Wireless local area networks remain vulnerable to attacks initiated during the connection establishment (CE) phase. Current Wi-Fi security protocols fail to fully mitigate attacks such as man-in-the-middle, preamble spoofing, and relaying. To fortify the CE phase, in this paper we design a backward-compatible scheme that interweaves a time-constrained digital signature into the preambles at the physical (PHY) layer to effectively counter those attacks. This approach slices a MAC-layer signature and embeds the slices within CE frame preambles without extending the frame size, allowing one or more stations to concurrently verify their respective APs' transmissions. Concurrent CEs are supported by enabling the stations to analyze the consistent patterns of PHY-layer headers and identify whether the received frames are the anticipated ones from the expected APs, achieving 100% accuracy without needing to examine their MAC-layer headers. Additionally, we design and implement a fast relay attack to challenge our proposed defense and determine its effectiveness. We extend existing open-source tools to support IEEE 802.11ax in order to evaluate the effectiveness and practicality of our proposed scheme in a testbed consisting of USRPs, commercial APs, and Wi-Fi devices, and we show that our relay attack detection achieves 96-100% true positive rates. Finally, end-to-end formal security analyses confirm the security and correctness of the proposed solution.
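The following Go program is an added illustration of the mechanism the abstract describes, not code from the paper: the AP signs the CE transcript, slices the signature across the preambles of consecutive CE frames, and the station enforces an inter-frame deadline (the time constraint that exposes a relay) before reassembling and verifying. Ed25519, the 16-byte slice size, the 1000 us deadline, the transcript contents and the preamble layout are all assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Preamble models one CE frame's PHY preamble carrying a 16-byte slice of the AP's
// 64-byte Ed25519 signature (assumed layout); ArrivedAt is the station clock in us.
type Preamble struct{ Slice []byte; ArrivedAt float64 }

const sliceLen, maxGapUs = 16, 1000.0 // 4 frames per signature; assumed inter-frame deadline

// BuildFrames (AP side) signs the CE transcript, cuts the signature into slices and
// emits one preamble per CE frame; gapUs is the spacing the station observes.
func BuildFrames(priv ed25519.PrivateKey, transcript []byte, gapUs float64) []Preamble {
	sig := ed25519.Sign(priv, transcript)
	var frames []Preamble
	for i := 0; i < len(sig); i += sliceLen {
		frames = append(frames, Preamble{sig[i : i+sliceLen], float64(i/sliceLen) * gapUs})
	}
	return frames
}

// VerifyCE (station side) rejects a frame arriving past the inter-frame deadline, the
// time constraint that exposes a relay, then reassembles and verifies the signature.
func VerifyCE(pub ed25519.PublicKey, transcript []byte, frames []Preamble) error {
	var sig []byte
	for i, f := range frames {
		if i > 0 && f.ArrivedAt-frames[i-1].ArrivedAt > maxGapUs {
			return fmt.Errorf("frame %d: gap exceeds %.0f us deadline, possible relay", i, maxGapUs)
		}
		sig = append(sig, f.Slice...)
	}
	if !ed25519.Verify(pub, transcript, sig) {
		return fmt.Errorf("reassembled signature invalid, possible spoofed preamble")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	transcript := []byte("AP=02:00:00:00:00:01;STA=02:00:00:00:00:02;nonce=1234") // constructed
	fmt.Println("legitimate:", VerifyCE(pub, transcript, BuildFrames(priv, transcript, 300)))
	fmt.Println("relayed:   ", VerifyCE(pub, transcript, BuildFrames(priv, transcript, 1500)))
	forged := BuildFrames(priv, transcript, 300)
	forged[2].Slice = make([]byte, sliceLen) // a substituted slice in frame 2
	fmt.Println("spoofed:   ", VerifyCE(pub, transcript, forged))
}
```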