Design, implementation, and performance analysis of DiscoSec — Service pack for securing WLANs

Abstract

To improve the already tarnished reputation of WLAN security, the new IEEE 802.11i security standard provides means for an enhanced user authentication and strong data confidentiality. However, the standard focuses on securing higher-layer data, i.e., protecting IEEE 802.11 data frames. Management frames used for connection administration are left unprotected and a wide spectrum of known attacks is still applicable and even extended against the IEEE 802.11i/IEEE 802.1Xprotocol execution. This work describes DiscoSec, a service pack for "patching" WLANs against the most prominent vulnerabilities resulting in resource-depletion and impersonation attacks. DiscoSec provides DoS-resilient key exchange, an efficient frame authentication, and a performance-oriented implementation. By means of extensive real-world measurements the performance of DiscoSec is evaluated showing that even on very resource-limited devices the throughput is decreased by only 22 % compared to the throughput without any authentication, and by 6% on more powerful hardware. To demonstrate its effectiveness, DiscoSec is available as an open-source WLAN device driver.