Article

Port-Based Network Access Control


... When a mesh STA joins the network, it chooses a MA which will act as a pass-through server for its EAP messages sent to the AS. The supplicant STA authenticates itself with the AS using an 802.1X authentication [12]. It sends EAP frames to the MA encapsulated using the EAPOL protocol defined in [12]. ...
... The supplicant STA authenticates itself with the AS using an 802.1X authentication [12]. It sends EAP frames to the MA encapsulated using the EAPOL protocol defined in [12]. The first EAP frame is the EAPOL-start frame and the upcoming frames represent responses to the AS requests. ...
... Nowadays, most of the authentication schemes that are being proposed for wireless networks use the 802.1X standard [12]. The authentication methods proposed by this standard are either based on the verification of a secret shared between two STAs or on a signature mechanism that uses certificates to authenticate the public/private key pair used for signing. ...
Conference Paper
Full-text available
Nowadays, ID-based cryptography is reported as an alternative to Public Key Infrastructures (PKI). It proposes to derive the public key from the node's identity directly. As such, there is no need for public key certificates, and a direct benefit of this is to remove the burdensome management of certificates. However, the drawback is the need for a Private Key Generator (PKG) entity which can perform a key escrow attack. In this article, we present an ID-based authentication scheme that is adapted to the IEEE 802.11s mesh networks and resistant against key escrow attacks.
... Nowadays, most of the authentication schemes proposed for wireless networks rely on the 802.1X standard [1]. The 802.1X standard was designed to integrate Extensible Authentication Protocol (EAP) into IEEE 802 wired networks . ...
... Particularly, it has been adapted to the 802.11 networks architectures in the IEEE 802.11i standard [2] which extends the IEEE 802.1X specification [1]. The IEEE 802.1X defines the EAP over LAN protocol (EAPOL). ...
Article
Full-text available
We propose in this paper two ID-Based authentication methods for the Extensible Authentication Protocol (EAP), as an alternative to methods relying on Public Key Infrastructure (PKI), to provide nodes with private and public keys. ID-Based Cryptography (IBC) proposes to derive the public key from the node's identity directly. As such, there is no need for deployment of a Certification Authority (CA) and the burdensome management of certificates is removed. IBC relies on a Private Key Generator (PKG) for the computation of stations' private keys. Our first presented authentication method corresponds to a situation where the PKG is trustful. As such, the PKG generates the private keys of all the network stations. However, our second contribution presents an authentication method which is resistant to the Key Escrow Attack. That is, we make each station generate its own ID-Based private key. In addition, results from implementation tests are given and prove how efficient IBC might be for use in wireless networks.
... IEEE802.1x is a port-based network access control protocol used to achieve mutual authentication and efficient key exchange mechanism between clients and servers in wired and wireless LANs [7]. It is based on three network elements, supplicant, authenticator and authentication server [28]. In the context of wireless LANs, the supplicant is the wireless station which tries to access the network. ...
... uses Extensible Authentication Protocol (EAP [29]) messages to handle authentication requests and replies [10]. EAP messages traveling between supplicants and the authenticator in wired or wireless LAN environment are encapsulated in an encapsulation technique called EAP over LAN or EAPoL [28], the terms EAPoL and EAP are used interchangeably when working in a LAN environment. Beside authentication, IEEE802.1x ...
Article
Full-text available
Summary: Wireless Local Area Networks (WLANs) are cost effective and desirable gateways to mobile computing. They allow computers to be mobile, cableless and communicate with speeds close to the speeds of wired LANs. These features came with an expensive price to pay in areas of security of the network. This paper identifies and summarizes these security concerns and their solutions. Broadly, security concerns in the WLAN world are classified into physical and logical. The paper overviews both physical and logical WLANs security problems followed by a review of the main technologies used to overcome them. It addresses logical security attacks like man-in-the-middle attack and Denial of Service attacks as well as physical security attacks like rogue APs. Wired Equivalent Privacy (WEP) was the first logical solution to secure WLANs. However, WEP suffered many problems which were partially solved by the IEEE802.1x protocol. Towards perfection in securing WLANs, IEEE802.11i emerged as a new MAC layer standard which permanently fixes most of the security problems found in WEP and other temporary WLANs security solutions. This paper reviews all security solutions starting from WEP to IEEE802.11i and discusses the strengths and weaknesses of these solutions.
... When a mesh STA joins the network, it chooses a MA which acts as a pass-through server for its EAP message sent to the AS. The supplicant STA authenticates itself to the AS using an 802.1X authentication [11]. It sends EAP frames to the MA encapsulated using the EAPOL protocol defined in [11]. ...
... The supplicant STA authenticates itself to the AS using an 802.1X authentication [11]. It sends EAP frames to the MA encapsulated using the EAPOL protocol defined in [11]. The first EAP frame is the EAPOL-start frame and the upcoming frames represent responses to the AS requests. ...
Article
Full-text available
Nowadays authentication in Wireless Mesh Networks (WMN) refers to the 802.1X authentication methods or a Preshared key authentication, and makes use of certificates or shared secrets. In wireless environments, the management of certificates is a cumbersome task as certificates require deploying a Public Key Infrastructure (PKI) and Certification Authorities (CA). They also require defining a certificate management policy to control the generation, transmission and revocation of certificates. During the last decade, ID-Based Cryptography (IBC) appeared as a good alternative to PKI. IBC proposes to derive the public key from the node's identity directly thanks to the use of a Private Key Generator (PKG). In this article, we present an authentication method relying on ID-Based signature and encryption schemes that use the Sakai-Kasahara key construction. The resulting authentication scheme is suitable for IEEE 802.11s mesh networks and resistant to the key escrow attack.
