A scheme for authentication and dynamic key exchange in wireless networks

Abstract

Despite significant shortcomings in the initial security architecture, 802.11 wireless LANs have experienced explosive growth in recent years. Ongoing work in IEEE standards bodies is currently attempting to fix these shortcomings. One specific topic that has received extensive attention is how to enable these networks to authenticate users and to dynamically establish per-user per-session cryptographic keys. The IEEE 802.1x Port-Based Access Control standard, which formalizes a new EAP-over-LAN (EAPOL) protocol, has emerged as the preferred way to achieve this. The EAPOL protocol employs the extensible authentication protocol (EAP), standardized by the Internet Engineering Task Force, to allow the use of existing and new authentication methods and authentication, authorization, and accounting (AAA) infrastructure. In this paper we present a new EAP scheme — called shared key exchange (SKE) — suitable for use in 802.11 private or public access wireless LANs. The scheme relies on secure pre-shared secret keys in wireless LAN mobile nodes devices and AAA servers. When instantiated with relatively minor changes to RADIUS and EAP, the resulting protocol is provably secure and offers a full set of security features. A second, simplified protocol results from minimal modifications to existing RADIUS and EAP standards, but it provides a lower level of security. Both protocols efficiently support roaming scenarios wherein an end user roams across different networks and requires frequent re-authentication with low latency. The protocols can easily be extended to support migration to new AAA protocols such as DIAMETER.