A Novel Design and Implementation of DoS-Resistant Authentication and Seamless Handoff Scheme for Enterprise WLANs

Lee, Isaac Chien-Wei

January 2010

With the advance of wireless access technologies, the IEEE 802.11 wireless local area network (WLAN) has gained significant increase in popularity and deployment due to the substantially improved transmission rate and decreased deployment costs. However, this same widespread deployment makes WLANs an attractive target for network attacks. Several vulnerabilities have been identified and reported regarding the security of the current 802.11 standards. To address those security weaknesses, IEEE standard committees proposed the 802.11i amendment to enhance WLAN security. The 802.11i standard has demonstrated the capability of providing satisfactory mutual authentication, better data confidentiality, and key management support, however, the design of 802.11i does not consider network availability. Therefore, it has been suggested that 802.11i is highly susceptible to malicious denial-of-service (DoS) attacks, which exploit the vulnerability of unprotected management frames. This research first investigates common DoS vulnerabilities in a Robust Security Network (RSN), which is defined in the 802.11i standard, and presents an empirical analysis of such attacks – in particular, flooding-based DoS attacks. To address those DoS issues, this thesis proposes a novel design and implementation of a lightweight stateless authentication scheme that enables wireless access points (APs) to establish a trust relationship with an associating client and derive validating keys that can be used to mutually authenticate subsequent layer-2 (link layer) management frames. The quality of service provisioning for real-time services over a WLAN requires the total latency of handoff between APs to be small in order to achieve seamless roaming. Thus, this thesis further extends the proposed link-layer authentication into a secure fast handoff solution that addresses DoS vulnerabilities as well as improving the existing 802.11i handoff performance. A location management scheme is also proposed to minimise the number of channels required to scan by the roaming client in order to reduce the scanning delay, which could normally take up 90% of the total handoff latency. In order to acquire practical data to evaluate the proposed schemes, a prototype network has been implemented as an experimental testbed using open source tools and drivers. This testbed allows practical data to be collected and analysed. The result successfully demonstrated that not only the proposed authentication scheme eradicates most of the DoS vulnerabilities, but also substantially improved the handoff performance to a level suitable for supporting real-time services.

802.11i

802.11r

WLAN

handoff

roaming

Denial of service

attacks

scanning

RSNA

client puzzle

authentication

Secure and Privacy-Preserving Decentralized Wi-Fi Aware Service Discovery Architecture / En Wi-Fi Aware -Decentraliserad säker serviceupptäcktsarkitektur i mobilt ad-hoc-nätverk

Wang, Jiahao

January 2022

In modern Mobile Ad hoc Networks (MANETs), service discovery is a major component for mobile devices to exchange data and find available services. However, service discovery architectures developed and adopted by the industry either are not appropriate for MANETs or cannot provide security and privacy protection to clients. Service discovery architectures could be either directory-based or directory-less. Both of the two types of architectures suffer from certain security or privacy issues: The directory-based architecture requires a directory server to facilitate communication between service providers and users, which makes the directory server a single point of failure and may harm users’ privacy if the directory server is honestbut- curious; the directory-less architecture solves these two problems but without a trusted directory, the Denial of Service (DoS) attacks can be easily performed on all entities in the system since the mutual authentication between entities consumes significant computational resource. Wi-Fi Aware, a recently introduced Wi-Fi-based connectivity, allows MANETs nodes to discover and connect directly to each other without any infrastructure. Moreover, the size of the message transmitted in this process is large enough (around 255 bytes) for security and privacy protection. So in this thesis, we implemented a Wi-Fi Aware-based decentralized secure service discovery system that allows the clients to directly discover nearby service providers and provide mutual authentication between them without a directory server. In our system we leverage several schemes, including bloom filter, Timed Efficient Stream Loss- Tolerant Authentication (TESLA), and client puzzle. A set of experiments are carried out for the evaluation of the implemented system. The evaluation results show that our system meets most of the security requirements of service discovery architectures with acceptable processing delays. / I moderna moblie ad hoc -nätverk (MANETs) är service discovery en huvudkomponent för noder för att utbyta data och hitta andras tjänster. Men serviceupptäcktsarkitekturerna som utvecklats och antagits av branschen är antingen inte lämpliga i MANET eller kan inte ge kunderna säkerhet och integritetsskydd. service discovery-arkitekturer är katalogbaserade eller kataloglösa. Båda de två arkitekturerna lider av vissa säkerhetseller sekretessproblem: Den katalogbaserade arkitekturen kräver att katalogservern underlättar kommunikationen mellan tjänsteleverantörer och användare, vilket gör katalogservern till en enda felpunkt och kan skada användarnas integritet om katalogservern är ärlig-men-nyfiken; Den kataloglösa arkitekturen löser dessa två problem men utan en pålitlig katalog kan Denial of Service (DoS) -attacker enkelt utföras på alla enheter i systemet eftersom den ömsesidiga autentiseringen mellan enheter förbrukar massor av beräkningsresurser. Nyligen, med den nyaWi-Fi-funktionen som kallas WiFi-Aware cite wifiaware, kan MANET-noder upptäcka och ansluta direkt till varandra utan någon annan typ av anslutning mellan dem . Dessutom är storleken på meddelandet som överförs i denna process tillräckligt stor (cirka 255 byte) för säkerhetsautentisering. Så i denna avhandling implementerade vi ett Wi-Fi Aware-baserat Decentralized Secure service discovery-system som gör att klienterna direkt kan upptäcka närliggande tjänsteleverantörer och tillhandahålla ömsesidig autentisering mellan dem utan en katalogserver. I vårt system används flera system för att skydda vårt system från ovanstående säkerhets- och integritetsfrågor, bland annat blomfilter, Timed Efficient Stream Loss-Tolerant Authentication (TESLA) och klientpussel. En uppsättning utvärderingsförsök utförs för det implementerade systemet. Utvärderingsresultaten visar att vårt system uppfyller de flesta säkerhetskraven för service discovery -arkitekturer med en acceptabel bearbetningsfördröjning.

Wi-Fi Aware

Secure Service Discovery

Bloom Filter

TESLA

Client Puzzle

Wi-Fi Aware

Säker Serviceupptäckt

Bloom Filter

TESLA

Klient Pussel

Computer and Information Sciences

Data- och informationsvetenskap