... Furthermore, during our design process we had taken into consideration the possibility of integration of the standard security solutions that come with the SMART-Net EU funded project IST STREP 223937 infrastructure (see [1], [2]), as well as established, more general security mechanisms that could fulfill the SMART-Net security requirements (e.g. [3], [4]). ...
... EAP) that are independent of the link layer technology (IEEE 802.11 or IEEE 802.16), as well as the cryptographic algorithms negotiation;
• extensibility, based on the underlying 802.1x security architecture model;
• scalability, assured by lightweight cryptographic mechanisms;
• centralized security system design, which facilitates credentials management and matches the general SMART-Net infrastructure design;
• support for intra/inter-domain device mobility, through efficient handover re-authentication mechanisms;
• support for a separate single-entity security administration for each network: RAN, BAN and CSN;
• provision of security services for the mitigation of MITM (Man-In-The-Middle) and DDoS (Distributed Denial Of Service) attacks and theft of network connectivity service [10].
The main functional components of the SMART-Net security architecture are: user/device authentication, control of network connectivity authorization and access to the RAN/BAN access network; the authentication, integrity and confidentiality of all packets passing the RAN or BAN networks; and the key management subsystem. The SMART-Net security architecture design relies on the underlying 802.1x model for network authorization and access control (see [3]), due to its capabilities for extensibility and flexibility. Each SMS-R/B or SMR-R/B entity must be capable of playing the supplicant as well as the authenticator role in order to allow incremental build-up of the SMART-Net secure mesh infrastructure as new entities join the infrastructure (see Figure 2). ...
Article
Full-text available
Nowadays, the definition and integration of the security measures within the communication network infrastructure from its early stages of design represents a common required task. This paper focuses on the overall security architecture we designed for hybrid mesh networks (802.11 and 802.16). The main objectives of our security architecture are the authentication and authorization (AA) of devices/users for granting access to the connectivity services. We point out the main design security requirements we addressed and define our IEEE 802.1x-based security architecture. Thereafter, we present the preliminary validation results achieved to date.
... First, the Service Port PEP (Policy Enforcement Point) has been introduced as the access control mechanism in the operator. It is based on the IEEE 802.1X [12] standard, to which some extensions have been defined. Then, a profile-based policy has been designed for AuthZ purposes. ...
... Control standard [12] (IEEE 802.1X) is also introduced, which defines the EAPoM (EAP over MAN or EAPoL-in-EAPoL) protocol. This extension adapts the 802.1X standard to a new scenario in which multiple services must be controlled, and is closely related with the Service Port concept. ...
... Upon this, the Wi-Fi Alliance proposed Temporary Key Integration Protocol (TKIP) for fast re-keying to improve the secrecy. Furthermore an authentication protocol based on 802.1x [10] is developed to take the place of the poor open system authentication and WEP authentication. Currently the latest IEEE std. ...
... We will compare three kinds of VoWLAN system. The first one is implemented without any security considerations, the second uses a simple Challenge-Response scheme for authentication and WEP for data encryption, the last one implements the strongest security by 802.1x [10] based authentication and TKIP for data encryption. However, we won't cover the complete implementation of 802.11i. ...
Article
This project studies the effects of security features on the per-packet delay and loss rate of voice traffic over WLAN. We model the security features by adding packets and extending the length of each data packet. Different authentication and encryption schemes (WEP with Challenge-Response authentication and TKIP with a long term shared key and 4-way handshake) are investigated to represent the common secure WLAN implementations. Based on our simulation, when the traffic load is light in the network, adding security features does not decrease the performance, while the network performance will decrease more rapidly when the traffic load is getting higher and higher. That is because in 802.11 MAC, the frame body is transmitted at a higher rate (11Mbps) than the packet overhead, so the number of packets transmitted over 802.11 MAC dominates the performance in this case, instead of the length of the packets.
... Nowadays, most of the authentication schemes proposed for wireless networks rely on the 802.1X standard [1]. The 802.1X standard was designed to integrate EAP (Extensible Authentication Protocol) into IEEE 802 wired networks. ...
... Particularly, it has been adapted to the 802.11 networks architectures in the IEEE 802.11i standard [2] which extends the IEEE 802.1X specification [1]. The IEEE 802.1X defines the EAP over LAN protocol (EAPOL). ...
Article
Full-text available
This paper proposes an ID-Based authentication method for the Extensible Authentication Protocol (EAP), as an alternative to methods relying on PKI (Public Key Infrastructure), to provide nodes with private and public keys. It proposes to derive the public key from the node's identity directly. As such, there is no need for deployment of a CA (Certification Authority) and the burdensome management of certificates is removed. The presented authentication method is resistant to the Key Escrow Attack. In addition, the results from implementation tests are given and prove how efficient the ID-Based cryptography might be for use in wireless networks.
... Modern 802.11 security is based on the IEEE 802.1X standard [2]. 802.1X defines an extensible authentication framework using IETF's Authentication, Authorization and Accounting (AAA) protocols [3] [4]. ...
... On user demand, the solicited node retrieves the correspondent profile by using overlay's lookup method. Using the retrieved profile the serving AP follows the usual 802.1X procedure acting as Authenticator with a local Authentication Server [2]. ...
