Integration of the Captive Portal paradigm with the 802.1X architecture

In a scenario where hotspot wireless networks are increasingly being used, and given the amount of sensitive information exchanged in Internet interactions, there is a need to implement security mechanisms that guarantee data confidentiality and integrity in such networks, as well as the authenticity of the hotspot providers. However, many hotspots today use Captive Portals, which rely on authentication through Web pages (thus, an application-level authentication approach) instead of a link-layer approach. The consequence is that there is no security on the wireless link to the hotspot (it has to be provided at upper protocol layers), and it is cumbersome to manage wireless access profiles (special applications or browser add-ons are needed to do that). This work exposes the weaknesses of the Captive Portal paradigm, which does not follow a unique or standard approach, and describes a solution, based on the 802.1X architecture, that intends to suppress them. This solution uses a new EAP-compliant protocol that is able to integrate an HTTP-based registration or authentication with a Captive Portal within the 802.1X authentication framework.
