Designs of a Secure Wireless LAN Access Technique and an Intrusion Detection System for Home Network

The IEEE 802.11i standard specifies secure access control for wireless LANs, and IEEE 802.1X provides the framework that carries various authentication protocols. Next-generation wireless LAN security is expected to be based on IEEE 802.1X and IEEE 802.11i. At present, however, users who are not familiar with computers or with the details of authentication have difficulty setting up network security based on IEEE 802.11i. This paper therefore proposes authentication scenarios that minimise the steps required of the user, a password scheme in which the password is changed randomly and periodically, and the corresponding authentication protocols. The proposed protocols are convenient for non-expert users and protect the home network against unwanted attacks such as dictionary and replay attacks; in addition, SNMP is used so that the system can detect the intrusions the scheme anticipates.

* EAP-MD5: EAP-MD5 is the baseline method required by the EAP standard and uses a username and password as the authentication credentials. It protects the exchange with an MD5 challenge-response: the supplicant returns a hash of the challenge and the password, so the server can check that the response is authentic. EAP-MD5 is very lightweight and fast, and easy to implement and configure. It uses no PKI certificates to validate the client or the server and provides no encryption to protect the authentication messages between the client and the authentication server. This makes EAP-MD5 susceptible to offline dictionary attacks on the captured challenge/response, to session hijacking and to man-in-the-middle attacks. It is best suited to wired networks in which the EAP client is directly connected to the authenticator and the chance of eavesdropping or message interception is low. For wireless 802.1X authentication, stronger EAP methods are used.

* EAP-TLS: EAP-TLS (Transport Layer Security) provides strong security by requiring both the client and the authentication server to be identified and validated through PKI certificates. It provides mutual authentication between client and authentication server, and the EAP messages are protected from eavesdropping by the TLS session between them. Its major drawback is the requirement for certificates on both clients and authentication servers, which makes roll-out and maintenance considerably more complex; it is therefore best suited to installations with an existing PKI. Wireless 802.1X schemes typically support EAP-TLS: unlike wired networks, wireless networks send their packets over the air, where unprotected packets are much easier to capture and intercept.

* EAP-TTLS: Proposed by Funk and Certicom, EAP-TTLS (Tunneled TLS) extends EAP-TLS and provides the benefits of strong encryption without the complexity of certificates on both client and authentication server. Like EAP-TLS it supports mutual authentication, but only the authentication server is validated to the client by a certificate; the client then authenticates to the server with a username and password inside the TLS tunnel. This simplifies roll-out and maintenance while retaining strong security. Existing credential stores such as Active Directory, RADIUS and LDAP can be reused for 802.1X authentication, and legacy inner methods such as PAP, CHAP, MS-CHAP and MS-CHAP-V2 are supported. EAP-TTLS is not foolproof: a client can be tricked into sending its credentials if the TLS tunnel is not established (or the server certificate is not verified). It is best suited to installations that require strong authentication without mutual certificates, and wireless 802.1X schemes typically support it.

* PEAP: Protected EAP (PEAP) is an Internet-Draft similar to EAP-TTLS in its mutual-authentication functionality, proposed by RSA Security, Cisco and Microsoft as an alternative to EAP-TTLS. PEAP addresses weaknesses of plain EAP by standardising key exchange, supporting fragmentation and reassembly, and supporting fast reconnects. It carries other EAP methods inside a TLS-encrypted tunnel and relies on the mature TLS keying mechanism for key creation and exchange. The PEAP client authenticates directly with the back-end authentication server; the authenticator acts as a pass-through and need not understand the inner EAP method. Unlike EAP-TTLS, PEAP does not natively support plain username/password authentication against an existing user database such as LDAP; vendors are adding features to allow this. PEAP is best suited to installations that require strong authentication without mutual certificates, and wireless 802.1X schemes typically support it.

* Cisco LEAP: Cisco's Lightweight EAP (LEAP) was developed in November 2000 to address the security issues of wireless networks. LEAP requires mutual authentication between the client and the authenticator: the client first authenticates to the authenticator, then the authenticator authenticates to the client, and a network connection is granted only if both succeed. Unlike EAP-TLS, LEAP is based on usernames and passwords rather than PKI certificates, which simplifies roll-out and maintenance. Its drawbacks are that it is proprietary to Cisco and has not been widely adopted by other vendors, and that its untunnelled MS-CHAP-style password exchange is exposed to offline dictionary attacks in the same way as EAP-MD5. LEAP is best suited to wireless deployments with Cisco APs and LEAP-capable wireless NICs.

EAP was originally developed for use with PPP (RFC 2284) and has since been widely deployed with IEEE 802 on both wired and wireless networks. With the growing popularity of wireless networks, securing the authentication process between client, authenticator and authentication server has become a high priority: security concerns that were once benign on wired networks have become open security holes on wireless networks. Depending on the EAP method used, 802.1X authentication can help solve the following security issues:

• Dictionary attack: the attacker captures the challenge and response of a password authentication session and recovers the password offline by brute force. 802.1X addresses this with EAP methods that carry the username/password exchange inside a TLS tunnel between the client and the authentication server.

• Session hijack attack: the attacker captures the packets passed between the client and the authenticator, recovers the client's identity, forces the real client off the network with a form of DoS attack, and then impersonates the client to continue the conversation with the authenticator. 802.1X authentication with dynamic, session-based keys (with configurable re-keying) encrypts the conversation between client and authenticator and thwarts hijacking.

• Man-in-the-middle attack: the attacker obtains the necessary information from the client and the authenticator and inserts its own host between the two, gaining access to all packets passed between them. 802.1X authentication and dynamic session-based keys (with configurable re-keying) encrypt the data stream between client and authenticator to prevent man-in-the-middle attacks.

To apply these protocols on a user's device, the user must know how to set them up. A simple and easy way to authenticate home network users is therefore needed. In this research we consider home network users who are not familiar with authentication methods, and we discuss how to provide an automatic authentication mechanism for them.

IEEE 802.1X
The IEEE 802.1X standard specifies port-based access control for IEEE 802 LANs, including wireless LANs. In IEEE 802.1X the port represents the association between a WLAN station and an AP. IEEE 802.1X has three entities: a supplicant, an authenticator and a back-end authentication server. In a wireless LAN the supplicant is a WLAN station, the authenticator is an AP, and the authentication server can be a centralised Remote Authentication Dial-In User Service (RADIUS) server. 802.1X port authentication can be coupled with MAC port security for tighter access control (see Figure 2): with MAC port security enabled, the network port enforces the client's MAC address as well as the user's 802.1X credentials. The authenticator controls the authorised state of its controlled port according to the outcome of the authentication process. Before the supplicant is authenticated, the authenticator communicates with it through the uncontrolled port and blocks all traffic except EAP messages. IEEE 802.1X uses EAP as the authentication framework between supplicant and authenticator; EAP can carry many authentication protocols. The protocol between the authenticator and the authentication server is not specified in IEEE 802.1X; instead, the standard provides RADIUS usage guidelines in an annex. The advantages of using 802.1X port-based network authentication include:

SNMP (Simple Network Management Protocol)
SNMP is a management protocol for TCP/IP networks. It is widely used in commercial networks because it is relatively simple yet powerful enough to manage heterogeneous networks. SNMP management comprises an agent, a manager and a MIB (Management Information Base), as shown in Figure 5. The MIB is a database of objects that are managed and/or monitored through SNMP. A managed object represents a real resource in the network, such as a router or a switch, or an end-system resource such as CPU or memory. Each managed object has a set of variables whose values can be read or altered through the agents. The management agent is software resident in an end system or network device to be managed; it collects information from the MIB and sends it to the managing process. The latter, the NMS (Network Management System), resides in a management station (acting remotely) or in a local station (acting on site) and sends messages to the agent processes to read or alter the value of a managed object.

Using the information returned by the RADIUS server, the AP determines the access policy for the requesting client. The authentication results are passed to the behaviour analysis unit for further processing.

Policy Management Unit: According to the vulnerabilities and threats described in the previous section, each potential security flaw has certain patterns. The characteristics of each attack or abnormal behaviour are analysed and predefined as security policies. Depending on management requirements, a policy can also be updated by security configuration management.

Response Unit: The response unit is responsible for notifying the network management server of abnormal behaviour or for updating the security configuration. Alarm-reporting management applications react accordingly on receiving messages from the response unit.

All five management units are integrated to provide precautionary security services: in cooperation with an authentication server, access control is provided at the link layer, and by monitoring and analysing data packets, security threats are prevented at the IP layer.

Fig. 7. Security home gateway system server architecture

The proposed protocol
To support the scenarios described above, the authentication protocol requires additional message exchanges carrying information that is not specified in the standards. Periodic password changes are a problem from the user's viewpoint when the password changes while the user has taken the WLAN station out of the home: the station must be authenticated again when it is brought back, but it cannot obtain authorisation without the user's assistance because the password has already changed. The other devices in the home network also need to learn the new password to keep their authorisation.

MAC address         Authentication number
00:00:F0:7A:B1:B7   1
00:00:F1:7A:B4:77   2
00:00:F1:8A:BB:A7   3
...                 ...

The proposed protocol solves this problem by adding an authentication number: an index that corresponds to each password and is chosen randomly whenever the password is changed. The security home gateway server manages two tables. One is the MAC address management table, which records the MAC addresses of authenticated devices together with their authentication number. The other is the authentication number table: when the password is changed, the new password and its authentication number are recorded there. For example, consider a device with MAC address 00:00:F0:7A:B1:B7. After the device is authenticated while the password is 1234, the server records its MAC address with the current authentication number (here, 1) in the MAC address management table, as shown in Table 1, and transmits the current authentication number to the device. When the password is changed to 5678, the authentication number is also changed, to 2, and recorded in the authentication number table, as shown in Table 2.
Figure 8 presents the EAP-TTLS procedure supporting the proposed authentication protocol. In the figure, solid lines represent the standard message exchanges and dashed lines the supplementary message exchanges. As shown in Figure 8, the EAP-TTLS procedure using the authentication number is as follows.

1. The user's WLAN station associates with an AP using open authentication, with wired equivalent privacy (WEP) turned off. The AP then asks for the user's identity.
2. The WLAN station transmits an EAP-Response/Identity message, encapsulated in an EAPOL-EAP frame, to the AP; it contains the MAC address of the WLAN station.
3. The server is authenticated to the WLAN station with its certificate and a TLS connection is established between them. Keying material derived from the TLS session is then used to encrypt the air traffic.
When the Code is 3 or 4 (Success or Failure), the message carries no data. In the case of EAP-TLS (and EAP-TTLS, whose flags byte carries the version field), the Data field is divided into further parts, as shown in Figure 9(b): L, M, S, R and V are flags meaning length included, more fragments, start, reserved and version number respectively.

For backward compatibility the proposed protocol uses the same packet format. With EAP-TTLS the existing packet format can be reused, because the new messages and the additional information fit the same format as the other messages: only the reserved bit is redefined as the C bit, meaning that an authentication number is included. If the C bit is set in an EAP message, the message includes the authentication number or the authentication information. When EAP-MD5 or EAP-TLS is used, however, the authentication number is appended to the Identity message and the authentication server cannot separate it from the user's identity. A new Type value is therefore needed instead of 1 (Identity); any otherwise unused Type number can be used. The Data field is then divided into two parts: the former carries the authentication number and the latter the identity. The additional messages carrying the authentication information use the same packet format as EAP-TTLS.
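As an added example (not code from the paper), the following Python encoder/decoder implements the packet layout described above: the RFC 3748 EAP header (Code, Identifier, Length, Type), the EAP-TTLS flags byte of RFC 5281 (L, M, S, two reserved bits, 3-bit version; the V flag quoted above is this EAP-TTLS layout, plain EAP-TLS per RFC 5216 has no version bits), the proposal's C bit placed in the high reserved bit, and a new Type carrying authentication number followed by identity. The bit position (0x10), the 16-bit width of the authentication number, its placement after the optional TLS Message Length, and the Type value 255 (the experimental value RFC 3748 reserves) are assumptions, since the paper leaves them open.

```python
import struct

# RFC 3748 EAP header: Code(1) | Identifier(1) | Length(2) | Type(1) | Type-Data
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
EAP_TYPE_TTLS = 21                 # RFC 5281
EAP_TYPE_IDENTITY_AUTHNUM = 255    # assumed: RFC 3748 reserves 255 for experimental use

# EAP-TTLS flags byte (RFC 5281): L M S R R V V V
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
FLAG_C = 0x10          # proposal: a reserved bit becomes C ("authentication number included"); position assumed
VERSION_MASK = 0x07
AUTHNUM_FMT = "!H"     # assumed 16-bit authentication number, network byte order


def build_eap(code, identifier, eap_type=None, type_data=b""):
    """Serialise an EAP packet; Success/Failure carry neither Type nor data."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(pkt):
    """Return (code, identifier, type, type_data); type is None for Success/Failure."""
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP length")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure carry no data")
        return code, identifier, None, b""
    if length < 5:
        raise ValueError("Request/Response needs a Type")
    return code, identifier, pkt[4], pkt[5:]


def build_ttls(identifier, version, tls_data=b"", auth_number=None, start=False):
    """EAP-TTLS Response; with auth_number the C bit is set and the number precedes the TLS data."""
    flags = version & VERSION_MASK
    if start:
        flags |= FLAG_S
    extra = b""
    if auth_number is not None:
        flags |= FLAG_C
        extra = struct.pack(AUTHNUM_FMT, auth_number)
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_TTLS, bytes([flags]) + extra + tls_data)


def parse_ttls(type_data):
    """Decode flags, optional TLS Message Length, optional authentication number, then TLS data."""
    flags, rest = type_data[0], type_data[1:]
    tls_len = None
    if flags & FLAG_L:                               # 4-byte TLS Message Length when L is set
        (tls_len,) = struct.unpack("!I", rest[:4])
        rest = rest[4:]
    auth_number = None
    if flags & FLAG_C:
        (auth_number,) = struct.unpack(AUTHNUM_FMT, rest[:2])
        rest = rest[2:]
    return {"version": flags & VERSION_MASK, "more": bool(flags & FLAG_M),
            "start": bool(flags & FLAG_S), "tls_len": tls_len,
            "auth_number": auth_number, "tls_data": rest}


def build_identity_authnum(identifier, auth_number, identity):
    """New Type for EAP-MD5/EAP-TLS: Data = authentication number || identity (the paper's split)."""
    return build_eap(EAP_RESPONSE, identifier, EAP_TYPE_IDENTITY_AUTHNUM,
                     struct.pack(AUTHNUM_FMT, auth_number) + identity)


def parse_identity_authnum(type_data):
    """Separate the authentication number from the identity, which plain Type 1 cannot do."""
    (auth_number,) = struct.unpack(AUTHNUM_FMT, type_data[:2])
    return auth_number, type_data[2:]
```

A receiver that does not know the C bit will treat the two authentication-number bytes as the start of the TLS record, so the C bit must only be set towards a gateway that advertises support; the same holds for Type 255, which an unmodified RADIUS server will reject with a NAK.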

The proposed intrusion detection system
In the proposed intrusion detection system, the secure home gateway server (the SNMP server, i.e. the manager that polls the agents) checks by polling whether each terminal node has an enrolled, authenticated MAC address (see Figure 7). If an unenrolled MAC address appears, an alarm message is sent to the response unit inside the home. This covers one kind of leakage, and requires the user to enrol the MAC address of the AP as well. In addition, SNMP can obtain traffic information (ICMP, TCP and UDP counters, etc.). If the traffic volume rises beyond a specific threshold, the user may treat it as an intentional or unintentional leakage (e.g. an unauthorised connection or a DoS attack), and the response unit reports the leakage inside the home with an alarm message.

Security analysis
EAP-MD5 is more vulnerable to unwanted attacks than the other authentication methods. One such attack is the brute-force attack: defeating a cryptographic scheme by trying a large number of possibilities, for example exhaustively working through all possible keys in order to decrypt a message. As a minimum protection against brute force, the password should be changed at least every month. The proposed protocol is robust against brute-force attacks in this sense because it changes the password periodically; note that rotation bounds the time for which a recovered password remains valid rather than raising the cost of the attack itself.
It also helps to detect replay attacks, in which an attacker pretends to be an authorised user in order to access the network, for example by simply intercepting and replaying a station's identity and password hash. When the authentication number is not used, an attacker can capture the challenge message and transmit the corresponding response repeatedly. When the authentication number is used, the attacker must also know it. The user's identity is easy to learn, but the authentication number is not, because it was transmitted under encryption during the previous authentication procedure. The server can therefore detect an attacker who presents an invalid authentication number.
With mutual authentication these problems are eliminated in any case; what the proposed protocol adds is not additional security but automatic re-authentication in an environment where the password is changed.

Password dictionary attack
A dictionary attack is a method of breaking password-based security systems in which the attacker systematically tests candidate passwords, beginning with words that are more likely to be used, such as names and places; the word "dictionary" refers to the attacker exhausting all the words of a dictionary in an attempt to discover the password. This research proposes authentication scenarios that minimise the steps required of the user, a password that is changed randomly and periodically, and the corresponding authentication protocols. Because a new parameter (the authentication number) is added, the scheme can provide a home network environment that is both safer and more convenient.
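The dictionary attack discussed here, in the 802.1X list above and in the security analysis is concrete for EAP-MD5, so the following added Python example (not code from the paper) runs one EAP-MD5 exchange, records what an eavesdropper on the air sees, and recovers the password offline from that capture. The hash is the RFC 1994/RFC 3748 one, MD5(Identifier || secret || challenge); the server name "home-gateway", the identities and the word list are constructed sample data.

```python
import hashlib
import os
from dataclasses import dataclass

EAP_TYPE_MD5_CHALLENGE = 4   # RFC 3748 section 5.4


def md5_response(identifier, secret, challenge):
    """EAP-MD5 (= CHAP, RFC 1994) response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def build_type_data(value, name):
    """Type-Data of an MD5-Challenge Request/Response: Value-Size(1) | Value | Name."""
    return bytes([len(value)]) + value + name


def parse_type_data(type_data):
    size = type_data[0]
    return type_data[1:1 + size], type_data[1 + size:]


@dataclass
class Capture:
    """What an eavesdropper on the air recovers from one EAP-MD5 exchange."""
    identifier: int
    challenge: bytes
    response: bytes
    identity: bytes


def run_exchange(password, identity, identifier=7, rng=os.urandom):
    """Server sends Request/MD5-Challenge, supplicant answers; returns the eavesdropper's view.
    Sample values only: 'home-gateway' and the identity are constructed, not from the paper."""
    challenge = rng(16)
    request = build_type_data(challenge, b"home-gateway")                  # server -> supplicant
    chal, _server_name = parse_type_data(request)
    response = build_type_data(md5_response(identifier, password, chal), identity)  # supplicant -> server
    value, name = parse_type_data(response)
    return Capture(identifier, chal, value, name)


def server_verify(capture, password):
    """The authentication server recomputes the hash with the stored password."""
    return md5_response(capture.identifier, password, capture.challenge) == capture.response


def offline_dictionary_attack(capture, wordlist):
    """Try candidates against the captured challenge/response. No packets are sent, so the
    server never sees the guesses: rate limiting, lockout and monthly rotation cannot stop it,
    rotation only limits how long the recovered password stays useful."""
    for word in wordlist:
        if md5_response(capture.identifier, word, capture.challenge) == capture.response:
            return word
    return None
```

Inside an EAP-TTLS or PEAP tunnel the eavesdropper sees only TLS records, so no Capture can be built and the attack has no input; that is the whole content of the claim that 802.1X "solves" the dictionary attack with TLS tunnels, and it holds only if the supplicant verifies the server certificate before sending the inner credentials.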

Replay attack
As discussed in the security analysis above, an attacker who replays a captured identity and password hash is detected when the authentication number is in use: the number was transmitted under encryption during the previous authentication, so the replayed message does not carry a valid current one and the server rejects it. In our authentication protocol, additional parameters (the old authentication number and the authentication status) are padded into the challenge/response messages, thus protecting against replay attacks.
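The two tables described in "The proposed protocol" and the replay detection argued here and in the security analysis can be shown together in one added Python model (not the paper's code; the table structure, the 16-bit random authentication number and the status strings are assumptions). It rotates the password with a fresh random authentication number, records the number issued to each MAC, re-authenticates a returning device automatically when the password changed while it was away, and rejects a device that presents a number other than the one recorded for it, which is the replay case.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class HomeGatewayServer:
    """Assumed model of the security home gateway server's two tables."""
    auth_number_table: Dict[int, str] = field(default_factory=dict)  # Table 2: number -> password
    mac_table: Dict[str, int] = field(default_factory=dict)          # Table 1: MAC -> number issued
    current_number: Optional[int] = None
    current_password: Optional[str] = None

    def change_password(self, new_password: str) -> int:
        """Periodic/random password change: choose a fresh random authentication number for it."""
        while True:
            number = secrets.randbelow(1 << 16)                  # 16-bit width assumed
            if number != 0 and number not in self.auth_number_table:
                break
        self.auth_number_table[number] = new_password
        self.current_number, self.current_password = number, new_password
        return number

    def first_authentication(self, mac: str, password: str) -> Optional[int]:
        """User-assisted authentication (inside the TLS tunnel); on success the device learns
        the current authentication number, which is recorded against its MAC."""
        if password != self.current_password:
            return None
        self.mac_table[mac] = self.current_number
        return self.current_number

    def reauthenticate(self, mac: str, presented_number: int) -> Tuple[str, Optional[int], Optional[str]]:
        """Automatic re-authentication with the authentication number only, no user input.
        Returns (status, current number, current password); credentials are None unless accepted."""
        recorded = self.mac_table.get(mac)
        if recorded is None:
            return ("unknown-device", None, None)           # never authenticated with a password
        if presented_number != recorded:
            return ("invalid-auth-number", None, None)      # stale or guessed number: replay case, raise alarm
        if recorded != self.current_number:
            # password changed while the device was away: hand it the new credentials and re-index it
            self.mac_table[mac] = self.current_number
            return ("renewed", self.current_number, self.current_password)
        return ("ok", self.current_number, self.current_password)

    def devices_to_update(self) -> List[str]:
        """Devices still indexed under an old number, i.e. those that must learn the new password."""
        return [mac for mac, n in self.mac_table.items() if n != self.current_number]
```

The number is a bearer token bound to a MAC address, and MAC addresses are trivially spoofed, so the scheme's strength rests entirely on the number never leaving the TLS tunnel; an attacker who learns a device's current number and MAC can renew in its place until the legitimate device next re-authenticates and the mismatch is noticed.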

Denial of service and rogue attack
A denial-of-service (DoS) attack is a malicious attempt by a single person or a group to cause a victim site or node to deny service to its customers. When the attempt comes from a single host it is a DoS attack; when many malicious hosts coordinate to flood the victim with attack packets simultaneously from multiple points, it is a distributed DoS (DDoS) attack. In a WLAN, the attacker overloads an AP in various ways so that it cannot serve legitimate users; the attacker gains nothing directly but creates a nuisance. A rogue station attack is a rogue station associating itself with an AP: the attacker benefits by becoming a participant in the wireless network and gaining the ability to send and receive data.
In our authentication protocol, the additional parameters (old authentication number and authentication status) padded into the challenge/response messages also protect against denial-of-service and rogue station attacks. In addition, the proposed intrusion detection system raises an alarm to the response unit inside the home when a MAC address that is not enrolled appears (which requires the user to enrol the MAC address of the AP), and when the ICMP, TCP or UDP traffic obtained through SNMP exceeds a specific threshold, which the user may treat as an intentional or unintentional leakage such as an unauthorised connection or a DoS attack.
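The detection logic of the proposed intrusion detection system (described in its own section and summarised here) is the following added Python example, which is not the paper's code. It assumes the gateway has already fetched, by SNMP polling, the list of MAC addresses currently seen and the MIB-II counters icmpInMsgs, tcpInSegs and udpInDatagrams (RFC 1213 OIDs given for reference; the choice of counters, the thresholds and the sample polls are constructed). Counters are turned into per-interval rates with Counter32 wraparound handled, since an absolute counter value says nothing about an attack.

```python
from collections import namedtuple
from typing import Dict, Iterable, List

# MIB-II counters the gateway could poll (RFC 1213); which counters to use is an assumption
COUNTER_OIDS = {
    "icmpInMsgs": "1.3.6.1.2.1.5.1",
    "tcpInSegs": "1.3.6.1.2.1.6.10",
    "udpInDatagrams": "1.3.6.1.2.1.7.1",
}
COUNTER32_MOD = 1 << 32

Alarm = namedtuple("Alarm", "kind detail")


class HomeIDS:
    """SNMP-polling detector: unenrolled MAC addresses and per-counter traffic rates over threshold."""

    def __init__(self, enrolled_macs: Iterable[str], rate_thresholds: Dict[str, float], poll_interval_s: float):
        self.enrolled = {m.lower() for m in enrolled_macs}   # authenticated devices plus the AP's own MAC
        self.thresholds = rate_thresholds                     # counter name -> packets per second
        self.interval = poll_interval_s
        self.last: Dict[str, int] = {}

    def check_macs(self, observed_macs: Iterable[str]) -> List[Alarm]:
        """Every MAC seen in the polled table that is not enrolled is reported to the response unit."""
        return [Alarm("unknown-mac", m) for m in observed_macs if m.lower() not in self.enrolled]

    def check_traffic(self, counters: Dict[str, int]) -> List[Alarm]:
        """Turn absolute counters into rates since the previous poll; the first poll only sets the baseline."""
        alarms = []
        for name, value in counters.items():
            prev = self.last.get(name)
            if prev is not None:
                rate = ((value - prev) % COUNTER32_MOD) / self.interval   # modulo handles Counter32 wrap
                threshold = self.thresholds.get(name)
                if threshold is not None and rate > threshold:
                    alarms.append(Alarm("traffic-threshold", f"{name} {rate:.0f}/s > {threshold}/s"))
        self.last.update(counters)
        return alarms

    def poll(self, observed_macs: Iterable[str], counters: Dict[str, int]) -> List[Alarm]:
        """One polling round: both checks, in the order the paper lists them."""
        return self.check_macs(observed_macs) + self.check_traffic(counters)
```

Two limits a practitioner should keep in mind: a rogue station can clone an enrolled MAC address, so the MAC check only catches careless attackers, and fixed thresholds must be set from a measured baseline of the household's normal traffic or the response unit will alarm on every large download.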

Conclusion
We introduced secure and convenient mechanisms for home network WLAN access and proposed an authentication protocol that provides automatic authentication when the password is changed. The automatic password change method lets users use the home network without performing periodic password changes themselves. Under the threats we considered, the proposed protocol protects against dictionary, replay, denial-of-service and rogue station attacks. Even if the previous password is changed for some reason, users do not need to enter the new password or any other information again. From the user's viewpoint the mechanisms are convenient because users need not know the authentication mechanism. SNMP is used so that users inside the home can perceive an attack.
For backward compatibility between the authentication methods, we modified the packet format using a reserved bit: the C bit indicates the presence of the authentication number, and a new Type number is used that carries both the user's identity and the authentication number.
Compared with the current WLAN security set-up procedure, the proposed protocol provides a simpler procedure for WLAN users and protects them from unwanted attacks in the home network environment.

Acknowledgement
This work was supported by National Research Foundation of Korea Grant funded by the Korean Government (KRF-2007-313-D00503)

Fig. 4. IEEE 802.11i-based authentication procedure flow

The manager and agents exchange SNMP primitives to read or change the values of MIB objects; examples of primitives are get-request, get-response, get-next, set-request and trap.

Fig. 5. Relation between components of the SNMP management

Table 1. The MAC address management table

Table 2. The authentication number management table