A problem that is arising in communication networks, such as an IEEE 802.11i Wi-Fi (wireless fidelity) network, is the ease with which access can be obtained to these communication networks. For example, an unauthorized or “rogue” terminal or access point could be added to a network without having authorization to do so by spoofing a Media Access Control (MAC) address. In this case, this unauthorized user, or anyone in proximity to the “rogue” access point, could access (i.e. snoop on) the network for illicit purposes. Of course, such unauthorized access poses a security threat to the communication network.
Wi-Fi Protected Access (WPA), and later WPA2, was introduced to address this problem. In particular, WPA and WPA2 use pairwise transient key (PTK) support shared between stations to detect MAC address spoofing and data forgery by binding the addresses of the stations to the pairwise key. However, there is still a flaw in the WPA2 system, referred to as the “Hole 196” flaw, for group communications, such as multicast and broadcast traffic, which use only a single group temporal key (GTK). In this case, an unauthorized user can inject their own data into a packet to a client by spoofing the group key. For example, an unauthorized user can inject faked Address Resolution Protocol (ARP) information in an encrypted group-addressed message to a victim (i.e. ARP poisoning), which indicates that the unauthorized user's address (or another false address) is now to be used as the client's gateway address. The faked ARP information makes the victim change their ARP cache to include the faked gateway address (of the unauthorized user), which results in the victim sending data packets to the unauthorized user, or to anyone else the unauthorized user has indicated in the faked ARP gateway address.
One solution to this problem is for the network operator to use a randomly generated GTK that is changed at periodic time intervals. However, the unauthorized user will still be able to access the network during the time when any one particular GTK is in use. Another solution is to convert group traffic to pairwise (unicast) traffic. However, this requires a significant amount of messaging overhead, which defeats the purpose of group communications in the first place. Another solution is to install specialized security software on each client. However, this incurs extra cost.
Accordingly, there is a need for a technique to detect an unauthorized change in an ARP cache in a communication network.
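As an added illustration of the kind of detection called for here (example code, not part of the patent text), the following host-side guard applies the distinction drawn above: pairwise-protected unicast ARP replies are trusted to establish the gateway binding, while a group-addressed frame that tries to create or change the gateway's IP-to-MAC binding is the Hole 196 poisoning pattern and is rejected and logged. The observation fields, class names and sample addresses are constructed for the example.

```python
# Added example (not from the patent text): detect the Hole 196 ARP-poisoning
# pattern by refusing to let a group-addressed (GTK-protected) frame rebind the
# gateway's IP address to a new MAC. Field names and sample data are constructed.
from dataclasses import dataclass, field


@dataclass
class ArpObservation:
    sender_ip: str
    sender_mac: str
    group_addressed: bool  # True if the frame was broadcast/multicast (GTK-encrypted)


@dataclass
class ArpCacheGuard:
    gateway_ip: str
    cache: dict = field(default_factory=dict)   # ip -> MAC currently trusted
    alerts: list = field(default_factory=list)  # human-readable detections

    def observe(self, obs: ArpObservation) -> bool:
        """Apply one ARP reply to the cache. Returns True if accepted, False if rejected."""
        current = self.cache.get(obs.sender_ip)
        is_gateway = obs.sender_ip == self.gateway_ip
        # Hole 196 vector: a group-addressed frame creates or changes the gateway binding.
        if is_gateway and obs.group_addressed and current != obs.sender_mac:
            self.alerts.append(
                f"gateway {obs.sender_ip} rebind {current} -> {obs.sender_mac} via group frame rejected")
            return False
        if current is not None and current != obs.sender_mac:
            # Unicast rebinding is accepted but recorded: the PTK binds the sender's address.
            self.alerts.append(f"{obs.sender_ip} changed {current} -> {obs.sender_mac} (unicast)")
        self.cache[obs.sender_ip] = obs.sender_mac
        return True


def run_demo() -> ArpCacheGuard:
    guard = ArpCacheGuard(gateway_ip="192.0.2.1")  # constructed documentation-range addresses
    observations = [
        ArpObservation("192.0.2.1", "02:00:00:00:00:01", False),  # real gateway, unicast reply
        ArpObservation("192.0.2.1", "02:00:00:00:00:01", True),   # benign gratuitous ARP, same MAC
        ArpObservation("192.0.2.1", "02:00:00:00:00:99", True),   # poisoning attempt via group frame
        ArpObservation("192.0.2.20", "02:00:00:00:00:14", True),  # ordinary peer announcement
    ]
    for obs in observations:
        guard.observe(obs)
    return guard


if __name__ == "__main__":
    g = run_demo()
    print(g.cache, g.alerts, sep="\n")
```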
Skilled artisans will appreciate that elements in the figures are illustrated for simplicity and clarity and have not necessarily been drawn to scale. For example, the dimensions of some of the elements in the figures may be exaggerated relative to other elements to help to improve understanding of embodiments of the present invention.
The apparatus and method components have been represented where appropriate by conventional symbols in the drawings, showing only those specific details that are pertinent to understanding the embodiments of the present invention so as not to obscure the disclosure with details that will be readily apparent to those of ordinary skill in the art having the benefit of the description herein.