A Multi-Key Encryption Scheme for the Next Generation Wireless Network


Chia-Chen Hung Eric Hsiaokuang Wu* Cheng-Lin Wu Ruei-Liang Gau Yi-Cyuan Chen

Department of Computer Science and Information Engineering National Central University

Chung-Li 320, Taiwan, ROC

{cory, Hsiao, graffine, gary, emn178}@wmlab.csie.ncu.edu.tw

Received 16 November 2007; Revised 30 November 2007; Accepted 9 December 2007

Abstract. The fast growth of Internet technology suggests that the Next Generation Wireless Network (NGWN) will be an all-IP based integrated wireless network architecture. This evolving network will realize a great number of novel mobile network applications and innovative ubiquitous computing services. As more and more emerging interactive services are developed within the wireless network, the security of confidential data and individual privacy becomes a critical issue. Current wireless security technologies face potential challenges; thus they might not be able to satisfy some special requirements of NGWN. We have been devoted to a long-term research project to provide solutions that meet the mobility and security requirements of NGWN. This paper presents our first-stage research accomplishment, a novel wireless security mechanism called the Multi-Key Encryption (MKE) mechanism. This mechanism enhances the key management of Wi-Fi Protected Access 2 (WPA2), with strong robustness and similar computation overhead. Through formal proof and experimentation results, we show that our mechanism is effective and able to provide the necessary security. In the future, we will continue to extend it to generic security solutions for NGWN.

Keywords: next generation wireless network, wireless security, 802.11i, key management, multi-key encryption

1 Introduction

In recent years, the fast-developing Internet has begun to have a great effect on human life [1, 2]. Through the progress of wireless networks and the popularization of mobile devices, people can access data or complete business transactions at any time and anywhere. In addition, the successful combination of wireless communication and electronic commerce further prompts the e-commerce trend to become portable and ubiquitous. As more and more activities proceed within the Internet, communications through the network carry not only data but also multimedia information. At the turn of the last century, telecommunications objectives changed considerably, for example, from traditional wired telephony-oriented services to data-based services, from unintelligent machines to digital assistants and mobile computers, and from homogeneous networks to heterogeneous networks. The network has been evolving toward an IP-based next generation network (NGN).

The International Telecommunication Union Telecommunication Standardization Sector (ITU-T) has defined NGN [3]: NGN is an integrated network based on packet transmission. It can supply current telecommunications services and offer efficient wideband transmission capability and appropriate quality of service (QoS) guarantees. In this service platform, services will not be constrained by transmission technologies. Users are free to connect to NGN without limitations and select different telecommunication providers and services. Driven by Internet technology, it is highly desirable to offer adaptive multimedia services via different wireless technologies (such as WLAN, WiMAX, WPAN) and distinct network architectures (such as cellular infrastructure or mesh networks). This combination of the growth of the Internet and the wide deployment of wireless technologies will revolutionize a great number of new generation mobile applications and context-aware ubiquitous services. We refer to this integrated network as the Next Generation Wireless Network (NGWN).

NGWN carries several key criteria:

• Mobility management. For a worldwide networked environment, NGWN must provide automatic roaming.
• IP transparency. All elements in both the fixed and mobile parts of the network must support IP.
• Addressing. NGWN must allocate an absolute address to each user. IPv6 will be adopted in the future.
• Integrated digital services. Supporting broad services, applications, and frameworks, including real-time video streaming, non-real time services, and multimedia services.
• Transmission. Capabilities for wideband and end-to-end QoS transmissions.
• Security and digital rights management. NGWN must fit in with all kinds of security rules such as privacy, integrity, and so on.

The vision of NGWN can be realized over various wireless networking access technologies such as Bluetooth, Wireless Fidelity (Wi-Fi), Worldwide Interoperability for Microwave Access (WiMAX), and High Speed Packet Access/Universal Mobile Telecommunications System (HSPA/UMTS). Apart from innovations in network technologies and mobile applications, the security of confidential data and individual privacy will become a critical issue.

Security goals for wireless networks can be summarized as follows. Message authentication provides integrity of the message authentication, corresponding to the attacks of message modification. Confidentiality and privacy is fundamental for secure communication, which provides resistance to interception and eavesdropping. Access control prevents unauthorized access. Anti-replay detects and neglects any message that is a replay of a previous message. Non-repudiation is against denial and pretense. Detailed discussion of the security requirements, together with corresponding attacks and possible solutions, can be found in [4] and [5].

Fig. 1. SMS-NGWN architecture

To satisfy the mobility and security requirements of NGWN, a three-year project, named Secure Mobile Service for Next Generation Wireless Network (SMS-NGWN), is proposed and shown in Fig. 1. In the first stage, we attempt to solve key management issues of current wireless local area network (such as Wi-Fi) security mechanisms. We also survey the network structure and security mechanisms of wireless metropolitan area networks (such as WiMAX). In the second year, we will transplant the first year’s achievements to the WiMAX network. In addition, we intend to propose a generic security solution, which could be constructed on a virtual private network (VPN) [6], for heterogeneous networks in NGWN. Finally, we will extend the security function over ad hoc networks and integrate the three stages for NGWN.

In this paper, we focus on the first stage of our project. Section 2 introduces common wireless security attacks and current security mechanisms of Wi-Fi and WiMAX. In Section 3, we propose a key management scheme to enhance Wi-Fi security. In Section 4 and Section 5, we validate our scheme through formal proof and experimentation. Section 6 concludes this paper and discusses our future work.

2 Related Work

2.1 Common Wireless Security Attacks

The traditional attack modes in wireless network can roughly be divided into two parts: passive attack and active attack [7].

A passive attack is one in which the cryptanalyst cannot interact with or modify the communication, and attempts to break the system solely based upon observed data. The common approaches of passive attack are Eavesdropping and Traffic Analysis. Eavesdropping is to surreptitiously overhear a private conversation. Traffic Analysis is the process of intercepting and monitoring in order to deduce information from flows, contents, and behaviors in communication. Both can be performed even when the messages are encrypted and cannot be decrypted.

In contrast to a passive attack, an active attack means the attacker forges or modifies the communication contents. It can operate by Man-in-the-Middle (MITM), Replay, Denial of Service (DoS), and Dictionary. In MITM, an attacker is able to read, insert, and modify messages between two parties by observing and intercepting messages between the two victims. In a replay attack, a valid data transmission is fraudulently or maliciously repeated, so the adversary can masquerade as a legitimate user to illegally access system resources. Message modification implies that the aggressor inserts, deletes, or modifies transmission data. The goal of a DoS attack is to retransmit a lot of useless packets in a short time to deny legitimate users access to a resource by breaking down the resource itself.

A dictionary attack is a technique that tries to crack the decryption key or passphrase by searching a large number of words. It only tries possibilities typically derived from a list of words in a dictionary.

As wireless networks develop, some burgeoning attack activities have sprung up, too. War driving [8] means using a mobile device, such as a laptop or PDA, to search for usable Access Points (APs) nearby. The attacker hides in a car and drives everywhere, and nobody is aware of it. Some attackers regard war driving as a kind of pastime, and they even share what they have found on the web. Although some security mechanisms, such as WEP, WPA and WPA2, have been developed, some weaknesses and attacks have been discovered, too. Some people say they only want to access the Internet, and some people say they do this just for fun. However, it points to problems of wireless networks. It started as the simple action of searching for APs, and methods of attack developed later. Nowadays, we call all attack actions in wireless networks “War driving”.

The other newly risen way is Evil Twin [9]. Evil Twin is a term for a rogue Wi-Fi AP that appears to be a legitimate station provided on the premises, but actually has been set up by a hacker to eavesdrop on wireless communications. An attacker may use an Evil Twin attack to steal the passwords of unaware users by either snooping the communication or phishing, which involves setting up a crooked Web site and enticing people there. A rogue Wi-Fi connection can be built up on a laptop with a simple program and a special Universal Serial Bus (USB) drive that acts as an AP. The APs are hard to seek, since they can immediately be shut off, and are easy to set up. An attacker can appear to be legal by simply giving their AP a similar name to the Wi-Fi network on the premises. Because the attacker may be physically closer to the dupes than the real AP, their signal will be stronger. The attacker’s AP also can be configured to pass the person through to the true AP while monitoring the traffic of communication. Attackers typically build up Evil Twin attacks near free hotspots, such as cafes or airports.

While most classical ciphers are vulnerable to this form of attack, the most modern ciphers should be designed to prevent this type of attack above all others.

2.2 Overview of Wi-Fi Security

Wi-Fi networks have been adopted as a framework for wireless local area networks (WLAN). Wi-Fi is based on the IEEE 802.11b/g standards and has become popular in recent years. Many users have installed Wi-Fi APs at home, and numerous enterprises have already constructed WLAN environments. It is easier for individuals to access services and public data through the wireless network.

Since the wireless environment is a shared-media network, the transmitted messages can be intercepted easily. Therefore, it is important to protect the privacy of the data transmitted over the wireless environment. There are three major security components (authentication, integrity, and privacy) defined by IEEE 802.11 [10]. Authentication has been divided into two parts: Open System and Shared Key. The main purpose of authentication services is to verify the legitimacy of a user or a system. Integrity protects the data against non-authorized insertions, modifications, or deletions. The privacy service guards the data against non-authorized revelations. In 802.11, the privacy service is implemented by the Wired Equivalent Privacy (WEP) protocol, which is based on the RC4 symmetric algorithm. Several vulnerabilities of the WEP protocol have been analyzed and discovered in the last few years [11, 12, 13]. In order to keep the key changing ceaselessly, WEP uses a 64-bit key, formed by an Initialization Vector (IV, 24 bits) and a secret key (40 bits).

One of WEP’s security problems is that its secret key is not long enough. The other problem is that the initialization vector (IV) is sent to the receiver in plaintext, which means that attackers can directly capture the IV of each key used in WEP. The same IV might be reused after a short period of time. An attacker could easily collect IVs and use them to retrieve the secret key. Besides, WEP also suffers from a poor method of key management, which keeps keys unchanged for long periods of time.

In order to remedy the security defects of 802.11, IEEE proposed a new amendment to IEEE 802.11 named IEEE 802.11i [14]. It defined a protocol that uses the Temporal Key Integrity Protocol (TKIP) as a short-term solution as well as Wi-Fi Protected Access (WPA) [15, 16]. The Wi-Fi Alliance created the WPA standard, which defines security mechanisms for authentication, data integrity, message privacy, and key distribution in software promote and is compatible with the new IEEE 802.11i standard.

To improve message protection, WPA adopts TKIP, which is designed to address all known attacks against and drawbacks in the WEP algorithm. TKIP defends against message modification, replay and brute-force attacks, and averts key reuse. In the long term, 802.11i might provide a framework which adopts the Advanced Encryption Standard (AES) [17].

For the authentication solution, WPA implements the IEEE 802.1X standard for port-based access control [18] and the Extensible Authentication Protocol (EAP) [19]. 802.1X is now widely deployed in many IEEE 802 series standards with RADIUS (Remote Authentication Dial-in User Service) [20], a central authentication server, to authenticate each user on the network. RADIUS can provide authentication, authorization, and accounting (AAA) services, but it still can’t solve all security threats in wireless networks. Therefore, Diameter [21] is being developed to improve on RADIUS and supply more security.

EAP is a transport protocol fitted to the demands of upper-layer authentication protocols. It provides a plug-in structure for numerous popular upper layer application (ULA) protocols in use today [22]. These protocols generate keys for data encryption on wireless transmission between the AP and mobile stations. They also support a mutual authentication exchange between the RADIUS server and a mobile station located on the network. For a small office/home office (SOHO) environment, where there is no EAP framework or central authentication server, WPA operates in a pre-shared key (PSK) mode, in which a user must enter a password before joining the network.

In pre-shared key mode, the passphrase may be stored both on the user's computer and on the Wi-Fi AP. However, the weak passphrases which users typically adopt are vulnerable to password cracking attacks (also called dictionary attacks). A straightforward formula, proposed in [23, 24], would reveal the passphrase by performing a dictionary attack against WPA-PSK networks. By capturing the 4-way authentication handshake, the attacker has the essential data needed to subject the passphrase to a dictionary attack. Some WPA cracker tools [25, 26] have been released. They are written for Linux systems and perform a brute-force dictionary attack against WPA-PSK networks. The users only have to supply a dictionary file and a dump file that contains the WPA-PSK four-way handshake.

Another attack is the DoS attack [27]. For example, an attacker could generate numerous connection requests to a server, effectively blocking this server for a long time. Because Wi-Fi networks lack encryption and integrity protection even when WPA or 802.11i is utilized, an attacker can easily forge management packets and send unauthorized packets or disassociation packets to the mobile station or AP, thereby denying legal packets. Radio-frequency-based DoS attacks at a Wi-Fi network’s physical layer are also possible. There are no efficient countermeasures against DoS attacks [22].

2.3 Overview of WiMAX Security

WiMAX is a framework, proposed by the WiMAX forum, based on the IEEE 802.16 standard. IEEE Standard 802.16-2001 [28], completed in October 2001, promises to deliver high data rates (75Mbps) over wide areas (50Km) for a large number of users. The IEEE 802.16-2004 standard [29] aims to provide broadband wireless access for Wireless Metropolitan Area Networks (WMAN), and the recently released IEEE 802.16e [30] supports mobility and multicasting. Multicast in WMAN is a guaranteed service, which is suitable for many applications such as pay-per-view TV broadcasting, stock option bidding, video conferencing, etc., for both fixed and mobile subscriber stations.

[31] gives a technical overview of 802.16. There are also some other papers or books that review this standard. It is clear that so far WMAN has been less studied than WLAN. With its great potential in the future’s wireless service, WMAN deserves more attention than what it gets now. The authors of [32] review the 802.16 standard, and analyze its security in many aspects, such as vulnerability in authentication, data encryption algorithm, key management protocols, and lack of explicit definition for some materials. In [33], the architecture for point-to-point (PMP) mode was given too.

Mutual authentication is the major contribution proposed by [32], which enables SS to authenticate BS as well. Although the need for mutual authentication has been widely studied in WLAN, the authentication and key management protocols in 802.11 and 802.16 are based on different methods. IEEE 802.11 applies the shared-key authentication method, but IEEE 802.16 is based on public-key authentication algorithm. Therefore, the authentication and key management scheme in IEEE 802.16 needs separate study. In the standard IEEE 802.16e, mobility is supported in WMAN. The author of [34] gives an overview of handoff schemes on different kinds of networks and proposes the requirements for handoff procedures in IEEE 802.16. Due to the limited capability of wireless devices, such as power, storage, and computation ability, it is important to reduce the computation overhead for encryption or decryption. The authentication scheme of fast handover is based on EAP, which is implemented in IEEE 802.16 PKMv2 [35].

[36] gives comments on modifying some keying materials which should be exchanged during the roaming. Several types of attacks mentioned before, such as replay attack and interception, are also applicable to this protocol.

2.4 Summary

Nowadays, as more and more products adopt wireless technologies (such as WLAN and WMAN) as their basic equipment, the security issues of wireless networks become more important, too. From the above, we can conclude that wireless security still suffers from attacks like War Driving and Evil Twin. Both WLAN and WMAN still have security problems in areas such as authentication, key management, message integrity, and so on. In this paper, we propose a key management scheme called multi-key encryption (MKE) against dictionary attack to enhance the existing Wi-Fi security system. In the future, we will extend it to the WiMAX network and propose a generic security solution for NGWN.

3 Multi-Key Encryption Mechanism

In the WPA and WPA2 protocols, the 4-way handshake performs the key management role of refreshing the temporal key for data encryption. In the original design, there exists a vulnerability in the 4-way handshake stage: some attacking tools such as Aircrack [37] can crack the PMK using a dictionary attack. Hence, we modified the key management state in WPA as shown in Fig. 2. The detail of the original 4-way handshake in 802.11i is shown in Fig. 3.

Fig. 2. MKE Encryption procedure

Obviously, ANonce, SNonce and MIC are transmitted in plaintext. We recall that PTK is generated by the PRF-384 hash function as follows:

$$\mathrm{PTK} = \text{PRF-384}(\mathrm{ANonce}, \mathrm{SNonce}, \mathrm{PMK}, \mathrm{MAC}_{Auth}, \mathrm{MAC}_{Supplicant}) \tag{1}$$

It’s easy to get $\mathrm{MAC}_{Auth}$ and $\mathrm{MAC}_{Supplicant}$ from the packet header; hence, the only unknown value is PTK. However, the integrated check value MIC is generated from PTK using the HMAC-MD5 or HMAC-SHA1-128 hash function and is transmitted in plaintext as well. Therefore, the attacker can apply a dictionary attack against PMK and verify the MIC to confirm the guess.

3.1 Multi-Key Encryption (MKE)

Due to this vulnerability, we propose the Multi-Key Encryption (MKE) mechanism to enhance the key management state in 802.11i. We introduce another key, SPK (second pre-share key), which is installed on both the authenticator and the supplicants; its length is 32 bytes, just like PMK. The procedure of constructing PTK is modified as in Equations (2) and (3), where DSK stands for Derived Second pre-share Key:

$$\mathrm{DSK} = \text{PRF-256}(\mathrm{ANonce}, \mathrm{SPK}, \mathrm{MAC}_{Auth}, \mathrm{MAC}_{Supplicant}) \tag{2}$$

$$\mathrm{PTK} = \text{PRF-384}(\mathrm{DSK}, \mathrm{SNonce}, \mathrm{PMK}, \mathrm{MAC}_{Auth}, \mathrm{MAC}_{Supplicant}) \tag{3}$$

Moreover, the 4-way handshake in our scheme is modified as shown in Fig. 4.

Fig. 4. 4-way handshake in MKE scheme

3.2 The whole encryption process with MKE

In IEEE 802.11i, the standard provides many solutions to secure wireless communications. Considering a long-term solution, we discuss using 802.1X to do the authentication. Then, in the key management state, we use our MKE scheme to enhance it. Finally, the data is encrypted by the Counter-mode/CBC-MAC Protocol (CCMP).

Hence, in our scheme, the authentication follows the standard, and we use EAP-TLS with a RADIUS server (AS) to implement it. The complete process is illustrated in Fig. 5 and Fig. 6.

Fig. 5. Establishing the IEEE 802.11 association

Fig. 6. IEEE 802.1X EAP authentication

After successful EAP authentication, both supplicant and authenticator hold the same PMK. Moreover, these two ends have the same SPK which we install in the initial state as well. Then it will perform the MKE 4-way handshake as Figure 2 to periodically refresh PTK. We do not change the architecture of PTK. Hence, the hierarchy of PTK (pairwise transient key) is as Figure 7.

Pairwise Transient Key (PTK) (384 bits):

Key Confirmation Key (KCK)    bit 0 ~ bit 127      (128 bits)
Key Encryption Key (KEK)      bit 128 ~ bit 255    (128 bits)
Temporal Key (TK)             bit 256 ~ bit 383    (128 bits)

Fig. 7. PTK architecture

Finally, in data encryption state, we follow the IEEE 802.11i standard which is using AES-CCM algorithm to provide data confidentiality, integrity and replay protection. The procedure of AES-CCM encryption is shown as Fig. 8.

Fig. 8. AES-CCM encryption procedure

3.3 The effectiveness and secrecy of MKE

MKE only modifies the key management state without changing the data encryption algorithm. Therefore, the encrypted data payload is the same as in WPA2. The only additional overhead is that we use two hash functions to compute the PTK during the 4-way handshake. However, this handshake procedure only executes periodically. Hence, the computation overhead of the system is small enough to neglect: we enhance the WPA2 security mechanism without producing too much overhead.

4 Correctness Proof of Algorithm

In order to prove the correctness of our scheme, we employ the protocol composition logic (PCL) [38], which contains three main components: modeling protocols, protocol logic with the proof system, and the compositional proof method. This system was proposed by the security laboratory at Stanford University [39, 40, 41]. Therefore, we won’t describe the details of PCL here. Instead, we’ll put forward the extra axioms to suit our scenario. Finally, we’ll apply this system to prove the Multi-Key Encryption (MKE) step by step.

4.1 A brief of the proof system and some axioms

This system contains some terms (variables), actions and axioms. The goal is to use these axioms and some assumptions to derive the theories step by step. Finally, apply these theories to conclude the correctness of the protocol.

Terms:

$c$ : constant term
$x$ : variable
$N$ : participator
$K$ : key
$t, t$ : tuple of terms
$\mathrm{SIG}_K(t)$ : term signed with key $K$ (private-key)
$\mathrm{ENC}_K(t)$ : term encrypted with key $K$ (public-key)
$pmk$ : pairwise master key
$spk$ : second pre-share key
$dsk$ : derived second pre-share key
$ptk$ : pairwise transient key

Actions:

Send($A$, $m$) : participator $A$ executed action send $m$
New($A$, $m$) : participator $A$ generates a new data $m$
Encrypt($A$, $\mathrm{ENC}_K\{|m|\}$) : participator $A$ encrypts data $m$ with public-key $K$
Decrypt($A$, $\mathrm{ENC}_K\{|m|\}$) : participator $A$ decrypts data $m$ with private-key $K$
Sign($A$, $\mathrm{SIG}_K\{|m|\}$) : participator $A$ uses private-key $K$ to make a digital signature on data $m$
Verify($A$, $\mathrm{SIG}_K\{|m|\}$) : participator $A$ executed the signature verification action verify $\mathrm{SIG}_K\{|m|\}$

5 Implementation & Experiment

In this section, we implement MKE mechanism as we proposed above. We will use some methods which are usually adopted in wireless network to attack the standard and our secure mechanism individually. Finally, we compare results of two mechanisms.

5.1 Attack System Implementation

There are a lot of weaknesses and attack methods, such as the FSM attack [23], PTW attack [43], Fragmentation attack [44], dictionary attack and so on. Some hackers have implemented those theories in applications, such as Aircrack. They share those applications for free on the web, so everyone can get them easily. We also use those applications in our experiment.

We implemented the attack system based on Aircrack. The procedure of the attack system is shown in Fig. 9. First, our system scans the APs and end users within coverage range. Then it chooses the target AP to crack and sends a de-authentication packet to its clients. Right after that, it can capture the 4-way handshake packets, since the clients perform re-authentication. Finally, it can use these 4-way handshake messages with a dictionary file to compute and crack the key.

Fig. 9. Cracking Procedure of Attack System

5.2 MKE Implementation

To get and modify source code easily, we use a Linux-based OS for the implementation. We set up two PCs as the AP and the client (supplicant). We want one of the PCs to play the role of AP, so we use the module called “hostapd” to do it. Then, we install “wpa_supplicant” on the other PC to support WPA. We implement the MKE mechanism by modifying these two modules. The related equipment information is given in the following tables (Table 1, Table 2):

Table 2. AP’s equipment and related module

The following is the pseudo code of our modification:

DSK: 32-byte Derived Second Pre-shared Key
SPK: 32-byte Second Pre-shared Key
PTK: 48-byte or 64-byte Pairwise Transient Key
PMK: 32-byte Pairwise Master Key

Part of wpa_supplicant:

program first_step_of_4_way_handshake ()
begin
    ...
    generate Snonce
    ...
    if adopt MKE mechanism
        DSK := sha1_prf(SPK, "Pairwise key expansion", Anonce);
        PTK := wpa_pmk_to_ptk(PMK, "Pairwise key expansion", Supplicant MAC Address, AP MAC Address, Snonce, DSK);
    else
        PTK := wpa_pmk_to_ptk(PMK, "Pairwise key expansion", Supplicant MAC Address, AP MAC Address, Snonce, Anonce);
    ...
end

The first step of the 4-way handshake is that the AP sends Anonce to the supplicant. Second, the supplicant generates a Snonce, and then it either adopts the MKE mechanism to generate PTK or not. If we don’t adopt the MKE mechanism, the supplicant computes PTK with the standard mechanism by using PMK, a static string, the supplicant’s MAC address, the AP’s MAC address, Snonce, and Anonce. If we adopt the MKE mechanism, the supplicant uses Anonce, SPK and a static string to compute DSK by the sha1 hash function. Then, it adopts the standard mechanism to compute PTK, with DSK replacing the position of Anonce.

Part of hostapd:

program second_step_of_4_way_handshake ()
begin
    ...
    if adopt MKE mechanism
        DSK := sha1_prf(SPK, "Pairwise key expansion", Anonce);
        PTK := wpa_pmk_to_ptk(PMK, "Pairwise key expansion", Supplicant MAC Address, AP MAC Address, Snonce, DSK);
    else
        PTK := wpa_pmk_to_ptk(PMK, "Pairwise key expansion", Supplicant MAC Address, AP MAC Address, Snonce, Anonce);
    ...
end

Second step of 4-way handshake is that the supplicant sends Snonce to AP. At this time, the action is similar with the part of wpa_supplicant but AP doesn’t need to generate Snonce.
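
The derivation in the pseudo code above, as an added Python example (not code from the paper, hostapd or wpa_supplicant): it implements the 802.11i SHA-1 PRF, derives DSK and PTK as in Section 5.2 (which keys DSK on SPK and Anonce only, unlike Equation (2)), splits the PTK as in Fig. 7, and shows that a MIC produced under MKE verifies only when both PMK and SPK are known. All keys, nonces, MAC addresses and frame bytes are constructed sample values, and the function names are hypothetical.

```python
import hashlib
import hmac

LABEL = b"Pairwise key expansion"

# Constructed sample keys (32 bytes each); not taken from the paper.
PMK = hashlib.sha256(b"constructed PMK").digest()
SPK = hashlib.sha256(b"constructed SPK").digest()


def sha1_prf(key: bytes, label: bytes, data: bytes, length: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        block = label + b"\x00" + data + bytes([counter])
        out += hmac.new(key, block, hashlib.sha1).digest()
        counter += 1
    return out[:length]


def pmk_to_ptk(pmk, sta_mac, ap_mac, snonce, anonce_or_dsk) -> bytes:
    """Standard pairwise key expansion: min/max ordering of MACs and nonces, 48-byte PTK."""
    macs = min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
    nonces = min(snonce, anonce_or_dsk) + max(snonce, anonce_or_dsk)
    return sha1_prf(pmk, LABEL, macs + nonces, 48)


def derive_ptk(pmk, sta_mac, ap_mac, snonce, anonce, spk=None) -> bytes:
    """spk=None gives the standard PTK; otherwise DSK takes the place of Anonce (MKE)."""
    if spk is None:
        return pmk_to_ptk(pmk, sta_mac, ap_mac, snonce, anonce)
    dsk = sha1_prf(spk, LABEL, anonce, 32)  # 32-byte Derived Second Pre-shared Key
    return pmk_to_ptk(pmk, sta_mac, ap_mac, snonce, dsk)


def split_ptk(ptk: bytes) -> dict:
    """PTK layout from Fig. 7: KCK bits 0-127, KEK bits 128-255, TK bits 256-383."""
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """HMAC-SHA1-128 over the EAPOL-Key frame, keyed with KCK."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def constructed_handshake() -> dict:
    """What is visible on the air for one MKE handshake (all values constructed)."""
    hs = {
        "sta_mac": bytes.fromhex("020000000001"),
        "ap_mac": bytes.fromhex("020000000002"),
        "anonce": bytes(range(32)),
        "snonce": bytes(range(32, 64)),
        "frame": b"constructed EAPOL-Key message 2 with MIC field zeroed",
    }
    ptk = derive_ptk(PMK, hs["sta_mac"], hs["ap_mac"], hs["snonce"], hs["anonce"], SPK)
    hs["mic"] = eapol_mic(split_ptk(ptk)["KCK"], hs["frame"])
    return hs


def mic_matches(pmk, spk, hs) -> bool:
    """Authenticator-side check: recompute the MIC from the keys this side holds."""
    ptk = derive_ptk(pmk, hs["sta_mac"], hs["ap_mac"], hs["snonce"], hs["anonce"], spk)
    return hmac.compare_digest(eapol_mic(split_ptk(ptk)["KCK"], hs["frame"]), hs["mic"])


if __name__ == "__main__":
    hs = constructed_handshake()
    print("PMK and SPK      :", mic_matches(PMK, SPK, hs))
    print("PMK only (no SPK):", mic_matches(PMK, None, hs))
    print("PMK, wrong SPK   :", mic_matches(PMK, bytes(32), hs))
```

The MIC check passes only in the first case, which is the property the MKE handshake relies on: the values visible in the handshake plus a correct PMK are not enough to reproduce the KCK.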

5.3 Experimentation Environment and Results

Our experimentations include two parts as below:

2. AP and clients share the same key “12345678”.
3. The word “12345678” is in our dictionary.

We monitor the packets of the AP and wait for the 4-way handshake packets. When we capture the packet, we use it to do a dictionary attack. Because the word “12345678” is included in the dictionary, we can crack and retrieve the key successfully (Fig. 10).

Fig. 10. Experimentation I result

Experimentation II:

1. Secure mechanism uses our MKE.
2. AP and clients share two keys “12345678” and “12345678”.
3. The word “12345678” is in our dictionary.

We monitor the packets of the AP and wait for the 4-way handshake packet. When we capture the packet, we use it to do a dictionary attack. Although “12345678” is in the dictionary, we cannot crack and get the key (Fig. 11).

Fig. 11. Experimentation II result

6 Conclusion and Future Work

Next Generation Wireless Networks are expected to support numerous mobile applications and provide a ubiquitous computing environment. As more and more activities evolve in the wireless network, the security of confidential data and individual privacy will become a key issue. In order to satisfy the mobility and security requirements of NGWN, we propose a three-year project, named Secure Mobile Service for Next Generation Wireless Network (SMS-NGWN).

In the current stage, we mainly propose the Multi-Key Encryption mechanism to solve key management issues of current WLAN security mechanisms. MKE only modifies the key management state and does not change the data encryption algorithm, so the encrypted data payload is the same as in WPA2. The only additional overhead is that we use two hash functions to compute the PTK during the 4-way handshake. Thus, we enhance the WPA2 security mechanism without producing much overhead and validate its correctness through the formal proof and the experimentation.

Our future work will continue on WiMAX network security and heterogeneous network security. We notice that WiMAX’s authorization key also suffers from dictionary attack. Thus, in the second stage, we will adopt the MKE concept to enhance the key management part of the WiMAX system. Finally, heterogeneous network security will be considered. Since NGWN is an integrated network architecture, well-designed security policies should be developed for traditional cellular systems and dynamic ad hoc systems as well.

7 Acknowledgement

This work was supported by Institute of Information Industry under the "Wireless Broadband Communication Technology & Application Plan" project and National Science Council under the "Robokid" project.

References

[1] Keith Holt, “Wireless LAN: Past, Present, and Future,” IEEE Computer Society, Vol. 3, March 2005, pp. 92-93.

[2] Sasha Dekleva, J.P. Shim, Upkar Varshney, Geoffrey Knoerzer, “Evolution and emerging issues in mobile wireless networks,” ACM Press, Vol. 50, No. 6, June 2007, pp. 38-43.

[3] ITU-T Recommendation Y.2001, "General overview of NGN," Dec. 2004.

[4] Kaveh Pahlavan, Prashant Krishnamurthy, “Principles of Wireless Networks: A unified Approach,” Pearson Education, Prentice Hall PTR, 2002.

[5] William Stallings, “Cryptography and Network Security: Principles and Practices, 3rd edition,” Pearson Education, Prentice Hall PTR, 2003.

[6] B. Gleeson, A. Lin, J. Heinanen, G. Armitage, A. Mails, “A Framework for IP Based Virtual Private Networks”, RFC-2764, February 2000.

[7] Adrian Leunga, Yingli Sheng, Haitham Cruickshank, “The security challenges for mobile ubiquitous services,” Elsevier Information Security Technical Report, Vol. 12, No. 3, Jan. 2007, pp. 162-171.

[8] Biju Issac, Seibu Mary Jacob and Lawan A. Mohammed, “The Art of War Driving and Security Threats -A Malaysian Case Study,” IEEE International Conference on Networks, Vol. 1, Nov. 2005.

[9] “Wi-Phishing” and “Evil Twins” at Hotspots How to secure your mobile workforce, AirDefense White Paper, 2005 [10] IEEE Standard 802.11-1999, IEEE Standard for Telecommunications and Information Exchange Between Systems –

LAN/MAN Specific Requirements – Part 11: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Press, 1999.

[11] J. R. Walker, “Unsafe at any key size; An analysis of the WEP encapsulation”, Intel Corporation, doc. IEEE 802.11-00/362, October 2000.

[12] A. Stubblefield, J. Ioannidis, A. D. Rubin, “Using the Fluhrer, Mantin, and Shamir Attack to Break WEP”, AT&T Labs Technical Report TD–4ZCPZZ, August 2001.

[13] S. Fluhrer, I. Mantin and A. Shamir, “Weaknesses in the Key Scheduling Algorithm of RC4”, in 8th Annual Workshop on Selected Areas in Cryptography, Vol. 2259, August 2001, pp. 1-23.

(18)

Access Control (MAC) Security Enhancements,” July 2003

[15] A. Bakirdan, J. Qaddour and I.K. Jalozie, “Security algorithms in Wireless LANs: Proprietary or non Proprietary”, IEEE Globecom, Vol. 3, 2003, pp. 1425-1429.

[16] IEEE 802.11i/D4.1 (D6), “Draft Supplement to IEEE Std 802.11. Part 11: Specifications for Enhanced Security”, IEEE draft, July (September), 2003.

[17] J. Park, and D. Dicoi, “WLAN Security: Current and Future”, IEEE Internet Computing, Vol.7, No. 5, September – October, 2003, pp. 60-65.

[18] IEEE Std 802.1x, Port-based Network Access Control, June 2001.

[19] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz, Ed, “Extensible Authentication Protocol (EAP),” RFC 3748, June, 2004

[20] C. Rigney, S. Willens, A. Rubens, W. Simpson, “Remote Authentication Dial In User Service (RADIUS),” IETF RFC 2865, June, 2000.

[21] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, J. Arkko, “Diameter Base Protocol,” IETF RFC 3588, September, 2003. [22] J. Edney and W.A. Arbaugh, “Real 802.11 Security: Wi-Fi Protected Access and 802.11i,” Addison-Wesley, 2004. [23] Robert Moskowitz, Weakness in Passphrase Choice in WPA Interface, November 4, 2003. http://www.wifinetnews.

com/archives/002452.html

[24] John L. MacMichael, “Auditing Wi-Fi Protected Access (WPA) Pre-Shared Key Mode,” Linux Journal, Vol. 2005, No. 137, September 2005.

[25] Takehiro Takahashi, WPA Cracker tool, available via website: http://www.tinypeap.org/wpa_cracker.html. [26] Josh Wright, coWPAtty, available via website: http://www.wirelessdefence.org/Contents/coWPAttyMain.htm.

[27] John Bellardo, Stefan Savage, “802.11 denial-of-service attacks: real vulnerabilities and practical solutions,” USENIX Security Symposium, 2003, pp. 15-28.

[28] IEEE Std. 802.16-2001, IEEE Standard for Local and Metropolitan Area Networks, part 16: Air Interface for Fixed Broadband Wireless Access Systems, IEEE Press, 2001.

[29] IEEE 802.16-2004, IEEE Standard for Local and metropolitan area networks part 16: Air Interface for Fixed Broadband Wireless Access Systems, IEEE Press, 2004.

[30] IEEE Std 802.16e, IEEE Standard for Local and Metropolitan Area Networks, part 16, Air Interface for Fixed and Mo-bile Broadband Wireless Access Systems, IEEE Press, February 2006.

[31] Carl Eklund, Roger B. Marks, Kenneth L. Standwood and Stanley Wang, “IEEE Standard 802.16: A Technical Over-view of the Wireless MAN Air Interface for Broadband Wireless Access,” IEEE Communications Magazine, Vol. 40, No. 6, June 2002, pp. 98-107.

[32] David Johnston, Jesse Walker, “Overview of IEEE 802.16 Security,” IEEE Security & Privacy, May/June 2004. [33] Fan Yang, Huaibei Zhou, Lan Zhang, Jin Feng, “An Improved Security Scheme in WMAN based on IEEE Standard

802.16”, 0-7803-9335-X/05 2005 IEEE

(19)

C802.16sgm-02/24, 2002.

[35] Jeff Mandin, 802.16e Privacy Key Management (PKM) version 2, IEEE C802.16e-02/131r1, 2002

[36] Feng Tian, DongXin Lu, Rui Li, “Comment on Security Roaming of Key association for Fast Handover,” C802.16e-04/571r1, 2005.

[37] Aircrack-ng tool, available via website: http://www.aircrack-ng.org/.

[38] Nancy Durgin, John Mitchell, and Dusko Pavlovic, “A compositional logic for protocol correctness,” IEEE Computer Security Foundations Workshop, 2001, pp. 241-255.

[39] Stanford Security Lab website: http://crypto.stanford.edu/seclab/index.html

[40] A. Datta, A. Derek, J.C. Mitchell, D. Pavlovic, “A derivation system and compositional logic for security protocols,” Journal of Computer Security, Vol.13, No.3, 2005, pp. 423-482.

[41] He, C., Sundararajan, M., Datta, A., Derek, A. and J. Mitchell, "A Modular Correctness Proof of IEEE 802.11i and TLS," CCS '05, November 7-11, 2005, pp. 2-15.

[42] Anupam Datta, Ante Derek, John C. Mitchell and Arnab Roy , “Protocol Composition Logic (PCL),” Electronic Notes in Theoretical Computer Science, Vol. 172, 2007, pp. 311-358.

[43] Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin , “Breaking 104bit WEP in less than 60 seconds,” Cryptology ePrint Archive, URL. http://eprint.iacr.org/2007/120.pdf , 2007

(20)


Fig. 1.  SMS-NGWN architecture
Fig. 3.  4-way handshake defined in 802.11i
Fig. 4.  4-way handshake in MKE scheme
Fig. 6.  IEEE 802.1X EAP authentication