
Publication


Featured research published by Changguang Wang.


Archive | 2009

Adaptive Security Policy

Jianfeng Ma; Changguang Wang; Zhuo Ma

The rapid development and extensive application of computer networks have brought new challenges to the information security, especially the network security. The traditional static security model and a single security policy cannot solve the problems incurred by the complicated network structure and various intrusion patterns. As a result, it is required to study the security adaptability on the architecture level. Based on the analysis of the adaptive security policy of WLAN, a framework of the adaptive security architecture of WLAN is proposed. The management and the security intelligent reasoning module are mainly studied in this framework. Based on this, the policy-based security management framework of WLAN and its implementation process are proposed. A reasoning method for WLAN security situation assessment and a decision-making process to achieve the WLAN adaptive security policy are also provided.


Archive | 2009

Security Protocols in WLAN Mesh

Jianfeng Ma; Changguang Wang; Zhuo Ma

WLAN mesh, the technological extension of WLAN, solves WLAN's problems of limited coverage, relatively low bandwidth, etc., and has a promising prospect. Due to its characteristics and advantages of flexible networking, auto-configuration, high mobility, and fitness for backbone networks, a wireless mesh network can provide fast, secure and reliable services. In this chapter, based on the analysis of mesh authentication protocols, an identity-based authentication protocol is proposed. Considering that fast handoff and roaming of mesh devices are not supported by the existing access authentication protocols in WLAN mesh, and that the demand of users for identity protection is not satisfied in the roaming process, a comprehensive solution for secure access to the WLAN mesh network is given. The proposed access authentication protocol needs only four rounds to realize the authentication and key confirmation, without the necessity of a four-way handshake for the key confirmation; based on this, the MP (Mesh Point) fast handoff and roaming authentication protocols are provided. The provable security analysis and performance simulation using NS2 show that the proposed protocols are universally composable, and that they perform better than the existing ones. Finally, a simple mesh authentication system is designed and implemented for the purpose of verification and realization of authentication schemes in the wireless mesh network.


Archive | 2009

Authenticated Key Exchange Protocol

Jianfeng Ma; Changguang Wang; Zhuo Ma

WLAN is characterized by high data rates and mobility. Among the current security technologies, Internet Protocol Security (IPSec) is applied to all Internet communications as a security solution. It is an extensible and complete network security program, which can protect the protocols operating in the upper layer. However, there are some problems in transferring IPSec to WLAN, especially for the key exchange protocols. This chapter first introduces the IKEv2 protocol, which is a popular IPSec key exchange protocol. Nevertheless, IKEv2 cannot be used in WLAN directly. Then a new WLAN key exchange protocol called WIKE, which is based on IKEv2, is proposed. The formal method for provably secure key exchange protocols, the Canetti-Krawczyk (CK) model, is analyzed. We also discuss the relationship between the security definitions of the CK model and the security properties of the key exchange protocol, and expand the CK model to make up for its deficiency that forward secrecy is missing for an identity-based system.


Archive | 2009

Security Access Protocol

Jianfeng Ma; Changguang Wang; Zhuo Ma

To protect information resources against unauthorized users, encryption and authentication are the most commonly used security technologies. Authentication ensures that only authorized users can access the resources in the system. It is difficult to design a secure protocol satisfying the security objective, and the execution of the protocol consumes certain computation and communication resources. Thus, the security access protocol plays a very important role in resource-constrained wireless networks. This chapter analyzes and improves the security protocol of WAPI, provides an improved scheme which is compatible with WAPI and IEEE 802.11i, and gives a self-certified public key based authentication and key agreement protocol in WAPI.


Archive | 2009

Security Architecture Framework

Jianfeng Ma; Changguang Wang; Zhuo Ma

The explosive growth in the deployment of WLAN has ignited serious concern about WLAN security. WLAN security is facing a series of challenges, such as the broadcast nature of wireless channels, user mobility, the heterogeneity of terminal devices, and the integration of WLAN with other networks. In this chapter, a study of WLAN security architecture is developed. Firstly, an overview of security attacks and requirements in WLAN is given. Then, a WLAN security architecture based on management is presented, which consists of three management layers: mobile terminal security platform, integrated WLAN access management platform, and WLAN security management platform. The existing WLAN security access architectures, i.e. WEP, 802.1X, WPA, 802.11i, WAPI, and others are continued. Finally, to cope with the heterogeneity of security solutions, the integrated security authentication architecture for mobile terminals is proposed. Its feasibility is verified through realizing the software system.


