Proceedings of ISCIT2005

A Password Based Authentication Protocol for

Access

Control in WLAN

Jingxin Liu, Bihua Tang, Yue Liu, Cheng Liu and Yuan'an Liu School of telecommunication engineering Beijing University of Posts and Telecommunications, Beijing, China Tel: +86-010-62286676 E-mail: tulipljxgl63.com; liuyue@chis.com.cn; yuliu@bupt.edu.cn
Abstract- WLAN technologies are becoming popular and the device are widely used everywhere nowadays, so more attentions are paid to when it comes to wireless security. Since the current security protocol in IEEE 802.11 namely Wired Equivalent Privacy is known to be quite insecure, the IEEE 802.1x and IEEE 802.11i were proposed to resolve some problems in 802.11. However, the 802.1x still have some drawbacks and could be hijacked through middle of communication session. In this paper, we proposed a password-based authentication and key exchange protocol suitable to construct a secure connection for regular communication security. To overcome the drawback of password-based protocols causing by short length and randomness of password, the proposed protocol uses the signature techniques of ECDSA and the authentication protocol SRP based on Diffie-Hellman key exchange method. Keywords: WLAN, WEP, 802.1x, SRP, ECDSA

I.

INTRODUCTION

802.1 li to resolve some problems in 802.11. IEEE 802.1 1 i is specifying a Robust Security Network (RSN) to address security issues with infamous WEP encryption as well as WEP based authentication. IEEE802lx port based access control is used and extended in RSN to conduct mutual authentication. IEEE 802.lx uses an additional authentication server, called RADIUS/DIAMETER, to authenticate the supplicants' identities and uses TLS [3] to generate session keys. Recently, Mishra and Arbaugh [4] also discovered some weaknesses of IEEE 802.1x. From their descriptions, the main problems are they distribution and mutual authentication between the supplicant and the AP. When

Because the wireless environment is a shared media networks, everyone can access to the network and the transmitted messages can be intercepted easily. Therefore it is important to protect the privacy of the transmitted data over the wireless environment. Wired Equivalent Privacy (WEP) is the security scheme defined in the IEEE 802.11. Several research studies report the vulnerabilities of WEP and concluded that WEP is insecure [1] [2]. Several alternative schemes have been proposed to make wireless work more secure. Later, IEEE proposed 802.1x in IEEE

EAP-TLS are used to authentication supplicant, PKI are needed, and in PKI private secure information and public key are issued by a third party Certificate Authority (CA). Utilizing a third party CA provides a convenient and relatively secure mechanism. But the open technique has several unwanted drawbacks. The increase in traffic introduced by frequent certificates and key administration overhead are included in the problems. To avoid the above problems many strategies have been proposed. Among the efforts, one efficient way is to provide a new security authentication and key exchange protocol to resolve these main problems in IEEE wireless security standard and a possible solution for IEEE 802.1x to conquer the authentication leak between supplicants and AP. There are many protocols to implement the strategy. Among them, utilizing password set by a client is good candidate for simple implementation. To make the protocol safe and secure, many considerations should be taken. As one effort of authentication and key exchange protocol, this paper proposes a protocol that allows user authentication and key exchanging without help of third party. At the same time, the proposed protocol utilizes of the ECDSA signature technique that enhances the security level of user authentication and key exchange done through relatively less secure networks. The rest of the paper is organized as follows. Section two of this paper describes the related works and the third section proposed a new password based protocol SRP for user authentication and key exchange utilizing the ECDSA. The characteristics and safety level of the proposed protocol are studied in section four. Performance analysis is present in section five and the last section wraps up the paper.
II.

RELATED WORKS

A.

Password based authentication protocols Password based authentication protocols authenticate client's accesses and create session key by passwords, are

0-7803-9538-7/05/$20.002005 IEEE

1099

the most widely used methods for user authentication. There are many famous password based authentication protocols but in this paper we use the protocol based on SRP for one way authentication. SRP protocol: SRP (Secure Remote Password) is one of the most widely used password-based authentication protocol. It can strongly authenticate a user without risks of dictionary attacks faced by other password-based authentication protocols. SRP protocol uses Diffie-Hellman key exchange method to establish the knowledge of information required for authentication with discrete logarithm [5] [6]. And then a hash function is used for mutual certification between two participants involved in a session. The figure belov shows each authentication and key exchange step of SRP protocol.
Client
~'.