Article
Full-text available
In this paper, we propose COMPASS, a new decentralized access control architecture for modern WLANs. As traditional centralized access control systems like AAA do not scale well, we propose the use of P2P technologies for the distribution of management data directly between the deployed WLAN access points. Our system COMPASS does not require any additional equipment or central entities. Using auto-organization and fault recovery mechanisms of modern P2P systems, it is robust and easier to maintain. Standard 802.1X mechanisms on the user link guarantee compatibility to the existing user equipment.
... Two main security areas can be identified: the first is related to the access of client terminals, while the second is related to the mesh backbone. Client authentication and access control can be provided using standard techniques [18,19,20], which guarantee a high level of flexibility and transparency: all users can access the mesh network without any change to their client devices and software. However, client mobility can pose severe problems to security architectures, especially when real-time traffic is transmitted. ...
Research
Full-text available
Wireless mesh networks have emerged recently as a technology for next generation wireless networking. Due to multi-hop communication and routing on layer two in mesh networks, attacks on the routing, selective forwarding and eavesdropping on confidential data become relatively easy. To avoid such attacks, a differentiated security approach which is based on protection levels associated with nodes in the network is introduced in this paper. Participation in the MAC layer routing is facilitated according to the respective protection level of a node. Using additional cryptographic protection, the approach introduced in this paper would greatly help in avoiding unintentional disclosure of confidential data.
... Figure 7. Architecture of an 802.1x authentication system.12 ...
Article
Full-text available
The lack of security in wireless networks is a problem that, despite its seriousness, has not received due attention from network administrators and those responsible for information. This article presents the existing technologies for improving the level of security in 802.11 wireless networks, with their advantages, disadvantages and application scenarios.
... The related devices may be an endpoint logging into a Windows domain in an environment where an inline PEP is able to intercept the Windows login, an endpoint running an 802.1X supplicant but no TNCC, or a laptop running a TNC stack which is configured not to share information with the network. EM 2: RADIUS-Based 802.1X [8] Authentication. The 802.1X standard is a layer 2 protocol executing access control and identity authentication based on Client/Server. ...
Article
Trusted Network Connect (TNC) proposes a hierarchical and scalable architecture to securely and efficiently control endpoint admission to the trusted computing platform to implement message passing and resource sharing. But not all endpoints support or run a functional TNC client performing integrity checking, which represents a security risk in lots of environments. We have to consider the problem of how to give these "clientless endpoints" access to trusted networks. It is of significance for improving the TNC mechanism. To solve the problem above, under the framework of TNC, this paper comes up with a clientless endpoint authentication scheme named CEAS. CEAS designs five enforcement mechanisms and the related message format to authenticate and authorize clientless endpoints. Furthermore, after the endpoints have connected to the networks, their initial determinations may be dynamically modified according to the updated circumstances. The experiment results prove that CEAS has the capability of effectively and flexibly giving clientless endpoints access to trusted networks in a controlled and secure manner.
... control and data communication encryption. These requirements were specified in the IEEE 802.1X standard [14], which implements the media-independent Extensible Authentication Protocol (EAP) [15]. The authentication and access control process involves two entities: a wireless user's device and an Access Point (AP) that plays the role of authenticator. ...
Conference Paper
Full-text available
This article discusses security issues of passenger verification platforms, deploying mobile and portable devices, which will enable authorities to conduct fast, secure and reliable checks at land/railway border crossing points. The automated passenger verification facilitates the efficient, high-speed processing of biometric information and documentation at border control points without compromising security or requiring major infrastructure investments. From the passengers' point of view, faster cross-border checking increases convenience by eliminating the need to wait in long queues.
... An alternative to our architecture could be to utilize 802.1X [19] and EAP-TTLS [20] for authentication. Using this solution, authentication of IPCs can still be performed. ...
Conference Paper
Full-text available
Europe is experiencing a rapid growth in residential broadband coverage, but due to usage patterns and cost structures, only a fraction of the available bandwidth is actually being consumed. This implies that most residential broadband subscribers have excess capacity, and the idea of the Open Broadband Access Network (OBAN) project is that this capacity can be shared with passers-by. In order for the residential broadband subscribers to open up their networks, and for the potential wireless customers to sign up for OBAN service, the security of both parties must be ensured. OBAN needs to solve the problems posed by the fact that a visiting OBAN user and a residential access point operator have no pre-existing trust relationship. This paper describes an architecture that achieves this. In addition, the architecture ensures that all participating parties are able to prove the amount of traffic transferred in any given OBAN session. This enables a broader range of business models with respect to charging of visiting OBAN users, remuneration of residential subscribers, and cooperation between service providers. This may in turn result in new business opportunities.
... In the long term, 802.11i might provide a framework which adopts the Advanced Encryption Standard (AES) [17]. For the authentication solution, WPA implements the IEEE 802.1X standard for port-based access control [18] and the Extensible Authentication Protocol (EAP) [19]. 802.1X is now widely deployed in many IEEE 802 series standards with RADIUS (Remote Authentication Dial-in User Service) [20], a central authentication server, to authenticate each user on the network. ...