Archive | 2009

Evaluation Method of Security Performance

Jianfeng Ma; Changguang Wang; Zhuo Ma

The defense effect of WLAN security architecture can be evaluated by Quality of Security Service (QoSS), which indicates the quality level of the security service. The principal factor restricting security systems to provide high level security is the cost of security services, involving the influences of security on other Quality of Service (QoS) indicators. The users’ satisfaction degree refers to users’ security demands and the comparison between anticipated security service value and the factual value computed by QoSS of the security information system. This chapter proposes a fuzzy assessment method based on entropy-weight coefficient aiming at the randomness and fuzziness of WLAN attacks. The method performs quantitative evaluation of threats in WLAN from the perspective of probability, which eliminates subjectivity in the evaluation and makes the results more objective and authentic.


Archive | 2009

Privacy Protection for WLAN

Jianfeng Ma; Changguang Wang; Zhuo Ma

Personal privacy involves personal information, personal activities and personal areas, among which the privacy of personal information is one of the core contents. It decides the development of the future mobile e-commerce and e-government. In this chapter, anonymity, a key technology to realize the privacy protection, is discussed. It is a very important feature for the WLAN security. The anonymity in WLAN is different from that in wired networks, which involves the identification anonymity, location anonymity, communication anonymity, action anonymity, and so forth. This chapter is a further study on the WLAN anonymity from the aspects of the anonymous connection method, and universally composable secure anonymous model. As for the anonymity connection, combined with the ESP protocol and AH protocol in IPSec and using the agent function of the Foreign Agent (FA) and Home Agent (HA) in Mobile IP, a WLAN anonymous schedule based on IPSec is introduced, which provides a mutual and real-time WLAN anonymous communication. It can efficiently prevent the traffic analysis attack in WLAN. Finally, an anonymous Hash certification ideal functionality and a more universal certificate CA model are proposed. We define the security requirements and security notions for this model in the framework of universally composable security and prove in the plain model (not in the random-oracle model) that these security notions can be achieved using combinations of a secure digital signature scheme, a symmetric encryption mechanism, a family of pseudorandom functions, and a family of one-way collision-free Hash functions.


Archive | 2009

Architecture of Trusted Terminal

Jianfeng Ma; Changguang Wang; Zhuo Ma

In the traditional client-server architecture, the server is the focus of security, while the huge number of terminals receives relatively little consideration. Through the practice of information security, people have realized that the security problem mainly comes from network terminals. To ensure the source security of network terminals, the solution must be considered comprehensively across the chips, hardware architectures, operating systems, etc., which gave rise to the original idea of Trusted Computing (TC). TC binds a trusted platform module (TPM) to the terminal to ensure the security of the client, by which a trusted chain is established to protect the whole system and network. In this section, we introduce the TC technology, TC framework, trusted platform module, and trusted mobile platform. In particular, we research the TC-based client security architecture, and indicate that the key point is a secure operating system which can support TC. Finally, a comparison among the secure kernel based, micro kernel based, and virtual machine based terminal architectures is proposed.


Archive | 2009

Architecture of Trusted Network Connect

Jianfeng Ma; Changguang Wang; Zhuo Ma

Based on the TNC architecture and combined with the trusted mobile platform architecture, the Trusted Mobile IP platform (TMIP) framework is proposed. This framework realizes the consistency between the trusted terminal and trusted network. It also gives a logical structure for the implementation of a trusted mobile terminal and trusted network. Meanwhile, a TPM-based architecture for mobile devices accessing a trusted network is put forward. The architecture, by taking advantage of the feature of the security protection and TTP, achieves the mutual authentication and trust verification between the mobile device and the trusted network access point, which is based on the trust boot of mobile devices. The trusted network access point makes its decision according to the verification results to isolate the mobile device from the trusted network, or add it into the different trust domains according to its security level.


Archive | 2009

Security Protocols for Fast BSS transition

Jianfeng Ma; Changguang Wang; Zhuo Ma

Along with the rapid deployment of WLAN, the density of wireless APs will increase dramatically. In this circumstance, the continuity of service requires the wireless system to provide enough credence for those frequent handoffs among different base stations. Taking audio services over WLAN for example, it should be guaranteed that the mobile client devices can establish a new association with another AP as soon as possible after they terminate the connection with the former one. The latency derived from a handoff process is composed of three parts: time for probing and detection, authentication, and service re-association. If the latency exceeds 50 ms, the interruption will be clearly audible. Nevertheless, the latency in the present IEEE 802.11 network is usually several hundred milliseconds on average, which may lead to negative influences, such as occasional transmission interruption, connection loss, deteriorated audio quality, and so forth. Therefore, the fast handoff protocol plays an essential part in the extensive deployment of audio services over IEEE 802.11 networks. In this chapter, based on a close scrutiny of IEEE 802.11r, which specifies fast handoff among APs in a WLAN ESS, the security protocols used are presented. To make up for the deficiency in DoS-resilience of the scheme in the standard, we propose two new secure fast handoff schemes, which are MIC based and Hash chain based. At last, we present the secure and fast handoff solution based on location. This solution is characterized by the following functions: QoS guaranteeing, location probing, and location-based fast switching.