Sr
Retrieve (ItT,
S. x-)

I
-f

User nanm U

X=H(s. P)
B 1 + c, S=(.AAv *X e K=H(S) Verifier M I 1 MNi) H .X. 1 .K )
=

4
5

ECDSA, a derivative of DSA, maps the algorithm of DSA to an eclipse curve domain. ECDSA is a standard of ANSI, X9.62. Three major parts of ECDSA is key generation, signature generation and signature. ECDSA key creation: In this phase first select an Elliptic Curve E that is defines in Zp and select a point PE(Zp) with n order. Then Calculate Q=d*P with a random selected inumber d E [2, n-2]. So the user's public key becomes (E, P, n, Q) and private key becomes d. ECDSA signature generation: In this phase first select a random number aE [1,n-1] and calculate a*P=(xi,yi) and r=x1mod n. (xl is an integer). If r=O return to step 1. Then calculate a-'mod n and calculate s=a-'{h(m)+dr}mod n, where h is SHA-1 hash function of message m. If s=O, return to step 1. So the (r, s) is the signature about message m. ECDSA Signature verification: In this phase the server gets a certificated public key (E, P, n, Q) of user to verify user's signature (r, s). If r and s in [1, n-l], the server will calculate w= S-1mod n and h(m)confirm at first. Then calculate ul=h(m) w mod n and u2=rw mod n. At last the server will calculate u1P+u2Q=(xO, yo) and v=x0 mod n. If v=r, the signature is a right one.
III. THE PROPOSED PROTOCOL The goal of the proposed protocol is to get mutual authentication between the client and the network through applying the ECDSA to the one way optimized SRP, and to create a secure association between the client and the access point to protect communication data on air. When air interface is protected, it can avoid several attacking methods such as Man in the Middle attack, session attack, dictionary attack, replay attack etc. Before running the authentication procedure, a client should prepare the following steps. At first, the client should select an elliptic curve E(Zp) defined on Zp. (E(Zp)that must be divied by a large prime number n.) Then select a random point over elliptic curve P ( E(Zp) with order n and select a safe uni-directional hash function ho. At last, the client sets his password pw and selects a salt value s and calculate private key x=h(s, pw) and a random point over elliptic curve Q=x*P. Once the parameter is generated, the authentication procedure will execute as the following figure illustrates. Step 1: The client generates strong prime number p and q where p=2*q+1, and transfers them with E, P, Q to the AP, and then AP will transfers (E, P, Q, p, q) to the server. The E is an Elliptic Curve that selected by ECDSA. Step 2: The server selects randomly generated private key b and random hidden parameter u, calculates agreed public key B=b*P+Q, and transmits (B, u) to the AP, and then AP will transmits them to client.

S=(ft-g )K,
N'tI

K=H(S) g M 1 H(A.B.K) 9 Verifier MI?

Fig. 1.

N12

authentication and key exchange process of SRP protocol

According the procedure represent in fig 1, the client and the server completed the mutual authentication and an open secure session could be established for the communications. B. Digital signature If the use of password spreads widely and electronic messages and cyber documents are hired for business or individual purpose, the electronic messages and documents may need something like signatures that are used on papers. Digital signature is the method frequently hired for the purpose. A digital signature is an electronic data that is affixed and logically associated to a certain data that requires digital signature. The signature is used to verify the owner of data and to express the approval of owner. There are various digital signature algorithms such as Digital Signature Algorithm (DSA). DSA is a public key algorithm based on the Discrete Logarithm Problem (DLP), and DSA is a base of ECDSA which is employed in the proposed algorithm in this paper. ECDSA:

1100

Client

AP

Seer

Generate (

-_,P,Q'n,s)
Select randot number b, u and calcula te 31bP+ (B,u)
-

.,_

,,([Lu ) -,,

Select rand in number a and calcu ate A=aP

0-

Calculate Sia+LLX)(B-Q) Calcul te h(S)+xrl

C
Calettlate I =b(A+uQ)

-lh(S)w mod n.-A, mod n, calculate

,, succeiscces

calculate5 w-nJo, n and calculates

P+ Q

xm -nod n.

