40 research outputs found

    An authentication scheme resistant to identity replay attacks in heterogeneous networks

    Advisor: Aldri Luiz dos Santos. Co-advisor: Michele Nogueira Lima. Master's dissertation - Universidade Federal do Paraná, Setor de Ciências Exatas, Programa de Pós-Graduação em Informática. Defense: Curitiba, 25/08/2016. Includes references: f. 47-50.
    Summary (translated from the Portuguese): The development of heterogeneous wireless networks (RHSFs) has broadened the reach of communication, supporting the demand of mobile device users. This is due to the possibility of device interoperability with wireless local area networks and metropolitan networks. This interoperability consists of several network services and allows connectivity to be maintained while the user moves. One of these services is user authentication, which provides the user's access control to the networks. Authentication in RHSFs must deal with the limited resources of mobile devices, the transparency of user services during network transitions, and the vulnerabilities of the wireless medium. Thus, during the authentication procedure, several types of attacks can occur in order to harm the confidentiality of the users carrying mobile devices. Among the main attacks on this service, the identity replay attack stands out, which seeks to gain unauthorized access to network resources. Existing approaches to protect the authentication service from identity replay attacks do not take into account the heterogeneous characteristics of the devices; hence they are costly and insecure against this attack given the vulnerabilities present in RHSFs. This dissertation proposes an authentication scheme called ARARAS (Autenticação Resistente a Ataques de Repetição de IdentidAdes em RedeS Heterogêneas), whose goal is to nullify identity replay attacks in the authentication process. This scheme uses unified authentication across the heterogeneous wireless networks and makes use of a protection mechanism against the identity replay attack. An evaluation of the scheme through simulations analyzed its performance and security against the identity replay attack, comparing it with the UHA (Unified Handover Authentication) authentication scheme. The results showed that ARARAS detected the identity replay attack more effectively and efficiently regardless of the network technology type and the number of malicious users. Keywords: heterogeneous networks, interoperability, authentication, identity replay attack.
    Abstract: The development of heterogeneous wireless networks (RHSFs) has offered a broader range of communication supporting the demand of mobile users. This is due to the possibility of interoperability of the devices with wireless local area networks and metropolitan networks. That interoperability consists of multiple network services and also allows the maintenance of connectivity during the mobility of the user. One of those services consists of the user authentication, which enables user access control to networks. However, authentication in RHSFs needs to deal with the limitation of mobile device resources, the transparency of user services in network transition, and also wireless vulnerabilities. In this way, over the authentication procedure, various types of attacks may occur in order to impair the confidentiality of users who carry mobile devices. Among the main attacks on this service, we highlight the identity replay attack, which seeks to obtain unauthorized access to network resources. On the other hand, the current approaches to protect the authentication service from identity replay attacks do not take into account the heterogeneous features of the devices, so they become costly and insecure against this sort of attack considering the vulnerabilities present in RHSFs. This dissertation proposes an authentication scheme called ARARAS (Autenticação Resistente a Ataques de Repetição de IdentidAdes em RedeS Heterogêneas), which aims at avoiding identity replay attacks during the authentication process. Thus, the scheme uses unified authentication between heterogeneous wireless networks, as well as a mechanism to defend it against identity replay. An evaluation of ARARAS by simulations analyzed its performance and security in the face of identity replay attacks, and also compared it to the Unified Handover Authentication (UHA) scheme. The results pointed out that ARARAS is more effective at detecting identity replay attacks regardless of the type of network technology and the number of malicious users. Keywords: heterogeneous networks, interoperability, authentication, identity replay attack.

    Heterogeneous Wireless Networks QoE Framework

    With the appearance of small cells and the move of mobile networks towards an all-IP 4G network, the convergence of these with Wi-Fi becomes a possibility, which at the same time opens the path to achieve what will become 5G connectivity. This thesis describes the evolution of the different mainstream wireless technologies deployed around the world and how they can interact, and provides tools to use this convergence to achieve the foreseen requirements expected in a 5G environment and the ideal user experience. Several topics were identified as needing attention: handover between heterogeneous networks, security of large numbers of small cells connected via a variety of backhaul technologies to the core networks, edge content distribution to improve latency, improvement of the service provided in challenging radio environments, and interference between licensed and unlicensed spectrum. Within these topics a contribution was made to improve the current status by analysing the unaddressed issues and coming up with potential improvements that were tested in trials or in a lab environment. The main contributions from the study have been: 1. A patent in the wireless security domain that reuses the fact that overlapping coverage is and will be available and protects against man-in-the-middle attacks (Section 5.3). 2. A patent in the content distribution domain that manages to reduce the cost to deliver content within a mobile network by looking for the shortest path to the requested content (Section 6.3). 3. Improvements and interoperability testing of the 802.21 standard, which improves the seamlessness of handovers (Section 4.2). 4. Two infill trials which focus on how to improve the user experience in those challenging conditions (Sections 7.2 and 7.3). 5. An interference study with Wi-Fi 2.4GHz for the newly allocated spectrum for 4G (Section 8.2). This thesis demonstrates some of the improvements required in current wireless networks to evolve towards 5G and achieve the coverage, service, user experience, latency and security requirements expected from the next generation mobile technology.

