The plethora of Internet of Things (IoT) devices and their diversified requirements have led to the design of security mechanisms that cover all major security requirements. Wireless Local Area Networks (WLANs) are the most common network domains where IoT devices are launched, particularly because of their easy availability. Security, in other words authentication, however remains a major constraint for IoT-WLAN deployments. Though there are IoT-based authentication protocols prevailing, such protocols are either prone to threats such as perfect forward secrecy violations, insider-with-database-access attacks, traceability attacks, stolen device attacks and ephemeral secret leakage, or they consume excessive computational and communication resources that result in an unprecedented burden for the IoT system. This paper presents an Extensible Authentication Protocol (EAP) based mechanism for IoT devices deployed in a WLAN that addresses the above security issues and achieves cost-effectiveness. Validation follows informal and formal approaches (using GNY and BAN logic, and the Scyther verification tool) for the proposed protocol, demonstrating its robustness. Our performance analysis shows that the proposed protocol is lightweight and more secure in contrast to the state-of-the-art solutions. In addition, the performance of the proposed protocol subjected to unknown attacks is investigated, which shows that the proposed protocol has less overhead under unknown attacks than its competitors. A prototype of the protocol has been developed to demonstrate its feasibility and accuracy.
Several symmetric and asymmetric encryption based authentication protocols have been developed for wireless local area networks (WLANs). However, recent findings reveal that these protocols are either vulnerable to numerous attacks or computationally expensive. Considering the demerits of these protocols and the necessity to provide enhanced security, a lightweight extensible authentication protocol based authentication protocol for WLAN-connected Internet of Things devices is presented. We conduct an informal and formal security analysis to ensure robustness against the attacks. Furthermore, the empirical performance analysis and comparison show that the proposed protocol outperforms its counterparts, reducing computational, communication, storage costs, and energy consumption by up to 99%, 80%, 91.8%, and 98%, respectively. Simulation results of the protocol using NS3 and its overhead under unknown attacks demonstrate that the proposed protocol performs better in all scenarios. A prototype implementation of the protocol has also been tested to evaluate its feasibility in real-time applications.
In the renowned Internet of Things (IoT) networks, a vast number of devices with IP connectivity and constrained capabilities is expected. Due to their reduced resources they are the target of different types of attacks, and providing security has become a basic pillar for the success and evolution of IoT. Among the specific key security aspects are authentication, access control and key distribution for data protection. In particular, all these aspects are included in the process of bootstrapping, which allows a Smart Object to join a network domain in a secure fashion. This process, which indeed involves authentication, authorization, and key distribution, typically requires communication between the smart object and an entity, the Controller, in charge of steering the bootstrapping process within the network's domain. However, direct communication between both might be impeded, e.g., when the entity is unreachable by radio, or the smart object does not have a routable IP address until it is successfully authenticated and authorized to join the network. A common solution is to use an intermediate entity (the Intermediary) to aid in this task. For example, the ZigBee IP standard defines a relay for the Protocol for Carrying Authentication for Network Access (PANA). Moreover, the IETF is exploring the use of an intermediary to help this process. In this paper, we analyze, explore, and design an intermediary based on the Constrained Application Protocol (CoAP). We pay attention to authentication with the Extensible Authentication Protocol (EAP) and CoAP, which has resulted in a more constrained alternative to PANA for EAP-based bootstrapping in IoT. Nevertheless, our design of the CoAP-based intermediary is so general that it is independent of the authentication protocol in use.
In particular, we have analyzed as intermediary the usage of a CoAP proxy, as defined in the CoAP standard; alternatively, we have introduced the concepts of the CoAP relay and the CoAP stateless proxy. We evaluate the performance of each solution and compare them with each other and with the PANA relay.
It is necessary to authenticate users who attempt to access resources in Wireless Local Area Networks (WLANs). Extensible Authentication Protocol (EAP) is an authentication framework widely used in WLANs. Authentication mechanisms built on EAP are called EAP methods. The requirements for EAP methods in WLAN authentication have been defined in RFC 4017. To achieve user efficiency and robust security, lightweight computation and forward secrecy, excluded from RFC 4017, are desired in WLAN authentication. However, none of the EAP methods and authentication protocols designed for WLANs so far satisfy all of the above properties. This manuscript presents a complete EAP method that utilizes stored secrets and passwords to verify users so that it can 1) fully meet the requirements of RFC 4017, 2) provide for lightweight computation, and 3) allow for forward secrecy. In addition, we also demonstrate the security of our proposed EAP method with formal proofs.
