The Journal of Korean Institute of Communications and Information Sciences (한국통신학회논문지)

The Korean Institute of Commucations and Information Sciences (한국통신학회)
권호 표지
DOI QR코드

DOI QR Code

A Method of Authenticating WLAN APs for Smartphones

스마트폰을 위한 무선 AP 인증 방법

  • 신동오 (인하대학교 컴퓨터정보공학과 정보호호연구실) ;
  • 강전일 (인하대학교 컴퓨터정보공학과 정보호호연구실) ;
  • 양대헌 (인하대학교 컴퓨터정보공학과 정보호호연구실) ;
  • 이석준 (한국전자통신연구원 사이버보안연구본부) ;
  • 이경희 (수원대학교 전기공학과)
  • Received : 2013.12.05
  • Accepted : 2014.01.08
  • Published : 2014.01.31
Download PDF
⟨ Previous Next ⟩

Abstract

The increase of smartphone users have made mobile carriers offload increasingly congested traffic of 3/4G by providing Wi-Fi hot-spots in the public places such as coffee shops and subway stations. In the traditional authentication in WLAN, the users should convince the service providers that they are valid customers before they use WLAN services. Since the authentication protocol is designed for service providers. Even with the mutual authentication based on the IEEE 802.1X, which is supported by IEEE 802.11 standard, it is difficult to be convinced of that the service providers really have installed the WLAN APs, which users are confronted with. An attacker can install rogue APs that masquerade as legitimate APs by copying the SSID, MAC address, etc. in order to obtain users' private information. In this paper, we introduce a method of authenticating legitimate APs for smartphone users. And we show our proposal can be well utilized for the current Wi-Fi hot-spots as a security plug-in and prove it through our experiments.

스마트폰 사용자의 증가는 이동 통신사업자에게 커피숍, 지하철과 같은 공공장소에 와이파이 핫스팟을 제공함으로써 폭증하는 3/4G 트래픽을 분산시키는 노력을 하게 하였다. 전통적인 무선랜에서의 인증은 서비스 제공자측면에서 설계되었기 때문에, 서비스 이용자는 서비스 제공자에게 자신이 고객임을 증명하는 방식으로 이루어진다. 802.11 표준에서는 802.1X를 이용한 상호인증이 지원되지만, 서비스 이용자는 자신이 접속하려는 무선 AP가 정말 서비스제공자가 설치한 것인지 확인하는 것은 어렵다. 공격자는 사용자들의 개인 정보를 얻어내기 위하여 서비스 제공자가 설치한 AP와 동일한 SSID를 가진 위장 AP를 설치할 수 있다. 이 논문에서는 스마트폰 사용자 입장에서 정상적인 무선 AP를 인증하는 기법에 대해 소개한다. 그리고 이 논문의 제안이 이미 제공된 와이파이 핫스팟에서 보안 플러그인 형태로 잘 동작할 수 있음을 보이고, 이를 실험을 통해 증명한다.

Keywords

References

  1. Editors of IEEE 802.11, "Wireless LAN medium access control (MAC and physical layer (PHY) specification, draft," Standard IEEE 802.11, 1997.
  2. I. Kim, J. Cho, T. Shon, and J. Moon, "A method for detecting unauthorized access point over 3G network," J. The Korea Institute of Information Security & Cryptology(JKIISC), vol. 22, no. 2, pp. 259-266, Apr. 2012.
  3. S. Kang, D. Nyang, J. Choi, and S. Lee, "Relaying rogue AP detection scheme using SVM," J. The Korea Institute of Information Security & Cryptology(JKIISC), vol. 23, no. 3, pp. 431-444, Jun. 2013. https://doi.org/10.13089/JKIISC.2013.23.3.431
  4. H. Han, B. Sheng, C. C. Tan, Q. Li, and S. Lu, "A measurement based rogue ap detection scheme," in Proc. INFOCOM, pp. 1593-1601, Rio de Janeiro, Brasil, Apr. 2009.
  5. H. Han, B. Sheng, C.C. Tan, Q. Li, and S. Lu, "A timing-based scheme for rogue AP detection," IEEE Trans. Parallel and Distributed Syst., vol. 22, no. 11, pp. 1912-1925, Nov. 2011. https://doi.org/10.1109/TPDS.2011.125
  6. A. J. Nicholson, Y. Chawathe, M. Y. Chen, B. D. Noble, and D. Wetherall, "Improved access point selection," in Proc. MobiSys '06, pp. 233-245, NY, Jun. 2006.
  7. D. Denning and P. Macdoran, "Location-based authentication: Grouding cyberspace for better security," Computer Fraud & Security, vol. 2, pp. 12-16, Feb. 1996.
  8. H. Takamizawa and K. Kaijiri, "A web authentication system using location information from mobile telephones," in Proc. IASTED Int'l Conf. Web-based Education, pp. 31-36, Phuket, Thailand, Mar. 2009.
  9. F. Zhang, A. Kondoro, and S. Muftic, "Location-based authentication and authorization using smart phones," in Proc. Trust, Security and Privacy in Computing and Commun. (TrustCom), pp. 1285-1292, Liverpool, UK, Jun. 2012.
  10. Korea Internet & Security Agency, Wireless LAN security guide, Dec. 2011.
  11. SKT, T Wi-Fi zone, Retrieved Dec., 5, 2013, from http://www.twifi.co.kr/.
  12. KT, olleh Wi-Fi zone, Retrieved Dec., 5, 2013, from http://zone.wifi.olleh.com/.
  13. LG U+, U+ Wi-Fi zone, Retrieved Dec. 5, 2013, from http://www.wifiworld.co.kr/main.s2.
  14. Daum DNA Developer Network, Local API, Retrieved Dec. 5, 2013, from http://dna.daum.net/apis/local.
  15. Naver Developer Center, Map API, Retrieved Dec. 5, 2013, from http://developer.naver.com/wiki/pages/MapAPI.
  16. Google Developers, Google Maps API, Retrieved Dec. 5, 2013, from https://developers.google.com/maps/.
  17. IEEE Report 802.11-03/845r1. (2003). Receiver sensitivity tables for MIMO-OFDM 802.11n, Nov. 2003.
  18. J. M. Keenan, and A. J. Motley, "Radio coverage in buildings," J. British Telecom Technol., vol. 8, no. 1, pp. 19-24, Jan. 1990.
  19. B. Schneier, Applied Cryptography, Second Edition, John Wiley & Sons, 1996.
  20. E. Spafford, "Opus: Preventing weak password choices," Computer and Security, vol. 11, pp. 273-278, May 1992. https://doi.org/10.1016/0167-4048(92)90207-8
  21. Y. Maeng, K. Kang, D. Nyang, and K. Lee, "On nessage length efficiency of two security schemes using bloom filter", KIPS Trans.: Part C, vol. 19C, no, 3, pp. 173-178, Jun. 2012. https://doi.org/10.3745/KIPSTC.2012.19C.3.173
  22. S. von Watzdorf and F. Michahelles, "Accuracy of positioning data on smartphones," in Proc. 3rd Int'l Workshop on Location and the Web (LOCWEB), Article no. 2, NY, USA, Nov. 2010.
  23. Ministry of Science, ICT and Future Planning, Plan to increase the number of public Wi-Fi zones to 12,000 by 2017, Retrieved Jul., 12, 2013, from http://www.msip.go.kr.