IPv6 Network Mobility

Network Authentication, Authorization, and Accounting has been used since before the days of the Internet as we know it today. Authentication asks the question, “Who or what are you?” Authorization asks, “What are you allowed to do?” And fi nally, accounting wants to know, “What did you do?” These fundamental security building blocks are being used in expanded ways today. The fi rst part of this two-part series focused on the overall concepts of AAA, the elements involved in AAA communications, and highlevel approaches to achieving specifi c AAA goals. It was published in IPJ Volume 10, No. 1[0]. This second part of the series discusses the protocols involved, specifi c applications of AAA, and considerations for the future of AAA

EAP-CRA for WiMAX, WLAN and 4G LTE Interoperability

Today we are moving into a “post-PC” world! Not many people sit in front of custom built PCs to do their businesses any more. Hand held devices such as iPod Touch, iPhone, Galaxy S3, iPad, Galaxy Tab, Airbook, Notepad etc. are bringing in a new paradigm as to how people use and communicate information. These devices can be thought as a theoretical “black-box”. They are for people who want to use it without wanting to know how they work. Such devices have third generation user interfaces – multi touch, physics and gestures (MPG). They need updates, but the user is not worried of how and where the files are stored. When a new application is installed, the user sees the icon and starts using it. The user is not interested in, what files were installed or where it was installed – there is no file management. The post-PC approach to dealing with software is that it’s discovered on an app store, downloaded with a single touch and deleted with another touch. Updates all come at once from the app store and it all happens behind the scene with minimal user involvement. All this is happening and adopted rapidly because people are able to do a number of things without being restricted to one place. They can download apps, watch movies, listen to news, browse the web etc. while on the move.Griffith Sciences, School of Information and Communication TechnologyFull Tex

Inter-Domain Authentication for Seamless Roaming in Heterogeneous Wireless Networks

The convergence of diverse but complementary wireless access technologies and inter-operation among administrative domains have been envisioned as crucial for the next generation wireless networks that will provide support for end-user devices to seamlessly roam across domain boundaries. The integration of existing and emerging heterogeneous wireless networks to provide such seamless roaming requires the design of a handover scheme that provides uninterrupted service continuity while facilitating the establishment of authenticity of the entities involved. The existing protocols for supporting re-authentication of a mobile node during a handover across administrative domains typically involve several round trips to the home domain, and hence introduce long latencies. Furthermore, the existing methods for negotiating roaming agreements to establish inter-domain trust rely on a lengthy manual process, thus, impeding seamless roaming across multiple domains in a truly heterogeneous wireless network. In this thesis, we present a new proof-token based authentication protocol that supports quick re-authentication of a mobile node as it moves to a new foreign domain without involving communication with the home domain. The proposed proof-token based protocol can also support establishment of spontaneous roaming agreements between a pair of domains that do not already have a direct roaming agreement, thus allowing flexible business models to be supported. We describe details of the new authentication architecture, the proposed protocol, which is based on EAP-TLS and compare the proposed protocol with existing protocols

Enhanced Quality of Experience Based on Enriched Network Centric and Access Control Mechanisms

In the digital world service provisioning in user satisfying quality has become the goal of any content or network provider. Besides having satisfied and therefore, loyal users, the creation of sustainable revenue streams is the most important issue for network operators [1], [2], [3]. The motivation of this work is to enhance the quality of experience of users when they connect to the Internet, request application services as well as to maintain full service when these users are on the move in WLAN based access networks. In this context, the aspect of additional revenue creation for network operators is considered as well. The enhancements presented in this work are based on enriched network centric and access control mechanisms which will be achieved in three different areas of networks capabilities, namely the network performance, the network access and the network features themselves. In the area of network performance a novel authentication and authorisation method is introduced which overcomes the drawback of long authentication time in the handover procedure as required by the generic IEEE 802.1X process using the EAP-TLS method. The novel sequential authentication solution reduces the communication interruption time in a WLAN handover process of currently several hundred milliseconds to some milliseconds by combining the WPA2 PSK and the WPA2 EAP-TLS. In the area of usability a new user-friendly hotspot registration and login mechanisms is presented which significantly simplifies how users obtain WLAN hotspot login credentials and logon to a hotspot. This novel barcode initiated hotspot auto-login solution obtains user credentials through a simple SMS and performs an auto-login process that avoids the need to enter user name and password on the login page manually. In the area of network features a new system is proposed which overcomes the drawback that users are not aware of the quality in which a service can be provided prior to starting the service. This novel graceful denial of service solution informs the user about the expected application service quality before the application service is started

Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks

Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges in next-generation wireless networks such as providing flexible, adaptive, and reconfigurable architecture while offering cost-effective solutions to service providers. As WMNs become an increasingly popular replacement technology for last-mile connectivity to the home networking, community and neighborhood networking, it is imperative to design efficient and secure communication protocols for these networks. However, several vulnerabilities exist in currently existing protocols for WMNs. These security loopholes can be exploited by potential attackers to launch attack on WMNs. The absence of a central point of administration makes securing WMNs even more challenging. The broadcast nature of transmission and the dependency on the intermediate nodes for multi-hop communications lead to several security vulnerabilities in WMNs. The attacks can be external as well as internal in nature. External attacks are launched by intruders who are not authorized users of the network. For example, an intruding node may eavesdrop on the packets and replay those packets at a later point of time to gain access to the network resources. On the other hand, the internal attacks are launched by the nodes that are part of the WMN. On example of such attack is an intermediate node dropping packets which it was supposed to forward. This chapter presents a comprehensive discussion on the current authentication and privacy protection schemes for WMN. In addition, it proposes a novel security protocol for node authentication and message confidentiality and an anonymization scheme for privacy protection of users in WMNs.Comment: 32 pages, 10 figures. The work is an extended version of the author's previous works submitted in CoRR: arXiv:1107.5538v1 and arXiv:1102.1226v

