The present invention is directed to the field of security measures for wireless LAN technology. In a wireless local area network (or WLAN) a wireless client seeks to connect to the network in order to exchange data. There are three states in connecting to the network as specified by the IEEE 802.11 specification for WLANs:
1. Unauthenticated and Unassociated
2. Authenticated and Unassociated
3. Authenticated and Associated.
Authentication is the process of verifying the credentials of a client desiring to join a WLAN. Association is the process of associating a client with a given Access Point (AP) in the WLAN. IEEE 802.11 defines two types of authentication methods—Open Key System Authentication and Shared Key Authentication. A successful completion of the association and authentication phases allows a WLAN node successful entry into the WLAN subsystem.
The IEEE 802.11b standard attempts to provide “privacy of a wire” using an optional encryption scheme called “Wired Equivalent Privacy” (or WEP) in which a data frame or “payload” is run through an encryption algorithm, the output of which replaces the original payload. With “open key authentication” the entire authentication process is done in clear text. This means since the entire process is performed without encryption, a client can associate to the AP with the wrong WEP key or no WEP key. But as soon as the client tries to send or receive data it is denied access for not having the correct key to process the packet. With “shared key authentication” there is a challenge text packet that is sent within the authentication process. If the client has the wrong key or no key it will fail this portion of the authentication process and will not be allowed to associate to the AP.
This choice (open or shared key) is manually set on each device (AP and client). There should be a match in the method chosen by the client and the AP for the association to succeed. The default value is for open authentication.
The entire process can be broken down into three phases:
1) Probe Phase
When a client is initialized it first sends a “probe request” packet out on all the channels. The APs that hear this packet will then send a “probe response” packet back to the station. This probe response packet contains information such as SSID (Service Set Identifier), which the client utilizes to determine which AP to continue the association process with.
2) Authentication Phase
After the client determines which AP to continue association process with, it begin the authentication phase based upon the probe response packet. This phase can be performed in either open or shared key mode. The client and the access point both have to be set-up to the same authentication scheme for this phase to be performed properly.
OPEN AUTHENTICATION SCHEME: The client sends an authentication request to the AP. The AP then processes this request and determines (based on the configured policies) whether or not to allow the client to proceed with the association phase. The AP sends an authentication response packet back to the client. Based upon the type of response (pass or fail) from the AP, the client will either continue or discontinue the association process.
SHARED KEY AUTHENTICATION: The client sends an authentication request to the AP. The AP processes this request, generates and sends a challenge text packet to the client. The client is then required to encrypt the packet utilizing its already-configured WEP key and send the packet back up to the AP. The AP then determines if it can decipher the packet correctly. Based upon this test, the AP will send either a pass or fail in the authentication response packet to the client that determines if the client is allowed to continue the association phase or not.
3) Association Phase
When the client successfully completes the authentication phase (for example, receives a successful authentication response packet from the AP), it proceeds to the association phase. The client sends an association request packet to the AP. The AP analyses the information in this packet and if it passes, the AP adds the client to its association table. It then sends an association response packet to the client, which completes the association phase.
One of the primary drawbacks with the IEEE 802.11 shared key authentication scheme is that there is no mutual authentication between the client and the AP. Only the client authenticates to the access point but the access point does not authenticate to the client. This opens up the doors for denial of service attacks via rogue APs in the WLAN. Such attacks redirect legitimate users having their data open to plaintext or other attacks by associating with APs that are masquerading as members of the WLAN sub system. Mutual authentication between the client and the AP that requires both sides to prove their legitimacy within a reasonable time is critical to detecting and isolating rogue access points.
The existing IEEE 802.11b standard is severely handicapped with its availability for only the current open and shared key authentication scheme that is essentially non-extensible. WLAN customers will demand and expect to receive flexibility in next generation security solutions. Some of these requirements include the addition of new 802.11 authentication methods. The authentication methods need to remain independent of the underlying 802.11 hardware to the greatest extent possible since hard-coding any authentication methods makes it difficult to respond to security vulnerabilities that are constantly discovered and that require quick rollout of fixes. Extensibility is required in order to support Public Key Infrastructure (PKI) and certificate schemes
There is no standard mechanism that allows a network administrator to control access to and from a LAN segment based on the authenticated state of a port user. Simple network connectivity affords anonymous access to enterprise data and the global internet. As 802 LANs are deployed in more accessible areas, there is an increasing need to authenticate and authorize basic network access. The proposed project will provide common interoperable solutions using standards based authentication and authorization infrastructures already supporting schemes such as dial up access.