    Investigation of an intelligent personalised service recommendation system in an IMS based cellular mobile network

    Success or failure of future information and communication services in general, and mobile communications in particular, is greatly dependent on the level of personalisation they can offer. While the provision of anytime, anywhere, anyhow services has been the focus of wireless telecommunications in recent years, personalisation has gained more and more attention as the unique selling point of mobile devices. Smart phones should be intelligent enough to match the user's unique needs and preferences to provide a truly personalised service tailored for the individual user. In the first part of this thesis, the importance and role of personalisation in future mobile networks is studied. This is followed by an agent-based futuristic user scenario that addresses the provision of rich data services independent of location. Scenario analysis identifies the requirements and challenges to be solved for the realisation of a personalised service. An architecture based on the IP Multimedia Subsystem is proposed for mobility and to provide service continuity whilst roaming between two different access standards. Another aspect of personalisation, user preference modelling, is investigated in the context of service selection in a multi 3rd-party service provider environment. A model is proposed for the automatic acquisition of user preferences to assist in service selection decision-making. User preferences are modelled based on a two-level Bayesian Metanetwork. Personal agents incorporating the proposed model provide answers to preference-related queries such as cost, QoS and service provider reputation. This allows users to have their preferences considered automatically.

    Performance Analysis of Drive-thru Internet Access

    Drive-thru Internet is considered to be an important solution to provide Internet access for vehicles. By deploying cost-effective and high-bandwidth roadside WiFi networks, a vehicle can upload/download considerable data while driving through the coverage area, whereby a myriad of automotive applications can be employed, such as intelligent transportation systems and infotainment applications like video/audio streaming, webpage browsing, etc. However, the high mobility of vehicles leads to intermittent connections between a vehicle and roadside Access Points (APs), which cause Internet access delay and throughput degradation. In this thesis, we propose comprehensive modeling and analysis of drive-thru Internet access performance considering the overhead of the access procedure, which includes the steps of network detection, user authentication and network parameter assignment. We also consider the situation where a vehicle drives through multiple roadside APs' coverage areas and evaluate the performance of traffic offloading from cellular networks to roadside WiFi networks. Specifically, firstly, we develop an analytical model to study the dependency of the drive-thru Internet access delay on different factors, i.e., the wireless channel conditions, the number of co-associated WiFi clients, and the employed authentication mechanism, such as the WiFi Protected Access II (WPA2)-Pre-Shared Key (PSK) and the WPA2-802.1X modes. The access procedure is modeled as a discrete Markov chain to calculate the time to exchange all management frames and to evaluate the Internet access delay. The accuracy of the analytical model is studied via computer simulations, as well as experimental testing using Commercial Off-The-Shelf (COTS) WiFi products, together with a channel emulator that emulates the wireless channel conditions in a vehicular environment. Simulation and experiment results validate the accuracy of the proposed analytical model, which provides useful guidelines for future selection/development of suitable WiFi network access schemes in a vehicular environment. Secondly, we take a further step to analyze the throughput performance of drive-thru Internet access. The mobility of the vehicle is modeled as the transition through a series of zones in the coverage area, which are defined based on the relationship between the WiFi link rate and the distance between the AP and the vehicle. A three-dimensional (3D) Markov model is proposed to combine the zone transition process and the transmission of the management frames and calculate the average throughput under different numbers of co-associated WiFi clients, channel qualities and access protocols. Thirdly, we consider the case where the vehicle drives through multiple roadside WiFi networks and employs the Vehicle-to-Vehicle (V2V) assisted WiFi offloading mechanism, where nearby vehicles that are associated with different APs can use their idle WiFi resources to offload part of a peer's data traffic. The offloading performance is calculated by modeling the intermittent WiFi transmission as an M/G/1/K queueing process, and the performance gain of the V2V assistance is also analyzed. In summary, the research work in this thesis should provide guidelines for future research and development of drive-thru Internet.

