Classifications

• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/06—Authentication
  • H04W12/069—Authentication using certificates or pre-shared keys
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
  • H04W12/50—Secure pairing of devices
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W76/00—Connection management
  • H04W76/10—Connection setup
  • H04W76/19—Connection re-establishment
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W84/00—Network topologies
  • H04W84/02—Hierarchically pre-organised networks, e.g. paging networks, cellular networks, WLAN [Wireless Local Area Network] or WLL [Wireless Local Loop]
  • H04W84/10—Small scale networks; Flat hierarchical networks
  • H04W84/12—WLAN [Wireless Local Area Networks]
• • H—ELECTRICITY
  • H04—ELECTRIC COMMUNICATION TECHNIQUE
  • H04W—WIRELESS COMMUNICATION NETWORKS
  • H04W88/00—Devices specially adapted for wireless communication networks, e.g. terminals, base stations or access point devices
  • H04W88/08—Access point devices

Definitions

• the present invention relates to a method for increasing the security level of a Wi-Fi access point capable of communicating with several Wi-Fi stations in a communication network.
• Such a network is in particular a home network equipped with a gateway as an access point allowing local equipment to be connected to the Internet.
• Wi-Fi is the most widely used medium for transmitting data at home. It is used by a large and growing number of different devices (Smartphone, tablet, PC, TV decoder, IOT equipment, etc.) and for a wide variety of uses: email, telephony, “Live” video, “OTT” video, IOT monitoring, etc.
• Wi-Fi technologies are becoming more complex and provide additional tools that allow certain characteristics of the flows to be optimized, while taking into account certain constraints: 802.11e, 802.1 lu, 802.1 lax, OFDMA, . . .
• Some stations may sometimes have difficulty using a gateway's Wi-Fi network. These difficulties manifest themselves by an inability to establish a Wi-Fi connection, the reasons may be multiple: incompatibility of the Wi-Fi station with a particular Wi-Fi standard or even incompatibility with a security mode currently in use by the home gateway.
• Security protocols such as WEP (for Wired Equivalent Privacy), WPA (for Wi-Fi Protected Access), and WPA2 provide user authentication, encryption, and data confidentiality to ensure the security of wireless connections.
• WEP Wired Equivalent Privacy
• WPA Wi-Fi Protected Access
• WPA2 Wi-Fi Protected Access
• Wi-Fi equipment is not compatible with new Wi-Fi security protocols such as WPA2/WPA3 or WPA3. This forces some telecommunications operators to use only the most widespread security mode (WPA2) for all of these home gateways in order to avoid interoperability issues. As a result, an operator is not able to offer the best Wi-Fi security for its customers.
• WPA2 most widespread security mode
• the present invention aims to dynamically increase the level of Wi-Fi security between Wi-Fi stations and a gateway within a home network.
• Another aim of the invention is to optimize the management of Wi-Fi stations within an access point of the communication network.
• At least one of the objectives is achieved with a method for increasing the security level of a Wi-Fi access point capable of communicating with several Wi-Fi stations in a communication network, this method comprising the following steps:
• the method according to the present invention aims to increase the security level of Wi-Fi access points in a home depending on the Wi-Fi equipment present.
• the operator can therefore dynamically increase the security of the Wi-Fi access points of a part of its domestic gateway fleet, only for homes with equipment compatible with the latest standards.
• the purpose of this dynamic increase is to benefit from the highest or most recent level of security while maintaining the access point compatible with all the Wi-Fi stations that are used to connecting to this access point.
• the protocols contemplated in the present invention may include the following protocols: WEP, WPA, WPA2, WPA2/WPA3 or WPA3.
• the method according to the invention thus makes it possible to dynamically activate several security protocols in succession; each attempt is followed by a verification phase to see if the Wi-Fi stations continue to connect. In the event of no connection, the previous protocol is returned to.
• the verification is initiated as soon as the security level on the access point is changed.
• This verification includes waiting for association of each of the stations that were associated or connected before the security level change.
• the verification duration is configurable, for example a few seconds or several minutes, in particular 2 min.
