Challenges of Wireless Security in the Healthcare Field : A study on the WPA3 standard

Mironov, Georgiana

January 2020

The healthcare environment is a complex one, saturated by wireless medical devices and sensitive patient data flowing through the network traffic. With the increased popularity of wireless medical devices in the healthcare domain together with the announcement of the new wireless security standard WPA3 comes a need to prepare for a new generation shift in wireless security. The goal of this study is therefore to investigate what challenges the healthcare sector can encounter when faced with the inevitable transition to WPA3. By performing a literature review on the security state of WPA3 compared to its predecessor and performing qualitative interviews with network technicians working in the healthcare sector, three major challenges were identified. IT professionals in the healthcare domain struggle with integrating legacy software systems, keeping middleware software solutions secure, and with handling hardware medical devices that come with outdated wireless standards. By analysing existing literature, several mitigating actions to battle these challenges were presented in this study.

WPA3

Wi-Fi Protected Access 3

WPA2

Wi-Fi Protected Access 3

wireless security standard

healthcare

challenges

wireless medical devices

Computer Sciences

Datavetenskap (datalogi)

User Efficient Authentication Protocols with Provable Security Based on Standard Reduction and Model Checking

Lin, Yi-Hui

12 September 2012

Authentication protocols are used for two parties to authenticate each other and build a secure channel over wired or wireless public channels. However, the present standards of authentication protocols are either insufficiently secure or inefficient for light weight devices. Therefore, we propose two authentication protocols for improving the security and user efficiency in wired and wireless environments, respectively. Traditionally, TLS/SSL is the standard of authentication and key exchange protocols in wired Internet. It is known that the security of TLS/SSL is not enough due to all sorts of client side attacks. To amend the client side security, multi-factor authentication is an effective solution. However, this solution brings about the issue of biometric privacy which raises public concern of revealing biometric data to an authentication server. Therefore, we propose a truly three factor authentication protocol, where the authentication server can verify their biometric data without the knowledge of users¡¦ templates and samples. In the major wireless technologies, extensible Authentication Protocol (EAP) is an authentication framework widely used in IEEE 802.11 WLANs. Authentication mechanisms built on EAP are called EAP methods. The requirements for EAP methods in WLANs authentication have been defined in RFC 4017. To achieve user efficiency and robust security, lightweight computation and forward secrecy, excluded in RFC 4017, are desired in WLAN authentication. However, all EAP methods and authentication protocols designed for WLANs so far do not satisfy all of the above properties. We will present a complete EAP method that utilizes stored secrets and passwords to verify users so that it can (1) meet the requirements of RFC 4017, (2) provide lightweight computation, and (3) allow for forward secrecy. In order to prove our proposed protocols completely, we apply two different models to examine their security properties: Bellare¡¦s model, a standard reduction based on computational model, that reduces the security properties to the computationally hard problems and the OFMC/AVISPA tool, a model checking approach based on formal model, that uses the concept of the search tree to systematically find the weaknesses of a protocol. Through adopting Bellare¡¦s model and OFMC/AVISPA tool, the security of our work is firmly established.

Wireless Local Area Networks (WLANs)

Wired and Wireless Security

Model Checking

Standard Reduction

Formal Security Proofs

Lightweight Devices

Authentication

Passwords

Smart Cards

Forward Secrecy

Extensible Authentication Protocol (EAP)

Biometric Privacy

Wireless secret key generation versus capable adversaries

Ghoreishi Madiseh, Masoud

22 December 2011

This dissertation applies theories and concepts of wireless communications and signal processing to the security domain to assess the security of a Wireless secret Key Generation (WKG) system against capable eavesdroppers, who employ all the feasible tools to compromise the system’s security. The security of WKG is evaluated via real wireless measurements, where adversary knows and applies appropriate signal processing tools in ordere to predict the generated key with the communicating pair. It is shown that in a broadband stationary wireless communication channel, (e.g. commercial off-the-shelf 802.11 WLAN devices), a capable eavesdropper can recover a large portion of the secret key bits. However, in an Ultra-wideband (UWB) communication, at the same stationary environment, secret key rates of 128 bits per channel probe are achievable. / Graduate