    Securing SDN Southbound and Data Plane Communication with IBC


    Efficient Security Protocols for Fast Handovers in Wireless Mesh Networks

    Wireless mesh networks (WMNs) are gaining popularity as a flexible and inexpensive replacement for Ethernet-based infrastructures. As the use of mobile devices such as smart phones and tablets is becoming ubiquitous, mobile clients should be guaranteed uninterrupted connectivity and services as they move from one access point to another within a WMN or between networks. To that end, we propose a novel security framework that consists of a new architecture, trust models, and protocols to offer mobile clients seamless and fast handovers in WMNs. The framework provides a dynamic, flexible, resource-efficient, and secure platform for intra-network and inter-network handovers in order to support real-time mobile applications in WMNs. In particular, we propose solutions to the following problems: authentication, key management, and group key management. We propose (1) a suite of certificate-based authentication protocols that minimize the authentication delay during handovers from one access point to another within a network (intra-network authentication); (2) a suite of key distribution and authentication protocols that minimize the authentication delay during handovers from one network to another (inter-network authentication); and (3) a new implementation of group key management at the data link layer in order to reduce the group key update latency from linear time (as currently done in IEEE 802.11 standards) to logarithmic time. This contributes towards minimizing the latency of the handover process for mobile members in a multicast or broadcast group.

    Radio Communications

    In the last decades the restless evolution of information and communication technologies (ICT) has brought about a deep transformation of our habits. The growth of the Internet and the advances in hardware and software implementations have modified the way we communicate and share information. In this book, an overview of the major issues faced today by researchers in the field of radio communications is given through 35 high-quality chapters written by specialists working in universities and research centers all over the world. Various aspects are discussed in depth: channel modeling, beamforming, multiple antennas, cooperative networks, opportunistic scheduling, advanced admission control, handover management, system performance assessment, routing issues under mobility, localization, and web security. Advanced techniques for radio resource management are discussed for both single and multiple radio technologies, in infrastructure, mesh or ad hoc networks.

    Security and Privacy Issues in Wireless Mesh Networks: A Survey

    This book chapter identifies various security threats in wireless mesh networks (WMNs). Keeping in mind the critical requirement of security and user privacy in WMNs, this chapter provides a comprehensive overview of various possible attacks on different layers of the communication protocol stack for WMNs and their corresponding defense mechanisms. First, it identifies the security vulnerabilities in the physical, link, network, transport, and application layers. Furthermore, various possible attacks on the key management protocols, user authentication and access control protocols, and user privacy preservation protocols are presented. After enumerating various possible attacks, the chapter provides a detailed discussion on various existing security mechanisms and protocols to defend against and, wherever possible, prevent these attacks. Comparative analyses are also presented on the security schemes with regard to the cryptographic schemes used, key management strategies deployed, use of any trusted third party, computation and communication overhead involved, etc. The chapter then presents a brief discussion on various trust management approaches for WMNs, since trust- and reputation-based schemes are increasingly becoming popular for enforcing security in wireless networks. A number of open problems in security and privacy issues for WMNs are subsequently discussed before the chapter is finally concluded. Comment: 62 pages, 12 figures, 6 tables. This chapter is an extension of the author's previous arXiv submission: arXiv:1102.1226. There is some text overlap with the previous submission.

    Enhanced Quality of Experience Based on Enriched Network Centric and Access Control Mechanisms

    In the digital world, service provisioning in user-satisfying quality has become the goal of any content or network provider. Besides having satisfied and therefore loyal users, the creation of sustainable revenue streams is the most important issue for network operators [1], [2], [3]. The motivation of this work is to enhance the quality of experience of users when they connect to the Internet and request application services, as well as to maintain full service when these users are on the move in WLAN-based access networks. In this context, the aspect of additional revenue creation for network operators is considered as well. The enhancements presented in this work are based on enriched network-centric and access control mechanisms which are achieved in three different areas of network capabilities, namely network performance, network access and the network features themselves. In the area of network performance a novel authentication and authorisation method is introduced which overcomes the drawback of the long authentication time in the handover procedure required by the generic IEEE 802.1X process using the EAP-TLS method. The novel sequential authentication solution reduces the communication interruption time in a WLAN handover process from currently several hundred milliseconds to some milliseconds by combining WPA2 PSK and WPA2 EAP-TLS. In the area of usability a new user-friendly hotspot registration and login mechanism is presented which significantly simplifies how users obtain WLAN hotspot login credentials and log on to a hotspot. This novel barcode-initiated hotspot auto-login solution obtains user credentials through a simple SMS and performs an auto-login process that avoids the need to enter the user name and password on the login page manually. In the area of network features a new system is proposed which overcomes the drawback that users are not aware of the quality in which a service can be provided prior to starting the service. This novel graceful denial of service solution informs the user about the expected application service quality before the application service is started.