WI-FAB: attribute-based WLAN access control, without pre-shared keys and backend infrastructures

Two mainstream techniques are traditionally used to authorize access to a WiFi network. Small-scale networks usually rely on the offline distribution of a WPA/WPA2 static pre-shared key (PSK); security hence relies on the PSK not being leaked by end users and not being recovered via dictionary or brute-force attacks. Enterprise and large-scale networks, on the other hand, typically employ online authorization using an 802.1X-based authentication service that leverages a backend online infrastructure (e.g. RADIUS servers/proxies). In this work, we propose a new mechanism which requires neither online operation nor a backend access control infrastructure, but which does not force us to rely on a static pre-shared secret key. The idea is very simple, yet effective: directly broadcast in the WLAN beacons an encrypted version of the secret key required to access the WLAN network, so that only the users who possess suitable authorization credentials can decrypt and use it. This proposed approach clearly decouples the management of authorization credentials, issued offline to the authorized end users, from the actual secret key used in the WLAN network, which can thus in principle be changed at each new user's access. The solution described in the paper relies on attribute-based encryption, and is designed to be compatible with WPA2 and deployable within standard 802.11 management frames. Since no user identification is required (access control is based on attributes rather than on user identity), the proposed approach further improves privacy. We demonstrate the feasibility of the proposed solution via a concrete implementation on Linux-based devices and via relevant testing in a real-world experimental setup.