Biblio

The Internet Protocol Version 6 (IPV6) proposed to replace IPV4 to solve scalability challenges and improve quality of service and security. Current implementation of IPv6 uses static value that is determined from the Media Access Control (MAC) address as the Interface Identifier (IID). This results in a deterministic IID for each user that is the same regardless of any network changes. This provides an eavesdropper with the ability to easily track the physical location of the communicating nodes using simple tools, such as ping and traceroute. Moreover, this address generation method provides a means to correlate network traffic with a specific user which can be achieved by filtering the IID and traffic analysis. These serious privacy breaches need to be addressed before widespread deployment of IPv6. In this paper we propose a privacy-enhanced method for generating IID which combines different network parameters. The proposed method generates non-deterministic IIDs that is resistance against correlation attack. We validate our approach using Wireshark, ping and traceroute tools and show that our proposed approach achieves better privacy compared to the existing IID generation methods.

Two mainstream techniques are traditionally used to authorize access to a WiFi network. Small scale networks usually rely on the offline distribution of a WPA/WPA2 static pre-shared secret key (PSK); security hence relies on the fact that this PSK is not leaked by end user, and is not disclosed via dictionary or brute-force attacks. On the other side, Enterprise and large scale networks typically employ online authorization using an 802.1X-based authentication service leveraging a backend online infrastructure (e.g. Radius servers/proxies). In this work, we propose a new mechanism which does not require neither online operation nor backend access control infrastructure, but which does not force us to rely on a static pre-shared secret key. The idea is very simple, yet effective: directly broadcast in the WLAN beacons an encrypted version of the secret key required to access the WLAN network, so that only the users which possess suitable authorization credentials can decrypt and use it. This proposed approach clearly decouples the management of authorization credentials, issued offline to the authorized end users, from the actual secret key used in the WLAN network, which can thus be in principle changed at each new user's access. The solution described in the paper relies on attribute-based encryption, and is designed to be compatible with WPA2 and deployable within standard 802.11 management frames. Since no user identification is required (access control is based on attributes rather than on the user identity), the proposed approach further improves privacy. We demonstrate the feasibility of the proposed solution via a concrete implementation in Linux-based devices and via relevant testing in a real-world experimental setup.