WO2015084152A1 - System and method for authorising an access point in a network - Google Patents
- Publication number
- WO2015084152A1 (PCT/MY2014/000173)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- scanner
- access point
- authentication string
- list
- server
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/18—Network architectures or network communication protocols for network security using different networks or channels, e.g. using out of band channels
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/12—Detection or prevention of fraud
- H04W12/121—Wireless intrusion detection systems [WIDS]; Wireless intrusion prevention systems [WIPS]
- H04W12/122—Counter-measures against attacks; Protection against rogue devices
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/73—Access point logical identity
Definitions
- This invention relates to a system and a method for verifying the legitimacy of a device in a network, and more particularly to a system and a method for authorising an access point in a network and preventing spoofing attacks.
- Spoofing such as media access control (MAC) spoofing
- WIPS wireless intrusion prevention system
- MAC media access control
- Another method commonly used to prevent access by unauthorised devices is validating the media access control (MAC) address of the devices.
- This approach does not prevent MAC spoofing, where a device alters its MAC address to one that the system has authorised.
- Another approach to overcome this matter would involve implementing more intelligent network switches. Nevertheless, this approach may not be economical. As the level of security increases, the system may become more complicated to operate and the detection process more demanding, which raises the chance of false-positive errors.
- A WIPS detects rogue access points by comparing the encrypted and non-encrypted wireless links of the access point, validating a fingerprint test, calculating the relative location of the access points, and monitoring the radio spectrum transmitted from the network to the access points.
- These approaches might be susceptible to service set identification (SSID) spoofing, MAC spoofing, and packet spoofing.
- SSID service set identification
- MAC spoofing
- packet spoofing
- Patent no. EP 1 932 294 B1 relates to a method for detecting a rogue access point based on inconsistencies perceived in the RSS reports assessed during the handover phase.
- The handover phase may be a window of vulnerability during which an unauthorised device can enter the network.
- Calculation and detection by matching the path-loss value may not be accurate in detecting a rogue access point.
- US 7,965,842 B2 describes rogue access point detection that involves the authorised access points (client devices).
- To counter MAC spoofing, the network monitors switch interface tables for a MAC address that appears on more than one port; if the same MAC address appears on two different ports of a switch, one of them is identified as a rogue device.
- This method involves client devices and may be susceptible to network intrusion during the information transfer between the client device and the network.
- Monitoring the switch interface for a duplicated MAC address may not be accurate and may leave MAC spoofing undetected.
- the present invention relates to a method for authorising an access point in a network, which is characterized by: identifying at least one access point that is advertising the same service set identification (SSID) as the network and listing the identified access point in a first list; validating the MAC address of the access point in the first list against a list of authorised MAC address and listing the validated access point in a second list; generating an authentication string that corresponds to the access point in the second list; encrypting the authentication string and a scanner public key in a scanner by using a server public key; sending the encrypted authentication string and the encrypted scanner public key in a packet to a server via the access point in the second list; decrypting the encrypted authentication string and the encrypted scanner public key by using a server private key; encrypting the authentication string in the server by using the decrypted scanner public key; sending the encrypted authentication string to the scanner via a second network interface; decrypting the encrypted authentication string by using a scanner private
- The method for authorising an access point is used in a wireless or wired network.
- a system for authorising access point in a network comprising a scanner and a server; characterised by: the scanner further comprises: a scanner module for scanning and capturing access points; a first network interface for connecting the captured access point to the scanner; a scanner verification module as a center for communicating with other modules in the scanner; a scanner first data storage for storing a first list of access points that are advertising the same SSID as the network; a scanner second data storage for storing a list of access points that are advertising the same SSID as the network and having authorised MAC address; a scanner third data storage for storing a second list of MAC addresses of authorised access points; an encrypt and decrypt scanner module for encrypting and decrypting authentication string; the server further comprises: a server verification module as a center for communicating with other modules in the server; an en
- Figure 1 shows a flowchart of a method for authorising an access point in a network.
- Figure 2 shows a system for authorising an access point in a network.
- The present invention relates to a method for authorising an access point in a network.
- the method starts with listing all access points in the network, and is characterized by: identifying (10) and listing at least one access point that is advertising the same service set identification (SSID) as the network in a first list (11); validating the MAC address of the access point against a list of authorised MAC address (20) and listing the validated access point in a second list (21); generating an authentication string that corresponds to the access point in the second list (30); encrypting the authentication string and a scanner public key in a scanner (800) by using a server public key (40); sending the encrypted authentication string and the encrypted scanner public key in a packet to a server (900) via the access point in the second list (50); decrypting the encrypted authentication string and the encrypted scanner public key by using a server private key (60); encrypting the authentication string in the server (900) by using the decrypted scanner public key (45); sending the encrypted authentication string to the scanner (
- The term "network" in this specification may refer to a wireless or a wired network.
- The step of identifying (10) and listing at least one access point that is advertising the same service set identification (SSID) as the network in the first list (11) filters out all the other access points in the vicinity and captures only the access points with the same SSID as the network. In an embodiment of the present invention, if there is no access point with the same SSID, the method is terminated (12).
- The first list contains the access points that will go through the next step.
- The scanner (800) informs the server (900) that the access point is unauthorised, stores the information in a list of unauthorised access points (22), and the method is then terminated (12).
- This step removes any access points that employ SSID spoofing.
- The second list contains access points with an authorised MAC address, but it may also contain access points that employ MAC spoofing.
- The scanner (800) may continue generating an authentication string for each access point in the second list until the second list is exhausted.
- The encrypted authentication string in the scanner (800) can only be decrypted with the server private key, which is known only to the server (900).
- The step of sending the encrypted authentication string and the encrypted scanner public key in a packet to the server (900) via the access point in the second list (50) enables the packet to reach the server (900) through the authorised access point. If the server (900) does not receive the packet, the access point is not connected to the server (900), which indicates that the access point is unauthorised (61); the method is then terminated (12).
- The encrypted authentication string in the server (900) can only be decrypted with the scanner private key, which is known only to the scanner (800).
- The step of comparing the decrypted authentication string in the scanner (800) with the authentication string that corresponds to the access point in the second list (70) proceeds as follows: if the decrypted authentication string matches the authentication string that corresponds to the access point in the second list, the access point is authorised and removed from the second list (71), and the method is terminated (12); if it does not match, the access point remains in the second list and is stored in the list of unauthorised access points (72), after which the method is terminated (12).
- A decrypted authentication string in the scanner (800) that matches the authentication string corresponding to the access point in the second list verifies that the access point is authorised, and the access point may be removed from the second list. This eliminates any access point using MAC spoofing that may be listed in the second list.
- A matching decrypted authentication string also indicates that the packet reached the server (900) through the authorised access point, which eliminates packet spoofing. It also indicates that the access point is authorised to connect to the network.
- If the decrypted authentication string in the scanner (800) does not match the authentication string that corresponds to the access point in the second list, the access point may be unauthorised and may be using MAC spoofing or packet spoofing.
- The access point may be listed in the list of unauthorised access points.
- The scanner (800) and the server (900) share the same list of unauthorised access points.
- The steps of decrypting the encrypted authentication string and the encrypted scanner public key by using a server private key (60), encrypting the authentication string in the server (900) by using the decrypted scanner public key (45), and sending the encrypted authentication string to the scanner (800) via a second network interface (55) take place in the server (900).
- The steps of decrypting the encrypted authentication string by using a scanner private key (65), and comparing the decrypted authentication string in the scanner (800) with the authentication string that corresponds to the access point in the second list (70), take place in the scanner (800).
- the present invention is also related to a system for authorising an access point in a network comprising a scanner (800) and a server (900); characterised by: the scanner (800) further comprises: a scanner module (801) for scanning and capturing access points; a first network interface (802) for connecting the captured access point to the scanner (800); a scanner verification module (803) as a center for communicating with other modules in the scanner (800); a scanner first data storage (804) for storing a first list of access points that are advertising the same SSID as the network; a scanner second data storage (805) for storing a list of access points that are advertising the same SSID as the network and having authorised MAC address; a scanner third data storage (806) for storing a second list of MAC addresses of authorised access points; an encrypt and decrypt scanner module (807) for encrypting and decrypting authentication string; the server (900) further comprises: a server verification module (901) as a center for communicating with other modules in the
- The network may be a wireless or wired network.
- The first network interface is a wireless LAN interface.
- The second network interface is a LAN interface.
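The round trip described in the definitions above, as an added example that is not part of the patent or of any implementation of it: a stdlib-only Python simulation in which the scanner filters scanned access points by SSID (10/11), checks their MAC against the authorised list (20), and then runs the authentication-string exchange through each remaining access point, with the server's reply arriving over the second interface (55) rather than back through the access point. The SSID, MAC addresses, access-point names, and the textbook RSA (no padding, short toy keys, standing in only for the server and scanner key pairs the patent names) are all constructed for this example. Five constructed access points cover each outcome: a genuine one (71), one with a MAC not in the list (22), one with an authorised MAC but no path to the server (61), one that substitutes its own string in the packet (72), and one advertising a different SSID that is dropped at (10).

```python
"""Added example (not the patent's code): stdlib-only simulation of the scanner/server
round trip in WO2015084152A1.  SSID, MAC addresses and key sizes are constructed."""
import secrets

RSA_E = 65537
NETWORK_SSID = "CorpNet"                                       # constructed
AUTHORISED_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}   # constructed list (806)

def _is_probable_prime(n, rounds=20):   # Miller-Rabin: fine for a toy key, not production
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):   # random odd candidate of exactly `bits` bits until one passes
    while not _is_probable_prime(c := secrets.randbits(bits) | (1 << (bits - 1)) | 1):
        pass
    return c

def rsa_keypair(bits):
    """Textbook RSA without padding: stands in for the patent's key pairs only."""
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % RSA_E:           # RSA_E is prime, so this is gcd(e, phi) == 1
            return (RSA_E, p * q), (pow(RSA_E, -1, phi), p * q)   # (public, private)

def rsa_encrypt(pub, data):
    e, n = pub
    return pow(int.from_bytes(data, "big"), e, n)   # callers keep data shorter than n

def rsa_decrypt(priv, c, length):
    d, n = priv
    return pow(c, d, n).to_bytes(length, "big")    # fixed length keeps leading zero bytes

class Server:   # (900): decrypt (60), re-encrypt under the scanner key (45), reply on LAN (55)
    def __init__(self):
        self.pub, self._priv = rsa_keypair(512)
        self.lan_out = []                           # replies waiting on the second interface

    def receive(self, packet):
        c_auth, c_scanner_n = packet
        auth = rsa_decrypt(self._priv, c_auth, 16)
        scanner_n = int.from_bytes(rsa_decrypt(self._priv, c_scanner_n, 32), "big")
        self.lan_out.append(rsa_encrypt((RSA_E, scanner_n), auth))

class AccessPoint:   # constructed stand-in for a scanned AP and what it does with the packet
    def __init__(self, name, ssid, mac, connected=True, substitutes=False):
        self.name, self.ssid, self.mac = name, ssid, mac
        # connected=False: no link to the server; substitutes=True: AP swaps in its own string
        self.connected, self.substitutes = connected, substitutes

    def forward(self, packet, server):
        if not self.connected:
            return                          # packet never reaches the server (61)
        if self.substitutes:                # packet spoofing: a different string goes to the server
            packet = (rsa_encrypt(server.pub, secrets.token_bytes(16)), packet[1])
        server.receive(packet)

def authorise(server, scanned):
    """Scanner (800) side: steps 10/11, 20/21, 30, 40, 50, 65 and 70 of the method."""
    scanner_pub, scanner_priv = rsa_keypair(256)
    verdicts = {}
    for ap in [ap for ap in scanned if ap.ssid == NETWORK_SSID]:      # first list (11)
        if ap.mac not in AUTHORISED_MACS:                               # (20)
            verdicts[ap.name] = "unauthorised: MAC not in list (22)"
            continue
        auth = secrets.token_bytes(16)                                  # (30)
        packet = (rsa_encrypt(server.pub, auth),                         # (40)
                  rsa_encrypt(server.pub, scanner_pub[1].to_bytes(32, "big")))
        ap.forward(packet, server)                                      # (50)
        if not server.lan_out:
            verdicts[ap.name] = "unauthorised: no reply via server (61)"
            continue
        echoed = rsa_decrypt(scanner_priv, server.lan_out.pop(), 16)    # (55)/(65)
        verdicts[ap.name] = ("authorised (71)" if echoed == auth         # (70)
                             else "unauthorised: string mismatch (72)")
    return verdicts

def run_demo():   # constructed scan covering every outcome of the method
    return authorise(Server(), [
        AccessPoint("ap-genuine", NETWORK_SSID, "00:11:22:33:44:55"),
        AccessPoint("ap-guest", "GuestNet", "00:11:22:33:44:99"),              # dropped at (10)
        AccessPoint("ap-ssid-spoof", NETWORK_SSID, "de:ad:be:ef:00:01"),      # wrong MAC
        AccessPoint("ap-mac-spoof", NETWORK_SSID, "00:11:22:33:44:66", connected=False),
        AccessPoint("ap-pkt-spoof", NETWORK_SSID, "00:11:22:33:44:66", substitutes=True),
    ])
```

What the simulation makes visible is that the MAC check alone passes both `ap-mac-spoof` and `ap-pkt-spoof`; only the round trip separates them, and it does so without the access point ever learning the authentication string, because the access point sees only ciphertext under the server public key and the reply never passes through it. A deployment would keep each outstanding authentication string paired with the access point it was sent through, since the text has the scanner continue until the second list is exhausted, and would use padded RSA or an authenticated channel rather than the textbook construction used here.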
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Mobile Radio Communication Systems (AREA)
- Computer And Data Communications (AREA)
Abstract
The present invention relates to a system and a method for authorising an access point in a network without the participation of a client device. The invention identifies (10) and lists only an access point having the same SSID as the network (11), and then checks the access point for the validity of its MAC address (20). Only an access point with a valid SSID and a valid MAC address is given an authentication string (30). The authentication string and a scanner public key are encrypted with a server public key in a scanner (800) (40). The scanner (800) then sends the encrypted authentication string and the encrypted scanner public key to a server (900) via the access point (50) so that they can be decrypted. The server (900) then encrypts the authentication string with the decrypted scanner public key (45) and sends the encrypted authentication string to the scanner (800) (55). The scanner (800), on receiving the encrypted authentication string, decrypts it with the scanner private key (65) and compares the decrypted string (70) with the authentication string as it was before the encryption and decryption process. If a match is found, the access point is authorised and may have overcome three spoofing attacks in the network.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
MYPI2013702354A MY178188A (en) | 2013-12-04 | 2013-12-04 | System and method for authorising an access point in a network |
MYPI2013702354 | 2013-12-04 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2015084152A1 true WO2015084152A1 (fr) | 2015-06-11 |
Family
ID=51688378
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/MY2014/000173 WO2015084152A1 (fr) | 2013-12-04 | 2014-06-12 | Système et procédé d'autorisation de point d'accès dans un réseau |
Country Status (2)
Country | Link |
---|---|
MY (1) | MY178188A (fr) |
WO (1) | WO2015084152A1 (fr) |
2013
- 2013-12-04 MY MYPI2013702354A patent/MY178188A/en unknown
2014
- 2014-06-12 WO PCT/MY2014/000173 patent/WO2015084152A1/fr active Application Filing
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7965842B2 (en) | 2002-06-28 | 2011-06-21 | Wavelink Corporation | System and method for detecting unauthorized wireless access points |
US20050141498A1 (en) * | 2003-10-16 | 2005-06-30 | Cisco Technology, Inc | Network infrastructure validation of network management frames |
US20080141369A1 (en) * | 2005-01-26 | 2008-06-12 | France Telecom | Method, Device and Program for Detecting Address Spoofing in a Wireless Network |
EP1932294B1 (fr) | 2005-10-05 | 2013-08-21 | Alcatel Lucent | Detection de point d acces defectueux dans les reseaux sans fil |
EP2372971A1 (fr) * | 2010-03-30 | 2011-10-05 | British Telecommunications Public Limited Company | Procédé et système d'authentification d'un point d'accès |
EP2600648A1 (fr) | 2011-11-30 | 2013-06-05 | British Telecommunications public limited company | Détection d'un point d'accès sans fil non autorisé |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20170265081A1 (en) * | 2016-03-14 | 2017-09-14 | Fujitsu Limited | Wireless communication device, wireless communication method, and computer readable storage medium |
US10638323B2 (en) * | 2016-03-14 | 2020-04-28 | Fujitsu Limited | Wireless communication device, wireless communication method, and computer readable storage medium |
US10798125B2 (en) * | 2016-10-27 | 2020-10-06 | Reliance Jio Infocomm Limited | System and method for network entity assisted honeypot access point detection |
CN115022099A (zh) * | 2022-08-09 | 2022-09-06 | 北京华云安软件有限公司 | 基于udp传输协议的身份认证方法和系统 |
Also Published As
Publication number | Publication date |
---|---|
MY178188A (en) | 2020-10-06 |
Similar Documents
Publication | Title |
---|---|
US8418252B2 (en) | Intelligent network interface controller |
US7877805B1 (en) | Apparatus, method and computer program product for detection of a security breach in a network |
US9619946B2 (en) | Securely providing diagnostic data from a vehicle to a remote server using a diagnostic tool |
US20110179267A1 (en) | Method, system and server for implementing security access control |
US20090031399A1 (en) | Method and Apparatus for Content Based Authentication for Network Access |
US9755824B2 (en) | Power line based theft protection of electronic devices |
CN1901452A (zh) | 用于网络单元认证的多层次和多因素安全证书管理 |
CN108712364B (zh) | 一种sdn网络的安全防御系统及方法 |
EP1995908B1 (fr) | Procédé, système, appareil et entité à fonction de service d'amorçage aux fins de prévention d'attaques |
Daily et al. | Securing CAN traffic on J1939 networks |
WO2015084152A1 (fr) | Système et procédé d'autorisation de point d'accès dans un réseau |
US20210099875A1 (en) | Offloaded sensor authentication for internet of things |
CN107968777B (zh) | 网络安全监控系统 |
KR101663935B1 (ko) | 피싱 및 파밍 방지 시스템 및 방법 |
KR101424916B1 (ko) | M2m 서비스를 제공하는 에어 프로텍터 서버 및 그 동작 방법 |
US20060075229A1 (en) | Method and apparatus for maintaining a communications connection while guarding against bandwidth consuming attacks |
CN117579403B (zh) | 一种可信应用接入的装置 |
JP2003143126A (ja) | セキュリティ保持方法及びその実施システム並びにその処理プロセス |
CN111131200B (zh) | 网络安全性检测方法及装置 |
AU2021106427A4 (en) | System and Method for achieving cyber security of Internet of Things (IoT) devices using embedded recognition token |
KR101393180B1 (ko) | 패킷 워터마킹을 통한 로그 ap 탐지 방법 및 시스템 |
KR101627281B1 (ko) | 사설 dns 시스템 및 그 운영 방법 |
Mishra et al. | Designing a secure network interface by thwarting mac spoofing attacks |
US20120131169A1 (en) | System and method for controlling an un-addressable network appliance |
CN118200036A (zh) | 网络安全隔离方法、装置、计算机设备和存储介质 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14781957; Country of ref document: EP; Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 14781957; Country of ref document: EP; Kind code of ref document: A1 |