Access control protocols with two-layer architecture for wireless networks
Introduction
The demand for access to wireless networks in public places, such as airport lounges, college campuses and city centers, has surged dramatically over the recent few years. This is mainly due to the growing popularity of mobile devices and the increasing pervasiveness of wireless technologies, such as IEEE 802.11, HomeRF, HIPERLAN/2 and Bluetooth. A major concern in wireless networking is security and in particular network access control. Since deployment of wireless network technologies in public places bears the danger of unauthorized users gaining access to network services, it is extremely important to be able to restrict access to the network only to authorized users. Therefore, secure user authentication and authorization, and a reliable access control mechanism are vital for wireless networks.
Two protocols which have similar two-layer access control architectures for wireless networks in public places have been proposed in the literature recently. The first access control protocol, called the Lancaster protocol [28], [17], is designed for a wireless overlay network around Lancaster city, UK; it employs user password for authentication and enforces access control at the IP layer. However, the design flaws of the Lancaster protocol make it vulnerable to various attacks.
The second access control protocol, referred to as the Stanford protocol [16], aims to overcome several security deficiencies in 802.1X [24] and to provide access control in both wireless and wired networks; it uses public key cryptosystems (PKC) for authentication and performs access control at the link layer. Although this protocol is supposed to resist DoS attacks, it is unfortunately susceptible to DoS attacks as well as to other types of attacks.
The models of these two protocols are representative for access control in overlay wireless access networks. Both models adopt a two-layer access control architecture, in which a higher layer is responsible for authentication and key agreement while a lower layer is responsible for per-packet access control. The difference of the two models is the different credentials on which the two protocols are based. The Lancaster protocol relies on a secret password shared between the client and the server, while the Stanford protocol depends on the certificates of the client and the server for authentication and access control. Password-based and certificate-based access control protocols are two different approaches with different advantages: the former approach is more convenient and user-friendly, while the latter can offer more security features like DoS resistance and identity anonymity.
In this paper, we discuss in detail the flaws of these two access control protocols and propose two secure protocols in place of the Lancaster protocol and the Stanford protocol, respectively. Our first proposed protocol uses weak passwords for authentication and key exchange. The protocol provides great user-friendliness and convenience for users since they do not require any PKC infrastructure but only human-memorable passwords. Our second protocol, which is a PKC-based protocol, is designed for wireless networks where PKC infrastructure is available. Other than mutual authentication and secure key exchange, our protocols provide more protection for wireless networks: it employs the cookie mechanism to defend against DoS attacks, while protects clients’ identities from disclosure to offer identity confidentiality for clients.
The remainder of this paper is organized as follows. In Section 2, we review related work on authentication and access control protocols for wireless networks. Then we discuss the security requirements for access control protocols in Section 3. After that we first present the Lancaster protocol and our detailed security analysis in Section 4; we then introduce a password-authenticated key exchange protocol to replace the Lancaster protocol. In Section 5 we mention the Stanford protocol and analyze its security loopholes; we then give an alternative PKC-based protocol. At last, we draw our concluding remarks in Section 6.
For ease of reference, important notations used throughout the paper are listed in Table 1.
Section snippets
Related work
Due to prevalence of wireless networks, there has been a lot of research focusing on access control and authentication protocols for wireless networks. Unfortunately, existing solutions for wireless networks cannot fulfill all the security requirements, and some of them even have serious security flaws.
The IEEE standard 802.11 [23] used the Wired Equivalent Privacy (WEP) protocol, which is a symmetric cryptosystem based protocol, for access control in wireless networks. WEP is intended to
Security requirements
Before proceeding with the description of the authentication and access control protocols for wireless networks, we list below a number of security requirements for such protocols.
- •
Mutual Authentication: Authentication of the client to the authentication server and authentication of the server to the client. The network wants to be sure that it is communicating with a genuine client; otherwise there is a danger that spurious client will be able to fraudulently gain a level of service without
Password-based access control protocols
In this section, we first review the Lancaster access control architecture considered in [28], [17], present the Lancaster protocol designed for the architecture, discuss its security weaknesses and then introduce our protocol for the access control architecture. Both the Lancaster protocol and our protocol use user passwords for authentication and key exchange. Password-based schemes are still the dominate approach for user authentication, and this is particularly true for mobile users who may
Public key cryptosystem based access control protocols
In the last section, we focused on password-based access control protocols. Such protocols are easy to use especially for mobile users who move from one device to another device. In this section, we are concerned with access control protocols based on public key cryptosystem (PKC). For this purpose, we first review the Stanford access control architecture and protocol as proposed by Faria and Cheriton [16]. We then point out some weaknesses in the Stanford protocol and present our access
Conclusions
Security issues are crucial for wireless communications, and a secure and efficient access control mechanism is the first line of defense for secure wireless networking. In this paper we reviewed two two-layer access control architectures, the Lancaster architecture [28], [17] and the Stanford architecture [16]. We analyzed the access control protocols in the two architectures and identified various weaknesses and flaws.
