Visible to the public WI-FAB: Attribute-based WLAN Access Control, Without Pre-shared Keys and Backend Infrastructures

TitleWI-FAB: Attribute-based WLAN Access Control, Without Pre-shared Keys and Backend Infrastructures
Publication TypeConference Paper
Year of Publication2016
AuthorsPisa, Claudio, Caponi, Alberto, Dargahi, Tooska, Bianchi, Giuseppe, Blefari-Melazzi, Nicola
Conference NameProceedings of the 8th ACM International Workshop on Hot Topics in Planet-scale mObile Computing and Online Social neTworking
PublisherACM
Conference LocationNew York, NY, USA
ISBN Number978-1-4503-4344-2
Keywordsattribute-based access control, attribute-based encryption, composability, linux operating systems security, Metrics, privacy preserving, pubcrawl, Resiliency, WLAN federation, WPA, WPA2
Abstract

Two mainstream techniques are traditionally used to authorize access to a WiFi network. Small scale networks usually rely on the offline distribution of a WPA/WPA2 static pre-shared secret key (PSK); security hence relies on the fact that this PSK is not leaked by end user, and is not disclosed via dictionary or brute-force attacks. On the other side, Enterprise and large scale networks typically employ online authorization using an 802.1X-based authentication service leveraging a backend online infrastructure (e.g. Radius servers/proxies). In this work, we propose a new mechanism which does not require neither online operation nor backend access control infrastructure, but which does not force us to rely on a static pre-shared secret key. The idea is very simple, yet effective: directly broadcast in the WLAN beacons an encrypted version of the secret key required to access the WLAN network, so that only the users which possess suitable authorization credentials can decrypt and use it. This proposed approach clearly decouples the management of authorization credentials, issued offline to the authorized end users, from the actual secret key used in the WLAN network, which can thus be in principle changed at each new user's access. The solution described in the paper relies on attribute-based encryption, and is designed to be compatible with WPA2 and deployable within standard 802.11 management frames. Since no user identification is required (access control is based on attributes rather than on the user identity), the proposed approach further improves privacy. We demonstrate the feasibility of the proposed solution via a concrete implementation in Linux-based devices and via relevant testing in a real-world experimental setup.

URLhttp://doi.acm.org/10.1145/2944789.2949546
DOI10.1145/2944789.2949546
Citation Keypisa_wi-fab:_2016