• the verification may consist of checking only whether some Wi-Fi stations, already known by the Wi-Fi access point, manage to connect again. These few Wi-Fi stations can be the Wi-Fi stations that have connected since a predetermined time in the past and/or those that have connected beyond a predetermined number of times.
• the alert signal may for example only be emitted when, for a given duration, the ratio between the number of Wi-Fi stations which manage to connect and the number of Wi-Fi stations which fail to connect is less than a predetermined threshold.
• the present invention advantageously implements an association anomaly detection. It is verified by various means whether a Wi-Fi station can no longer connect to the Wi-Fi access point.
• the detection of an association anomaly between a Wi-Fi station and the Wi-Fi access point can comprise the following steps:
• a Wi-Fi standard management frame is used, the “Probe Request”.
• the latter is used by Wi-Fi stations to identify nearby networks. This is a relevant indicator because during an association attempt, this “Probe Request” is systematically sent by the Wi-Fi station.
• this Wi-Fi standard management frame is present but if the Wi-Fi station linked to this Wi-Fi standard management frame is not associated with the network access point, then it is considered that there is an interoperability problem between the access point and this Wi-Fi station.
• the present invention therefore makes it possible to detect the presence of this “Probe Request” by associating it with a Wi-Fi station known to the access point.
• the Wi-Fi station will therefore send a “Probe Request”, if the unique code calculated from this “Probe Request” is known to the access point and the Wi-Fi station linked to this unique code is not connected, then the access point considers that this Wi-Fi station is unable to associate and sends an alert. If the station manages to connect, then the alert is raised.
• Checking whether the Wi-Fi station linked to the unique code has already been associated with the access point consists of checking whether the Wi-Fi station has subsequently been associated and then disassociated from the access point, i.e. whether there has already been a successful association before.
• the unique identification algorithm can be a hash function.
• This function can more precisely be an MD5 cryptographic hash function. Such a function makes it possible to calculate a unique identifier from digital content. This makes it possible to distinguish Wi-Fi stations from each other.
• the communication network can comprise several access points including a gateway and at least one repeater, the steps of storing the unique code and verification being carried out within the gateway.
• the step of checking whether the Wi-Fi station linked to the unique code has already been associated concerns all the access points. In fact, it is checked whether the Wi-Fi station has not already been associated with one of the access points.
• a processing unit of the gateway can be configured to carry out the steps of the method according to the invention.
• the intelligence is in the gateway.
• the content may comprise a number of antennas of the Wi-Fi station or a maximum frequency band of the Wi-Fi station. These are elements relating to the Wi-Fi capabilities of the equipment. Obviously, the content of the Wi-Fi standard management frame may comprise other elements than those mentioned.
• the content is the “IEEE 802.11 Wireless management” part.
• variable information such as the destination address or the source address is not retained.
• the communication network may be a home network, the access point comprising an Internet connection router.
• Such a router may be, for example, a gateway, a “homegateway” in English or any other device capable of connecting user equipment to the Internet.
• a communication network is proposed for increasing the security level of a Wi-Fi access point capable of communicating with several Wi-Fi stations; this access point being configured to implement a method according to the invention.
• the present invention also relates to a computer program product comprising instructions which, when the program is executed by a processing unit in an access point or in a remote server, for example in the cloud, lead the latter to implement the method according to the invention.
• FIG. 1 Figure 1 is a schematic view of a house equipped with an access point in the form of an Internet gateway and a user's Wi-Fi stations;
• Figure 2 is a flowchart illustrating steps of the method according to the invention;
• FIG. 3 is a flowchart illustrating steps of a method according to the invention.
• Figure 4 is a schematic view illustrating the fields in a “Probe Request” type Wi-Fi standard management frame according to the invention.
