Toward Adjustable Lightweight Authentication for Network Access Control

Sammanfattning: The increasing use of Internet access networks raises the demand for secure and reliable communication for both users and businesses. Traditionally, the aim has been to provide the strongest possible security. However, with the demand for low-power computing it has become desirable to develop security mechanisms which efficiently utilize available resources. The tradeoff between performance and security plays an important role. In general, strong security is added even if there is no attack. The implementation of strong and resource demanding security often implies more than a secure system; it may deteriorate the performance of a device with limited resources and pave the way for new threats such as resource exhaustion. It is, therefore, unwise to use strong cryptographic algorithms for devices with limited resources in the absence of an adversary. It is more efficient to begin with lightweight security, taking further measures when an attack is detected. The overall focus of this thesis is on adjustable and lightweight authentication protocols for network access control. The thesis studies the performance degradation of strong security using empirical tests on IP security (IPSec) with a visual bottleneck indicator based on the time-discrete fluid flow model and throughput histogram differences. The results emphasize the possibility of a Denial of Service (DoS) attack against IPSec itself. The redundant authentication performed in a Wireless Local Area Network (WLAN) also motivates the development and evaluation of novel lightweight authentication protocols for the link and network layer. The developed authentication protocols are resource efficient, per-packet based, and robust in terms of handling packet loss. The protocols are further used as part of a hierarchical defense structure, which has been implemented and evaluated in order to mitigate protocol based DoS attacks. Finally, this thesis presents the concept of Always Best Security (ABS) and a practical decision making model based on the Analytic Hierarchy Process. The model takes a number of factors into consideration, including subjective and objective aspects of security in order to select an adequate authentication level. It is a flexible model which formalizes quantitative and qualitative considerations of a defined set of criteria, keeping Quality of Service in mind.