In the modern era, the communication field has developed more rapidly than any other technology. Amid this rapid change and development, securing data is the primary objective in the communication field. In computer networking, this vulnerability can easily be exploited without the owners' knowledge. In both wired and wireless networks, keeping data protected and safe is a difficult and challenging task. Compared with a wired network, a wireless network is more vulnerable because of its technological nature: its transmissions can be intercepted quite easily. In the upcoming chapters we discuss the best way to secure wireless communication in detail.
1.1 PROBLEM STATEMENT
Static key management in wireless authentication methods exposes the network infrastructure to unmitigated threats. A hacker will make use of a vulnerability in the network's wireless authentication method to execute attacks such as Eavesdropping, Traffic Analysis, Masquerading, Replay, Message Modification, and Denial-of-Service (DoS). Performance, such as speed and load balancing, drops because of the encryption and decryption process in the wireless authentication method, and performance also depends on the IEEE 802.11 wireless network standard in use. Password management is a further problem: the administrator cannot change the password often for the whole wireless network, which also leads to vulnerability.
1.2 OBJECTIVE OF RESEARCH
The aim of the thesis is to give a detailed report on the vulnerability of the protocols used for authentication in wireless networks and to report on an advanced alternative secured authentication method for the wireless network.
1.2.1 GENERAL OBJECTIVES
The general objectives of the thesis are to understand the vulnerabilities of the protocols used for authentication in wireless networks and the hacking methods used against weaknesses in those protocols. Finally, the report concludes with a rectified solution for the authentication problem facing current and traditional wireless networks.
1.2.2 SPECIFIC OBJECTIVES
The specific objective is to create a detailed report on high security and performance in the wireless network infrastructure. This entails examining a Dynamic Key server against both security and performance standards. For security, the Dynamic Key server is examined against attacks such as Eavesdropping, Traffic Analysis, Masquerading, Replay, Message Modification, and Denial-of-Service (DoS). For performance, the throughput of the Dynamic Key server is analysed according to UDP payload bytes, number of packets, packet size and load balancing. This analysis is carried out on all the IEEE wireless standards considered, 802.11a, 802.11b and 802.11g. Finally, an intercomparison is carried out across all these IEEE 802.11 wireless standards to obtain the better performance result in the wireless network.
1.3 RESEARCH METHODS
At the start of a project, analysis is the most important task. For this research project, wireless user authentication methods and their vulnerabilities in WEP, WPA, EAP, LDAP and Dynamic WEP, and authentication techniques such as Open System Authentication and Shared Key Authentication, are analysed. The hacking attacks used against wireless networks, Eavesdropping, Traffic Analysis, Masquerading, Replay, Message Modification, and Denial-of-Service (DoS), are examined. For performance analysis, the throughput of the IEEE wireless standards 802.11a, 802.11b and 802.11g is examined in terms of UDP payload bytes, number of packets, packet size and load balancing.
In this project report, solutions and suggestions for wireless security are conveyed with a theoretical explanation of the technical methods and of the hardware that supports these techniques. Finally, the reader will come to know the security issues in traditional wireless infrastructure, the types of attack made by hackers, and how to overcome these issues with the security method provided by this report.
1.4 SCOPE AND LIMITATION OF THE RESEARCH WORK
This thesis report covers the vulnerabilities of the current and traditional wireless technology used in network infrastructure, and also covers the methods used to attack wireless networks. The authentication protocols WEP, WPA, EAP and LDAP all have static key management, where the key can be changed only by the administrator, and this static key authentication can easily be hacked with tools such as AirTraf, AirCrack and SSIDsniff. Dynamic WEP is a secured authentication protocol with dynamic key management, where the key is changed often and automatically by its Dynamic Key server. Server performance depends on the authentication protocol and the IEEE 802.11 wireless standard. This performance can be calculated from the throughput, which varies between the IEEE 802.11 wireless standards. The average performance of 802.11a will be 2.11Mbps, of 802.11b 0.62Mbps and of 802.11g 2.48Mbps. Compared with the Static Key server, the Dynamic Key server's performance increased by 25% for all the IEEE 802.11 wireless standards: 802.11a - 3.36Mbps, 802.11b - 0.79Mbps and 802.11g - 3.4Mbps. This thesis report concentrates mainly on the security level and performance of wireless network authentication, and it is limited with respect to the encryption standards within the authentication methods: the report only specifies the type of authentication method that can be more secure and provide high performance to the wireless network.
1.5 THESIS ORGANISATION
Chapter 1 is the background of the thesis, which states the introduction, problem statement, project objectives, research method, and scope and limitation of the thesis. Chapter 1 also describes the thesis organisation.
Chapter 2 is the Literature Review, which gives a detailed study of wireless security, authentication techniques, the vulnerability of current and traditional wireless technology, and attacks on wireless networks in the network infrastructure.
Chapter 3 is the Design of System, which states the physical and logical design of the thesis. Chapter 3 also discusses the hardware and software requirements for carrying out the project.
Chapter 4 is System Implementation, which discusses current security measures and key management in the authentication process.
Chapter 5 is the Experimentation chapter, which covers the research and analysis of a highly secured and best-performing server for the wireless network.
Chapter 6 is Analysis of Experiment Results, where the results obtained from the research and experiments carried out are analysed.
Chapter 7 is Comparison of the Work against Previous Work, in which this report's work is compared with other related reports in the same area.
Chapter 8 is the Conclusion, where the suggestions of my work towards the public and its contribution to the thesis are discussed.
Chapter 9, Future Work, suggests future enhancements of the security measures in mobile.
In this introduction chapter we have discussed the problem statement, aim and objectives of the project, research methods, scope and limitation, and thesis organisation. In the following chapters we look at this project in detail.
2. LITERATURE REVIEW
A decade ago, wired networks were used to connect all the computers in an organisation, forming what is called a Local Area Network (LAN). A wired LAN has restrictions: the workstations must stay in a fixed position and cannot move. Wireless LAN, which works using spread spectrum, was introduced to replace this traditional networking. In industrial communication, information must be confidential and cannot be shared with just any person in the organisation; with the vulnerability of wireless communication, confidential communication can be hacked without the knowledge of the communicating parties on the network. In this chapter we discuss the vulnerability and performance of wireless networks.
2.1 AUTHENTICATION METHODS
Authentication methods connect the wireless clients and the base station in a secured way by providing a key. This key is then used for encryption and decryption of the communication between them.
2.1.1 WIRED EQUIVALENT PRIVACY (WEP)
Wired Equivalent Privacy is a security protocol used in wireless LANs (WLAN). WEP is designed to offer the same level of security as is found in a wired LAN. A wired LAN has external security such as firewalls and more to keep intruders out of the network, but a WLAN uses radio waves to transmit and receive information, which intruders can easily hack. So WEP was developed to secure wireless transmission by encryption and decryption. WEP is implemented in the last two layers of the Open Systems Interconnection reference model (OSI model), the DATA LINK LAYER and the PHYSICAL LAYER. Later it was found that WEP is not secure for wireless communication.
In WEP encryption and decryption, a shared secret 40- or 64-bit key is used for data transmission. The access point encrypts the data and sends it to the workstation, where the station uses the same key to decrypt the data; this works only when the access point and the workstation are manually configured with the same key. WEP is part of the 802.11 protocols. Later, WEP was found to be insecure for wireless transmission because of its static key: the same key is used for encryption and decryption of all data packets. This lets a hacker collect enough packets to find the key streams shared across data packets, which leads to the WEP network being hacked easily.
2.1.1.1 WEP AUTHENTICATION
WEP provides two types of authentication method; they are:
- Open System Authentication
- Shared Key Authentication
2.1.1.1.1 Open System Authentication
This is a null authentication, the default service provided by WEP: the client sends an authentication request to the access point, and the access point authenticates the client. Finally, the client associates with the access point.
2.1.1.1.2 Shared Key Authentication
Shared key authentication is the sharing of a secret key between the access point and the client station. This key authenticates the workstation to join the network. The shared key is stored in the management information base (MIB) of the access point in a write-only format, and it is used by the WEP mechanism.
The process of the shared key authentication method:
- The workstation sends an authentication request to the access point.
- The access point replies with a challenge text generated by the WEP encryption engine using its pseudorandom number generator (PRNG).
- The workstation then encrypts the challenge text with the shared key and sends it back to the access point.
- The access point then decrypts the text with the same shared key and compares it with the text it sent earlier; if the texts are equal, the association with the network proceeds, otherwise the request is denied.
2.1.2 Wi-Fi PROTECTED ACCESS (WPA)
Wi-Fi Protected Access is an improved security feature for data protection and access control in wireless LAN networks; the upgraded version of WEP is called WPA. WPA is improved with security and extended features compared to the older WEP; they are:
- Improved Data Encryption
- Robust key management
- User Authentication
- Data Integrity
2.1.2.1 Key Features of WPA Security
These are the features included in WPA security:
- WPA Network Authentication
- WPA Key Management (Encryption)
- Temporal Key Integrity Protocol (TKIP)
- Michael message integrity code (MIC)
- AES Support
- Support both WPA and WEP clients
2.1.2.2 WPA Authentication:
WPA requires the EAP authentication method to implement its security feature. EAP prevents 802.1X ports from granting full access to the network until the authentication process is complete.
2.2 PERFORMANCE OF IEEE 802.1X STANDARDS
The 802.1x standards are defined by the Institute of Electrical and Electronics Engineers (IEEE) for wireless networking operations. At present, Access Points (AP) for wireless networking use the 802.11 standards designed by the IEEE. 802.11 has different types: 802.11a, 802.11b, 802.11g and 802.11n. These different standards have different characteristics. Below Table column
2.3 WEAKNESSES IN WIRELESS NETWORK
These are the most serious wireless network issues, which can affect the whole network infrastructure.
a) SIMPLE ACCESS
A wireless network can easily be found with any 802.11 card, and this helps people outside the network to associate with the wireless LAN. Beacons are special frames with which 802.11 broadcasts its presence across the campus. Beacon frames have no security function, so they make the network available to every user around. This problem can be solved by providing strong access control and an encryption solution.
b) WEAKNESS IN ACCESS CONTROL
This weakness is based on the access point used in the wireless network; two weaknesses are found in access points: (i) Lucent's proprietary access control and (ii) Ethernet MAC address access control lists.
i. Lucent's proprietary access control
Sharing a secret key in wireless network communication brings a strongly secured network. In Lucent's proprietary access control, the Service Set Identifier (SSID), or network name, is transferred with the messages between the client workstation and the access point. This lets a hacker break into the secured network by sniffing the network name and its shared key.
ii. Ethernet MAC Address Access Control Lists
An access control list provides strong security only when it is based on a strong identity. A Medium Access Control (MAC) address cannot form a strong access list, because the MAC address can easily be sniffed from the wireless network. The access point communicates with the client workstation using the MAC address of the wireless card, and while communicating with the client workstation the MAC address is sent with the message. A hacker can therefore easily find the MAC address by eavesdropping and, with the option of changing the MAC address of his wireless card, can get access to the secured network.
c) MESSAGE LEVEL INTEGRITY CHECKS
WEP does not perform message integrity checking; it secures the packet only by encrypting it. The following issues lead to an insecure wireless network:
- Cryptographic integrity of messages is not available in the 802.11 protocols. 802.11 accepts the MAC address delivered by a STAtion (STA) device such as an Access Point (AP) or client workstation. A hacker can easily hijack an authenticated STA, since there is no per-packet cryptographic integrity check, and can send virus packets into the network using the MAC address and IP address of a workstation within the network that was left by the STAtion (STA).
- A workstation can act as an access point when it has an Extended Service Set (ESS). The other workstations in the network will associate with this fake STA.
- A Denial-of-Service attack against a station can be made because of the lack of a message integrity service.
- An encrypted packet can be replaced by the hacker, by decrypting it with 802.11 and presenting it as a valid frame.
d) RADIUS SHARED SECRET ISSUE
A static secret key is used for authentication between the Access Point (AP) and the RADIUS authentication server (AS). In the static secret key authentication method, the secret key is rarely changed manually by the user or the administrator. This type of authentication method helps a hacker to hack the network by different hacking methods such as eavesdropping, man-in-the-middle attacks and many more; we discuss the types of attack later in this chapter.
e) WLAN PACKET PROTECTION
In a WLAN, authentication between the access point and the workstation is the first access control, and encryption is optional for privacy. As discussed before, WEP has only packet encryption. Types of attack on WLANs were published on the internet in December 2000, and by mid-2001 source code for the attacks had been published on the internet.
2.3 TYPES OF ATTACK IN WIRELESS NETWORK
There are two types of threat that can affect the wireless network. The chart below shows the sub-division of the attacks.
2.3.1 PASSIVE ATTACKS
An attack that does not change the content on the network is called a passive attack. There are two types of passive attack: Eavesdropping and Traffic Analysis.
a) Eavesdropping
The attacker always listens to the communication between the access point and the client workstation in the WLAN, and then attacks the wireless network using the collected packets.
b) Traffic Analysis
The attacker gets sufficient information from monitoring the traffic between the access point and the client workstation to easily understand the pattern of the communication. This is possible by monitoring the sequence of the communication.
2.3.2 ACTIVE ATTACKS
An attack in which files, packets, messages or the data stream are modified after the network has been attacked is known as an active attack. This type of attack can be recognised and defended against. There are four types of active attack: (i) Masquerading, (ii) Replay, (iii) Message Modification and (iv) Denial-of-Service (DoS).
I. Masquerading
Masquerading is a communication security issue where the attacker acts as an authorised user of the wireless network to obtain an authenticated connection to it. A masquerading attack may be carried out by stealing a username and password or by attempting a connection through a security hole in the wireless network. This type of attack is only possible with a weak authentication mechanism.
II. Replays (Man-in-the-middle)
A replay or man-in-the-middle attack on a wireless network is much easier for the attacker than on a wired network. This attack is carried out with the help of eavesdropping and some calculation.
In a replay or man-in-the-middle attack, the attacker collects the encrypted message from the sender. Then the attacker replays the same message to the receiver without any modification such as decryption. The risk here is that the attacker sends the same data to the receiver and gains the same privileges the sender has. The attacker can act as administrator for the whole system.
</gr_replreplace>
<gr_replace lines="99" cat="clarify" orig="Message Modification is also">
Message modification is also called a cut-and-paste attack: the attacker replaces the encrypted data with other encrypted data that looks the same as the original, which yields invalid data when it is decrypted. This type of attack affects the integrity of the data communication.
III. Message Modification (cut-and-paste attack)
Message Modification is also called as a cut-and-paste attack, where the attacker will modify the encrypted data with other encrypted data which looks same as the original encrypted data, which leads to invalid data when it's decrypted. This type of attack will affect the integrity of the data communication.
IV. Denial-of-service (DoS)
A Denial-of-Service (DoS) attack is based on the OSI layer. A DoS attack is much easier on wireless than on wired networks, because the DoS attack works at the physical layer. The physical layer of wireless is the air, so anyone can attack easily without entering the building. First the attacker creates more traffic in the wireless network.
A second type of DoS attack uses the data link layer. The common way of attacking at the data link layer is through the directional diversity of access points. Using the data link layer, the attacker attacks by cloning a user's MAC address that faces one of the diversity access point antennas. By raising the attacker's signal to equal the user's signal, the attacker gains access to the user's session through the directional diversity access point antennas. Spoofing is another type of data link layer DoS attack, where the attacker spoofs the Service Set Identifier (SSID) of the access point, and the clients automatically associate with the attacker's wireless network. The attacker then collects information by capturing packets, and from these packets finds the WEP key used for encryption and decryption in the wireless network.
In this chapter we have discussed the weaknesses of wireless authentication and the related topics that this thesis analyses. In later chapters the same topics are examined in detail.
3. DESIGN OF SYSTEM
System design defines the specific requirements of the project in the form of a feasibility report. There are two system designs, logical and physical. The logical design defines the structure, such as the input and output files. The physical design defines the software, the hardware and the flow of the logical design.
3.1 LOGICAL DESIGN
Transferring data is the input, and the average throughput of the data transfer is the output. Throughput is calculated from UDP payload bytes, number of packets, packet size and load balancing. This analysis is repeated for all the IEEE standards 802.11a, 802.11b and 802.11g until the best result is attained. The diagram below shows the logical design:
3.2 PHYSICAL DESIGN
In the physical design, the Dynamic Key server acts as the input device, sending data to the wireless clients attached to its network. A Cisco 1200 series Wireless Access Point is configured to the IEEE standards. These standards are changed according to the experiment to obtain the throughputs. The final throughput for each IEEE standard is the output.
In this chapter we have discussed the logical and physical design of the system with a flow diagram and a diagram comparing the physical and logical design. System requirements such as hardware and software are also discussed.
4. SYSTEM IMPLEMENTATION
System implementation is the set of procedures that prepares a new system for its users. This research thesis aims to provide a secured and well-performing network to users. This chapter discusses the current security measures and key management in the authentication process.
4.1 INTRODUCTION TO ENCRYPTION AND DECRYPTION
Encryption and decryption are the basic requirements of security. In wireless networking, encryption and decryption are widely used in all types of communication. Encryption is the process that changes plain text into incoherent and unreadable cipher text using a mathematical algorithm and a secret key. Decryption is the reverse process, using the same mathematical algorithm and secret key. The collective process of encryption, decryption, mathematical algorithm and secret key is called a cryptographic system or cryptosystem. The diagram below illustrates the cryptographic system.
There are two basic requirements of cryptography:
- Obtaining the plaintext from the cipher text should be impossible without the decryption key
- Obtaining the cipher text from the plaintext should be impossible without the encryption key
There are two basic cryptographic systems; they are:
- Symmetric Key commonly known as public key
- Asymmetric Key commonly known as private key
4.1.1 Symmetric Key
A symmetric key system uses one secret key shared between the two transmitting nodes. The same key is used for both encryption and decryption of the communication data between the nodes. Wired Equivalent Privacy (WEP) uses this technique for encryption and decryption in all types of 802.11 protocol. The key given by the network administrator to the Access Point (AP) acts as the secret key for encryption and decryption. The same key is used for association between the wireless workstation and the access point. When a hacker finds the association key, he can easily decrypt the secret communication within the network by a spoofing technique.
In the wireless network, a stream cipher generator is used for bit-by-bit encryption of data. This stream cipher generator works according to its algorithm. In WEP the stream cipher generator is combined with the RC4 algorithm to encrypt the packet, and it is called the RC4 stream cipher. A 64-bit RC4 key encrypts each packet with the help of the RC4 stream cipher generator. A 24-bit IV and a 40-bit WEP key are combined to form the RC4 key.
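As an added example that is not part of the thesis, the following Python simulates the RC4 stream cipher and the 24-bit IV plus 40-bit key framing described here, and uses them to run the four-step shared key authentication exchange described under WEP authentication in chapter 2; the RC4, WEP framing, station and access point code, the constructed key and the IV-reuse check are this example's own.

```python
import os
import zlib
from typing import Callable, Dict, List, Optional

IV_LEN, KEY_LEN, ICV_LEN, CHALLENGE_LEN = 3, 5, 4, 128

def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 stream cipher generator: key scheduling (KSA) followed by PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, wep_key: bytes, plaintext: bytes) -> bytes:
    """WEP body: IV || key-id || RC4(IV || 40-bit key)(plaintext || ICV).
    The 64-bit RC4 key is the 24-bit IV followed by the static 40-bit WEP key;
    the ICV is the CRC-32 of the plaintext, carried little-endian as in 802.11."""
    assert len(iv) == IV_LEN and len(wep_key) == KEY_LEN
    icv = zlib.crc32(plaintext).to_bytes(ICV_LEN, "little")
    keystream = rc4_keystream(iv + wep_key, len(plaintext) + ICV_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext + icv, keystream))
    return iv + b"\x00" + body  # key-id 0: the first of the four default keys

def wep_decrypt(wep_key: bytes, frame: bytes) -> Optional[bytes]:
    """Decrypt with the same static key; None when the ICV does not verify."""
    iv, body = frame[:IV_LEN], frame[IV_LEN + 1:]
    keystream = rc4_keystream(iv + wep_key, len(body))
    plain = bytes(c ^ k for c, k in zip(body, keystream))
    data, icv = plain[:-ICV_LEN], plain[-ICV_LEN:]
    if zlib.crc32(data).to_bytes(ICV_LEN, "little") != icv:
        return None
    return data

class AccessPoint:
    """Access point side of the four-step Shared Key Authentication."""

    def __init__(self, wep_key: bytes, rng: Callable[[int], bytes] = os.urandom):
        self.wep_key, self.rng = wep_key, rng
        self.pending: Dict[str, bytes] = {}  # outstanding challenge per station

    def on_auth_request(self, station_mac: str) -> bytes:
        """Step 2: answer the request with a 128-octet challenge text drawn from
        the WEP PRNG (the RC4 generator seeded with a fresh random value)."""
        challenge = rc4_keystream(self.rng(8), CHALLENGE_LEN)
        self.pending[station_mac] = challenge
        return challenge

    def on_auth_response(self, station_mac: str, frame: bytes) -> bool:
        """Step 4: decrypt with the shared key; authenticate only if the recovered
        text equals the challenge that was sent to this station."""
        expected = self.pending.pop(station_mac, None)
        return expected is not None and wep_decrypt(self.wep_key, frame) == expected

class Station:
    """Client workstation side of the exchange."""

    def __init__(self, mac: str, wep_key: bytes, rng: Callable[[int], bytes] = os.urandom):
        self.mac, self.wep_key, self.rng = mac, wep_key, rng

    def on_challenge(self, challenge: bytes) -> bytes:
        """Step 3: encrypt the challenge text with the shared key and a fresh IV."""
        return wep_encrypt(self.rng(IV_LEN), self.wep_key, challenge)

def shared_key_authentication(station: Station, ap: AccessPoint) -> bool:
    """Steps 1 to 4; True means the station may go on to associate."""
    challenge = ap.on_auth_request(station.mac)  # step 1 (request) and step 2
    response = station.on_challenge(challenge)  # step 3
    return ap.on_auth_response(station.mac, response)  # step 4

def reused_ivs(frames: List[bytes]) -> Dict[bytes, int]:
    """Defender-side check over captured WEP frames: IVs seen more than once.
    Because the key is static, two frames with the same IV were encrypted with
    the same RC4 keystream, and the 24-bit IV space guarantees such repeats on
    a busy network; this is what makes the static key the weakness."""
    counts: Dict[bytes, int] = {}
    for frame in frames:
        counts[frame[:IV_LEN]] = counts.get(frame[:IV_LEN], 0) + 1
    return {iv: n for iv, n in counts.items() if n > 1}
```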
4.1.2 Asymmetric Key
Asymmetric key systems use a different method: one key is used for data encryption and another key for data decryption. These two keys are unrelated to each other; it is difficult to relate them and impossible to find one key from the other. One of them is called the public key and the other the private key. The public key is used to encrypt the data and the private key to decrypt it.
4.2 ENCRYPTION IN WIRELESS NETWORK
Secured communication between two wireless stations is possible with a suitable encryption method. The data encryption process is done by the sending station and the decryption process by the receiving station. Encryption protects all data transferred from one station to another against eavesdropping.
There are two types of encryption in the network: end-to-end encryption and link layer encryption. The diagram below shows how these two layers work in the network.
Combining end-to-end encryption and link layer encryption makes the wireless network more secure. The communicated information, the data, is encrypted using end-to-end encryption at the host. Link layer encryption then takes care of the transport of the data. The data is fully protected because the client station can read only the header information and not the data.
4.3 KEY MANAGEMENT AND AUTHENTICATION
There are two methods of key management for 802.11 WEP. The first method is four keys entered manually in Windows. Any one of the four keys is used by the client workstation or the access point for encryption and decryption. This type of key management limits secured communication to the four keys provided by the user or administrator, and these are called default keys. The Key Mappings Table is the second method used in WEP key management. In this method each individual wireless station, identified by its MAC address, can own a separate key. According to the 802.11 standards the Key Mapping Table should hold ten keys, and the maximum depends on the chip used in the wireless station. The problem with this key management is that the key is changed manually.
WPA is the new authentication method in wireless networks. The Wireless Ethernet Compatibility Alliance (WECA) developed a temporary solution for wireless security known as Wi-Fi Protected Access. In authentication key management, authentication between the client workstation and the authentication server is done by EAP-TLS, which generates a Pairwise Master Key (PMK). The PMK is used directly as the pre-shared key when WPA-PSK is the authentication management.
4.4 NETWORK ACCESS CONTROL SERVER
An Access Control Server (ACS) connects the client user and the server by a secured authentication method, after which the client user can access the network for data transfer and communication in a secured way. Generally the Access Control Server is used for security purposes, to prevent intruders or hackers from logging in to the network, in both wired and wireless networks. Since wireless is the weaker in terms of security, the Access Control Server is used.
4.4.1 Objective of Access Control Server
The main goal of access control is to prevent the entry of intruders and hackers and to guard the data (its confidentiality), the resources, the infrastructure and integrity. The access control server protects both wired and wireless networks. The access control server guards the network against unauthorised user entry, not only from outsiders but also from less-authorised users. This helps data integrity, so that modifications are not made by internal users or by external users such as hackers and intruders.
4.4.2 Types of Access Control
There are four types of access control:
1. Discretionary access control systems
2. Mandatory access control systems
3. Role-based access control systems
4. Rule-based access control systems
A discretionary access control system is created by the owner of the network, where the authorised user can enter the network and make modifications to information and data. Users who use unauthorised machines such as laptops and other systems are restricted.
A mandatory access control system does not give the owner permission to grant modification of the network or of the data. Such modification can only be done by the administrator, who can grant permission to other users to make modifications.
A role-based access control system permits a user to access the system only according to the user's designated role in the organisation. This access can apply to an individual or to a group.
A rule-based access control system grants a user permission to access the system only when the user matches the pre-programmed configuration of the system. These rules can be based on IP address, domain name, host or another network.
4.4.3 Access Control Technologies
There are many access control technologies that help with access control authentication. The most common technologies in access control authentication are passwords, encryption and smart cards, among others. Since access control is used in network technology, encryption is used for secured authentication.
4.5 SECURITY PROTOCOLS
4.5.1 AAA Protocol
The AAA protocol is an IP-based network access control protocol for network users that works in three ways: authentication, authorization and accounting.
Authentication is a security method to identify a user by some means, usually a username and password. Authentication is the method for confirming that the user is genuine, where the username and password are set by the users.
Authorization is a security method for granting or denying the user network access. The user can authenticate by username and password. This may change according to the access control rules discussed earlier in this chapter.
Accounting is the process of tracking the users' behaviour on the network; this process also tracks information such as the duration of the user's session on the network, the files accessed and the amount of file transfer on the network resources. The accounting process is used for analysis and for cost allocation such as billing.
4.5.2 RADIUS protocol
The Remote Authentication Dial In User Service (RADIUS) protocol is a client-server protocol that provides secured centralised authentication and authorization between the client and the server. In this topic we analyse the User-Password attribute of the RADIUS protocol.
4.5.3 RADIUS protocols packets
The RADIUS client should match the RADIUS response to its request by an identifier, an octet value generated by an MD5 hash with the secret shared with the server. If the identifier matches, RADIUS responds. Here the username and password attributes carry a random number in the attribute field of the RADIUS packet, and the RADIUS protocol works according to the attribute. The diagram below shows the packet structure and
4.5.4 Client Request Processing
When a client needs a connection with the server, an Access-Request packet is created with the username and password attributes. The identifier field is generated by the client, not by the protocol, for the server. The Access-Request packet has a 16-octet authenticator in the authenticator field, generated by an MD5 hash. In this packet, only the username and password are protected.
4.5.5 Server Response Processing
When the RADIUS Access-Request reaches the server, the server verifies the shared key for the client; if it does not match, the packet is dropped, and if it matches, processing moves to the next level. At the next level the username and password are verified: if the password matches, the server sends an Access-Accept packet, and if the password does not match, the server sends an Access-Reject packet to the client.
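As an added example that is not the thesis's own code, the following Python carries the client request processing and server response processing just described through one Access-Request exchange, using the RFC 2865 User-Password hiding (MD5 of the shared secret chained from the Request Authenticator) and the Response Authenticator the client checks on the reply; the packet builder, the user table, the shared secrets and the identifier value are constructed for this example.

```python
import hashlib
import hmac
import os
import struct
from typing import Callable, Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3  # RADIUS packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2  # attribute types
HEADER = struct.Struct("!BBH")  # code, identifier, length; a 16-octet authenticator follows

def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """User-Password hiding (RFC 2865, 5.2): pad with NULs to a multiple of 16 octets,
    then XOR each block with MD5(secret || previous block); the "previous block"
    of the first block is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        hidden += prev
    return bytes(hidden)

def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side of the same chain; only a holder of the shared secret can do this."""
    plain, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return bytes(plain).rstrip(b"\x00")

def encode_attrs(attrs: List[Tuple[int, bytes]]) -> bytes:
    """Attribute = type (1 octet) | length including this header (1 octet) | value."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)

def decode_attrs(data: bytes) -> Dict[int, bytes]:
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs

def parse_packet(pkt: bytes) -> Tuple[int, int, bytes, bytes]:
    code, ident, length = HEADER.unpack(pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("bad length")
    return code, ident, pkt[4:20], pkt[20:length]

def response_authenticator(code: int, ident: int, req_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code | ID | Length | RequestAuth | Attributes | Secret), RFC 2865 section 3."""
    return hashlib.md5(HEADER.pack(code, ident, 20 + len(attrs)) + req_auth + attrs + secret).digest()

def client_access_request(secret: bytes, ident: int, username: bytes, password: bytes,
                          rng: Callable[[int], bytes] = os.urandom) -> Tuple[bytes, bytes]:
    """Client request processing: the client picks the identifier and a 16-octet Request
    Authenticator (unpredictable, unique per request) that also seeds the password hiding."""
    req_auth = rng(16)
    attrs = encode_attrs([(ATTR_USER_NAME, username),
                          (ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))])
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def client_check_response(secret: bytes, ident: int, req_auth: bytes, pkt: bytes) -> Optional[int]:
    """Accept a reply only if its identifier matches the outstanding request and its
    Response Authenticator verifies under the shared secret; otherwise ignore it (None)."""
    code, r_ident, r_auth, attrs = parse_packet(pkt)
    expected = response_authenticator(code, r_ident, req_auth, attrs, secret)
    if r_ident != ident or not hmac.compare_digest(r_auth, expected):
        return None
    return code

def server_handle(secret: Optional[bytes], users: Dict[bytes, bytes], pkt: bytes) -> Optional[bytes]:
    """Server response processing. `secret` is the shared secret configured for the
    sending client, or None when the client is unknown, in which case the request is
    silently dropped; otherwise the password is recovered and compared, and
    Access-Accept or Access-Reject is returned with a verifiable Response Authenticator."""
    if secret is None:
        return None
    code, ident, req_auth, attr_bytes = parse_packet(pkt)
    if code != ACCESS_REQUEST:
        return None
    attrs = decode_attrs(attr_bytes)
    user, hidden = attrs.get(ATTR_USER_NAME), attrs.get(ATTR_USER_PASSWORD)
    ok = False
    if user in users and hidden and len(hidden) % 16 == 0:
        ok = hmac.compare_digest(reveal_password(secret, req_auth, hidden), users[user])
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return build_packet(reply, ident, response_authenticator(reply, ident, req_auth, b"", secret), b"")

def authenticate(secret: bytes, users: Dict[bytes, bytes], username: bytes, password: bytes) -> Optional[int]:
    """One complete exchange between a client and a server that share `secret`."""
    ident = 0x2A  # identifier chosen by the client; constructed value
    request, req_auth = client_access_request(secret, ident, username, password)
    reply = server_handle(secret, users, request)
    return None if reply is None else client_check_response(secret, ident, req_auth, reply)
```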
4.6 RADIUS SERVER
Remote Authentication Dial In User Service (RADIUS) is used to pass user configuration between two servers, the RADIUS server and the Network Access Control server, by means of a secured authentication and authorization method. The RADIUS protocol connects the RADIUS server and the user clients, and the RADIUS server holds the list of client usernames and passwords. The RADIUS server shares a key with the client for encryption of the username and password. The topic below gives a brief description of the RADIUS server.
Security server protocols are standard internet protocols that provide centralised authentication, account management and IP management services for remote client access to a network. In this chapter we discuss one of the security protocols used in the project, the Remote Authentication Dial In User Service (RADIUS). Since RADIUS has centralised authentication management, the database of usernames and passwords is stored and maintained in the system.
When a client is authenticated by the RADIUS server, the client is called a RADIUS client. In communication between the RADIUS server and a RADIUS client, services are first authenticated and the communication is encrypted with the shared secret key. This key is not transmitted during the communication.
4.6.1 RADIUS Background
Remote Authentication Dial In User Service (RADIUS) is an access control server that uses the AAA protocol for its security services, as it helps deny network access to unauthorized users. There are three mechanisms wrapped together in RADIUS:
- A frame format protocol
- A server
- A client
4.6.2 Client/Server Model
RADIUS follows a client/server model for its authentication and authorization, where the network access server (NAS) acts as the RADIUS client and is responsible for transferring client information to the RADIUS server. The RADIUS server then sends back configuration information for the client if the user is authorized; if not, access is denied by the RADIUS server. The RADIUS server can also act as a proxy server for the user client when the user has to be authorized by another server.
4.6.3 Network Security
Authentication of communication between the RADIUS server and the client is done with the shared key, which is never transferred over the network between them. In addition, the username and password are sent encrypted between the RADIUS server and the client, which reduces the possibility of snooping the username and password on both secured and unsecured networks.
4.6.4 RADIUS Authentication Mechanisms
The RADIUS server handles different authentication methods to authenticate a user who provides a username and password manually. The methods are Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Point-to-Point Protocol (PPP), UNIX login and other types of authentication.
4.6.5 Packet Encryption
While an Access-Request is transferred from the client to the RADIUS server, only the username and password are encrypted and the rest of the information is unencrypted, since the RADIUS server uses the RADIUS protocol.
4.6.6 RADIUS Authorization
When a client sends an Access-Request to the RADIUS server, the RADIUS server replies with an Access-Accept packet carrying authorization information for the client; in this way the RADIUS server combines authentication and authorization.
In this chapter we have seen the encryption and decryption of wireless LAN, the transfer of keys between the wireless station and the wireless client, keystreams, end-to-end encryption, link layer encryption, the RADIUS server and its protocols.
The experimentation chapter is about the research and analysis of a highly secured and best performing server for the wireless network. In this chapter the characteristics and functions of a server that help the performance of dynamic key authentication are examined. Server performance is examined with a RADIUS server that supports dynamic keys, by transferring data from the server to the wireless client. In the previous chapter we went through encryption, decryption, security techniques, key management and authentication.
5.1 DYNAMIC KEY EXCHANGE AND AUTHENTICATION
Authorization of a user in a wireless network is very important, because a hacker or intruder can compromise the whole system without the knowledge of the administrator or the user. In the previous chapter we saw the types of attacks on wireless networks. These attacks are executed on the encrypted packets transferred from the wireless client node to the access point under static key encryption. The hacker collects a sufficient number of packets by eavesdropping and can then find the static key with cracking tools run over the collected packets. This happens only because the encryption key is static. A dynamic key generator that exchanges the key per session and per node gives secured encryption and decryption between the wireless client node and the access point, with the same infrastructure and authentication method, and so makes the network more secure. There are two types of authentication method:
- Per-Session Authentication
- Per-Node Authentication
5.5.1 Per-Session Authentication
In per-session authentication, when a user completes the first session of communication with the access point, the key generated by the wireless client node expires. When the wireless client communicates with the access point a second time, for another session, the access point replies with a second random number generated by the MD5 hash. The wireless client node generates a key from that random number and sends it back to the access point. This repeats for every session in which the wireless node communicates with the access point.
5.5.2 Per-Node Authentication
In per-node authentication, when a number of nodes communicate with the access point for authentication, the access point replies to every node with a unique random number generated by the MD5 hash. All nodes reply with the key produced by their generator. Finally the access point checks the key from each node against its key list; if the keys match, the access point authenticates the node, otherwise access is denied.
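A small model of the per-session and per-node procedure above, added here and not the thesis's code. The key generator is an assumption (HMAC-SHA256 over the access point's random number, keyed with a secret each node shares with the access point), since the thesis does not fix the algorithm; the node names and secrets are constructed.

```python
"""Added example, not the thesis's code: a model of per-session and per-node
dynamic key authentication. The generator (HMAC-SHA256 keyed with a per-node
secret) is an assumption; the thesis does not fix the algorithm."""
import hashlib
import hmac
import os


def derive_session_key(node_secret: bytes, challenge: bytes) -> bytes:
    """Node side: the AP's random number becomes a key good for one session only."""
    return hmac.new(node_secret, challenge, hashlib.sha256).digest()


class AccessPoint:
    """Holds the key list (node id -> long-term secret) and per-session state."""

    def __init__(self, key_list: dict):
        self.key_list = dict(key_list)
        self.pending = {}        # node id -> random number issued for the open session
        self.spent_keys = set()  # session keys already used; each is valid once

    def start_session(self, node_id: str) -> bytes:
        """Per-node: every node gets its own fresh random number for each session."""
        if node_id not in self.key_list:
            raise KeyError(f"unknown node {node_id}")
        challenge = os.urandom(16)
        self.pending[node_id] = challenge
        return challenge

    def authenticate(self, node_id: str, session_key: bytes) -> bool:
        """Compare the returned key with the one the key list predicts; refuse expired keys."""
        challenge = self.pending.pop(node_id, None)
        if challenge is None or session_key in self.spent_keys:
            return False
        expected = derive_session_key(self.key_list[node_id], challenge)
        if not hmac.compare_digest(expected, session_key):
            return False
        self.spent_keys.add(session_key)  # the key expires with its session
        return True


def run_scenario() -> dict:
    """Constructed scenario: two nodes, a valid session each, a re-used expired
    key, and a key derived with the wrong node's secret. Returns each outcome."""
    key_list = {"node-A": b"constructed-secret-A", "node-B": b"constructed-secret-B"}
    ap = AccessPoint(key_list)
    out = {}
    ch1 = ap.start_session("node-A")
    key1 = derive_session_key(key_list["node-A"], ch1)
    out["a_first_session"] = ap.authenticate("node-A", key1)
    # Second session: a new random number, so the first session's key must not work.
    ap.start_session("node-A")
    out["a_reuses_expired_key"] = ap.authenticate("node-A", key1)
    ch2 = ap.start_session("node-A")
    key2 = derive_session_key(key_list["node-A"], ch2)
    out["a_second_session"] = ap.authenticate("node-A", key2)
    out["a_session_keys_differ"] = key1 != key2
    # Per-node: B's random number answered with A's secret does not match B's entry.
    chb = ap.start_session("node-B")
    out["b_with_a_secret"] = ap.authenticate("node-B", derive_session_key(key_list["node-A"], chb))
    chb = ap.start_session("node-B")
    out["b_own_key"] = ap.authenticate("node-B", derive_session_key(key_list["node-B"], chb))
    return out
```

Running run_scenario() accepts the two legitimate sessions and denies both the replayed key and the cross-node key, which is the property the per-session and per-node schemes are meant to give.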
Three illustration diagrams, shown below, show how the wireless network is connected to an access point.
In this illustration, the authentication server has an authentication module, an access secret key generation module, a database of secrets, a profile generation module, a binding module and an executable generation module (Buddhikot et al. 2007).
The authentication module is used to verify the user and to admit or deny the user to the network. Verification is done through the username and password provided by the user, which the authentication module compares with the stored database. The secret key generation module generates a secret key randomly for every user; this secret key is formed using various algorithms. Once the secret key is authenticated by the wireless device, the wireless client gets access to the network. The secret database holds information about the secret generator and the user information associated with each secret key. The profile generation module holds the information of the user's secret key; it also contains the user's authentication and security information and user performance. The binding module binds the user to the wireless interface device. The executable generation module builds and configures an executable application that associates the wireless interface with the wireless network.
In this flowchart illustration, the technique for a paired dynamic secret key between the user and the wireless network is stated. Here the user is authenticated by the secret key generator, which produces a random and unique paired secret key. The authentication method allows the user to use the wireless network; to identify himself to the network the user provides a username and password. A unique secret key is generated for the user by the generator module. The authenticated user is associated with a user access profile for further association of the device. The secret key and the user access profile are also stored in the secret database for further association.
5.2 PERFORMANCE TEST
The performance test measures the performance of the dynamic key server in terms of availability, stability and load balancing for the wireless network. The tests are conducted by transferring data from the server to the client as the input. The test is conducted on three IEEE wireless standards, 802.11a, 802.11b and 802.11g. Throughput is the successful delivery of packets to the node through the communication channel. To calculate the throughput of the dynamic key server over wireless, the following attributes should be noted: UDP payload, number of packets and packet size of the data. According to (Saleh M, and Khatib I A., 2005) throughput can be calculated by the formula
This chapter analysed how the dynamic key server works with its security measures, with an illustrated flowchart, and the performance of the server through the performance test.
6. ANALYSIS OF EXPERIMENT RESULTS
The aim of the thesis is to analyse a secured and well performing server for the wireless network. For that objective, research and experiments have been carried out. In this chapter the experiment results obtained are analysed.
6.1 SECURITY IN DYNAMIC KEY SERVER
In a dynamic key server, exchanging the shared key between the server and the user at frequent intervals is more secure, and this is called Dynamic Key Management. According to (iLabs Wireless Security Team, 2002), sharing a single secret key between the server and the node is the weakness of static key management and of the wireless network.
Step 1 User provides authentication details
Step 2 RADIUS server authenticates the user and the user authenticates the RADIUS server
Step 3 RADIUS server delivers the Pair-wise Master Key (PMK) to the access point
Step 4 Access point and client exchange messages to derive the encryption key
Step 5 Access point encrypts the broadcast encryption key and delivers it to the client
Step 6 Client and access point activate encryption
Static key management brings problems to the network, and 802.11x does not support the exchange of keys between the server and the node. Deploying dynamic key distribution definitely improves the security of wireless LANs (Jim Geire, 2002). Since the dynamic key server changes and exchanges the encryption key between the server and the client at frequent intervals, it brings a secured environment to the wireless network.
6.2 PERFORMANCE OF DYNAMIC KEY SERVER
The performance of a server depends on the encryption used in the network. Implementing highly secured encryption methods on IEEE 802.11x standards slows down the network performance. The IEEE 802.11x standards' transmission rates are given in the table below.
The IEEE 802.11x standards' transmission rates change according to their throughput. The average performance of 802.11a, 802.11b and 802.11g is 2.11Mbps, 0.62Mbps and 2.48Mbps respectively. This result was taken from performance tests without the dynamic key server, transferring the same data from the server to the wireless client.
- For IEEE 802.11b standards
- For IEEE 802.11g standards
- For IEEE 802.11a standards
Thus the performance experiment proved that, when compared with the static key server, the dynamic key server's performance increases by 25% for all the IEEE 802.11 wireless standards: 802.11a - 3.36Mbps, 802.11b - 0.79Mbps and 802.11g - 3.4Mbps.
In this chapter the security and the performance of the dynamic key server have been analysed and proved with the related experiment.
7. COMPARISON OF WORK AGAINST PREVIOUS WORKS
In this chapter, this work is compared with other related reports in the same area.
There are a few reports and books available on the topic, with many limitations.
- Students from the University of Maryland submitted a report "Your 802.11 Wireless Network has No Clothes" (Arbaugh W.A, Shankar N and Wan Y.C.J. 2001). In the report they state the vulnerability of the 802.11x protocols, 802.11 standards security, the static shared key authentication mechanism and weaknesses in WEP. They clearly explain the topic without any remedy for the problem.
- A white paper from ISS (Internet Security Systems), "Wireless LAN Security", explains the attacks and their types made against wireless LANs. They conclude the paper by suggesting security mechanisms.
- "Wireless Security Handbook" (2006) by Aaron E. Earle, published by Taylor & Francis Group, LLC. The author explains chapter by chapter the characteristics and functions of wireless networks, the risks and threats in wireless networks, the 802.11x standards, wireless LAN security, wireless security architecture and the tools used for wireless hacking.
- A white paper from Madge Limited, "Wireless LAN Security", explains the importance of security, weaknesses in 802.11x, encryption and wireless standards. As a future enhancement they recommend dynamic keys for a secured wireless LAN.
All the previous works explain security, characteristics and functions, attacks, and also recommend security mechanisms, but they did not suggest or recommend security features together with performance. In this report, security features, key management, authentication methods, hacking techniques, encryption standards and server performance have been explained, and finally a solution has been recommended. The dynamic key server delivers the features a wireless LAN needs, security and performance, and this has been proved by analysis and experiment.
In this chapter the views of various authors in the same field were studied, and the research undertaken here was compared with other authors' work in the same field.
In today's world there are many security features available in the network communication field. Even so, these security features cannot secure the network completely. This thesis comes forward with a new idea built on existing security techniques to make the wireless network more secure and give better performance. The main causes of security vulnerability are key management and the authentication mechanism. The objective of this thesis pertains not only to security issues but also to the performance of the wireless system. In consideration of security and performance a new idea emerged, the "Dynamic Key Server". Analysis of the dynamic re-keying key management technique and the authentication technique indicates that the wireless network reaches a secured level. The dynamic key server should also perform well, so a performance test was conducted with the IEEE 802.11 standards and the WEP security protocol. The test proves better performance than any other security protocol. This result was achieved because of the dynamic re-keying security mechanism together with the WEP security protocol. The dynamic key mechanism is similar to the static key mechanism but adds the re-keying technique and uses the WEP security protocol, which encrypts only the authentication key with 128-bit encryption. When the performance results are compared with other security servers, performance has increased by 25% for all IEEE 802.11 standard wireless protocols (Chapter 5 and Chapter 6). When this thesis work is compared with other research papers and journal work, those deliver only the security features, wireless vulnerabilities, attacks on wireless networks and security mechanisms. None of the research papers and journal works comes forward to suggest a security mechanism, but this thesis suggests a security mechanism with proven results (Chapter 7). In conclusion, this thesis suggests that the Dynamic Key Server with the dynamic re-keying mechanism provides security and better performance to the wireless network.
This security technique remains secure until a hacker or intruder finds a vulnerability in the network.
9. FUTURE WORK
Every day there is an invention in every technology. In networking technology the world is waiting for IPv6 to be introduced, where IPv6 brings dramatic change and growth in network technology, especially in mobile technology. After the introduction of IPv6, smartphones will come with static IP addresses, which enables more data communication between mobile networks and thus needs secured data communication. This dynamic key server can be used, with protocol alterations, for mobile networks.
Books and journals
- Aaron E. Earle (2005), 'Wireless Security Handbook', published by Auerbach Publications
- An ISS Technical White Paper, '802.11b Wireless LAN Security', Wireless LAN Security 802.11b and Corporate Networks
- Arbaugh W A, Shankar N and Wan J (2001), 'Your 802.11 Wireless Network has No Clothes', Department of Computer Science, University of Maryland, College Park, Maryland 20742
- Azzedine Boukerche (2006), 'Handbook of Algorithms for Wireless Networking and Mobile Computing', published by Taylor & Francis Group, LLC
- Cisco Systems (2004), 'CISCO AIRONET 1200 SERIES ACCESS POINT', 1992-2004 Cisco Systems
- Jaakko Tuomimäki (2003), 'Overview, details and analysis of Radius protocol', Helsinki University of Technology, Telecommunications Software and Multimedia Laboratory
- Madge (2002), 'White Paper - Wireless LAN Security', 2002-2003 Madge Limited
- Matthew Gast (2005), '802.11® Wireless Networks: The Definitive Guide', 2nd edn, published by O'Reilly
- Microsoft Corporation (2009), 'Extensible Authentication Protocol Method for Microsoft Challenge Handshake Authentication Protocol (CHAP) Specification', 2009 Microsoft Corporation
- Sklavos N and Zhang X (2007), 'Wireless Security and Cryptography: Specifications and Implementations', published by CRC Press
- Tara M., Charles R. Elden (2003), 'Wireless Security and Privacy: Best Practices and Design Techniques', published by Addison Wesley
- Zhang Y, Ma M (2008), 'Handbook of Research on Wireless Security', New York: Information Science Reference
- Access Control 101 (2003), available at http://www.intranetjournal.com/articles/200311/ij_11_10_03a.html (Accessed on 28.08.2009)
- access point, wireless (2006), available at http://compnetworking.about.com/cs/wireless/g/bldef_ap.htm (Accessed on 13.08.2009)
- ACS (2007), available at http://www.interlinknetworks.com/whitepapers/WLAN_Access_Control.pdf (Accessed on 16.08.2009)
- An Analysis of the RADIUS Authentication Protocol (2001), available at http://www.untruth.org/~josh/security/radius/radius-auth.html (Accessed on 18.09.2009)
- Attacks (2008), available at http://en.kioskea.net/contents/attaques/rejeu.php3 (Accessed on 15.08.2009)
- cut-and-paste attack (2007), available at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci525899,00.html (Accessed on 18.08.2009)
- masquerade (2005), available at http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci498695,00.html (Accessed on 20.08.2009)
- Michelle Finch, The New Wi-Fi Protocol (2008), available at http://mobiletechnology.suite101.com/article.cfm/wifi_protocols (Accessed on 30.07.2009)
- network access server (2005), available at http://searchnetworking.techtarget.com/sDefinition/0,,sid7_gci512084,00.html (Accessed on 28.08.2009)
- Scheme for authentication and dynamic key exchange (2007), available at http://www.patentstorm.us/patents/7231521/description.html (Accessed on 15.07.2009)
- Security Watch: A guide to Wireless Security (2005), available at http://126.96.36.199/en-us/magazine/2005.11.securitywatch.aspx (Accessed on 10.08.2009)
- Seven Security Problems of 802.11 Wireless (2005), available at http://www.oreillynet.com/pub/a/wireless/2002/05/24/wlan.html (Accessed on 13.08.2009)
- WEP (2005), available at http://www.cs.fsu.edu/~yasinsac/group/slides/cubukcu.pdf (Accessed on 15.08.2009)
- WEP (wired equivalent privacy) (2006), available at http://www.networkworld.com/details/715.html (Accessed on 15.08.2009)
- WEP open system authentication (2006), available at http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-08.html (Accessed on 1.08.2009)
- What is Cisco LEAP/EAP? (2007), available at http://searchnetworking.techtarget.com/news/article/0,289142,sid7_gci843996,00.html (Accessed on 3.08.2009)
- What is RADIUS (2005), available at http://www.untruth.org/~josh/security/radius/radius-auth.html (Accessed on 15.09.2009)
- Wireless 802.11 Standards (2007), available at http://www.ja.net/documents/publications/factsheets/055-wireless802.pdf (Accessed on 28.07.2009)
- Wireless LAN Security White Paper (2004), available at http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_white_paper09186a00800b469f_tk809_TSD_Technologies_White_Paper.html (Accessed on 10.09.2009)
- Wireless Networking Basics (2006), available at http://documentation.netgear.com/reference/sve/wireless/pdfs/Chapter.pdf (Accessed on 1.08.2009)
- Wireless Networking Standards (2005), available at http://www.webopedia.com/ quick_ref/WLANStandards.asp (Accessed on 28.07.2009)
- Writing the Research Report (2005), available at http://web.utk.edu/~wrobinso/540_lec_write.html (Accessed on 18.07.2009)