• Figure 5 is a simplified schematic view of frames sent by a Wi-Fi station to an access point.
• FIG. 6 is a simplified schematic view of frames sent by a Wi-Fi station to an access point according to the invention.
• Figure 1 is a schematic view illustrating a house 1 equipped with an access point 2 which is a gateway allowing access to the Internet 3 via a wired connection 4 based on coaxial cable or optical fiber.
• the access point 2 comprises a processing unit 7, such as a microcontroller for example, for implementing the method according to the invention and a Wi-Fi module 8 for wireless communication with equipment.
• a processing unit 7 such as a microcontroller for example
• Wi-Fi module 8 for wireless communication with equipment.
• the invention also provides an embodiment in which the processing unit implementing the invention, as an alternative to the processing unit 7 or in a complementary manner, is a remote server 9. Such a remote server can control several processing units arranged in different residences.
• home equipment can connect wired or wirelessly to the access point 2 to access the Internet 3.
• FIG. 1 there is a television 5 and a Wi-Fi station such as a mobile telephone 6 of the “smartphone” type, both connected to the gateway 2 wirelessly by Wi-Fi.
• a Wi-Fi station such as a mobile telephone 6 of the “smartphone” type
• the gateway 2 wirelessly by Wi-Fi.
• a digital television service is notably activated between the television 5 and the access point 2.
• the mobile phone 6 is able to connect to the gateway 2 to access the Internet by implementing different types of services: web, downloading, telephony, . . .
• the access point 2, television 5 and mobile telephone 6 assembly forms a home network in which communications take place according to a secure protocol.
• This secure protocol prevents unauthorized external connection to the wireless network and encodes the data exchanged.
• the access point 2 comprises conventional hardware and software means for serving as an access point and repeater between equipment and the Internet and further comprises one and/or the other a computer program product for implementing the method according to the invention.
• Wi-Fi security protocols are undergoing evolutions and new protocols are emerging to improve security.
• Figure 2 is a schematic view of a flowchart illustrating a dynamic security enhancement sequence according to the invention.
• a first step 10 is distinguished which is the start of a procedure according to the invention consisting in particular in noting that the access point 2 is capable of communicating according to the WPA2 protocol.
• step 11 the processing unit 7 activates a change of security protocol to switch from the WPA2 protocol to the WPA2/WPA3 protocol. At this time, the access point 2 can only communicate according to the WPA2/WPA3 protocol.
• step 12 it is checked whether Wi-Fi stations already known to the access point are able to connect or not. If one or more Wi-Fi stations are no longer able to connect to the access point which is now in WPA2/WPA3, the processing unit 7 then commands the activation of the previous protocol which is the WPA2 protocol. The security increase process ends there. A new attempt can be put in place later.
• the verification duration is for example 2 minutes. This duration can be configurable depending on the number of Wi-Fi stations that were associated before the change of security protocol.
• step 12 if all the Wi-Fi stations manage to connect to the access point which is now in WPA2/WPA3, the processing unit 7 then commands in step 13 an activation of another WPA3 security protocol considered superior to the WPA2/WPA3 protocol.
• the access point can then communicate only according to the WPA3 protocol.
• step 14 it is checked whether Wi-Fi stations already known to the access point are able to connect or not. If one or more Wi-Fi stations are no longer able to connect to the access point which is now in WPA3, the processing unit 7 then commands the activation of the previous protocol which is the WPA2/WPA3 protocol. The security increase process ends there. A new attempt can be made later.
• step 14 if all the Wi-Fi stations manage to connect to the access point which is now in WPA3, the processing unit 7 maintains the WPA3 protocol and the improvement process thus ends in step 15.
• the mobile phone 6 when for example the mobile phone 6 is activated, it seeks to identify nearby Wi-Fi access points. When an access point is identified, an association attempt follows.
• Figure 3 is a flowchart illustrating steps of implementing the association anomaly detection steps according to the invention.