The authentication mechanisms in Broadband Wireless Networks (BWN) are predominantly based on Extensible Authentication Protocol (EAP). However, the complexity of EAP causes an impediment in BWN networks which involve high-speed mobility. Even though it provides a highly secure mechanism, the current authentication process has high authentication overheads which affect the Quality of Service (QoS) in time-sensitive data applications such as VoIP and VoD. The alternative would be to consider a re-authentication approach which reduces the number of full EAP authentications but at the same time provides a secure handoff to the mobile users at a lower latency and hence does not impact the QoS of the applications. The proposed Frequency-based Re-authentication Protocol (FRP) is an extension to EAP, aiming to reduce the network access time and in turn reduce the authentication latency, by taking into account the frequency of visits of a particular mobile user to an access domain. In addition, we also propose a frequent User Authentication Process (f-UAP) which, when used with FRP, significantly minimizes the EAP authentication overhead. A mathematical model is formulated to illustrate the tradeoff achieved when FRP along with EAP is used in the f-UAP approach. The security evaluation of the proposed FRP is carried out using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Furthermore, simulation analysis shows that the FRP authentication latency is lower compared to the existing re-authentication mechanisms.
Since the 802.16e standard has been released, there are few authentication pattern schemes and Extensible Authentication Protocol (EAP) selection proposals for manufacturers to choose from in large-scale network systems. This paper focuses on the re-authentication method's design, improvement, and optimization for the PMP mode of the IEEE 802.16e standard in large-scale network systems to ensure the security of the keys. We first present an optimized scheme, called EAP_AKAY, based on the EAP-AKA authentication method (Arkko and Haverinen in Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement (EAP-AKA), 2004), and then a self-adaptive K selection mechanism is proposed for re-authentication load balancing based on EAP_AKAY in large-scale network systems. This presented mechanism considers the cost of authentication, not only at the server end, but also at the client end. Thus, this scheme would minimize the total cost and resolve the limitations of current schemes. Furthermore, the K value would be re-selected not only when the MS is roaming to another BS region, but also during its residing time, to adapt to network environment changes. The simulation results and relevant analysis demonstrate that our scheme is effective in terms of the total cost of authentication, master key renewal, and good security.
Multicast receiver access control by IGMP-AC. Islam, Salekul; Atwood, J. William. Computer Networks (Amsterdam, Netherlands: 1999), 05/2009, Volume 53, Issue 7. Journal Article, Peer reviewed.
IP multicast is best known for its bandwidth conservation and lower resource utilization. The present service model of multicast makes it difficult to restrict access to authorized End Users (EUs) or paying customers. Without effective receiver access control, an adversary may exploit the existing IP multicast model, where a host or EU can join any multicast group by sending an Internet Group Management Protocol (IGMP) join message without prior authentication and authorization. We have developed a novel, scalable and secure access control architecture for IP multicast that deploys Authentication, Authorization and Accounting (AAA) protocols to control group membership.
The principal feature of the access control architecture, receiver access control, is addressed in this paper. The EU or host informs the multicast Access Router (AR) of its interest in receiving multicast traffic using the IGMP protocol. We propose the necessary extensions of IGMPv3 to carry AAA information, called IGMP with Access Control (IGMP-AC). For EU authentication, IGMP-AC encapsulates Extensible Authentication Protocol (EAP) packets. EAP is an authentication framework that provides some common functions and a negotiation of the desired authentication mechanism. Thus, IGMP-AC can support a variety of authentications by encapsulating different EAP methods. Furthermore, we have modeled the IGMP-AC protocol in PROMELA and verified the model using SPIN. We have illustrated the EAP encapsulation method with an example EAP method, EAP Internet Key Exchange (EAP-IKEv2). We have used AVISPA to validate the security properties of the EAP-IKEv2 method in pass-through mode, which fits within the IGMP-AC architecture. Finally, we have extended our previously developed access control architecture to accomplish inter-domain receiver access control and demonstrated the applicability of IGMP-AC in a multi-domain environment.
802.1x Mechanism. Perez, André. Network Security, 2014, 2014-10-02. Book Chapter.
The 802.1x access control mechanism is deployed in the Local Area Network (LAN) implementing the following technologies: Ethernet technology and Wireless-Fidelity (Wi-Fi). The Extensible Authentication Protocol (EAP) Over LAN (EAPOL) protocol is exchanged between the supplicant and the authenticator. It initiates the supplicant's identity announcement and the capacities of each end. The EAPOL-Logoff message is transmitted without a message body. This message, transmitted by the supplicant, is used to terminate the 802.1x mechanism. After this message, the supplicant is no longer authenticated and its access to the LAN network is blocked. The EAP protocol is composed of a 4-byte header and possibly an EAP-Method message. The EAP-Method Notification message is used before or during the authentication phase. The RADIUS protocol is used for transporting EAP-Method messages between the authentication server and the authenticator.
Network Security. Designing and Developing Scalable IP Networks, 07/2004. Book Chapter.
This chapter contains sections titled:
Securing Access to Your Network Devices
Securing Access to the Network Infrastructure
Protecting Your Own and Others' Network Devices