location based security


8/14/2019 Location Based Security, 1/6

No Long-term Secrets: Location-based Security in Overprovisioned Wireless LANs

    Daniel B. Faria

[email protected], Computer Science Department

    Stanford University

    David R. Cheriton

[email protected], Computer Science Department

    Stanford University

    ABSTRACT

Current wireless access control solutions make use of long-term secrets, such as user passwords and private keys, incurring non-trivial management costs while being incapable of defining physical limits for wireless coverage. In this paper we describe an architecture that replaces long-term secrets with overprovisioning, using higher densities of access points in order to provide location-based access control. We show that network administrators can define geographical boundaries for wireless coverage, serving clients with little management overhead while imposing impractical resource demands on attackers outside the intended coverage area.

    1. INTRODUCTION

Providing suitable security with low management overhead has been the major challenge when deploying wireless LANs. Consider the problem of controlling access to a LAN (wired or wireless) located inside a physically secure enterprise building, protected for example by fences and personal badges. All clients located inside the building are considered within the intended service area (SA) and should be granted access to the network, given the screening already performed at the building entrances. With a wired network, distinct access control levels can be easily implemented by leveraging the different levels of physical security. For instance, sensitive ports are inherently protected inside the building, and can accept any plugged device; public ports in cafeterias and other outdoor facilities provide users with external views of the network, properly safeguarded by firewalls.

A wireless LAN constitutes a more challenging scenario. The broadcast nature of the wireless medium extends network connectivity beyond physical boundaries, creating the need for an extra mechanism to limit network usage.

In this paper we focus on the problem of limiting wireless coverage to a geographical area, bringing the access control problem in wireless LANs closer to the wired world. Current wireless security mechanisms do not address this problem; connectivity is limited to a set of users able to prove their identities through the use of long-term secrets (e.g. user passwords or private keys), independently of their physical location. As a consequence, a user inside the intended service area is indistinguishable from an attacker accessing the network from outside the building using a compromised credential. Moreover, the use of long-term secrets incurs additional management costs. While users have to manage and protect multiple identities used for different domains, network administrators are responsible for granting access to new users through certificates or passwords, providing timely revocation, and in the case of a local PKI, keeping the certification authority's private key protected to the highest possible degree.

We propose an architecture that is able to impose geographical boundaries for wireless coverage, effectively controlling access to the network with minimal management overhead. We refer to our approach as Key-independent Wireless Infrastructure (KIWI). The philosophy behind KIWI is simple: overprovision the desired service area with access points and implement location-based access control by requiring proximity between clients and access points. Connectivity is limited to the targeted SA through the use of short-range authentication and robust localization. During an authentication handshake, a device needs to prove its proximity to one of the APs, not its (or its owner's) identity. The removal of identity-based authentication eliminates the need for long-term secrets, considerably decreasing management costs while enabling instantaneous connectivity to visitors escorted into the protected infrastructure. The localization system is used to track authenticated devices (which can have their sessions terminated upon exiting the SA) and to locate rogue access points or other devices implementing active attacks against the network.

    We argue that our architecture and its services are:

(i) viable. We show that due to lower management costs, KIWI installations incur costs comparable to standard installations while enabling location-based security and providing higher capacity and robustness.


(ii) sufficient for physically protected installations. We demonstrate that clients within the SA and provisioned with off-the-shelf wireless cards authenticate successfully and can be accurately located. Moreover, we show that resource requirements placed on external attackers (e.g. additional antenna gain) increase with higher separation from the SA and rapidly achieve impractical levels.

(iii) necessary. KIWI enables network administrators to define geographical boundaries for wireless coverage while allowing the network to react to incidents that demand physical action, such as the introduction of rogue access points.

    2. KIWI

    2.1 Architecture

Organization. In a KIWI network, access points (APs) are simple devices controlled by a centralized wireless appliance (WA). The WA is responsible for tasks such as channel assignment, load balancing, and transmission power control. In terms of functionality, the demands put on the APs are modest, with most of the services performed by the WA. Effectively, APs are simply remote radio interfaces; in an 802.11 network, APs would handle control frames and forward management and (encrypted) data frames to the WA. Our ideas closely follow the design of industry standards such as LWAPP [3], and the philosophy is the same: make access points as cheap and simple as possible and place most of the functionality in the WA, which is computationally more powerful.

For the purposes of this paper, this architecture possesses three important properties. First, the lower AP prices allow for faster and cheaper deployment. Instead of performing a site survey to determine the best location for a few access points, the administrator can increase the number of APs and install them in a uniform fashion (e.g. a grid). Second, the higher density of access points decreases the average distance between clients and APs, increasing communication quality and decreasing undesired coverage outside the service area. Finally, it allows for a localization system to achieve better accuracy, given the increased number of vantage points.

Test scenario. As an evaluation scenario we employ in this paper a standard 70x70m (approx. 52,000 s.f.) enterprise building with IEEE 802.11 access points. As in most enterprise campuses, we assume access to the building to be physically controlled, i.e. some form of screening (e.g. through user badges) is performed at the building entrances. The intended service area encompasses the interior of the building.

    2.2 Service model

KIWI aims to provide services similar to those provided by IEEE 802.1X/EAP in wireless networks [2]:

Network access control. KIWI provides a set of services that are used by the network to decide whether or not to relay the frames sent by a given wireless device. Note that, like other WLAN security solutions, KIWI does not attempt to provide end-to-end security, just control access to a resource (in this case, the wireless links). Application-level security and services that require end-to-end protection should still rely on mechanisms such as SSL, SSH, and IPSec, and thus on long-term secrets.

Authentication, the act of verifying the authenticity of some assertion (e.g. someone's identity or location), is frequently used as a means for access control decisions. Common identity-based mechanisms authenticate a user by verifying the knowledge of some secret believed to be known only by the party in question. Despite the fine granularity, when used to control the access to a wireless network, such mechanisms are generally employed to make a simple binary decision: whether or not to allow the user to enjoy network connectivity. KIWI exploits the fact that in physically secure installations, such a decision has already been made at the entrances.

Last-hop privacy and data integrity. A client that is granted access to the network should be provided with short-term keys to be used to encrypt and protect the integrity of packets sent over the wireless link. Such services are needed to avoid eavesdropping or traffic injection by unauthorized devices. As in several other protocols, KIWI generates fresh key material through standard Diffie-Hellman operations. These keys are then passed to a lower-level mechanism (e.g. the next version of WEP) to protect the traffic sent over the wireless link during the established session.

    2.3 Short-range authentication

Objective. The objective of the authentication handshake is to limit wireless coverage to the intended service area. Specifically, it imposes a maximum range R for authentication, a function of the density and placement of access points. I.e., clients located more than R meters from their closest APs should not be able to complete the handshake successfully. For instance, with access points in a 10-meter grid, the WA can target to use R = 10 m. The increased number of access points decreases the maximum separation between client and APs, allowing for lower values for R and decreased coverage outside the SA.

Handshake. The authentication handshake is shown in figure 1. During an authentication round, which can happen periodically or be triggered by clients seeking authentication, the WA selects one access point to act as transmitter. Over the course of several messages, the WA broadcasts through the selected AP a set of n random nonces (N[1..n]), which are created fresh and are unpredictable to clients. In order to successfully complete the authentication handshake, a client only needs to prove to the server that it correctly received all the nonces. To do so, it computes a secure hash H (e.g. using SHA-1) of the random stream and encrypts it with a session key k which is generated by the underlying Diffie-Hellman (DH) key exchange. (In the figure, x is short for $g^x \bmod p$; k and the session keys are derived from the DH shared secret: $g^{xy} \bmod p$.)

Figure 1: Key exchange.

    AP/WA -> Client:   N1
    AP/WA -> Client:   N2 ...
    AP/WA -> Client:   Nn, y
    Client -> AP/WA:   x, Ek(H(N[1..n]||x||y))
    AP/WA -> Client:   Ek(H(N[1..n]||y||x))

Nonce messages are sent by APs without CRCs and are not retransmitted by the link layer. The lack of CRCs prohibits a receiver from acquiring extra information about the payload. For example, a receiver is unable to discover which bits have been corrupted, even if the number is small. The WA avoids retransmissions by sending nonces as link-layer broadcasts, which are not retransmitted [1].

The proof generated by the client is encrypted in order not to provide other clients with extra information about the nonces. Let M denote the concatenation of all the nonces. A client in close range receives M without bit errors, while an adversary far from the AP may be able to receive partial information; for example, it may gather a value M' which differs from M in b bits. If the hash (over M) were to be sent unencrypted, an attacker could locally search for the correct value based on its initial value M' and the hash transmitted by another client.

Principle of operation. The effectiveness of the presented protocol relies on a well-established property of the wireless channel: while signal strength is expected to oscillate in an environment-dependent way (due to reflection, diffraction, and scattering of waves), the average signal strength tends to decrease as a power-law function of the distance [6].

The quality of a wireless channel is a function of the signal-to-noise ratio (SNR), the difference between the strength of the intended signal and the noise in the environment. As the distance between client and AP increases, the SNR decreases due to the lowering signal strength. As the SNR drops below a certain threshold, a client can no longer decode messages without suffering from bit errors, thus becoming unable to complete the handshake. Therefore, the WA accepts a correct proof sent by a client as an indication of its physical proximity to the infrastructure.

Figure 2: Frame corruption vs. SNR. (Plot: corrupted packets (%) from 0 to 100 on the y-axis against SNR (dB) from 10 to 55 on the x-axis.)

To verify this property, we performed measurements with off-the-shelf IEEE 802.11a hardware. We used two laptop computers, one acting as transmitter and the other as receiver (both stationary). We then executed 73 measurement rounds, each consisting of 500 2000-byte raw 802.11 frames containing a random payload. All rounds were executed over the same channel, with the default transmission power, using the 54 Mbps mode, and with the receiver in promiscuous mode and ignoring CRC checks.

Figure 2 shows frame corruption as a function of the detected SNR level. As seen in the graph, the receiver experiences negligible frame corruption when SNR ≥ 30 dB. As the SNR decreases below this threshold, frame corruption increases rapidly, with corruption rates close to 100% when SNR


Figure 3: SNR outside the building. (Plot: SNR (dB) from 5 to 50 on the y-axis against attacker distance (m) from -10 to 80 on the x-axis, with the building wall marked at 0 m and two curves, alpha=2.0 and alpha=2.5, for propagation outside the building.)

free-space, signal strength decays as a function of the square of the distance; translating from Watts to a logarithmic scale (e.g. dBm) yields the so-called log-distance model [6]:

$$P_r(d) = P_t - L_0 - 10\,\alpha \log(d) \qquad (1)$$

where $P_r$ is the received power (in dBm), d is the distance in meters, $P_t$ is the transmission power (dBm), $L_0$ is the total signal attenuation 1 meter from the transmitter (dB), and $\alpha$ is known as the path loss exponent. Free-space propagation is equivalent to using equation 1 with $\alpha = 2$.

This model has been successfully used to model propagation within buildings [6, 5], with $\alpha$ values being strongly environment dependent and usually found empirically. In a KIWI installation, the high number of APs allows the system to autonomously find the best fit for $\alpha$.

Authentication in close range. As a consequence of the transmission power control, clients within the intended range enjoy high SNR levels (≥ 30 dB) and low probability of failing authentication. Let perr denote the probability of receiving an error frame; at 30 dB of SNR, figure 2 yields perr = 0.0142. If the WA sends 40 KB of random data divided into 20 frames, and if we assume uniformly distributed frame losses, a client completes the handshake successfully (all 20 frames intact, i.e. with probability (1 - perr)^20 ≈ 0.751) with probability higher than 0.75 when provided with SNR = 30 dB. Similarly, the probability of two consecutive failures lies below 0.07.

Demands on attackers. In order to cope with the weaker signal strength perceived outside the building, attackers have to increase their gain towards the access point broadcasting nonce messages. The lack of CRCs provides no information on whether the frames have been received correctly, so the attacker (as any other receiver) relies on the detected SNR values to decide whether to complete the handshake. The most cost-effective way for a receiver to increase SNR is to use an antenna with gain Gr > 0. For example, if provided with an SNR of 20 dB an attacker could use an antenna with 10 dBi of gain to achieve SNR = 30 dB and properly receive nonce messages.

After tens of meters outside the service area, the amount of gain needed by external receivers reaches impractical levels. Figure 3 plots SNR outside a building as a function of distance (the AP is located indoors at x = -10). The curve uses two path loss models; a higher $\alpha = 3$ value is used indoors ($x \in [-10, 0]$) while lower attenuation is assumed outside the building ($\alpha = 2$ or 2.5). We use 10 dB of attenuation to model the external wall, which agrees with published measurements [6]. Notice that clients within the intended range (indoors) achieve SNR ≥ 30 dB, a consequence of the power control mechanism. However, even assuming free-space propagation outside the building ($\alpha = 2$), the SNR drops below 5 dB 40 meters from the external wall. In this case, an attacker would need at least 20-25 dBi of gain to have a chance to complete the handshake (25 dBi would give him SNR = 30 dB).

Most antennas on the market provide gain below 15 dBi. Antennas with higher gains are usually not portable, precluding a stealthy approach to the SA. A fast online product search performed by the authors yielded a grid antenna with 23.5 dBi (weight = 9 lb, size = 32 in), a yagi antenna with 18 dBi (w = 8 lb, sz = 40 in), and a parabolic antenna providing 24 dBi (sz = 35 in). To make attacks even more complicated, these antennas only provide such high gain over narrow angles (5-10 degrees), meaning an external receiver needs to point its antenna exactly at the transmitting AP.

    2.4 Robust localization

Objective. The input to the localization system is a set of signal strength values for a given client, as estimated by the APs in the environment. The system has two main objectives. First, as it can be used in access control decisions, it aims at verifying whether or not the client in question is geographically located inside the intended service area. Second, clients inside the SA should be located accurately, enabling the infrastructure to react to high rates of invalid authentication requests, other forms of DoS attacks, or remove rogue access points.

Formally, the input to the system is a set of tuples of the form $(x_i, y_i, P_{r_i})$, where $(x_i, y_i)$ is the location of the ith access point and $P_{r_i}$ is the signal strength detected for the client being located. The objective is to estimate the location and transmission power level used by the client (transmitter): $(x_T, y_T, P_t)$. The search occurs over a tridimensional space S: the location $(x_T, y_T)$ is limited to the service area and $P_t$ is limited to a range of transmission power representative of off-the-shelf wireless cards (e.g. 15-20 dBm).

Preconditions. Before a location is estimated, the system performs a set of sanity checks on the input vector. If any of these checks fails, the input is rejected and an unknown location is attributed to the client (which could be denied access to the network). Our current system employs two checks that take advantage of the higher density of access points provided by KIWI. First, the algorithm checks whether the input vector contains a minimum number of entries, Q (minimum quorum). Given that most available off-the-shelf wireless cards are provisioned with omni-directional antennas, intended clients located within the SA should not have problems satisfying this condition. As for attackers, this precondition eliminates the cases in which the system would estimate an incorrect location as a consequence of the use of few access points.

The second condition makes sure that the client is detected by at least one access point above a pre-defined signal strength threshold T; i.e., the algorithm continues only if $\exists i \mid P_{r_i} \geq T$. A positive answer to this test is taken by the system as an indication of the client's proximity to the network. The exact value of T is calculated based on the power levels used by off-the-shelf cards, the path loss model calculated for the environment, and the number and location of access points. With more access points, the smaller the average range to the closest AP, and the higher the network can set the threshold T.

Location estimation. If all preconditions are satisfied, the system estimates the location for the transmitter. For a tentative solution $s = (x_T, y_T, P_t)$, its error is defined as

$$\mathrm{error}(s) = \sum_i \left(P_{r_i} - P_r(d_i)\right)^2.$$

This formula is simply the square of the difference between the value reported by each AP ($P_{r_i}$) and the value predicted by the path loss model fitted to the environment ($P_r$), which is a function of the Euclidean distance between s and each AP ($d_i$). This phase is thus reduced to finding the best solution $s \in S$ s.t. $\mathrm{error}(s) \leq \mathrm{error}(s')\ \forall s' \in S$, and various minimization methods can be used.

Confidence test. A confidence test is used by the system to reject improbable signal patterns and the corresponding solutions yielded by the location estimation step. The mechanism just described always finds a best solution $s \in S$, but provides no confidence regarding the value found. For example, s could have too high an error, which could yield a false positive (an external transmitter is wrongly considered to be inside the SA).

We test the confidence on an estimated location by modeling the distribution of the error function and performing a statistical test. Let E denote the cumulative distribution of our error function and $E_p$ denote its p-th percentile. For instance, we say a solution s can be rejected with 95% confidence if $\mathrm{error}(s) > E_{95}$. We model E with a chi-square distribution, which arises as the sum of the squares of independent standard normal variables. Other researchers have successfully used normal variables to model the difference between experimental values and the mean predicted by the log-distance model fitted to the environment [6]. Our error function is the sum of the squares of such differences, which explains the use of the chi-square distribution.

Table 1: Estimated TCO for both architectures.

                              AUTH          KIWI
    CAPEX
      Access points         400.00      3,200.00
      RADIUS server/WA    5,000.00      8,000.00
    OPEX
      AP installation     1,200.00      4,800.00
      AP config.            280.00             -
      Site survey         4,000.00             -
      Yearly maintenance  3,640.00             -
    TCO                $14,520.00    $16,000.00

Accuracy and false negatives. The high number of APs enables autonomous calibration (determination of the path loss model) while allowing our system to achieve accuracy comparable to previously published systems [7, 4]. For instance, when using a log-distance model with deviations following a normal distribution with standard deviation of 7 dB, the simulation of an office building with one AP every 10 meters yielded an average error of 2.55 m (75th percentile of 4.15 m). The rate of false negatives (system unable to locate clients inside the SA) was found to be low; for the same simulation scenario and discarding solutions with error above $E_{90}$, false negatives occurred with probability below 0.05.

False positives. Even when facing attackers with unbounded transmission power, the false-positive rate was found to be low. An attacker needs to increase transmission power in order to satisfy the threshold precondition, which enables the system to more easily differentiate his signal pattern from the one expected from clients within the SA. With one AP every 10 meters, attackers more than 40 meters from the external walls were blocked with probability higher than 0.95, even with unbounded power. Clients with bounded power (e.g. with regular cards) are rapidly rejected by the system, mostly due to failing the threshold precondition.
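The whole localization pipeline of section 2.4 (preconditions, location estimation over S, and the chi-square confidence test) is shown below as an added Python example; it is not the paper's code and the paper names no particular minimizer, so exhaustive search over a 1 m grid is used. The 30x30 m service area with 16 APs on a 10 m grid, $L_0$ = 40 dB, $\alpha$ = 3, the quorum Q = 8, the rule used to derive T (the weakest permitted card heard by the nearest AP from the farthest point of a grid cell) and the noise-free sample readings are all constructed for the example. The chi-square CDF is computed from the regularized incomplete gamma series so that no third-party library is needed.

```python
"""KIWI localization pipeline: preconditions (quorum, threshold), grid-search
location estimation over S = (x_T, y_T, P_t), and the chi-square confidence
test.  Added example, not the paper's code.  Constructed/assumed: a 30x30 m
service area with 16 APs on a 10 m grid, L_0 = 40 dB, alpha = 3, Q = 8, the
rule used to derive T, and noise-free readings generated from the same model.
"""
import math

SIGMA_DB = 7.0                   # std. dev. of measured vs. predicted power (paper: 7 dB)
L0_DB = 40.0                     # attenuation at 1 m (assumed)
ALPHA = 3.0                      # path loss exponent fitted indoors (assumed)
PT_RANGE = range(15, 21)         # off-the-shelf card power, 15-20 dBm (paper)
SA = (0, 30, 0, 30)              # x_min, x_max, y_min, y_max in metres (constructed)
APS = [(x, y) for x in range(0, 31, 10) for y in range(0, 31, 10)]   # 16 APs, 10 m grid
QUORUM = 8                       # Q: minimum number of reporting APs (assumed)
# Threshold T (assumed derivation): the weakest allowed card, heard by the
# nearest AP from the farthest point of a grid cell (half the cell diagonal).
T_DBM = min(PT_RANGE) - L0_DB - 10.0 * ALPHA * math.log10(10.0 / math.sqrt(2.0))


def predicted_power(d: float, pt: float) -> float:
    """Log-distance model P_r(d) = P_t - L_0 - 10*alpha*log10(d), d clamped at 1 m."""
    return pt - L0_DB - 10.0 * ALPHA * math.log10(max(d, 1.0))


def error(solution, readings) -> float:
    """error(s) = sum_i (P_r_i - P_r(d_i))^2 for s = (x_T, y_T, P_t)."""
    xt, yt, pt = solution
    return sum((pr - predicted_power(math.hypot(xi - xt, yi - yt), pt)) ** 2
               for xi, yi, pr in readings)


def preconditions_ok(readings) -> bool:
    """Quorum of Q readings and at least one AP hearing the client above T."""
    return len(readings) >= QUORUM and any(pr >= T_DBM for _, _, pr in readings)


def estimate(readings, step: int = 1):
    """Exhaustive search of S; returns (best solution, its error)."""
    best, best_err = None, math.inf
    for x in range(SA[0], SA[1] + 1, step):
        for y in range(SA[2], SA[3] + 1, step):
            for pt in PT_RANGE:
                e = error((x, y, pt), readings)
                if e < best_err:
                    best, best_err = (x, y, pt), e
    return best, best_err


def chi2_cdf(x: float, k: int) -> float:
    """CDF of chi-square with k degrees of freedom, via the series for the
    regularized lower incomplete gamma function P(k/2, x/2)."""
    a, z = k / 2.0, x / 2.0
    if z <= 0.0:
        return 0.0
    term = total = 1.0 / a
    n = 1
    while term > 1e-16 * total:
        term *= z / (a + n)
        total += term
        n += 1
    return math.exp(a * math.log(z) - z - math.lgamma(a)) * total


def chi2_percentile(p: float, k: int) -> float:
    """E_p: the value below which a fraction p of the distribution lies (bisection)."""
    lo, hi = 0.0, 10.0 * k + 100.0
    for _ in range(100):
        mid = (lo + hi) / 2.0
        lo, hi = (mid, hi) if chi2_cdf(mid, k) < p else (lo, mid)
    return (lo + hi) / 2.0


def locate(readings, confidence: float = 0.95):
    """Returns (verdict, solution): 'unknown' if a precondition fails,
    'rejected' if error(s) > E_confidence, else 'accepted'."""
    if not preconditions_ok(readings):
        return "unknown", None
    sol, err = estimate(readings)
    # error / sigma^2 is chi-square with one degree of freedom per AP reading
    bound = SIGMA_DB ** 2 * chi2_percentile(confidence, len(readings))
    return ("rejected" if err > bound else "accepted"), sol


def readings_from(x: float, y: float, pt: float):
    """Constructed input: noise-free readings of a transmitter at (x, y, pt)."""
    return [(xi, yi, predicted_power(math.hypot(xi - x, yi - y), pt)) for xi, yi in APS]


if __name__ == "__main__":
    print("client inside SA:      ", locate(readings_from(12, 8, 17)))
    print("outside, regular card: ", locate(readings_from(-30, 15, 20)))
    print("outside, raised power: ", locate(readings_from(-30, 15, 35)))
```

In the constructed scenario the in-SA client is located exactly and accepted, the outside transmitter with a regular card never reaches T and is dropped at the precondition stage, and the raised-power transmitter gets past T only to be judged by the confidence test on how well any point inside S with a permitted $P_t$ can explain its signal pattern, which is the mechanism the false-positives paragraph describes.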

    3. COST ANALYSIS

Despite the increased number of APs, we show that the costs associated with a KIWI installation are comparable to standard networks. We derive back-of-the-envelope total cost of ownership (TCO) estimates to provision our test scenario following two architectures: KIWI and a standard installation using fewer access points and a back-end server for authentication (termed AUTH). In the AUTH installation, we provision the network with 8 access points and a RADIUS server used for authentication. In the KIWI installation, we use 64 access points (one every 10 meters, forming a grid) controlled by a wireless appliance. We focus on capital expenses (CAPEX) and simplified operational expenses (OPEX), a summary of which is shown in table 1.

CAPEX. Given the falling prices of IEEE 802.11 access points, we assume a cost of $50 per AP (there are SOHO APs already being sold in this price range). For the wireless appliance we assume a cost of $8,000 (so-called wireless switches have prices in the $5,000-12,000 range). While not dependent on a wireless appliance per se, the AUTH configuration needs at least an authentication server to control the access to the network. We attribute a cost of $5,000 for the authentication server, which includes both hardware and commercial RADIUS software.

OPEX. The first component affects both architectures: the cost of physically installing the access points. We assume a cost of $150 per drop, with two access points sharing each connection to the wired infrastructure in the KIWI scenario. Two other factors affect installation costs in the AUTH architecture. First, access points need to be individually configured by the administrator; we assume this task to take approximately 1 hour per AP, assuming labor of $35 per hour. The second term accounts for a site survey, for which we assign a $4,000 cost. This estimate includes a 1-day visit of a specialized technician that manually samples the wireless environment looking for interference sources and the best AP locations. For simplicity, we assume an equal amount of time to configure both the WA and the authentication server; these terms were left out of our analysis.

Finally, assume that a network administrator needs on average 2 hours/week to manage the authentication infrastructure and perform tasks such as certificate distribution and revocation and AP management (channel assignment, transmission power control, and other general configurations). Assuming an hourly rate of $35, these management tasks account for $3,640 just during the first year.

The estimated costs associated with both configurations are comparable, with the KIWI scenario being approximately 10% more expensive than the AUTH case. Due to lower management costs, the KIWI scenario should be cheaper in the long run, while still providing higher capacity and robustness. Though raw, these numbers show that a KIWI deployment is competitive in terms of costs while providing much higher capacity and robustness.

    4. CONCLUSION

In this paper we have presented KIWI, an architecture that takes advantage of overprovisioned WLANs in order to geographically limit wireless coverage. We showed that our architecture is viable; for instance, we found similar total cost of ownership estimates for a standard installation with 8 access points and a KIWI installation with 64 lightweight APs.

We have also shown that KIWI provides enterprise environments with sufficient security. For instance, clients provided with off-the-shelf hardware within a service area with one AP every 10 meters are located accurately (average error below 3 meters) and authenticate successfully (probability of two consecutive failures below 0.07).

We also showed that attackers located outside the intended coverage area need impractical amounts of antenna gain. In the same scenario, an attacker needs at least 20 dBi of antenna gain when located farther than 40 meters from the external walls. Consequently, such attempts require sophisticated wireless reception equipment, making the costs of compromising wireless security comparable to other forms of attack, including those on the wired infrastructure.

In general, KIWI follows a direction of past success in computing, namely throwing more resources at the problem, access points in this case. In contrast, key management-based approaches introduce a whole level of complexity and operator involvement that did not exist before, bringing in additional failures and compromises. Given that social engineering is recognized as the most effective form of attack on corporate networks, the KIWI approach may not only reduce costs by reducing operator overhead and costs of key management systems, but also significantly increase actual security by eliminating operator participation.

    5. REFERENCES

[1] LAN MAN Standards Committee of the IEEE Computer Society. Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. Technical Report 1999 Edition, IEEE Standard 802.11, 1999.

[2] LAN MAN Standards Committee of the IEEE Computer Society. Standard for Port based Network Access Control. Technical Report Draft P802.1X/D11, IEEE Computer Society, Mar. 2001.

[3] P. Calhoun, B. O'Hara, S. Kelly, R. Suri, D. Funato, and M. Vakulenko. Light Weight Access Point Protocol (LWAPP). IETF Internet Draft, June 2003.

[4] A. M. Ladd, K. E. Bekris, A. Rudys, G. Marceau, L. E. Kavraki, and D. S. Wallach. Robotics-Based Location Sensing using Wireless Ethernet. In Proc. of the 8th Annual International Conference on Mobile Computing and Networking (Mobicom'02), Atlanta, GA, USA, Sept. 2002.

[5] D. Molkdar. Review on Radio Propagation Into and Within Buildings. IEE Proceedings-H, 138(1):61-73, Feb. 1991.

[6] T. S. Rappaport. Wireless Communications - Principles and Practice. Prentice Hall PTR, 1996.

[7] T. Roos, P. Myllymaki, H. Tirri, P. Misikangas, and J. Sievanen. A Probabilistic Approach to WLAN User Location Estimation. International Journal of Wireless Information Networks, 9(3):155-164, July 2002.