Article
The fast growth of Internet technology has suggested that the next Generation Wireless Network (NGWN) will be an all-IP based integrated wireless network architecture. This evolving network will realize a great number of novel mobile network applications and innovative ubiquitous computing services. As more and more emerging interactive service developments proceed within the wireless network, the security of confidential data and individual privacy become a critical issue. Current wireless security technologies have faced potential challenges; thus they might not be able to satisfy some special requirements of NGWN. We have been devoted to a long term research project to provide solutions to meet the requirements of mobility and security for NGWN. This paper demonstrates our first stage research accomplishment, a novel wireless security mechanism called the Multi-Key Encryption (MKE) mechanism. This mechanism enhances the key management of Wi-Fi Protected Access 2 (WPA2), and has strong robustness and similar computation overhead. Through the formal proof and experimentation result, we can show that our mechanism is effective and able to provide necessary security. In the future, we will continue to extend it to generic security solutions for NGWN.
... This service level agreement among different organizations requires several efforts related to user mobility, exchange of security information, integration of heterogeneous proposals, etc. Concerning user mobility, the TERENA Mobility Task Force provided a forum for exchanging experiences and knowledge about the different roaming development activities in the European Union. As a result of this effort, this task force defined and tested an inter-NREN roaming architecture, called eduroam [7], based on AAA servers (RADIUS) [21] and the 802.1X standard [13], which is currently composed of 19 countries. Eduroam was proposed after identifying the most suitable standards-based techniques currently deployed in the NRENs, paying special attention to those elements needed for an inter-NREN WLAN architecture. ...
Article
Full-text available
Identity federations have been emerging in the last years in order to make the deployment of resource sharing environments among organizations easier. One common feature of those environments is the use of access control mechanisms based on the user identity. However, most of those federations have realized that user identity is not enough to offer a more fine-grained access control and value added services. Therefore, additional information, such as user attributes, needs to be taken into account. This paper presents the overview and some preliminary results of the DAMe project. We will show how one of those real and widely spread identity federations, eduroam, has been extended in order to make use of the user attributes defined in the user's home domain, to adopt authorization decisions during the access control process. This authorization framework has been integrated by means of the NAS-SAML infrastructure, which defines a network access control service based on SAML and the AAA architecture. Additionally, we present the details of a Single Sign On proposal which takes advantage of the previously deployed authentication and authorization mechanisms. In this way we will be able to establish a link between authentication and authorization methods at different levels in order to provide a seamless global SSO.
... However, the mitigation process continued as it was realized that if a WEP key is changed often enough, it was possible to eliminate the practical threat: attackers will not have enough time to compromise the network. EAP based solutions which frequently re-key emerged and are being recommended by vendors [10,9,18]. ...
Article
Full-text available
The 802.11 encryption standard Wired Equivalent Privacy (WEP) is still widely used today despite the numerous discussions on its insecurity. In this paper, we present a novel vulnerability which allows an attacker to send arbitrary data on a WEP network after having eavesdropped a single data packet. Furthermore, we present techniques for real-time decryption of data packets, which may be used under common circumstances. Vendor produced mitigation techniques which cause frequent WEP re-keying prevent traditional attacks, whereas our attack remains effective even in such scenarios. We implemented a fully automatic version of this attack which demonstrates its practicality and feasibility in real networks. As even rapidly re-keyed networks can be quickly compromised, we believe WEP must now be abandoned rather than patched yet again.
... In the first stages of 802.11 development, the WLAN security was based on two mechanisms: Service Set Identifier (SSID) and Wireless Equivalent Privacy (WEP). When the weaknesses of WEP were identified, IEEE ratified a new standard, IEEE 802.1X, that provides a way to leverage traditional strong authentication mechanisms such as RADIUS Server in a wireless network [5]. The IEEE 802.1x defines a mechanism for port-based network access control. ...
Conference Paper
Full-text available
Wireless networks have gained popularity due to the flexibility and mobility that allow users to access information. This research evaluated the effect of multiple security mechanisms on the performance of an IEEE 802.11g wireless network using a server-client architecture. The results showed that security mechanisms degrade the performance of the network and we must know how much we pay for security features.
... Only authorized devices (both SNOWNET nodes and mobile clients) are allowed to access and be served by the SNOWNET. The security mechanism of SNOWNET is an extension of the IEEE 802.1X specification [4] which supports dynamic keying for both client and for multi-hop backbone communications and is compatible with the Wi-Fi Protected Access (WPA) standard. Due to the size limitation of this paper, we will only focus on the system architecture, data forwarding mechanisms, and the design and implementation of the SNOWNET system in this paper and report on other aspects of SNOWNET such as our security related designs, auto-configuration and performance in future publications. ...
Article
Full-text available
In this paper we address the need for secure and portable wireless data networking. Our solution, named the Secure Nomadic Wireless Network (SNOWNET), is a hierarchical network consisting of a dynamic, multi-hop, wireless backbone network interconnecting a number of local access service areas. SNOWNET provides a secure, quickly deployable, modular networking infrastructure for many networking applications such as extending existing networks to environments with no existing trusted infrastructure as in battlefield situations, disaster relief operations, or temporary events (e.g. conventions, parades, fairs, etc). Design and implementation aspects of SNOWNET nodes, which use IEEE 802.11 WLAN technology to form the backbone network as well as provide local access services, are discussed. The overall architecture of the SNOWNET, the data forwarding protocols executed by SNOWNET nodes, and the functions of several types of SNOWNET nodes are described.
... The IEEE has proposed long-term security architecture for 802.11, which they called Robust Security Network (RSN). It utilized the IEEE 802.1X standard [6] as basis for access control, authentication, and key management. 802.1X had three components: a client (user), an authenticator (AP) and an authentication server. ...
Article
Full-text available
Today, Wireless Network has become more and more present in open areas or large companies and security enhancement is needed to control authentication and confidentiality. The 802.11 Working Group introduced the 802.11i amendment as the final stage of the Robust Security Network standard, superseding the old WEP technology. This paper describes the technical evolution of wireless security and introduces the future 802.11i with the most recent IEEE draft.
