5 research outputs found

    Security and mobility in 802.11 structured networks

    Master's in Electronics and Telecommunications Engineering. This thesis presents a protocol that enables fast, secure handovers in structured 802.11 networks. The protocol recovers the original 802.11 paradigm: authenticate first, reassociate next. Starting from this paradigm, we present two new 802.11 authentication and (re)association operations, which allow a mobile station to perform reauthentications and reassociations with the same functionality as 802.1X. This new approach requires little change to the network architecture; it only needs a new Reauthentication Server to store the data used by mobile stations during reauthentications. The thesis also presents an extension of our protocol that enables fast, secure migration between ESSs using Mobile IP. ABSTRACT: This thesis presents a fast, secure handover protocol that recovers the original 802.11 paradigm: authenticate first, reassociate next. Following this paradigm, we present two new 802.11 authentication and (re)association operations which allow a mobile station to perform network reauthentications and reassociations with the same functionality as a complete 802.1X authentication. This new approach requires very little from the environment, namely it only requires a new, central network Reauthentication Service, for storing data used in the reauthentication of stations. This thesis also presents a layer 3 extension of our protocol, to support fast, secure transitions between ESS using Mobile IP.

    Mobility control with security in structured 802.11 networks (Controlo de mobilidade com segurança em redes estruturadas 802.11)

    Master's in Electronics and Telecommunications Engineering. This dissertation addresses the problem of secure mobility management in 802.11 networks. It begins with a detailed study of the 802.11 protocol, of the handoff of mobile devices between access points, and of solutions presented by various authors with the aim of reducing the time spent in this process, with and without associated security. Next, it presents network metrics and attributes that can be considered when establishing mobility policies that govern the AP transitions each mobile device makes. After this initial study, a solution is presented that enables fast, secure handoffs in structured 802.11 networks and minimizes their preparation time. This new protocol is an evolution of the work developed by Rodolphe Marques in the work titled “Security and Mobility in 802.11 Structured Networks”, referenced in [1]; its novelty consists of using 802.11 network discovery frames (Probe Request/Response) to distribute security associations to the access points within range of each mobile device. The new approach implies small changes to the network architecture considered in [1] and allows a mobile device, within the scope of access point discovery operations, which are common and necessary, to install in parallel security associations in the APs it may use in the near future, that is, all those within its range. ABSTRACT: This thesis handles the problem of mobility management with security in 802.11 networks. It begins by presenting a detailed study of the 802.11 protocol, the handoff process of roaming mobile nodes between access points, and solutions presented by many authors with the common goal of reducing the time spent in this process, with and without associated security. After this we present metrics and attributes of the network that may be considered in the establishment of mobility policies that handle the AP transitions made by every mobile node. Once this initial study is finished, we present a solution that enhances fast and secure handoffs in structured 802.11 networks and minimizes the time spent in its setting. This new protocol represents an evolution of the work developed by Rodolphe Marques in his work named “Security and Mobility in 802.11 Structured Networks”, referenced in [1]; its new feature consists of using 802.11 network scanning frames (Probe Request/Response) to distribute security associations to all access points in range of each mobile node. This new approach implies some changes to the architecture proposed in [1] and allows a mobile node to install security associations simultaneously while browsing the neighborhood for access points that may be used in the near future.

    Fast 802.11 handovers with 802.1X reauthentications

    Fast handovers of roaming stations (STAs) between access points (APs) require preauthentication or fast reauthentication within new serving APs. The current standards address only over-the-DS (Distribution System) preauthentications for 802.1X authentications. However, over-the-DS preauthentication is not suitable for fast moving STAs, which may lose their connection with the currently serving AP before performing preauthentications in the neighbouring APs. This paper presents several ways to achieve fast 802.11 handovers while keeping the basic security features of 802.1X authentications. To do so, we designed a fast 802.1X reauthentication protocol. This protocol enables an STA to perform many fast 802.1X reauthentications after an initial, possibly slow, 802.1X authentication. The reauthentication protocol requires little from the network environment, namely a new, central Reauthentication Service (RS) (possibly integrated with the local 802.1X Authentication Server). To speed up 802.1X reauthentications within handovers, the reauthentication protocol was piggybacked into 802.11 management frames that are ordinarily used during handovers. This way, we are able to perform 802.1X reauthentications while taking the normal, over-the-air 802.11 steps for performing handovers (network probing, authentication, and (re)association). Besides this over-the-air approach, we also show how the 802.1X reauthentication protocol can be implemented using an over-the-DS approach. A prototype implementation using over-the-air 802.1X reauthentication showed that handover delays can be dramatically reduced to 1.5 ms, while an 802.1X fast resume takes more than 150 ms.

    Fast, secure handovers in 802.11: Back to the basis

    This article presents a fast, secure handover protocol for 802.11 networks. The protocol keeps the security functionalities of 802.1X but uses a new reauthentication protocol that promotes fast handovers during reassociations. The reauthentication protocol recovers the original 802.11 paradigm: authenticate first, reassociate next. Following this paradigm, we conceived two new 802.11 authentication and reassociation protocols, which allow a mobile station to perform 802.1X reauthentications before reassociations with the same functionality as a complete 802.1X authentication. Furthermore, reassociation protocols are authenticated, preventing denial-of-service scenarios that are not handled by 802.11i. Our new approach requires little from the environment, namely a new, central Reauthentication Service, for storing data used in the reauthentication of stations. The time of security-related tasks that contribute to handover delays was dramatically reduced to 1.5 ms, while an 802.1X fast resume takes more than 150 ms. Finally, our protocol addresses most design goals and problems stated by standards' working groups for fast, secure roaming in 802.11.