Greenpass Client Tools for Delegated Authorization in Wireless Networks

Dartmouth\u27s Greenpass project seeks to provide strong access control to a wireless network while simultaneously providing flexible guest access; to do so, it augments the Wi-Fi Alliance\u27s existing WPA standard, which offers sufficiently strong user authentication and access control, with authorization based on SPKI certificates. SPKI allows certain local users to delegate network access to guests by issuing certificates that state, in essence, he should get access because I said it\u27s okay. The Greenpass RADIUS server described in Kim\u27s thesis [55] performs an authorization check based on such statements so that guests can obtain network access without requiring a busy network administrator to set up new accounts in a centralized database. To our knowledge, Greenpass is the first working delegation-based solution to Wi-Fi access control. My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest\u27s public key and runs a Java applet that lets her verify her guests\u27 identity using visual hashing and issue a new SPKI certificate to him. The guest\u27s new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time. I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work.My thesis describes the Greenpass client tools, which allow a guest to introduce himself to a delegator and allow the delegator to issue a new SPKI certificate to the guest. The guest does not need custom client software to introduce himself or to connect to the Wi-Fi network. The guest and delegator communicate using a set of Web applications. The guest obtains a temporary key pair and X.509 certificate if needed, then sends his public key value to a Web server we provide. The delegator looks up her guest\u27s public key and runs a Java applet that lets her verify her guests\u27 identity using visual hashing and issue a new SPKI certificate to him. The guest\u27s new certificate chain is stored as an HTTP cookie to enable him to push it to an authorization server at a later time. I also describe how Greenpass can be extended to control access to a virtual private network (VPN) and suggest several interesting future research and development directions that could build on this work

IEEE 802.11 i Security and Vulnerabilities

Despite using a variety of comprehensive preventive security measures, the Robust Secure Networks (RSNs) remain vulnerable to a number of attacks. Failure of preventive measures to address all RSN vulnerabilities dictates the need for enhancing the performance of Wireless Intrusion Detection Systems (WIDSs) to detect all attacks on RSNs with less false positive and false negative rates

Token-based Fast Authentication for Wireless Network

Wireless Networks based on WIFI or WIMAX become popular and are used in many places as compliment network to wired LAN to support mobility. The support of mobility of clients, the continuous access anywhere and anytime make WLAN preferable network for many applications. However, there are some issues associated with the usage of WLAN that put some restriction on adapting this technology everywhere. These issues are related to using the best routing algorithm to achieve good performance of throughput and delay, and to securing the open access to avoid attacks at the physical and MAC layer. IEEE 802.1x, suggested a solution to address the security issue at the MAC layer and but there are varieties of implementations address this solution and they differ in performance. IEEE 802.1af tried to address other security issue remained at the MAC layer but it is still at early stage and need verification for easy deployment. In this paper a new technique for securing wireless network using fast token-based authentication has been invented to address the vulnerability inherited by the wireless network at the MAC layer using fast authentication process. This technique is based on an authentication server distributing a security token, public authentication key, and network access key parameter to eligible mobile client MCs during registration. All messages will be encrypted during registration using temporary derived token key, but it will use derived valid token key during authentication. Authenticated MCs will then use derived group temporal key generated from the network access parameter key to encrypt all messages exchanged over the wireless network. The token, the authentication key and the access network parameter key will be only distributed during registration. This makes the security parameters known only to authentication server, authenticator and MC. Hence, this technique will protect the wireless network against attack since attackers are unable to know the token and other security keys. Moreover, it will avoid the exchange of public keys during authentication such as the one used in other existing technologies, and consequently speedup the authentication phase which is very critical to wireless technologies

Using secure coprocessors to enforce network access policies in enterprise and ad hoc networks

Nowadays, network security is critically important. Enterprises rely on networks to improvetheir business. However, network security breaches may cause them loss of millions of dollars.Ad hoc networks, which enable computers to communicate wirelessly without the need forinfrastructure support, have been attracting more and more interests. However, they cannotbe deployed effectively due to security concerns.Studies have shown that the major network security threat is insiders (malicious orcompromised nodes). Enterprises have traditionally employed network security solutions(e.g., firewalls, intrusion detection systems, anti-virus software) and network access controltechnologies (e.g., 802.1x, IPsec/IKE) to protect their networks. However, these approachesdo not prevent malicious or compromised nodes from accessing the network. Many attacksagainst ad hoc networks, including routing, forwarding, and leader-election attacks, requiremalicious nodes joining the attacked network too.This dissertation presents a novel solution to protect both enterprise and ad hoc networksby addressing the above problem. It is a hardware-based solution that protects a networkthrough the attesting of a node's configuration before authorizing the node's access to thenetwork. Attestation is the unforgeable disclosure of a node's configuration to another node,signed by a secure coprocessor known as a Trusted Platform Module (TPM).This dissertation makes following contributions. First, several techniques at operatingsystem level (i.e., TCB prelogging, secure association root tripping, and sealing-free attestation confinement) are developed to support attestation and policy enforcement. Second, two secure attestation protocols at network level (i.e., Bound Keyed Attestation (BKA) andBatched Bound Keyed Attestation (BBKA)) are designed to overcome the risk of a man-inthe-middle (MITM) attack. Third, the above techniques are applied in enterprise networks todifferent network access control technologies to enhance enterprise network security. Fourth,AdHocSec, a novel network security solution for ad hoc networks, is proposed and evaluated. AdHocSec inserts a security layer between the network and data link layer of the networkstack. Several algorithms are designed to facilitate node's attestation in ad hoc networks,including distributed attestation (DA), and attested merger (AM) algorithm