... IEEE 802.1x [19], port-based network access control, is a way to enhance local area networks of the IEEE 802 series with increased security. It provides a framework for centralised authentication, access control and key exchange, but it does not specify any mandatory security mechanism or policy for achieving this goal. ...
Article
The deployment of Wireless Local Area Networks (WLAN) has been subject to a tremendous growth, due to the efforts of the various standardisation and certification organisations, to the increased interest of manufacturers and operators, and to a general increased availability of the related technologies. Data security consequently becomes a big issue, because of the particular features of the transmission medium, i.e. the air, which, for instance, does not have any well-defined boundaries. IEEE 802.11 and HIPERLAN/2 are two standards for wireless LANs. Both of them specify security mechanisms and practices to protect the radio link, but in both cases there are weaknesses and gaps: no effective key management system and a weak encryption algorithm, in the case of IEEE 802.11; strong computational requirements on the Access Points (APs) in the case of HIPERLAN/2. Solutions to overcome these problems might either be standards-based, e.g. IEEE 802.1x (provides a framework for centralised authentication and authorisation), IEEE 802.11i (a task force aiming to improve the security features in the current IEEE 802.11 standard), or ad-hoc solutions (VPN, IPSec, Kerberos), distinguishing between public access and private corporate access.
... To address the security concerns new standards were introduced. The related standards are IEEE Standard 802.1x [4] and IEEE Standard 802.11i [5]. The IEEE 802.1x, a port-level access control protocol, provides a security framework for networks, both wired and wireless. ...
Article
Full-text available
Wireless Local Area Networks (WLAN) provide connectivity along with flexibility at low cost. Appreciating the exponential growth in this area, the Institute of Electrical and Electronics Engineers (IEEE) ratified IEEE standard 802.11 in 1999 which was widely accepted as the de facto industry standard for interconnection of portable devices. Due to the scarcity of battery power in portable devices operating in WLANs, 802.11 directly addresses the issue of Power Saving (PS) and defines a whole mechanism to allow stations (STA) to go into sleep mode without losing information, as the access point (AP) keeps buffering the messages directed to the sleeping STA. Growing use of 802.11 led to the identification of flaws in the security specifications of the standard known as Wired Equivalent Privacy (WEP). These flaws were addressed by the introduction of amendments/enhancements. However, IEEE's security enhancements failed to achieve the desired objectives, especially availability, which is the main concern of any network administrator. Identity theft due to unauthenticated management and control frames left a window open for hackers to launch successful Denial of Service (DoS) attacks. The PS functions of 802.11 present several identity based vulnerabilities, exploiting which an attacker can spoof the polling message on behalf of the STA and cause the AP to discard the buffered packets of the client while it is asleep. As a result, an attacker can block the victim STA from receiving frames from the AP, thus launching a successful DoS attack. In this paper we have explained the spoofed PS-Poll based DoS attack and proposed a robust solution to this problem.
... To address these security concerns new standards were introduced. The related standards are IEEE Standard 802.1x [6] and IEEE Standard 802.11i [7]. The IEEE 802.1x, a port-level access control protocol, provides a security framework for networks, both wired and wireless. ...
Article
Full-text available
Wireless Local Area Networks (WLAN) provide connectivity along with flexibility at low cost. Appreciating the exponential growth in this area, the Institute of Electrical and Electronics Engineers (IEEE) ratified IEEE standard 802.11 in 1999, which was widely accepted as the de facto industry standard for interconnection of portable devices. Due to the scarcity of battery power in portable devices operating in WLANs, IEEE 802.11 directly addressed the issue of Power Saving (PS) and defined a whole mechanism to allow stations (STA) to go into sleep mode without losing information, as the Access Point (AP) keeps buffering the messages directed to the sleeping STA. Growing use of IEEE 802.11 led to the identification of flaws in the security specifications of the standard, known as Wired Equivalent Privacy (WEP). These flaws were addressed by the introduction of amendments/enhancements. However, IEEE's security enhancements failed to achieve the desired objectives, especially availability, which is the main concern of any network administrator. Identity theft due to unauthenticated management and control frames left a window open for hackers to launch successful Denial of Service (DoS) attacks. The PS functions of 802.11 present several identity-based vulnerabilities, exploiting which an attacker can spoof a polling message on behalf of the STA and cause the AP to discard buffered packets of the client while it is asleep. As a result, an attacker can block the victim STA from receiving frames from the AP, thus launching a successful DoS attack. The mechanism proposed in [1] addresses
... The home architecture should include enough security mechanisms at the link-level (e.g. WEP [15], WPA [17], 802.1X [18], 802.11i [19], Bluetooth Security [20]), network-level (e.g. IPsec [21]), transport-level (e.g. ...
Chapter
A number of technologies are emerging that enable the creation of a market for networked consumer electronic devices for home use. As this market emerges, the research area of home networking is increasing in importance. In this paper, we first present some motivating use cases from the application area of networked home entertainment to illustrate the requirements posed on home networks, both for local and for remote access. The emphasis is on the use of mobile devices. We describe the challenges facing both the manufacturers and consumers in creating and using such home networks. Since the users of these systems are non-expert consumers, we argue that the most important challenge is creating easy-to-use, self-configuring and self-healing home networks. Finally, we present a de-centralized architecture and an overview of technologies that can be used to enable local and remote access to home networks using mobile devices.