SKjh8(S)
t

~~~SK<

SKj(S)

Fig. 2.

the proposed protocol in WLAN

Step 3: The client selects randomly generated private key a, calculates agreed public key A=a*P, and transmit it to the AP, and then transmits to server by AP. Step 4: Both the client and the server calculate a common value S, in the client the value S= (a+ux)*(B-Q) and in the server the value S= b*(A+uQ) Step 5: The client calculates i=al {h(S)+xr}. And (A, i) becomes the signature pair and transfers i to the AP, and then to the server. Step 6: The server calculates w=i-tmod n and calculates u1=h(S)w mod n, u2=Aw mod n. Then calculate u1P+ u2Q - (xo,yo), v=xo mod n. If the v=A, it is the correct one. Step 7: The client and the server generate the session key SK=h(S). In the proposed protocol we modify the Diffie-Hellman key exchange method to safely exchange keys between client and server. The client will select a prime key a and then calculate the public key A=a*P. The server also selects prime numbers b and u, and then calculates the public key B=b*P+Q. The client and server keeps a and b respectively and send A and B to each other. The client calculates S with S=(a+ux)*(B-Q) and the server calculates S with S=b*(A+uQ). If the protocol works correctly, both the client and server generate the same value. Then the client will calculate the value i that with A compose of the signature pair (A, i) and transmit i to the server to certificate his identity. After authentication, the session key will be produced, and sent to the AP by the
server.

IV. SECURITY ANALYSIS In our system, we assume that there is a secure encryption algorithm. Here we focus on the security analysis about the authentication among the client and the AP and the server. In IEEE 802.11 standards, the WEP standard is used to authentication and protecting the transmitting data, however the adversary can easily get the encryption key and the transmitting data by intercepting packets [7][8][9]. The IEEE 802.11 working group tries to solve the weakness of WEP and do a lot of works such as draft IEEE 802.1 li standard. In the following, we present that our protocol will withstand the security weakness of WEP. Meanwhile, the protocol is secure against other attacks as follows: A. Man in Middle attack: An adversary who receives a packet with the identity authentication bit, and modifies the content and not the identity authentication bit in the payload or header field, could launch a Man in Middle attack, the attacked client will not advance in the identity authentication stream and send new data packets due to the nature of the absence of response packets. Therefore, a man in middle attack of this kind would not succeed against the proposed protocol. B. Dictionaty attack: In dictionary attack, the attacker finds the real password by repeating a process of guessing the password of legal client and applying the passwords. In the proposed protocol, a client uses a private key x which generates by the password that is selected by itself and s salt value that is received from the server. The salt value ensures the randomness of password. Even if the attacker tries to do something with the salt, it is impossible to get the real password. Since a one way hash function is applied to the password and salt value the guessing or dictionary attacks
do not work.

Replay attack: If a attacker intercepted a legal message and old session key, he resends the message to the AP or client. Since the client and the server generates new a and b value every new session, the attack is not possible in the proposed protocol. The old key cannot be generated inherently. D. Impersonation attack: An attacker tries to impersonate the MT to use the WLAN work. If the attacker intercepted message, he must decrypt the message. However, the proposed protocol does not save the password and the session key is established between the client and AP using the proposed authentication procedure. The new verifying value is produced by a hash function that utilizes the password and a salt value together so the session key is different in each session. By the indirect password management method,

C.

1101

impersonation attack is not success in the proposed protocol.

V. PERFORMANCE ANALYSIS

At last we discuss the performance of the proposed protocol. The complexities of protocols are directly related with the number of interactions of the hash functions and exponential functions in protocols. The total message bytes transmitted, approximate latency, and energy required by the protocol of several famous protocols are depicted in the table 1. from the table we can see that compare with other protocol the proposed protocol shows a better performance. The proposed protocol that uses less traffic obvious shows a better performance in terms of network bandwidth utilization. But it has to maintain the same security level as the one that uses much traffic. At the same time the proposed protocol meets the requirement of low authentication latency and small energy consumption with
TABLE I COMPARISON OF PERFORMANCE

that introduced by the IEEE 802.1 1i. Instead of gaining authentication through CA as in many previously published protocols, the proposed algorithm gets user certification without help of CA. The protocol uses the SRP protocol based on Diffie-Hellman key exchange mechanism and applies the ECDSA's signature technique to level up its safely and efficiency. We have show that the proposed protocol can resist the Man in Middle attack, dictionary attack, replay attack, impersonation attack, but it could not cover all the flaws in WLAN environment, so in the future we have many things to do to improve the security of WLAN and all wireless networks.
REFERENCES
J. Walker, "Unsafe at any key size: an analysis of the WEP encapsulation," Tech. Rep. 03628E, IEEE 802.11 committee, March 2000. [2] N. Borisov, I. Goldberg, and D. wanger, "Intercepting Mobile Communications: The Insecurity of 802.1 1 " [3] B. Aboba, "PPP EAP-TLS Authentication Protocol," IEFT RFC 2716. [4] A. Mishra and W. A. Arbraugh, "An Initial Security Analysis of the IEEE 802.1x Standard," Department of Computer Science University of Maryland, Feb 6, 2002, CS-

[1]

Total

Protocol
AKA

(bytes
185 1489 1360 1157 149

size

Latency
(ins)
320.2281 47.259 53.119 51.367 93.258

Energy
(uJ)
887.69 6842.11 6000.23 5887.21 1009.57

TLS-RSA TLS-ECC TTLS-RSA Proposed Protocol

better performances.

TR-43228. [5] Thomas Wu, "The Secure Remote Password Protocol", Intemet Society Symp. Network and Distributed Systems Security Symposium, 1998. [6] ANSI X9.62, The elliptic curve digital signature algorithm (ECDSA), draft standard, 1997. [7] J. Hill, "An Analysis of the RADIUS Authentication Protocol", http://www.untruth.org/-

[8] A. Strubblefield, J. loannidis, and A. D. Rubin, "Using the Fluhrer, Mantin, andShamir Attack to Break WEP", AT&T Labs Technical Report TD-4ZCPZZ, 2001. [9] W. A. Arbaugh, N. Shankar, Y.C. J. Wan, "Your 802.11 Wireless Network has No Clothes", IEEE Wireless Communications, Vol.9, No.6, 2002.

josh/secutity/radius/radius-auth.html.

VI. CONCLUSION In this paper, a new password based authentication protocol for access control in WLAN network has been presented. The proposed protocol can fix the main problems of key distribution and mutual authentication that the drawback introduced by the short length and randomness of password in the exiting password based protocols, and improves the safely level in IEEE 802.1 x

1102