Wireless Secret Key Generation

Wireless Security

Point to Point Secure Communication

Secret Key Capacity

Wire-tap channel

Public Discussion

Wireless Channel Characterization

Ultrawide Band communication channels

WLAN

IEEE 802.11

Bezdrátové zabezpečovací zařízení / Wireless Security and Surveillance System

Výborný, Jiří

January 2008

This Master’s thesis deals with design and construction of a wireless security and surveillance system in ZigBee wireless networks (IEEE802.15.4). The design consists of creating a star network topology with intended monitoring of home area via end device boards paired with coordinator board, which provides basic networking functionality. End device is used to send data from a temperature sensor DS1631 and magnetic reed switches to coordinator. ZigBee module ZDM-A1281-A2 made by MeshNetics company embedded on each board contains a micro controller ATMega1281 and a transceiver AT86RF230 working in a 2,4GHz frequency band. System is able to notice of any door or window move actions and too high temperature. The non-fully functional ZigBee stack, which is called an Open MAC software, based on MAC (Media Access Control ) layer and PHY (Physical) layer from MeshNetics, has been used to develop the user software. Open MAC consists of three application samples in C code. One of them was modified by the user for an application of communication between the module and sensors. The same design with module RC2204AT made by Radiocrafts company was tested as well, but it couldn’t be executed. All developed boards have been constructed and tested via Terminal PC program.

Authentication Techniques Based on Physical Layer Attributes / Autentisering tekniker baserade på fysiska lager attribut