... Therefore, security is of utmost concern in wireless LANs because malicious users can intercept and eavesdrop on data in transit on a shared, broadcast medium [3]. In response to the demand for security, several security protocols, such as wired equivalent privacy (WEP) and 802.1x port access control with extensible authentication protocol (EAP) support, are designed to address security issues [4], [5], [6]. Moreover, the IP security protocol (IPsec) used in wired networks is also considered as an alternative for wireless networks as well [7]. ...
Article
Wireless local area networks (LANs) are vulnerable to malicious attacks due to their shared medium in unlicensed frequency spectrum, thus requiring security features for a variety of applications even at the cost of quality of service (QoS). However, there is very little work on investigating to what extent system performance is affected by security configurations with respect to mobility scenarios, heterogeneous networks, and different applications. In order to exploit the full potential of existing security solutions, we present a detailed experimental study to demonstrate the impacts of security features on performance by integrating cross-layer security protocols in a wireless LAN testbed with IP mobility. We introduce a quality of protection (QoP) model to indicate the benefits of security protocols and then measure the performance cost of security protocols in terms of authentication time, cryptographic overhead and throughput. Our measurements demonstrate that the effects of security protocols on QoS parameters span a wide range; for example, authentication time is between 0.11 and 6.28s, which can potentially affect packet loss dramatically. We also find that for the same security protocol throughput in non-roaming scenarios can be up to two times higher than that in roaming scenarios. However, some protocols are robust against mobility with little variation in system performance; thus, it is possible to provision steady service by choosing security protocols when users’ mobility pattern is unknown. Furthermore, we provide observations on cross-layer security protocols and suggestions to the design of future security protocols for real-time services in wireless LANs.
... There exist various network-level schemes for authenticating network access, such as PANA [4], but they typically require that the client already has IP-level connectivity. This can, of course, include 802.1X-type controlled access [5] or any other filtering mechanism that ensures that no additional communication is possible before the authentication has succeeded, or that the provided preliminary address is very short-lived. Also, the access point controlling the access can receive configuration information concerning the client, like the IP address, through mechanisms like RADIUS or Diameter. ...
Conference Paper
The most typical configuration procedure of a host involves the provision of an IP address, and most often this is done with the help of the dynamic host configuration protocol (DHCP). Unfortunately, the security of this procedure is largely non-existent. While the closed nature of access networks has mitigated the vulnerability, the evolution of the networks and the increase in wireless use demand more stringent security measures. This paper proposes the integration of DHCP with host identity protocol (HIP) mechanisms, so that the security measures inherent to HIP can be extended to protect the configuration information and its provisioning as well.
... Especially the latter ones have a major role in performing authentication of nodes and authorizing them to use networks through attachment points. Examples of such systems are IEEE 802.11 [4] with EAP-based 802.1X [5] authentication, 3G/UMTS networks where AKA is used (e.g. [6]), and mechanisms based on PPP [7] together with CHAP [8]. ...
Conference Paper
In this paper we examine how network attachment can be handled in a system where all communication, both on a data link and in a network, is based on the publish/subscribe paradigm instead of the traditional send/receive model. We present and discuss an early clean-slate solution to the problem of establishing and maintaining network connectivity between nodes in a secure and efficient way. The solution includes a basic protocol for pub/sub-based attachment, which addresses certain pertinent security challenges and conforms with the principle of receiver-driven communication. In addition, we report initial experiences from implementing the concepts outlined in our protocol design.
... The Rude utility is used for emulating VoIP traffic [5]. 3) IPSec Protection Policies: There are several security protocols, such as the Wired Equivalent Privacy (WEP) protocol, the 802.1x framework with extensible authentication protocol (EAP) support, socket security layer (SSL), IP security (IPSec) and 802.11i, designed to ensure protected communication over wireless networks [3], [7], [11], [15], [16]. WEP is supported in the firmware of wireless cards and the access point, and can be configured whenever required. ...
Conference Paper
Radio links exhibit highly unpredictable properties such as variable bandwidth and bit error rates that affect the performance of applications in wireless networks. Besides, another critical concern is the protection of applications due to shared and open wireless medium. However, protection services add additional performance overhead to carry out their operations, and incur varying effects on the network performance, depending on link characteristics. Thus, how to provide protected and high performance service is a challenging issue in wireless networks. The problem is even more challenging for real-time applications such as voice over IP (VoIP) with stringent delay and packet loss requirements. In this paper, we present a novel approach to improve application performance by implementing Link Aware Protection (LAP) in wireless local area networks (LANs). LAP exploits dynamic security policy management (DSPM) scheme for adapting protection with varying link quality. We present a real-time implementation of LAP in our wireless LAN testbed. As a case study, we demonstrate VoIP performance on our LAP enabled wireless clients. The results show the possibility of maintaining an adequate protection and achieving improved performance for VoIP streams under link variations.
... Trusted Network Connect (TNC) is a new concept as well as an open architecture solution which was defined and promoted by the Trusted Computing Group (TCG). The TNC architecture will leverage and integrate with existing network access control mechanisms such as 802.1X [4] and others. ...
