ESCORT: a decentralized and localized access control system for mobile wireless access to secured domains

In this work we design and implement ESCORT, a backward-compatible, efficient, and secure access control system that facilitates mobile wireless access to secured wireless LANs. In mobile environments, a mobile guest may frequently roam into foreign domains while demanding critical network services. ESCORT provides instant yet secure access to the mobile guest based on the concept of an "escort", a special network object with four distinct properties: (1) the escort is already a trusted permanent or semi-permanent component of the secured wireless LAN; (2) the mobile guest and the escort have established transient but mutual trust; (3) communication between the escort and its guests is localized, and the escort forwards data packets between the mobile guest and the LAN; (4) the escort can be implemented as a mobile and tamper-resistant device, so it can roam with the mobile guest without being compromised. Existing network concepts (e.g., router, gateway) and security concepts (e.g., existing access control models and authorities) each lack at least one of these four essential properties. Because the escort is a permanent component of the wireless LAN, the communication channel between the escort and the LAN can be secured by effective countermeasures such as 802.11i TKIP and AES-CCMP. ESCORT therefore addresses the remaining challenge: providing efficient mobile privacy support between the escort and its mobile guests. Three aspects of mobile privacy, namely content privacy, identity privacy, and location privacy, are covered in the ESCORT design to maximize the protection offered to ESCORT's mobile guests. We use an actual implementation to demonstrate that the ESCORT design is feasible and efficient.
