Visible to the public The improvement of wireless LAN security authentication mechanism based on Kerberos

TitleThe improvement of wireless LAN security authentication mechanism based on Kerberos
Publication TypeConference Paper
Year of Publication2018
AuthorsMa, Y., Ning, H.
Conference Name2018 International Conference on Electronics Technology (ICET)
Keywords802.1X / EAP authentication protocol, asymmetric key encryption method, authentication, authentication server, computer network security, cryptographic protocols, cryptography, dictionary attacks, EAP, EAP-TLS authentication protocol, Human Behavior, KEAP protocol, Kerberos, Kerberos extensible authentication protocol, Kerberos protocol authentication, man-in-the-middle attack, message sequence number, message serial number, Metrics, OPNET simulation, password, Protocols, pubcrawl, public key cryptography, public key encryption, replay attacks, request message, Resiliency, retransmission message, Servers, transfer message, vulnerable password guessing attacks, wireless LAN, wireless LAN security authentication mechanism

In order to solve the problem of vulnerable password guessing attacks caused by dictionary attacks, replay attacks in the authentication process, and man-in-the-middle attacks in the existing wireless local area network in terms of security authentication, we make some improvements to the 802.1X / EAP authentication protocol based on the study of the current IEEE802.11i security protocol with high security. After introducing the idea of Kerberos protocol authentication and applying the idea in the authentication process of 802.1X / EAP, a new protocol of Kerberos extensible authentication protocol (KEAP) is proposed. Firstly, the protocol introduces an asymmetric key encryption method, uses public key encryption during data transmission, and the receiver uses the corresponding private key for decryption. With unidirectional characteristics and high security, the encryption can avoid password guessing attacks caused by dictionary attacks as much as possible. Secondly, aiming at the problem that the request message sent from the client to the authentication server is vulnerable to replay attacks, the protocol uses a combination of the message sequence number and the random number, and the message serial number is added to the request message sent from the client to the authentication server. And establish a list database for storing message serial number and random number in the authentication server. After receiving a transfer message, the serial number and the random number are extracted and compared with the values in the list database to distinguish whether it is a retransmission message. Finally, the protocol introduces a keychain mechanism and uses an irreversible Hash function to encrypt the final authentication result, thereby effectively solving the man-in-the-middle attack by the pretender. The experiment uses the OPNET 14.5 simulation platform to model the KEAP protocol and simulate simulation attacks, and compares it with the current more common EAP-TLS authentication protocol. Experimental results show that the average traffic of the KEAP protocol is at least 14.74% higher than the EAP-TLS authentication protocol, and the average bit error rate is reduced by at least 24.00%.

Citation Keyma_improvement_2018