Conference Paper
Full-text available
In this paper, based on the trusted network connect architecture, we designed a novel TNC-compatible network access control system which ensures that network administrators enforce security policies on endpoint connection and communication with the corporate network depending on the endpoint integrity and security status. The platform framework is built on the Intel IXP2400 network processor and a set of network access control mechanisms is implemented. The paper introduces the system design and implementation based on the hardware characteristics of the IXP2400 architecture, presents emulation performance results of the system, and then proposes systemic performance optimizations, especially of cryptographic performance, according to the IXP2400 shared memory hierarchy and access latency, which on average boost the throughput by more than 25%. The novelty of the system design is the utilization of the IXP2400 multi-core and multi-thread network processor's software and hardware platform to implement the NAC system framework through secure and reliable communication to ensure endpoint integrity and platform authentication, which is compatible with trusted network connect.
Article
This article presents the progressive evolution of NFV from the initial SDN-agnostic initiative to a fully SDN-enabled NFV solution, where SDN is not only used as infrastructure support but also influences how virtual network functions (VNFs) are designed. In the latest approach, when possible, stateless processing in the VNF shifts from the computing element to the networking element. To support these claims, the article presents the implementation of a flow-based network access control solution, with an SDN-enabled VNF built on IEEE 802.1x, which establishes services as sets of flow definitions that are authorized as the result of an end user authentication process. Enforcing the access to the network is done at the network element, while the authentication and authorization state is maintained at the compute element. The application of this proposal allows the performance to be enhanced, while traffic in the control channel is reduced to a minimum. The SDN-enabled NFV approach sets the foundation to increase the areas of application of NFV, in particular in those areas where massive stateless processing of packets is expected.
Article
Full-text available
In IEEE 802.11 wireless networks, continuous connectivity which allows user mobility and maintains network utilization is one of the most important requirements. In order to establish and keep service state information during the handoff process, the context transfer protocol is used to transfer service state from the originally associated base station to another base station. These base stations exchange messages to establish a secure channel between the APs for transmitting the STA context information. The entire process, however, inevitably increases the overall handoff latency. To resolve the predicament, we propose the Selective Proactive Context Caching (SPCC) technique to proactively propagate the security context of the mobile client to a selected set of neighboring base stations before re-association occurs. Unlike the conventional 802.11 handoff mechanism, in which cooperation among neighboring base stations does not exist, selected neighboring base stations in SPCC exchange link quality information of the mobile client through the LAN and this information is stored in cache memory. Based on the link quality information, the originally associated AP selects a set of neighboring APs and forwards the security context of the mobile station through the LAN. Simulation results show an improvement of 62% in reducing the re-association handoff delay. Specifically, the re-association delay is reduced from 3.2 ms in the 802.11 handoff mechanism to 1.2 ms when SPCC is applied.
Article
Wireless LAN (WLAN) is a type of wireless service that has higher data transmission rates than current cellular networks. Its usage is continually increasing. There are a lot of vulnerabilities in wireless networks, due to the properties of the wireless environment, regardless of its popularity. IEEE announced the 802.11i security standard to solve these problems. The vulnerable point of messages used in the process of key distribution for 802.11i makes the attacked target node lose memory through continuous messages and blocks the legitimate WLAN service. In this paper, we propose new schemes to solve this problem and compare our proposals with the current process. The proposed protocol eliminates the memory exhaustion problem on the client side by using methods for reduction of memory usage.
Article
The existing wireless LAN standard IEEE 802.11b has many vulnerabilities from a security point of view. The authentication mechanisms in IEEE 802.11b have many vulnerabilities. As a result, to complement the weaknesses of IEEE 802.11b authentication, IEEE 802.1x was developed in the sense of providing strong user authentication with an appropriate mechanism. But this mechanism does not perform AP authentication, and there are also some weak points. And in the confidentiality and message integrity case, WEP is weak against key stream reuse attacks, IV reuse attacks and so on. For that reason, in this paper we propose a secure wireless LAN system. Our system provides strong user authentication, confidentiality, and message integrity based on the existing IEEE 802.1x framework and TLS.
Conference Paper
Full-text available
The use of Mobile Ad hoc Networks (MANETs) is growing with advances in technology. MANETs consist of a few nodes with constrained resources and without any special structure. Each node can be connected to other nodes at its own transmission rate. Network access control with respect to the development of networks is very important. In this paper, we explain Network Access Control (NAC), its mechanism of action in networks, and also compare some NAC vendors. We briefly describe four network access control protocols for MANETs and also compare them in terms of efficiency, communication complexity, overhead, and the techniques which are used. In the other part we describe the attacks in MANETs.
Conference Paper
In this work we analyze topology discovery and the procedure for joining the network in the information-centric context. We develop and evaluate such a network attachment procedure in an information-centric network utilizing the publish-subscribe paradigm for the data exchange. In our work the publish-subscribe concept is not only used as a communication means, but we aim at fully exploiting its characteristics for native merging of fine-grained network operations such as topology management and network connectivity establishment. Such an integration adds not only to the simplicity of the network and efficiency of the network information gathering, but includes the means for handling mobility issues. We examine the performance characteristics of the proposed solution particularly focusing on complexity and introduced message overhead. The evaluation results obtained from the testbed experiments show the outstanding performance in terms of delay, while the signaling overhead remains at a very low level.
Article
This document provides a taxonomy of the architectures employed in the existing IEEE 802.11 products in the market, by analyzing Wireless LAN (WLAN) functions and services and describing the different variants in distributing these functions and services among the architectural entities.
