Similar literature
 Found 20 similar documents; search time 15 ms
1.
Wireless LAN security and IEEE 802.11i   Cited by: 7 (self-citations: 0; citations by others: 7)
This article reviews wireless LAN security with a focus on the evolving new IEEE 802.11i standard. The major security enhancements in encryption and authentication defined by 802.11i are illustrated. In addition, the newly introduced key management in 802.11i is discussed. Because 802.11i incorporates IEEE 802.1X as its authentication enhancement, 802.1X with consideration of roaming users is depicted. Both intrasubnet and intersubnet roaming are illustrated.

2.
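Starting from the background of WLAN technology and the risks and threats it may face, this paper analyzes the strengths and weaknesses of several commonly used WLAN authentication methods and then proposes a reasonably secure and practical solution. With the IEEE 802.11i-2004 international standard at its core and within the IEEE 802.11i framework, 802.1X/EAP is used to provide strong identity authentication for a robust security network association; once authentication is complete, CCMP based on the AES algorithm (FIPS PUB 197-2001) protects data confidentiality and integrity.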

3.
IEEE 802.11ah is a recently released IEEE standard to specify a wireless communication system with a long‐range, low‐power, and low data transmission rate over smart devices used in Internet of Things (IoT) systems. This new standard belongs to IEEE 802.11 wireless local area networks (WLANs) protocol family. It requires lightweight protocols to support the low‐power and low‐latency features of the IoT devices. On the other hand, an upcoming solution of fast initial link setup (FILS) specified by IEEE 802.11ai standard is a brand‐new approach aiming to establish fast and secure links among devices in WLANs to meet this new demand. It is natural and feasible to apply it to the 802.11ah networks to support massively deployed wireless nodes. However, security concerns on the link connection by the FILS scheme have not been fully eliminated, especially in the authentication process. It has been explored that a type of recently revealed malicious attack, key reinstallation attack (KRA) might be a threat to the FILS authentication. To prevent the success of the KRAs, in this paper, we proposed a secure and efficient FILS (SEF) protocol as the optional substitute of the FILS scheme. The SEF scheme is designed to eradicate potential threats from the KRAs without degrading the network performance.

4.
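Research on wireless LAN security technology   Cited by: 20 (self-citations: 0; citations by others: 20)
Addressing the serious deficiencies of the security mechanisms in the existing wireless LAN standard IEEE 802.11, this paper analyzes in depth the IEEE 802.1X-based Extensible Authentication Protocol (EAP) and the Kerberos authentication protocol, describes the WEP/WEP2 and AES solutions among encryption algorithms, gives a preliminary discussion of key regeneration techniques, and finally outlines directions for further research.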

5.
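Analysis of security flaws in IEEE 802.11 wireless LANs   Cited by: 4 (self-citations: 2; citations by others: 4)
This article analyzes the security mechanisms of the IEEE 802.11 wireless local area network (WLAN) and discusses the main security problems of IEEE 802.11 from the perspectives of authentication and encryption. It states the security properties that a wireless LAN security mechanism should have, and proposes solutions and security measures for improving WLAN security.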

6.
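This paper analyzes in detail IEEE 802.11i, the latest security standard for WLANs (wireless local area networks), including the standard's architecture, access authentication and access control, and encryption mechanisms. It also analyzes the standard's network authentication and authorization, key generation and management, and data encryption mechanisms. Finally, it points out topics in WLAN security that need further research and problems that still exist in 802.11i.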

7.

Mobile cloud computing (MCC) is a new technology that brings cloud computing and mobile networks together. It enhances the quality of service delivered to mobile clients, network operators, and cloud providers. Security in MCC technology, particularly authentication during the handover process, is a big challenge. Current vertical handover authentication protocols encounter different problems such as undesirable delays in real-time applications, the man-in-the-middle attack, and the replay attack. In this paper, a new authentication protocol for heterogeneous IEEE 802.11/LTE-A mobile cloud networks is proposed. The proposed protocol is mainly based on the view of the 3GPP access network discovery and selection function, which uses the capacities given by the IEEE 802.11 and the 3GPP long term evolution-advanced (LTE-A) standards interconnection. A prediction scheme, with no additional load over the network or the user, is utilized to handle cloud computing issues arising during authentication in the handover process. The proposed handover authentication protocol outperformed existing protocols in terms of key confidentiality, powerful security, and efficiency which was used to reduce bandwidth consumption.


8.
梁亮理 《通信技术》2010,43(7):86-88
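As a new-generation wireless LAN (WLAN) standard, the 802.11s mesh network can effectively make up for the shortcomings of the 802.11b protocol in ease of deployment and security. Because the original access authentication protocol of 802.11s mesh networks has high time complexity, an access authentication protocol based on dynamic group signatures is proposed, in which mutual authentication among all access points is achieved through four rounds of interaction among the authentication server, the key distributor, and the access points. Analysis shows that the protocol effectively improves the computational and communication performance of the access authentication process while ensuring its security.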

9.
郭琳 《电子设计工程》2011,19(18):125-129
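In response to the dangers facing resources on wireless LANs, the security flaws of the standards, and security vulnerabilities such as wireless LAN spoofing and hijacking, a security policy scheme for wireless LANs is proposed. Regarding the risks to information in transit, data encryption and data integrity checking can give a wireless LAN protection comparable to the physical security of a wired network. Regarding network standards, on the one hand the new-generation security standard IEEE 802.11i can be adopted, which secures the wireless LAN through the Extensible Authentication Protocol (EAP) and three encryption mechanisms (the Temporal Key Integrity Protocol, TKIP, and the AES-based CCMP and WRAP). On the other hand, China's wireless LAN security standard WAPI can be adopted, which uses an elliptic-curve algorithm from public-key cryptography and a block cipher from secret-key cryptography to achieve WLAN compatibility across multiple security mechanisms. The results show that these security policies provide a technical basis for improving the relative security of wireless LANs and for interconnection and interoperation with other networks.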

10.
Security protocol for IEEE 802.11 wireless local area network   Cited by: 1 (self-citations: 0; citations by others: 1)
As Wireless Local Area Networks (WLANs) are rapidly deployed to expand the field of wireless products, the provision of authentication and privacy of the information transfer will be mandatory. These functions need to take into account the inherent limitations of the WLAN medium such as limited bandwidth, noisy wireless channel and limited computational power. Moreover, some of the IEEE 802.11 WLAN characteristics such as the use of a point coordinator and the polling based Point Coordination Function (PCF) have also to be considered in this design. In this paper, we introduce a security protocol for the IEEE 802.11 PCF that provides privacy and authentication, and is designed to reduce security overheads while taking into account the WLAN characteristics. We prove this protocol using the original and modified BAN logic.

11.
A novel wireless local area network (WLAN) security processor is described in this paper. It is designed to offload security encapsulation processing from the host microprocessor in an IEEE 802.11i compliant medium access control layer to a programmable hardware accelerator. The unique design, which comprises dedicated cryptographic instructions and hardware coprocessors, is capable of performing wired equivalent privacy, temporal key integrity protocol, counter mode with cipher block chaining message authentication code protocol, and wireless robust authentication protocol. Existing solutions to wireless security have been implemented on hardware devices and target specific WLAN protocols whereas the programmable security processor proposed in this paper provides support for all WLAN protocols and thus, can offer backwards compatibility as well as future upgrade ability as standards evolve. It provides this additional functionality while still achieving equivalent throughput rates to existing architectures.

12.
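To address wireless network security threats, a wireless security authentication scheme based on a chaos algorithm is proposed. The dependence of chaos on initial conditions is used to generate chaotic sequences that serve as the identity of a wireless user; such an identity is unique, unforgeable, and can change dynamically. A dynamic authentication scheme and procedure based on chaos theory for the IEEE 802.11 wireless LAN environment is also given. The results show that the scheme has good encryption performance, low computational cost, strong resistance to attack, and high security.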

13.
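WLAN security mechanisms
With the widespread use of wireless LAN technology, new wireless LAN security standards have been proposed to strengthen the security of wireless LANs. This paper introduces the implementation principles and specific procedures of two wireless network security standards, IEEE 802.11i and WAPI, focuses on the technical characteristics and deployment status of WAPI, which was developed independently in China, and compares it with the IEEE 802.11i standard.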

14.
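Because of their open channel environment and traditional key-based authentication mechanisms, wireless LANs face severe security problems. Radio-frequency fingerprinting, which extracts hardware characteristics of a wireless device for identity verification, can greatly improve wireless network security. Based on the Universal Software Radio Peripheral (USRP) and the open-source GNU Radio platform, this paper extracts the carrier frequency offset of IEEE 802.11a/g signals as a fingerprint and performs identification with a neural-network classifier. The signal is first received and the carrier frequency offset of each frame is extracted; a neural-network classifier is then trained; finally, the classifier is used to identify wireless devices. Individual-device identification experiments were carried out in two typical indoor environments, an office and a gymnasium, and the identification rate exceeded 90% in both. The results show that carrier frequency offset extracted with software-defined radio can distinguish different wireless devices and detect access by unauthorized devices, improving wireless network security.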

15.
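IEEE 802.11s is the IEEE specification for wireless mesh networks. Although 802.11s adopts the security specification of IEEE 802.11i, it does not define much for the security of the routing protocol, which creates certain security risks. This article analyzes vulnerabilities in the routing protocol of the IEEE 802.11s standard (draft) and designs two attacks against the Hybrid Wireless Mesh Protocol (HWMP) used in IEEE 802.11s that undermine the availability of the wireless mesh network. The attacks are implemented on a self-designed router platform, and their impact on the network is analyzed to verify that the vulnerabilities exist and are exploitable.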

16.
The handover procedure in secure communication wireless networks is an extremely time-consuming phase, and it represents a critical issue in relation to the time constraints required by certain real-time traffic applications. In particular, in the case of the IEEE 802.1X model, most of the time required for a handover is used for packet exchanges that are required for authentication protocols, such as Extensible Authentication Protocol Transport Layer Security (EAP-TLS), that require an eight-way handshake. Designing secure re-authentication protocols to reduce the number of packets required during a handover is an open issue that is gaining interest with the advent of a pervasive model of networking that requires real-time traffic and mobility. This article presents the 802.1X model and evaluates its application to ad hoc networks based on IEEE 802.11i or IEEE 802.1 be standards, focusing on the problems that must be evaluated when designing handover procedures, and suggesting guidelines for securing handover procedures. It also presents a novel protocol to perform secure handovers that is respectful of the previous analysis and that has been implemented in a mesh environment.

17.
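Research on wireless local area network security technology   Cited by: 4 (self-citations: 2; citations by others: 4)
This paper analyzes the WEP security mechanism of the existing wireless LAN (WLAN) standard IEEE 802.11b and its vulnerabilities in encryption and authentication. The SPRNG protocol uses a synchronized pseudo-random code generator to produce authentication variables and encrypts every data frame, and is based on mutual authentication and encryption. The complexity and security of its implementation are also analyzed.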

18.

Authentication has a strong impact on the overall security model of every information system. Various authentication techniques are available for restricting the access of unauthorized users to enterprise-scale networks. IEEE 802.1X defines a secure and reliable authentication framework for 802.11 WLANs, where the Extensible Authentication Protocol (EAP) provides the base for this architecture. EAP is a generic architectural framework which supports extensibility by incorporating new and improved authentication schemes, which are based on different types of credentials. Currently there exist a number of EAP and non-EAP methods with varying levels of security and complexity. In this work, we have designed a new n-secret based authentication scheme, referred to here as Personal Dialogue Based Authentication, for client authentication to the network. It is a Transport Layer Security (TLS) protected authentication protocol, which will be executed inside the secure TLS tunnel for providing privacy and credential security to the wireless client. The developed authentication protocol has a reasonable set of features, such as strong security, user privacy, simplicity and extensibility. For the formal analysis of the protocol we have used the SPAN–AVISPA model checker on the Ubuntu platform for validating the realization of the specified security goals. The experimental results obtained by simulation performed with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool show that our protocol is efficient and secure.


19.
王思涵  郭渊博  刘伟 《通信技术》2010,43(2):188-190,194
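Mesh is a new type of wireless network, and a secure authentication mechanism is a prerequisite for securing WLAN mesh networks. The structural characteristics of WLAN mesh networks are studied, and an EAP-TLS authentication scheme under the IEEE 802.1X standard is proposed, which uses the EAP-TLS mutual authentication mechanism to provide secure access authentication in WLAN mesh networks. The authentication flow and security of the protocol are described and analyzed.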

20.
Mesh WLAN networks: concept and system design   Cited by: 8 (self-citations: 0; citations by others: 8)
In recent years WLAN technology has become the common wireless access technology for mobile computing. Additional to infrastructure access to WLAN networks, peer-to-peer and mesh networking are currently gaining in interest. Mesh networking techniques using WLAN are being standardized in IEEE 802.11s. This article describes use cases, the main technical issues, and a set of potential solutions for mesh network development. Furthermore, an overview of the standardization activities in IEEE 802.11s is presented. The key technical aspects of mesh networks identified are topology creation, routing, medium access control, security, quality of service, and power efficiency.