Liang, Xintai

January 2022

Authentication is an indispensable part of information security. It serves to distinguish legitimate users from unauthorized ones. With the rapid growth of Internet of Things (IoT) devices, authentication of wireless communication is gathering more and more attention. Traditional authentication methods using cryptography, such as Hash-based Message Authentication Codes (HMACs) or digital signature, demand significant computational power and hardware resources, especially for low-end platforms. Spoofing attackers take advantage of trust relationships, trying to impersonate legitimate entities the wireless Access Point (AP) trusts. To tackle this issue, physical layer authentication methods are proposed. Using a fast and lightweight implementation, authentication based on physical layer attributes has the chance to improve the security performance of the authentication in the wireless network and protect it from spoofing attacks. It takes advantage of the uniqueness and inimitability of physical layer attributes by using them as identifying information. In this project, one of the physical layer attributes, Channel State Information (CSI), is utilized as the identifying information of devices. CSI samples from different wireless devices are collected by a wireless monitor. Features on amplitude and phase are extracted from raw CSI samples through data processing algorithms. For every device, a corresponding feature profile is pre-built so that authentication can be accomplished by matching the CSI profile. One-Class Support Vector Machine (OCSVM), a machine learning technique, which has a satisfying performance in novel discrimination, is used for profile building and profile matching algorithms so that the physical layer identities from various devices can be distinguished effectively. Our study aims to prove the feasibility of the authentication using CSI identity is conducted and the authentication and spoofer detection accuracy is calculated. With the profile matching algorithm based on OCSVM, the authentication accuracy and the spoofer detection accuracy remains around 98% and 100% respectively. Finally, to address the limitations in related work, such as the phase error fingerprinting which is not effective across all the bands, and the instability of the authentication results, a combined authentication method is designed and implemented successfully. The new method is based on both the traditional cryptographic authentication and CSI-based authentication. The implementation is accomplished by using the data processing methods and discrimination techniques mentioned above. The basic functions, such as detecting CSI variance and switching between CSI and cryptographic authentication, and the CPU computing performance under different authentication modes are observed. The performance of the new method is analyzed and evaluated under different potential attack scenarios. The evaluation shows that the basic functions and defense ability are valid and satisfying under different scenarios. The computing resource saves at least 36.92% and at most 79.73% compared to various traditional cryptographic authentication. / Autentisering är en oumbärlig del av informationssäkerheten, eftersom den särskiljer legitima användare och motståndare i nätverk. Med den snabba tillväxten av trådlösa IoT-enheter får säker autentisering inom trådlös kommunikation mer och mer uppmärksamhet. Traditionell trådlös autentisering metoder har en enorm efterfrågan på beräkningskraft och hårdvaruresurser, samtidigt som de är sårbara för vissa attacker. Spoofing-attack, som drar fördel av pålitliga relationer genom att imitera en person eller organisation som den trådlösa AP litar på, är en av de svåraste säkerheterna problem med trådlös autentisering. För att lösa detta problem föreslås autentiseringsmetoder för fysiska lager. Genom att använda en snabb och lätt implementering har autentiseringen baserad på fysiska lagerattribut möjlighet att förbättra säkerhetsprestandan för autentiseringen i det trådlösa nätverket och skydda den från spoofing attacker. Eftersom det tar fördelen av det unika och oefterhärmlighet av fysiska lagerattribut genom att använda dem som identitetsinformation som ska autentiseras. I detta projekt används ett av attributen för fysiskt lager, CSI som enhetsidentitet för att studera prestandan för trådlös autentisering under det nya överföringsprotokollet 802.11ac.CSI-prov från olika trådlösa enheter samlas in från den trådlösa monitorn. Funktioner på Amplitude och Phase extraheras från råa CSI-prover genom respektive dataförbehandlingsalgoritmer. För varje enhet är en motsvarande funktionsprofil förbyggd så att autentiseringen kan utföras genom att matcha CSI-profilen. Maskininlärningsteknik, OCSVM, som har en tillfredsställande prestanda i den nya diskrimineringen, används i profilbyggande och profilmatchningsalgoritmer så att de fysiska lagrets identiteter från olika enheter effektivt kan särskiljas. En studie syftar till att bevisa genomförbarheten av autentisering med CSI-identitet genomförs och noggrannheten för autentisering och spooferdetektering beräknas. Med profilmatchningsalgoritmen bas ed på OCSVM förblir autentiseringsnoggrannheten och spooferdetekteringsnoggrannheten runt 98% till 99% respektive 100%. Slutligen, med ovanstående metoder och tekniker och övervägandet av begränsningar i relaterat arbete, som fasfelsfingeravtrycksfelet som inte är tillräckligt effektivt över alla band, och instabiliteten i autentiseringsresultaten, ett lättviktigt och flexibelt autentiseringsschema baserat på kombination av traditionell kryptoautentisering och CSI-autentisering designas och implementeras framgångsrikt. Grundfunktionen och datorprestanda observeras och prestandan för den nya metoden analyseras under olika potentiella attackscenarier. Efter experimenten kan datorresurser sparas åtminstone 36,92% och som mest 79,73% jämfört med olika traditionella kryptoautentiseringar. Dessutom är den grundläggande funktionen och försvarsförmågan giltig och tillfredsställande under olika scenarier.

Wireless security

Spoofing attacks

Physical layer authentication

Channel State Information

Machine learning

Trådlös säkerhet

Spoofing attack

Autentisering av fysiska lager

Kanaltill Stånds Information

Maskinin lärning

Elektroteknik och elektronik

Principy zabezpečení bezdrátových standardů / Principles of the Wireless Standards Security

Vokál, Martin

January 2007

Computer networks are in the scope of the IEEE organization normalized by the 802 board which currently comprises six working groups for wireless communications. IEEE 802.11 for wireless local area networks, IEEE  802.15 for wireless personal area networks, IEEE 802.16 for wireless metropolitan area networks, IEEE 802.20 for mobile broadband wireless access, IEEE 802.21 for media independent handover and IEEE 802.22 for wireless regional area networks. This master's thesis focuses on a security analysis of particular standards, describes threats, vulnerabilities, current security measures and mutually compares wireless specifications from a security point of view. The conclusion is devoted to overall evaluation of the project, to its contributions, possible enhancements and continuation in the form of consequential studies.