversation between a supplicant and an authentication server [5]. The authentication methods in EAP include message digest 5 (MD5), transport layer security (TLS), tunneled TLS (TTLS) and so on. These methods have the following features.

EAP-MD5 [6]: EAP-MD5 uses the challenge handshake authentication protocol (CHAP [7]), a challenge-response process, for the user authentication portion. It is one of the most popular EAP types because it is easy to use. The authentication server asks for the password by sending a RADIUS Access-Challenge. The password hash is then sent in an EAP-Response, which is further encapsulated in a RADIUS Access-Request.

EAP-TLS [8]: EAP-TLS provides a way to use certificates for both the supplicant and the server so that they authenticate each other. Therefore, forged APs can be detected. Both the supplicant and the authentication server need to have valid certificates when using EAP-TLS.

EAP-TTLS [9]: EAP-TTLS extends EAP-TLS to exchange additional information between the supplicant and the authentication server through the secure tunnel established by the TLS negotiation. An EAP-TTLS negotiation comprises two phases: the TLS handshake phase and the TLS tunnel phase. During phase one, the TLS process is used by the supplicant to authenticate the authentication server using certificates. In phase two, the authentication of the supplicant can use any non-EAP protocol [10].

To apply the protocols mentioned above on the user's device, the user has to know how to set up these authentication protocols. Accordingly, a simple and easy way to authenticate home network users is needed. In this paper, we consider the home network user and discuss how to provide an automatic authentication mechanism for such users.

[Flowchart: server-side authentication number check. The server transmits EAP-Request/Identity and receives EAP-Response/Identity. If an A.N. is included in the EAP-Response/Identity and the station's A.N. equals the A.N. recorded for it in the MAC.T., the server authenticates the WLAN station using the password in the A.N.T.; otherwise it authenticates the station using the appointed password. If the station is authenticated and its A.N. is not the current A.N., the server transmits the current A.N. and password to the station and then transmits EAP-Success; if the station is not authenticated, the server transmits EAP-Failure. Legend: A.N. = authentication number; A.N.T. = authentication number management table; MAC. = MAC address; MAC.T. = MAC address management table.]

3. WLAN Security Mechanisms for Home Network

It is inconvenient to use the current method for WLAN access control; for example, users have to set up the authentication information in WLAN stations and APs. In addition, the technical terms of the authentication properties obstruct secure access for users without related knowledge. This may cause the serious security problem that an intruder can easily access the network. Therefore we propose an access control scenario that offers convenience and minimizes the user's participation. In the scenario, we assume that the WLAN user needs an appointed password to be authorized the first time. The appointed password can be registered with an authentication server by the user. Alternatively, the WLAN station seller transfers the MAC address to the service provider, which can register a password based on the MAC address with the authentication server. The authentication server then periodically changes the password at random, in software, without the user's participation, and distributes the changed password to all WLAN stations in the home network. After receiving the changed password from the authentication server, the WLAN stations use the new password for the next connection with an AP. Through this scenario the user can access the home network securely and easily even with insufficient knowledge about authentication.

To support this scenario, the authentication protocol requires additional message exchanges carrying information that is not specified in the standards [7], [9]. The periodic password change may cause a problem for WLAN users when the password is changed while a user takes the WLAN station out of the home. The WLAN station needs to be authenticated again when the user brings it back home, but it cannot obtain authorization without the user's assistance, since the password has already changed. Other stations in the home network also need to know the new password to keep their authorization. The proposed protocols solve this problem by adding an authentication number. The authentication number is an index number that corresponds to each password; it is chosen randomly whenever the password is changed. The authentication server manages two tables. One is the MAC address management table, which records the MAC addresses of the authenticated stations and their authentication numbers. The other is the authentication number management table: when the password is changed, the new password and its authentication number are recorded in this table.

[Figure: proposed EAP-MD5 message sequence between the WLAN station, the wireless access point and the authentication server (Ethernet).]

The proposed EAP-MD5 procedure using the authentication number is as follows.

1. The WLAN station associates with an AP using Open System Authentication with wired equivalent privacy (WEP) turned off. Then the AP asks for the user's identity.
2. The WLAN station transmits an EAP-Response message containing the identity and the authentication number of the WLAN station to the server.
3. The server confirms whether the authentication number transmitted by the WLAN station is the same as the authentication number recorded in the MAC address management table.
4. If both authentication numbers are the same, the server sends the EAP-MD5 challenge to the station.
5. The station encodes the MD5-Challenge using its password and transmits the encoded MD5-Challenge (the MD5-Response) to the server.
6. After receiving the MD5-Response, the server decodes the message using the password that corresponds to the authentication number in the authentication number management table, and decides whether the station is valid according to whether the MD5-Challenge and the decoded MD5-Response are the same.
7. If the station is valid and the authentication number of the station differs from the current authentication number, the server transmits the current authentication number and password to the station for the next authentication.
8. The WLAN station that received the current authentication information updates its own authentication information. This message is encoded using the password of the WLAN station for protection against a man-in-the-middle attack.
9. The server rewrites the authentication number in the MAC address management table and transmits the EAP-Success message after receiving the EAP-Response message.
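The scenario of Section 3 and the EAP-MD5 procedure above, as an added Python simulation: this is example code written for this page, not the paper's implementation. It assumes a constructed MAC address and appointed password, 16-byte random passwords, and a CHAP response computed as in RFC 1994 (MD5 over identifier, secret and challenge, which the server recomputes and compares rather than "decodes"); it leaves out EAP/RADIUS framing and the password-based encoding of step 8. The `missed_rotations_scenario` function exercises the case the text raises: a station that was away during several password changes still authenticates through its old authentication number and then receives the current credentials.

```python
import hashlib
import os
import secrets

# Constructed sample values; the paper fixes neither format.
APPOINTED_PASSWORD = b"appointed-secret"   # assumed initial password registered by the user
STATION_MAC = "00:11:22:33:44:55"          # constructed MAC address of one home station


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP (RFC 1994) response value: MD5(Identifier || secret || challenge).
    EAP-MD5 carries this as the MD5-Response; the server recomputes and compares."""
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


class AuthServer:
    """Authentication server holding the two tables of Section 3."""

    def __init__(self, appointed: bytes):
        self.appointed = appointed
        self.mac_table = {}    # MAC.T.: MAC address -> authentication number (A.N.)
        self.an_table = {}     # A.N.T.: authentication number -> password
        self.current_an = None
        self.rotate_password()

    def rotate_password(self) -> int:
        """Periodic change done in software with no user involved: a new random
        16-byte password filed under a fresh random 1-byte A.N. (0..255, Section 4.2)."""
        if len(self.an_table) >= 256:
            raise RuntimeError("A.N. space exhausted; old records must be retired first")
        an = secrets.randbelow(256)
        while an in self.an_table:          # each A.N. must index exactly one password
            an = secrets.randbelow(256)
        self.an_table[an] = secrets.token_bytes(16)
        self.current_an = an
        return an

    def password_for(self, mac: str, an) -> bytes:
        """Steps 3-4 / flowchart: if the (MAC, A.N.) pair matches MAC.T., challenge
        with the password filed under that A.N.; otherwise (first login, unknown or
        mismatched A.N.) fall back to the appointed password."""
        if an is not None and self.mac_table.get(mac) == an and an in self.an_table:
            return self.an_table[an]
        return self.appointed

    @staticmethod
    def new_challenge() -> bytes:
        return os.urandom(16)   # fresh per attempt, so a captured response is single-use

    def verify(self, mac: str, an, ident: int, challenge: bytes, response: bytes):
        """Steps 6-9: check the MD5-Response; on success record the current A.N. for
        this MAC and return (current A.N., current password). None means EAP-Failure."""
        expected = chap_response(ident, self.password_for(mac, an), challenge)
        if not secrets.compare_digest(expected, response):
            return None
        self.mac_table[mac] = self.current_an
        return self.current_an, self.an_table[self.current_an]


class Station:
    """WLAN station (supplicant) that remembers its last A.N. and password."""

    def __init__(self, mac: str, password: bytes):
        self.mac = mac
        self.an = None          # no authentication number before the first login
        self.password = password

    def authenticate(self, server: AuthServer, ident: int = 1) -> bool:
        """One EAP-MD5 round: identity + A.N., challenge, MD5-Response, update."""
        challenge = server.new_challenge()
        response = chap_response(ident, self.password, challenge)
        result = server.verify(self.mac, self.an, ident, challenge, response)
        if result is None:
            return False
        # Step 8: adopt the current credentials for the next connection. The paper
        # encodes this message under the station's password; that protection is
        # not modelled here.
        self.an, self.password = result
        return True


def missed_rotations_scenario(rotations: int = 3):
    """A station logs in once, leaves home, misses several password changes and
    still authenticates automatically on return because its old A.N. still
    indexes the password it holds."""
    server = AuthServer(APPOINTED_PASSWORD)
    sta = Station(STATION_MAC, APPOINTED_PASSWORD)
    first = sta.authenticate(server)        # appointed-password path
    old_an = sta.an
    for _ in range(rotations):
        server.rotate_password()            # station is away and hears none of these
    back = sta.authenticate(server)         # old A.N. -> old password -> success
    return first, back, old_an != sta.an, sta.an == server.current_an


def wrong_password_rejected() -> bool:
    """A station that neither knows the appointed password nor holds a valid
    (A.N., password) pair gets EAP-Failure."""
    server = AuthServer(APPOINTED_PASSWORD)
    stranger = Station("66:77:88:99:aa:bb", b"guess")   # constructed outsider
    return stranger.authenticate(server) is False


if __name__ == "__main__":
    print(missed_rotations_scenario(), wrong_password_rejected())
```

Two points the simulation makes visible that the prose does not: the fallback branch of the flowchart means an unknown or mismatched authentication number is not an error but a retry against the appointed password, so that password stays security-critical for the life of the deployment; and a 1-byte authentication number gives only 256 indices, so a server that rotates passwords periodically must retire old records (the paper's Section 4.2 sizing assumes 100 of them) or it will run out of numbers.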

[Figure: proposed EAP-TTLS message sequence between the WLAN station, the wireless access point and the authentication server (Ethernet).]

The proposed EAP-TTLS procedure using the authentication number is as follows.

1. The user's WLAN station associates with an AP using Open System Authentication. Then the AP asks for the user's identity.
2. The WLAN station transmits an EAP-Request message encapsulated in an EAPoL frame to the AP, which contains the MAC address of the WLAN station.
3. The server is authenticated to the WLAN station using its security certificate, and a TLS connection is established between them. The encryption key for the TLS connection will be used for air traffic encryption.
4. Inside the TLS connection (the inner box), the exchanged messages are encapsulated in TLS records, which are in turn encapsulated in EAP-Request and EAP-Response messages. In the existing procedure, the WLAN station informs the AP of a user name and a password. In addition, we propose that the WLAN station send the authentication number in the same EAP-Response message. After receiving it, the AP relays it to the server.
5. The server then verifies the authentication number, i.e., whether the MAC address and the authentication number of the WLAN station are the same as the data stored in the MAC address management table. If the authentication number is verified, the server completes the authentication using the password corresponding to that number in the authentication number management table. At this point, many protocols can be used as the authentication method; here we assume that CHAP is used.
6. After authenticating the WLAN station, if the authentication number of the station differs from the current authentication number, the server transmits the current authentication number and password to the WLAN station. The WLAN station that received the current authentication information updates its own authentication information.
7. The server rewrites the authentication number in the MAC address management table after receiving the EAP-Response message.
8. The EAP-TTLS procedure ends by sending the EAP-Success message to the WLAN station.

4. Evaluation of Our Proposed Mechanism

4.1 Security analysis

EAP-MD5 is more vulnerable to unwanted attacks than other authentication methods. One such attack is a brute force attack: a method of defeating a cryptographic scheme by trying a large number of possibilities, for example exhaustively working through all possible keys in order to decrypt a message. To protect against a brute force attack, the password should be changed at least every month. The proposed protocol is robust against the brute force attack since it changes the password periodically. It also helps to detect a replay attack. Using a replay attack, an attacker could pretend to be an authorized user in order to access a network; for example, an attacker can simply intercept and replay a challenge message and response message to be authenticated. However, because the password changes, the response message in the proposed protocol also changes on a periodic basis. Therefore, even if the attacker receives the same challenge message as the previously intercepted one, it is difficult for the attacker to be authenticated. With mutual authentication, these security problems will be eliminated. In addition to security, the proposed mechanism gives automatic authentication in an environment where the password is changed.

4.2 The burden of the authentication server

Since the server has to manage two tables, we need to calculate the required memory size for a practical implementation. First of all, for the MAC address management table, the MAC address consists of 6 bytes and the authentication number occupies 1 byte, on the assumption that its range is from 0 to 255. The authentication number in the authentication number management table also occupies 1 byte, as in the MAC address management table. And if the password uses WEP2 encryption, it will require a memory size of 16 bytes. We can calculate the total memory size by (1):

total memory size = (6 + 1) bytes × N_D + (16 + 1) bytes × N_C    (1)

where N_D is the number of WLAN stations and N_C is the number of authentication numbers in use. If we assume that there are 30 WLAN stations and 100 records of changed passwords, the total required memory capacity is 1.91 Mbytes.

5. Conclusion

The home network environment is sensitive to privacy, but wireless communication is exposed to access by unauthorized people. In addition, most home network users do not know how to prevent unwanted access. Therefore we introduced a WLAN authentication mechanism for home network users. First, we proposed an authentication scenario that uses a periodically changed password. The change of password makes the home network safe without requiring authentication knowledge from users. Second, we proposed procedures to support the scenario for EAP-MD5 and EAP-TTLS. Compared with the existing authentication protocols, the proposed protocol supports protection against brute force and replay attacks: because it is difficult to find out a randomly changed password, WLAN users are protected from these attacks. The proposed mechanism will provide a secure and convenient WLAN access mechanism for the home network and will contribute to authentication mechanisms for other wireless communication technologies in the home network such as Bluetooth, Zigbee, or UWB.

References

[1] IEEE, LAN/MAN Specific Requirements Part 11: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specification: Specification for Robust Security, IEEE Std 802.11i/D3.2, Apr. 2003.
[2] C. He and J. C. Mitchell, Security Analysis and Improvements for IEEE 802.11i, in Proc. the 12th Annual Network and Distributed System Security Symposium (NDSS'05), San Diego, USA, Feb. 3-4, 2005, pp. 90-110.
[3] IEEE Standards for Local and Metropolitan Area Networks: Port-Based Network Access Control, IEEE Std 802.1X, Jun. 2001.
H. Luo and P. Henry, A Secure Public Wireless LAN Access Technique That Supports Walk-Up Users, in Proc. GLOBECOM 2003, vol. 22, no. 1, pp. 1415-1419, Dec. 2003.
[4] B. Aboba et al., Extensible Authentication Protocol, IETF RFC 3748, Jun. 2004.
[5] D. Potter et al., PPP EAP MS-CHAP-V2 Authentication Protocol, Internet draft, Jan. 2002.
[6] W. Simpson, PPP Challenge Handshake Authentication Protocol (CHAP), IETF RFC 1994, Aug. 1996.
[7] B. Aboba, PPP EAP TLS Authentication Protocol, IETF RFC 2716, Aug. 1999.
[8] P. Funk, EAP Tunneled TLS Authentication Protocol, Internet draft, Jul. 2004.
[9] J. C. Chen and Y. P. Wang, Extensible Authentication Protocol (EAP) and IEEE 802.1x: Tutorial and Empirical Experience, http://wire.cs.nthu.edu.tw/wire1x/.
[10] J. A. Lee, J. H. Kim, J. H. Park and K. D. Moon, A Secure Wireless LAN Access Technique for Home Network, in Proc. IEEE VTC'06-Spring, Melbourne, Australia, May 7-10, 2006.
[11] Y. Ma and X. Cao, How to Use EAP-TLS Authentication in PWLAN Environment, in Int. Conf. Neural Networks & Signal Processing, Nanjing, China, Dec. 14-17, 2003.