• a step 16 is distinguished during which the Wi-Fi station transmits a Wi-Fi standard management frame, called “Probe Request”. This frame is received by the access point 2 which is a domestic gateway to the Internet. The frame includes a MAC address and content.
• step 17 in Figure 3 the access point identifies the content according to the invention.
• a digital file is then created.
• An MD5 hash is then applied to this digital file in step 18 so as to obtain a unique code 19.
• step 20 the unique code is saved within the gateway.
• step 21 it is checked whether the Wi-Fi station, i.e. the telephone 6, is associated with the access point 2.
• step 22 If not, the “no”, it is then checked in step 22 whether the unique code is known in the access point and whether the Wi-Fi station linked to this unique code has already been associated with the access point. It is thus attempted to determine whether, in the past, the telephone 6 has already been associated at least once with the access point 2. [OR I] If not, “no”, nothing happens at step 23.
• an alert signal is generated in step 24, for example via the Internet to a remote server of the operator.
• This alert signal can advantageously remain local to the gateway but can also be propagated in the home network or in the cloud through a secure tunnel (MQTT) in both cases.
• MQTT secure tunnel
• alert signal When the alert signal is local, it may be a software signal sent to a gateway application for the implementation of corrective actions, and/or a message sent on the local network to other network equipment, such as for example a Wi-Fi repeater.
• Figure 5 an embodiment according to the prior art is distinguished.
• Figure 5a illustrates a first association of the Wi-Fi station with the access point.
• Figure 5b illustrates a second association of the Wi-Fi station with the access point at a later time.
• Figure 5a concerns a first phase during which a Wi-Fi station transmits a “Probe Request” frame at a time t0. This frame obviously includes the MAC address of the Wi-Fi station.
• a second phase during an association attempt, at a time t1, the Wi-Fi station also transmits the same MAC address. In such a situation where the Wi-Fi station uses the same MAC address between the “Probe Request” and its association, it is easy for the access point to detect the presence of this equipment.
• Figure 5b concerns a second phase during which a Wi-Fi station transmits a “Probe Request” frame at a time t0.
• This frame obviously includes the MAC address of the Wi-Fi station.
• the Wi-Fi station transmits a MAC address different from that sent in the “Probe Request”.
• the fact that the Wi-Fi station uses a different MAC address between the “Probe Request” and its association prevents the link from being made between the “Probe Request” and the association.
• the MAC address is notably different by manufacturer implementation to mask its presence and avoid identification of the station.
• the MAC address can be random but not necessarily the data contained in the “Probe Request”.
• Figure 6 an embodiment according to the invention is distinguished.
• Figure 6a illustrates a first association of the Wi-Fi station with the access point.
• Figure 6b illustrates a second association of the Wi-Fi station with the access point at a later time.
• Figure 6a concerns the same steps as in Figure 5a with in addition here the calculation of the unique code at time t0 when receiving the “Probe Request” frame.
• the Wi-Fi station also transmits the same MAC address. In such a situation where the Wi-Fi station uses the same MAC address between the “Probe Request” and its association, it is easy for the access point to detect the presence of this equipment.
• Figure 6b concerns the same steps as in Figure 5b with in addition here the calculation of the unique code at time t0 during the transmission of the “Probe Request” frame.
• the Wi-Fi station transmits a MAC address different from that sent in the “Probe Request”.
• the unique code is used to identify the Wi-Fi station and note that this Wi-Fi station had already associated in the past during the phase described in Figure 6a.
• any anomaly in the connection of a Wi-Fi station to an access point is detected. This detection makes it possible to validate or not the upgrades of the security protocols.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Networks & Wireless Communication (AREA)
• Signal Processing (AREA)
• Computer Security & Cryptography (AREA)
• Mobile Radio Communication Systems (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=86764752

Family Applications (1)

Country Status (3)

Family Cites Families (2)

• 2023
  • 2023-04-04 FR FR2303361A patent/FR3147678B1/fr active Active
• 2024
  • 2024-02-20 EP EP24705684.9A patent/EP4690885A1/de active Pending
  • 2024-02-20 WO PCT/EP2024/054307 patent/WO2024208479A1/fr not_active Ceased

Also Published As

Similar Documents

Legal Events