Based on the same two-layer architectures, we proposed two access control
Acknowledgement
This paper is partly funded by Office of Research, Singapore Management University.
Zhiguo Wan is currently a Ph.D. candidate at National University of Singapore. His main research interests include cryptography, security in wireless networks. He received his B.S. in computer science from Tsinghua University in 2002.
References (31)
- W. Aliello et al., Just fast keying (JFK), IETF Draft (work in progress). Available from:...
- W. Aliello et al., Efficient, DoS-resistant, secure key exchange for internet protocols, in: Proceedings of ACM...
- et al.
Privacy authentication for wireless local area networks
IEEE Personal Communications
(1994) - K. Aoki, H. Lipmaa, Fast implementations of AES candidates, Third AES Candidate Conference, New York City, USA, 13–14...
- W.A. Arbaugh, N. Shankar, J. Wang, Your 802.11 networks has no clothes, in: Proceedings of the First IEEE International...
- et al.
Privacy and authentication on a portable communications system
IEEE Journal on Selected Areas in Communications
(1993) - S.M. Bellovin, Problem areas for the IP security protocols, in: Proceedings of the 6th USENIX Security Symposium, San...
- N. Borisov, I. Goldberg, D. Wagner, Intercepting mobile communications: the insecurity of 802.11, in: Proceedings of...
- et al.
Encrypted key exchange: password-based protocols secure against dictionary attacks
- et al.
Augmented encrypted key exchange: a password-based protocol secure against dictionary attacks and password file compromise
Cited by (6)
TDANE: Mechanism for validation of domain certificates for trusted browsing
2021, Proceedings - 5th International Conference on Intelligent Computing and Control Systems, ICICCS 2021Steganographic access control in data hiding using run-length encoding and modulo-operations
2016, Security and Communication NetworksAn asymmetric encryption algorithm for wireless sensor networks based on elliptic curve cryptosystem
2012, International Review on Computers and SoftwareWireless LAN security management with location detection capability in hospitals
2012, Methods of Information in MedicineCountermeasures against MAC address spoofing in public wireless networks using lightweight agents
2010, 2010 The 5th Annual ICST Wireless Internet Conference, WICON 2010CEBAC: A decentralized cooperation enforcement based access control framework in MANETs
2008, Communications in Computer and Information Science
Zhiguo Wan is currently a Ph.D. candidate at National University of Singapore. His main research interests include cryptography, security in wireless networks. He received his B.S. in computer science from Tsinghua University in 2002.
Robert H. Deng is Professor and Director of SIS Research Center, School of Information Systems, Singapore Management University. Prior to this, he was Principal Scientist and Manager of Infocomm Security Department, Institute for Infocomm Research. He has 23 patents and more than 140 technical publications in international conferences and journals in the areas of computer networks, network and distributed system security and information security. He has served as general chair, program chair, and program committee member of numerous international conferences. He received the University Outstanding Researcher Award from the National University of Singapore in 1999 and the Lee Kuan Yew Fellow for Research Excellence from the Singapore Management University in 2006.
He received his B.Eng from National University of Defense Technology, China, in 1981, his M.Sc and Ph.D. from Illinois Institute of Technology, USA, in 1983 and 1985, respectively.
Feng Bao received his BS in mathematics and MS in computer science from Peking University in 1984 and 1986, respectively, and his Ph.D. in computer science from Gunma University in 1996. Currently he is the Principal Scientist and the Department Manager of the Systems & Security Department of Institute for Infocomm Research, Singapore. He has 15 patents and over 150 journal/conference publications in cryptography and information security. He served numerous international conferences in this area as general chair, program chair and program committee member.
Akkihebbal L. Ananda is an Associate Professor in the Computer Science Department of the School of Computing at the National University of Singapore. His research areas of interest include transport protocols, IP mobility, IPv4 and IPv6 transition mechanisms, and wireless and sensor networks.
Ananda obtained M.Tech degree in Electrical Engineering from the Indian Institute of Technology, Kanpur in 1973, and M.Sc and Ph.D. degrees in computer science from the University of Manchester, UK, in 1981 and 1983 respectively.