Article
A number of green technologies such as Smart Power Grids, Smart Buildings, Smart Industrial Process and Smart Transportation rely on sensor technology. Sensor networks consist of a network of autonomous sensors that can reconfigure themselves so as to sense the environment in the most efficient manner. However, a significant challenge in the practical application of sensor networks is the need for credible network security. An important problem in wireless network security is sender authentication. The existing schemes for sender authentication that are based on IP and MAC address can be easily spoofed by the sender. In this paper, we propose a method to apply signal prints to WSNs so as to detect identity-based attacks. The use of signal prints allows us to identify the sender based on the received signal characteristics, thereby making it harder to spoof. However, in a Wireless Sensor Network (WSN), battery discharge causes received signal characteristics to vary. Also, WSNs are dense networks and, generally, do not have a centralized authority. These must be taken into consideration while designing a solution.
Conference Paper
There is a growing interest in VoWLAN (Voice over Wireless LAN) services with the advent of network convergence and user mobility. As we design a VoWLAN system capable of handling both intra- and inter-handover real-time data, we should likewise consider its security architecture as compared to WLAN (Wireless LAN) systems. In this paper, we propose a method for VoWLAN that would provide handover and security standards designed to enhance and speed up the authentication process during handover.
Article
Full-text available
Improving authentication delay is a key issue for achieving seamless handovers across networks and domains. This paper presents an overview of fast authentication methods when roaming within or across IEEE 802.11 Wireless-LANs. Besides this overview, the paper analyses the applicability of IEEE 802.11f and Seamoby solutions to enable fast authentication for inter-domain handovers. The paper proposes a number of possible changes to these solutions (typically in terms of network architectures and/or required trust relationships) for inter-domain operation. In addition, the paper identifies the crucial research issues therein. Possible solutions and directions for future research include: update to security infrastructure, inter-layer communication and discovery of appropriate networks.
Conference Paper
Full-text available
The increasing amount of wireless and wired public network access areas under the administration of separate instances has driven forward the idea that roaming between these areas should be developed. In the academic world, research co-operation and the exchange of students, lecturers and researchers is very common. This increases the need for roaming between related organisations. Several ideas and attempts to standardise WLAN roaming exist, but in the combined wireless and wired environment roaming has not been considered. One idea for roaming is to use the RADIUS protocol to carry authentication information. In Finland this idea was first presented for commercial operators by WirLab. With standard RADIUS proxying it is possible to carry authentication, authorisation and accounting information to the RADIUS server of the user's home university. Because the idea is to make the RADIUS servers in different universities look like one big RADIUS system, there is a need for some kind of hierarchy. This paper describes an application of that idea and an architecture to bring not just WLAN but also general public access roaming into the FUNET network and beyond. The hierarchy will also be designed to be interoperable for roaming between other European universities and university networks, for example as a part of the TERENA mobility task force.
Article
This paper presents a set of proposals to improve the security mechanisms implemented in wireless local area networks. The fragilities related to the current security mechanisms, implemented in the IEEE 802.11 and 802.1X standards, are identified. Also, some improvements which can raise the security level are proposed. An evaluation of this new proposal is also presented.
Conference Paper
Enterprise firewalls can be easily circumvented, e.g. by attack agents aboard infected mobile computers or telecommuters’ computers, or by attackers exploiting rogue access points or modems. Techniques that prevent connection to enterprise networks of nodes whose configuration does not conform to enterprise policies could greatly reduce such vulnerabilities. Network Admission Control (NAC) and Network Access Protection (NAP) are recent industrial initiatives to achieve such policy enforcement. However, as currently specified, NAC and NAP assume that users are not malicious. We propose novel techniques using secure coprocessors to protect access to enterprise networks. Experiments demonstrate that the proposed techniques are effective against malicious users and have acceptable overhead.
Article
Handoff in IEEE 802.11 requires the repeated authentication and key exchange procedures, which will make the provision of seamless services in wireless LAN more difficult. To reduce the overhead, the proactive caching schemes have been proposed. However, they require too many control packets delivering the security context information to neighbor access points. Our contribution is made in two-fold: one is a significant decrease in the number of control packets for proactive caching and the other is a superior cache replacement algorithm.
Conference Paper
Metro Ethernet services are now being delivered over nationwide metro Ethernet networks, which are switched layer 2 networks. Delivering IP control protocols like ARP and DHCP over these networks is a challenge. There are inherent scalability problems in the way these protocols use broadcast to discover services. This paper presents a uniform and scalable architecture based on a distributed directory for service, location and path discovery for all services (including IP control protocols like ARP & DHCP and the IP Routing service) over Carriers' Metro Ethernet networks (MENs). It provides two methods of maintaining the distributed directory to ensure that a service can be discovered at the earliest and at the same time making sure that the Directory doesn't grow too big. It also proposes how IP networks can be overlaid and how the IP routing service can be delivered over a single public MEN without using IP routers and IP routing protocols. It is a novel, unified and comprehensive service delivery architecture for delivering any service over a Carrier's MEN.
Conference Paper
Full-text available
Concepts for future energy networks envision the distribution of measurement and control infrastructures to the customers to allow for improved reactions to certain events in the energy grid and to ease the measurement process. Such a distribution of control functionalities requires a corresponding device on the customer side that performs or mediates between the energy grid requirements and the customer infrastructure. These Smart Energy Gateways (SEGs) are owned by the energy network operator but enforce the contracts between network operator and customer for both parties. They can also support additional value-added services. Due to the different uses, SEGs will be exposed to more and other attacks than current end-user devices such as DSL or WLAN routers. The impact of attacks on SEGs is also a peril to the overall operation of the energy grid. This paper provides an approach to the reliable identification of SEGs based on already established industry standards, namely Trusted Computing and Trusted Network Connect.