由於具有低成本、無線存取及可移動的特性，無線區域網路（ＷＬＡＮ）近年來已被廣泛地佈建於各場所，包括私人企業，校園與機場等公共區域，以及台北市政府委由民間企業建置的Wi-Fly無線網路所覆蓋的台北市區。相對於蜂巢式電話系統，無線區域網路的高頻寬促使行動多媒體應用的適用性大為提昇，多媒體與語音的應用通常需要穩定順暢的播放能力，為了提供用戶一個較佳的通訊品質，無線區域網路必須支援無縫隙漫遊功能。然而，過長的ＷＰＡ認證時間使它難以達成這項目標。本篇論文提出植基於改良式相鄰圖的快速安全認證方法來縮短認證延遲，透過行動工作站(Mobile Station)與相鄰無線接取器(Access Point)間預先交換金鑰資訊產生密鑰的方式，並予以簡化Handoff認證程序，本協定可以有效縮減使用者跨無線接取器漫遊時重新認證的時間。此外，改良式相鄰圖可以適當地決定哪些無線接取器應事先與行動工作站協議產生認證金鑰，不以相鄰圖(Neighbor Graph)上所有相鄰無線接取器為協議標的，此方法僅選擇該使用者下次漫遊機率較高的數個無線接取器作為與行動工作站進行前置溝通的對象。因此，認證協定在維持一定認證效率的水準同時，仍可減少不必要的網路通訊負載。

Wireless local area network (WLAN) has grown in popularity recently due to the characteristics of wireless access and mobility. Multimedia and voice applications on WLAN usually are required to access network resource without interruption. In order to maintain high quality of communication for mobile users employing these applications, WLAN system must provide the ability of fast handoff across different access point (AP). However, the WPA authentication requires much time such that WLAN is difficult to support the fast handoff. In this paper, we propose a secure accelerated authentication scheme based on refined neighbor graph. Through key pre-agreement between each mobile station (STA) and neighbor APs in advance and the reduction of handover authentication process, our protocol can reduce significantly the authentication latency as user re-associates with another AP. Moreover, a refined neighbor graph is proposed to determine the APs which can negotiate key material with STA and generate cipher key in a proactive fashion. Instead of picking all neighbor APs on Neighbor Graph, this scheme only selects certain APs where the STA is most likely to roams further to anticipate in key pre-generation prior to subsequent handoff. Consequently, our scheme can minimize efficiently network traffic load that results from key pre-agreement while providing the fast authentication of handoff.

Chapter 1 Introduction 1
1.1 Background 1
1.1.1 Remote Authentication Dial In User Service 1
1.1.2 Port Based Network Access Control 3
1.1.3 IEEE 802.11f 4
1.1.4 IEEE 802.11i 5
1.2 Motivation 9
1.3 Goal 11
1.4 Synopsis 11
Chapter 2 Related work 12
2.1 Predictive Authentication Scheme 12
2.2 Proactive Key Distribution 14
2.3 Selective Neighbor Graph 15
2.4 Dual State Transition Predictability Algorithm 16
Chapter 3 Accelerated Authentication Protocol 18
3.1 Assumption and Notation 18
3.2 802.1X AKM 19
3.2.1 Connection Procedure 20
3.2.2 Handover Procedure 27
3.3 PSK authentication 34
3.3.1 Connection Procedure 34
3.3.2 Handover Procedure 36
Chapter 4 Refined Neighbor Graph 41
4.1 Handoff Model 41
4.2 Refined Neighbor Graph Scheme 43
Chapter 5 Protocol analysis 48
5.1 Function Analysis 48
5.2 Security Analysis 50
Chapter 6 Experiment 55
6.1 Experiment on Handoff Authentication 55
6.1.1 Experiment Environment 55
6.1.2 Experiment Result 56
6.2 Experiment on Refinement Neighbor Graph 59
6.2.1 Experiment Environment 59
6.2.2 Experiment Result 60
Chapter 7 Conclusion 65
Bibliography 66

