In order to address a security loophole presented in the Wired Equivalent Privacy (WEP) security mechanism defined in the Wireless Local Area Network (WLAN) international standard ISO/IEC 8802-11, the national standard of WLAN and the first revision thereof have been published in China to adopt the WLAN Authentication and Privacy Infrastructure (WAPI) instead of the WEP to address security issues of WLAN. Almost concurrently, the IEEE organization also has published the IEEE 802.11i standard in which the Robust Security Network Association (RSNA) has been proposed based upon backward compatibility to remedy the security loophole presented in the WEP.
The WAPI makes use of authentication and key management protocols of public-key certificates or a pre-shared key, and the RSNA performs authentication and key distribution functions respectively according to the IEEE 802.1x based upon the Extended Authentication Protocol (EAP) and the 4-way handshake protocol. The WAPI can ensure security of WLAN, and the RSNA also alleviates the security issue presented in the original security mechanism of WLAN but suffers from the following drawbacks:
1. Operating in an IBSS network mode causes the protocols to be executed too complexly, and node resources (a power supply, a CPU, a storage capability, etc.) over a network in such a mode are usually limited;
2. No protection measure is performed on the first messages of the unicast key negotiation protocol of the WAPI and 4-way handshake protocol of the RSNA, and an attacker may perform a Denial of Service (DoS) attack, e.g., protocol blocking, storage exhausting, etc., by forging message 1.
These two drawbacks will be analyzed and described in details below.
For convenient descriptions, functionally similar or identical terms in the WAPI and the RSNA will firstly be defined collectively as follows:
1. Supplicant (S). An Authentication Supplicant Entity (ASUE) of the WAPI and a Supplicant of the RSNA are referred collectively to as a Supplicant.
2. Authenticator (A). An Authenticator Entity (AE) of the WAPI and an Authenticator of the RSNA are referred collectively to as an Authenticator.
3. Authentication Server (AS). An Authentication Service Entity (ASE) of the WAPI and an Authentication Server (AS) of the RSNA are referred collectively to as an Authentication Server.
4. Master Key (MK). A Base Key (BK) of the WAPI protocol and a Pairwise Master Key (PMK) of the RSNA protocol are referred collectively to as a Master Key.
5. Unicast Key (UK). A Unicast Session Key (USK) of the WAPI protocol and a Pairwise Temporal Key (PTK) of the RSNA protocol are referred collectively to as a Unicast Key.
6. Group Key (GK). A Multicast Master Key (MMK) of the WAPI protocol and a Group Master Key (GMK) of the RSNA protocol are referred collectively to as a Group Key.
Two networking modes, i.e., a Basic Service Set (BSS) and an Independent BSS (IBSS), are provided for a WLAN. In the BSS mode, an Authenticator A resides at a wireless Access Point (AP), and a Supplicant S resides at a user terminal, and after an authentication function is performed through an Authentication Server AS, unicast key negotiation between the Authenticator A and the Supplicant S and group (including multicast and broadcast) key announcement of the Authenticator A are performed. In the IBSS mode, respective terminal users joining the network are peer, and the respective stations also need to transmit their own multicast/broadcast data in addition to unicast data between every two of them, that is, the respective stations act as the Authenticator A and perform group key announcement with other stations acting as the Supplicant S, respectively.
The same network element acting as both the Authenticator A and the Supplicant S may cause a reflection attack of the key management protocol, and in view of this, such an attack can be prevented in such a way that the same entity acts as two authentication roles based upon different pre-shared keys, that is, the key management protocol executed by the same entity acting as the Authenticator A and the Supplicant S shall depend upon different Master Keys MKs and Unicast Keys UKs. Therefore in the IBSS mode, the respective sites will act as the Authenticator A to execute the entire authentication and key management protocols with the other respective sites.
Referring to FIG. 1, the entire authentication and key management protocols have to be executed for N(N−1) times for an IBSS network with N nodes, and such highly complicated calculations may make the protocols be difficult to apply in practice when a node frequently moves or there are limited resources.
Not only the protocols are executed complexly in the IBSS mode, but also the key management protocol is subject to a DoS attack. The unicast key negotiation protocol of the WAPI and the 4-way handshake protocol of the RSNA are very crucial components in the security mechanism for the purpose of verifying whether there is a Master Key MK between the Authenticator A and the Supplicant S resulting from successful authentication and negotiation and of deriving a fresh Unicast Key UK for use in subsequent data communication. In the unicast key negotiation protocol of the WAPI and the 4-way handshake protocol of the RSNA, any other message than the message 1 are authenticated and protected by the UK resulting from latest negotiation, and the bare message 1 may be utilized by an attacker. The attacker can forge the message 1 so that the UK resulting from negotiation between the Authenticator A and the Supplicant S are not in consistency to thereby cause protocol blocking, or the attacker can forge a large number of messages 1 to thereby introduce a DoS attack, e.g., storage exhausting, etc., at the Supplicant S. Such a forgery attack is easy to be implemented with a serious hazard, and a single successful attack may counteract various previous authentication efforts.