WO2015084152A1 - System and method for authorising an access point in a network - Google Patents

System and method for authorising an access point in a network

Info

Publication number: WO2015084152A1
Authority: WO (WIPO (PCT))
Prior art keywords: scanner, access point, authentication string, list, server
Application number: PCT/MY2014/000173
Other languages: English (en)
Inventors: Mohd Ariff Abdullah, Muhammad Faheem Mohd Ezani, Sridhar Sivanand, Putri Shahnim Khalid, Shariq Haseeb
Original assignee: Mimos Berhad
Application filed by Mimos Berhad
Publication of WO2015084152A1

Classifications

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/06 Authentication
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities > H04L 63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/18 Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/12 Detection or prevention of fraud > H04W 12/121 Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS] > H04W 12/122 Counter-measures against attacks; Protection against rogue devices
    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04W WIRELESS COMMUNICATION NETWORKS > H04W 12/00 Security arrangements; Authentication; Protecting privacy or anonymity > H04W 12/60 Context-dependent security > H04W 12/69 Identity-dependent > H04W 12/73 Access point logical identity

Definitions

  • This invention relates to a system and a method for verifying the legitimacy of a device in a network, and more particularly to a system and a method for authorising an access point in a network and preventing spoofing attacks.
  • Spoofing such as media access control (MAC) spoofing
  • WIPS wireless intrusion prevention system
  • MAC media access control
  • Another method commonly used to prevent access by unauthorised devices is to validate the media access control (MAC) addresses of the devices.
  • This approach does not prevent MAC spoofing, where a device alters its MAC address to one that is authorised by the system.
  • Another approach to overcoming this problem involves implementing more intelligent network switches. Nevertheless, this approach may not be economical. As the level of security increases, the system may become more complicated to operate and the detection process more meticulous. As a result, the chance of false-positive errors may rise.
  • WIPS methods for detecting rogue access points include comparing the encrypted and non-encrypted wireless links of the access point, validating a fingerprint test, calculating the relative location of the access points, and monitoring the radio spectrum transmitted from the network to the access points.
  • These approaches might be susceptible to service set identification (SSID) spoofing, MAC spoofing and packet spoofing.
  • SSID service set identification
  • Patent no. EP 1 932 294 B1 relates to a method for detecting a rogue access point based on inconsistencies perceived in the RSS reports that are assessed during the handover phase.
  • The handover phase may be a window of vulnerability in which an unauthorised device can enter the network.
  • Calculation and detection by matching path-loss values may not be accurate in detecting a rogue access point.
  • US 7,965,842 B2 describes detection of a rogue access point that involves the authorised access points (client devices).
  • In order to overcome MAC spoofing, the network monitors for spoofing by checking switch interface tables for a MAC address that appears on more than one port; if the same MAC address appears on two different ports of a switch, one of the MAC addresses is identified as a rogue device.
  • This method involves client devices and may be susceptible to network intrusion during the information transfer between the client device and the network.
  • Monitoring the switch interface for a doubled MAC address may not be accurate and may still allow MAC spoofing.
  • The present invention relates to a method for authorising an access point in a network, characterised by: identifying at least one access point that is advertising the same service set identification (SSID) as the network and listing the identified access point in a first list; validating the MAC address of the access point in the first list against a list of authorised MAC addresses and listing the validated access point in a second list; generating an authentication string that corresponds to the access point in the second list; encrypting the authentication string and a scanner public key in a scanner by using a server public key; sending the encrypted authentication string and the encrypted scanner public key in a packet to a server via the access point in the second list; decrypting the encrypted authentication string and the encrypted scanner public key by using a server private key; encrypting the authentication string in the server by using the decrypted scanner public key; sending the encrypted authentication string to the scanner via a second network interface; decrypting the encrypted authentication string by using a scanner private
  • The method for authorising an access point may be used in a wireless or wired network.
  • A system for authorising an access point in a network comprises a scanner and a server, characterised by: the scanner further comprises: a scanner module for scanning and capturing access points; a first network interface for connecting the captured access point to the scanner; a scanner verification module as a center for communicating with other modules in the scanner; a scanner first data storage for storing a first list of access points that are advertising the same SSID as the network; a scanner second data storage for storing a list of access points that are advertising the same SSID as the network and having an authorised MAC address; a scanner third data storage for storing a second list of MAC addresses of authorised access points; an encrypt and decrypt scanner module for encrypting and decrypting the authentication string; the server further comprises: a server verification module as a center for communicating with other modules in the server; an
  • Figure 1 shows a flowchart of a method for authorising an access point in a network.
  • Figure 2 shows a system for authorising an access point in a network.
  • The present invention relates to a method for authorising an access point in a network.
  • The method starts by listing all access points in the network, and is characterised by: identifying (10) and listing at least one access point that is advertising the same service set identification (SSID) as the network in a first list (11); validating the MAC address of the access point against a list of authorised MAC addresses (20) and listing the validated access point in a second list (21); generating an authentication string that corresponds to the access point in the second list (30); encrypting the authentication string and a scanner public key in a scanner (800) by using a server public key (40); sending the encrypted authentication string and the encrypted scanner public key in a packet to a server (900) via the access point in the second list (50); decrypting the encrypted authentication string and the encrypted scanner public key by using a server private key (60); encrypting the authentication string in the server (900) by using the decrypted scanner public key (45); sending the encrypted authentication string to the scanner (
  • The term "network" in this specification may refer to a wireless or a wired network.
  • The step of identifying (10) and listing at least one access point that is advertising the same service set identification (SSID) as the network in the first list (11) filters out all other access points in the vicinity and captures only the access points with the same SSID as the network. In an embodiment of the present invention, if there is no access point with the same SSID, the method is terminated (12).
  • The first list contains the access points that will go through the next step.
  • The scanner (800) informs the server (900) that the access point is unauthorised, stores the information in a list of unauthorised access points (22), and the method is then terminated (12).
  • This step removes any access point that employs SSID spoofing.
  • The second list contains access points with authorised MAC addresses, but it may also contain access points that employ MAC spoofing.
  • The scanner (800) may continue generating authentication strings for all the access points in the second list until the second list is exhausted.
  • The encrypted authentication string in the scanner (800) can only be decrypted by using the server private key, which is known only to the server (900).
  • The step of sending the encrypted authentication string and the encrypted scanner public key in a packet to the server (900) via the access point in the second list (50) enables the packet to reach the server (900) through the authorised access point. If the server (900) does not receive the packet, the access point is not connected to the server (900), which indicates that the access point is unauthorised (61), and the method is then terminated (12).
  • The encrypted authentication string in the server (900) can only be decrypted by using the scanner private key, which is known only to the scanner (800).
  • The step of comparing the decrypted authentication string in the scanner (800) with the authentication string that corresponds to the access point in the second list (70): if the decrypted authentication string matches the authentication string that corresponds to the access point in the second list, the access point is authorised and removed from the second list (71), and the method is then terminated (12); if the decrypted authentication string does not match, the access point remains in the second list and is stored in the list of unauthorised access points (72), after which the method is terminated (12).
  • A decrypted authentication string in the scanner (800) that matches the authentication string corresponding to the access point in the second list verifies that the access point is authorised, and the access point may be removed from the second list. This eliminates any access point using MAC spoofing that may be listed in the second list.
  • A matching decrypted authentication string also indicates that the packet reached the server (900) through the authorised access point, which eliminates packet spoofing. It also indicates that the access point is authorised to connect to the network.
  • If the decrypted authentication string in the scanner (800) does not match the authentication string that corresponds to the access point in the second list, this may indicate that the access point is not authorised and may be using MAC spoofing or packet spoofing.
  • Such an access point may be listed in the list of unauthorised access points.
  • The scanner (800) and the server (900) share the same list of unauthorised access points.
  • The steps of decrypting the encrypted authentication string and the encrypted scanner public key by using a server private key (60), encrypting the authentication string in the server (900) by using the decrypted scanner public key (45), and sending the encrypted authentication string to the scanner (800) via a second network interface (55) take place in the server (900).
  • The steps of decrypting the encrypted authentication string by using a scanner private key (65) and comparing the decrypted authentication string in the scanner (800) with the authentication string that corresponds to the access point in the second list (70) take place in the scanner (800).
  • The present invention also relates to a system for authorising an access point in a network comprising a scanner (800) and a server (900), characterised by: the scanner (800) further comprises: a scanner module (801) for scanning and capturing access points; a first network interface (802) for connecting the captured access point to the scanner (800); a scanner verification module (803) as a center for communicating with other modules in the scanner (800); a scanner first data storage (804) for storing a first list of access points that are advertising the same SSID as the network; a scanner second data storage (805) for storing a list of access points that are advertising the same SSID as the network and having an authorised MAC address; a scanner third data storage (806) for storing a second list of MAC addresses of authorised access points; an encrypt and decrypt scanner module (807) for encrypting and decrypting the authentication string; the server (900) further comprises: a server verification module (901) as a center for communicating with other modules in the
  • The network may be a wireless or wired network.
  • The first network interface is a wireless LAN interface.
  • The second network interface is a LAN interface.
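
As an added illustration (not the patent's own code), the following Python simulates the scanner/server exchange of steps 10 to 72 described above: filtering by SSID and authorised MAC, the per-AP authentication string encrypted under the server public key together with the scanner public key, the server's re-encryption under the scanner public key returned over the second interface, and the scanner's final comparison. Textbook RSA on small fixed primes stands in for the real public-key scheme, and the access-point names, MAC addresses and the `reaches_server`/`forges_reply` flags are constructed for the example.

```python
import secrets
from dataclasses import dataclass

def rsa_keypair(p, q, e):
    """Textbook RSA on small fixed primes: stand-in for the real public-key scheme."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)  # (public, private)

def rsa_apply(key, m):
    exp, n = key
    return pow(m, exp, n)

SERVER_PUB, SERVER_PRIV = rsa_keypair(47, 71, 79)    # n = 3337, constructed
SCANNER_PUB, SCANNER_PRIV = rsa_keypair(61, 53, 17)  # n = 3233, constructed

@dataclass
class AccessPoint:
    name: str
    ssid: str
    mac: str
    reaches_server: bool = True  # False: packets via this AP never reach the server (61)
    forges_reply: bool = False   # True: reply is tampered in transit (packet spoofing)

def server_handle(server_priv, packet):
    """Server side: step 60 decrypt, steps 45/55 re-encrypt under the scanner key."""
    auth = rsa_apply(server_priv, packet["enc_auth"])
    scanner_pub = (rsa_apply(server_priv, packet["enc_e"]),
                   rsa_apply(server_priv, packet["enc_n"]))
    return rsa_apply(scanner_pub, auth)  # returned over the second (LAN) interface

def authorise(aps, network_ssid, authorised_macs, server_priv):
    """Scanner side, steps 10-72; returns (authorised, unauthorised) AP names."""
    first = [ap for ap in aps if ap.ssid == network_ssid]  # steps 10/11: same SSID only
    second, authorised, unauthorised = [], set(), set()
    for ap in first:  # steps 20-22: keep only authorised MAC addresses
        if ap.mac in authorised_macs:
            second.append(ap)
        else:
            unauthorised.add(ap.name)
    for ap in second:
        auth = secrets.randbelow(SCANNER_PUB[1] - 2) + 2  # step 30: fresh string per AP
        packet = {"enc_auth": rsa_apply(SERVER_PUB, auth),  # step 40: under server key
                  "enc_e": rsa_apply(SERVER_PUB, SCANNER_PUB[0]),
                  "enc_n": rsa_apply(SERVER_PUB, SCANNER_PUB[1])}
        if not ap.reaches_server:  # steps 50/61: packet never arrives => unauthorised
            unauthorised.add(ap.name)
            continue
        reply = server_handle(server_priv, packet)
        if ap.forges_reply:
            reply = (reply + 1) % SCANNER_PUB[1]
        if rsa_apply(SCANNER_PRIV, reply) == auth:  # steps 65/70/71: match => authorised
            authorised.add(ap.name)
        else:                                       # step 72: mismatch => unauthorised
            unauthorised.add(ap.name)
    return authorised, unauthorised

# Constructed scan result: one genuine AP, three spoofing cases, one other network.
SAMPLE_APS = [
    AccessPoint("legit-ap", "CorpNet", "00:11:22:33:44:55"),
    AccessPoint("ssid-spoof", "CorpNet", "de:ad:be:ef:00:01"),
    AccessPoint("mac-spoof", "CorpNet", "00:11:22:33:44:55", reaches_server=False),
    AccessPoint("packet-spoof", "CorpNet", "00:11:22:33:44:66", forges_reply=True),
    AccessPoint("neighbour", "OtherNet", "aa:bb:cc:dd:ee:ff"),
]
AUTHORISED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}

def run_sample():
    return authorise(SAMPLE_APS, "CorpNet", AUTHORISED_MACS, SERVER_PRIV)
```

Only the genuine AP ends up authorised; the SSID-spoofing AP falls out at the MAC check, the MAC-spoofing AP never delivers the packet, and the tampered reply fails the final comparison.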

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Power Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a system and a method for authorising an access point in a network without the participation of a client device. The present invention identifies (10) and lists only an access point having the same SSID as the network (11) and then checks the access point for validity of its MAC address (20). Only an access point with a valid SSID and MAC address is given an authentication string (30). The authentication string and a scanner public key are encrypted by means of a server public key in a scanner (800) (40). The scanner (800) then sends the encrypted authentication string and the encrypted scanner public key to a server (900) via the access point (50) so that they can be decrypted. The server (900) then encrypts the authentication string by means of the decrypted scanner public key (45) and sends the encrypted authentication string to the scanner (800) (55). The scanner (800), on receiving the encrypted authentication string, decrypts the string by means of the scanner private key (65) and compares the decrypted string (70) with the authentication string as it was before the encryption and decryption process. If a match is found, the access point is authorised and may have overcome three spoofing attacks in the network.
PCT/MY2014/000173 2013-12-04 2014-06-12 System and method for authorising an access point in a network WO2015084152A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
MYPI2013702354A MY178188A (en) 2013-12-04 2013-12-04 System and method for authorising an access point in a network
MYPI2013702354 2013-12-04

Publications (1)

Publication Number Publication Date
WO2015084152A1 true WO2015084152A1 (fr) 2015-06-11

Family

ID=51688378

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/MY2014/000173 WO2015084152A1 (fr) 2013-12-04 2014-06-12 System and method for authorising an access point in a network

Country Status (2)

Country Link
MY (1) MY178188A (fr)
WO (1) WO2015084152A1 (fr)

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050141498A1 (en) * 2003-10-16 2005-06-30 Cisco Technology, Inc Network infrastructure validation of network management frames
US20080141369A1 (en) * 2005-01-26 2008-06-12 France Telecom Method, Device and Program for Detecting Address Spoofing in a Wireless Network
US7965842B2 (en) 2002-06-28 2011-06-21 Wavelink Corporation System and method for detecting unauthorized wireless access points
EP2372971A1 (fr) * 2010-03-30 2011-10-05 British Telecommunications Public Limited Company Method and system for authenticating an access point
EP2600648A1 (fr) 2011-11-30 2013-06-05 British Telecommunications public limited company Detection of an unauthorised wireless access point
EP1932294B1 (fr) 2005-10-05 2013-08-21 Alcatel Lucent Detection of rogue access points in wireless networks

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170265081A1 (en) * 2016-03-14 2017-09-14 Fujitsu Limited Wireless communication device, wireless communication method, and computer readable storage medium
US10638323B2 (en) * 2016-03-14 2020-04-28 Fujitsu Limited Wireless communication device, wireless communication method, and computer readable storage medium
US10798125B2 (en) * 2016-10-27 2020-10-06 Reliance Jio Infocomm Limited System and method for network entity assisted honeypot access point detection
CN115022099A (zh) * 2022-08-09 2022-09-06 北京华云安软件有限公司 Identity authentication method and system based on the UDP transmission protocol

Also Published As

Publication number Publication date
MY178188A (en) 2020-10-06

Similar Documents

Publication Publication Date Title
US8418252B2 (en) Intelligent network interface controller
US7877805B1 (en) Apparatus, method and computer program product for detection of a security breach in a network
US9619946B2 (en) Securely providing diagnostic data from a vehicle to a remote server using a diagnostic tool
US20110179267A1 (en) Method, system and server for implementing security access control
US20090031399A1 (en) Method and Apparatus for Content Based Authentication for Network Access
US9755824B2 (en) Power line based theft protection of electronic devices
CN1901452A (zh) Multi-level and multi-factor security credential management for network element authentication
CN108712364B (zh) Security defence system and method for an SDN network
EP1995908B1 (fr) Method, system, apparatus and bootstrapping service function entity for preventing attacks
Daily et al. Securing CAN traffic on J1939 networks
WO2015084152A1 (fr) System and method for authorising an access point in a network
US20210099875A1 (en) Offloaded sensor authentication for internet of things
CN107968777B (zh) Network security monitoring system
KR101663935B1 (ko) Phishing and pharming prevention system and method
KR101424916B1 (ko) Air protector server providing an M2M service and operating method thereof
US20060075229A1 (en) Method and apparatus for maintaining a communications connection while guarding against bandwidth consuming attacks
CN117579403B (zh) Device for trusted application access
JP2003143126A (ja) Security maintenance method, system for implementing it, and its processing process
CN111131200B (zh) Network security detection method and device
AU2021106427A4 (en) System and Method for achieving cyber security of Internet of Things (IoT) devices using embedded recognition token
KR101393180B1 (ko) Rogue AP detection method and system through packet watermarking
KR101627281B1 (ko) Private DNS system and operating method thereof
Mishra et al. Designing a secure network interface by thwarting mac spoofing attacks
US20120131169A1 (en) System and method for controlling an un-addressable network appliance
CN118200036A (zh) Network security isolation method, apparatus, computer device and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14781957; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14781957; Country of ref document: EP; Kind code of ref document: A1)