[1] “Information technology– Telecommunications and information exchange between systems- Local and metropolitan area networks- Specific requirements- Part 11:Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications”, IEEE std 802.11-1997.
[2] IETF, RFC 2865 “Remote Authentication Dial In User Service(RADIUS)”, June 2000
[3] IEEE std 802.1X-2001, “Local and metropolitan area networks – Port-Based Network Access Control”, Oct. 2001.
[4] IETF, RFC 3748 “Extensible Authentication Protocol (EAP)”, June 2004.
[5] IETF, RFC 2716 “PPP EAP TLS Authentication Protocol”, October 1999.
[6] P. Funk, S. Blake-Wilson, “EAP Tunneled TLS Authentication Protocol”, Internet-Draft , April 2004.
[7] A. Palekar, D. Simon, J. Salowey, H. Zhou, and G. Zorn, “Protected EAP Protocol (PEAP) Version 2”, INTERNET-DRAFT , 15 October 2004.
[8] “IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation”, 80211.f, 14 July 2003.
[9] “Information technology– Telecommunications and information exchange between systems- Local and metropolitan area networks- Specific requirements- Part 11:Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements”, IEEE std 802.11i-2004.
[10] N. Borisov, I. Goklberg, and D. Wagner, “Intercepting Mobil Communications: The Insecurity of 802.11.”, the proceedings of the seventh annual international conference on Mobile Computing and Networking, July 16-21, 2001
[11] W. A. Arbaugh, N. Shankar, and Y.C. J. Wan, “Your 802.11 Wireless Network has no Clothes.”, IEEE Wireless Communications Magazine, 2002, Vol. 9, No. 6, pp.44-51.
[12] S. Pack and Y. Choi, “ Fast Inter-AP Handoff using Predictive Authentication Scheme in a Public Wireless LAN” in Proc. Of Networks 2002, Aug. 2002.
[13] A. Miashra, M. Shin, N.L. Petroni Jr., T.C. Clancy and W. Arbaugh, “Proactive Key Distribution Using Neighbor Graphs” IEEE Wireless Comm. Magazine, Feb. 2004.
[14] A. Mishra, M. Shin and W. Arbaugh, “Context Caching using Neighbor Graphs for Fast Handoffs in a Wireless Network”, in Proc of IEEE INFOCOM, Mar. 2004.
[15] X. Zheng, C. Chen, C. T. Huang, M. M. Matthews, “A Dual Authentication Protocol for IEEE 802.11 Wireless LANS”, Wireless Communication Systems, 2005. 2nd International Symposium on 5-7 Sept. 2005 Page:565-569.
[16] M. S. Bargh, R. J. Hulsebosch, E. H. Ertink, A. Prasad, H. Wang, P. Schoo, “Fast authentication methods for handovers between IEEE802.11 wireless LANS”, Proceedings of the 2nd ACM international workshop on Wireless mobile applications, 2004.
[17] L Maccari, R Fantacci, T Pecorella, F Frosali, “Secure, fast handoff techniques for 802.1X based wireless network”, IEEE ICC 2006 proceedings.
[18] P Kiratwintakorn, P Krishnamurthy, “An Energy Efficient Authentication and Key Management Protocol for 802.11 WLANs”, Information, Communications and Signal Processing, 2005 Fifth international Conference. Dec. 2005 pp 448-453.
[19] S. Pack and Y. choi, “Fast handoff scheme based on mobility prediction in public wireless LAN systems”, communications IEE proceeding, 24 Oct 2004 pp 489-495.
[20] A.R. Prasad and H. Wang “Roaming key based fast handover in WLANS”, Wireless Communications and Networking Conference, 2005 IEEE.
[21] S. Pack, H. Jung, T. Kwon, and Y. Choi “A Selective Neighbor Caching Scheme for Fast Handoff in IEEE 802.11 Networks”, in Proc. IEEE ICC, May 2005.
[22] P. J. Huang, Y. C. Tseng, K. C. Tsai “A fast Handoff Mechanism for IEEE 802.11 and IAPP Networks”, Vehicular Technology Conference, 2006. VTC 2006-Spring. IEEE 63rd Volume 2, pp.966-970, 2006.
[23] H. Velayos, G. Karlsson “Techniques to reduce the IEEE 802.11b handoff time”, Proceedings of IEEE international Conference on Communications, vol.7, pp. 3844-3848, 2004.
[24] M. Shin, A. Mishra, W. A. Arbuagh “Improving the latency of 802.11 hand-offs using neighbor graphs”, Proceedings of the 2nd international Conference on Mobile Systems, Applications, and Services, 2004, pp.70-83.
[25] A.Mishra, M.Shin, and W.Arbaugh “An Empirical Analysis of the IEEE 802.11 MAC Layer Handoff Process”, ACM Computer Communication Review, 2003, pp.93-102.
[26] International Telecommunication Union, “General Characteristics of International Telephone Connections and International Telephone Circuits.”, ITU-TG.114. 1988.
[27] C. He and J.C. Mitchell “Analysis of the 802.11i 4-Way Handshake”, Proceedings of the 2004 ACM workshop on Wireless security, 2004 pp 43-50.
[28] J. Bellardo, and S. Savage “Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions”, Proceedings of the USENIX Security Symposium, August 2003 pp 15-28.
[29] J.C. Chen, M.C. Jiang, and Y.W Liu “Wireless LAN Security and IEEE 802.11i”, IEEE Wireless Communications, vol.12, no.1, pp. 27-36, Feb 2005.
[30] A. Bhattacharya and S.K. Das “LeZi-Update: An Information-theoretic framework for personal mobility tracking in PCS networks”, in ACM/Kluwer Wireless Networks Journal, vol. 8, no. 2-3 pp.121-135, Mar. 2002.
[31] T. Joshi, A. Mukherjee, and D.P. Agrawal “Exploiting Mobility Patterns to Reduce Re-Authentication Overheads in Infrastructure WLAN Networks” Electrical and Computer Engineering, Canadian Conference on 2006.