Slide 1
Network Authentication with PKI
EDUCAUSE/Dartmouth PKI Summit, July 27, 2005
Jim Jokl, University of Virginia
Slide 2
Background: UVa Wireless LAN Project
- Deploy a campus-wide Wireless LAN (WLAN)
  - Initial focus on student areas
  - Later emphasis on faculty/staff areas
- Support multiple applications
  - Focus on standard applications: email, web, login, file transfer, etc.
  - Don’t focus on applications such as video
- Provide security
  - Wireless really is different in this regard
Slide 3
UVa WLAN Summary
- Access point summary as of July 2005
  - 796 access points in the database, approximately 704 operational
  - ~250 older Cisco 352 802.11b (11 Mbps @ 2.4 GHz) units
  - Remainder are modern Cisco 1100/1200 series access points
    - 802.11g/b (11-54 Mbps @ 2.4 GHz), 802.11a (54 Mbps @ 5 GHz)
    - Still need to install a/g radios in some of the 1200s
- Wireless security system
  - Would have liked strong authentication and encryption for all WLAN access, however …
Slide 4
Wireless Security: Have to support “other” devices
Slide 5
Initial Wireless Security System
- MAC address validation
  - Users register the hardware address of their wireless adapter
  - Provisions for anyone affiliated with the university to register cards for guests
  - Supports “random” devices
- Secured wireless via Cisco LEAP
  - Password-based authentication
  - Dynamic symmetric cipher keys
  - Had expected this technology to be widely implemented by vendors
Slide 6
EAP-based Authentication Process
[Diagram: Users, Access Points, UVa Network, RADIUS Servers. The access points relay the users’ EAP authentication across the UVa network to the RADIUS servers.]
Slide 7
Authentication Transition
- Combination of LEAP and MAC registration was OK for a couple of years
- However
  - LEAP never became mainstream and generally required a Cisco wireless card and software installation
  - We had anticipated native LEAP support with Windows XP
  - Final straw was a reported security vulnerability with the LEAP protocol
Slide 8
Wireless LAN Access Control

| Property                  | EAP-MD5                                                             | LEAP                                | EAP-TLS          | EAP-TTLS                    | PEAP                                      |
|---------------------------|---------------------------------------------------------------------|-------------------------------------|------------------|-----------------------------|-------------------------------------------|
| Server authentication     | None                                                                | Password hash                       | Public key       | Public key                  | Public key                                |
| Supplicant authentication | Password hash                                                       | Password hash                       | Public key       | CHAP, PAP, MS-CHAP(v2), EAP | Any EAP, like EAP-MS-CHAPv2 or public key |
| Dynamic key delivery      | No                                                                  | Yes                                 | Yes              | Yes                         | Yes                                       |
| Security risks            | Identity exposed, dictionary attack, MitM attack, session hijacking | Identity exposed, dictionary attack | Identity exposed | MitM attack                 | MitM attack                               |

Source: wi-fiplanet.com

Note on the last row: the “identity exposed” risk for EAP-TLS is the client certificate (and so the user’s name) travelling unencrypted in the TLS handshake; the MitM risk listed for EAP-TTLS and PEAP applies when the supplicant does not validate the RADIUS server’s certificate (issuing CA and server name), because the password exchange inside the tunnel is only as protected as the party terminating the tunnel.
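What the last row of the table means in a supplicant configuration, as an added example that is not from the presentation: a wpa_supplicant network block with the weak PEAP setting beside a corrected EAP-TLS one. wpa_supplicant is a current Linux supplicant rather than the 2005 Windows XP/MacOS clients the talk deploys; the SSID, identities, file paths and password are placeholders.

```conf
# Weak: PEAP/MS-CHAPv2 with no server-certificate validation.  Whatever
# RADIUS server answers for this SSID terminates the TLS tunnel and sees the
# MS-CHAPv2 exchange (the "MitM attack" entry in the table).
network={
    ssid="campus-wlan-example"          # placeholder SSID
    key_mgmt=WPA-EAP                    # the 2005 dynamic-WEP setup would be IEEE8021X
    eap=PEAP
    identity="user1@example.edu"        # placeholder
    password="changeme"                 # placeholder
    phase2="auth=MSCHAPV2"
    # no ca_cert and no domain match: the server is never authenticated
}

# Corrected: EAP-TLS with mutual authentication.  The supplicant validates
# the RADIUS server's chain against the campus CA and requires the server
# name to match; the server authenticates the user by certificate, so
# there is no password to harvest.
network={
    ssid="campus-wlan-example"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="user1@example.edu"        # the UPN carried in the certificate's SAN
    ca_cert="/etc/ssl/certs/campus-ca.pem"        # placeholder path to the CA cert
    client_cert="/etc/ssl/certs/user1-cert.pem"   # placeholder
    private_key="/etc/ssl/private/user1-key.pem"  # placeholder
    private_key_passwd="changeme"                 # placeholder
    domain_suffix_match="example.edu"   # server cert must carry a name under this domain
}
```

Without `ca_cert` the PEAP tunnel can be terminated by a rogue access point, which then holds a captured MS-CHAPv2 exchange for an offline dictionary attack, the same class of problem the table records for LEAP. The EAP-TLS block refuses to complete the handshake unless the server chain validates and the name matches, and the only credential it sends is a certificate.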
Slide 9
Background: UVa Standard Assurance CA (PKI-Lite)
- On-line web CA
- Uses existing account information to validate the user request
  - Computing ID, password, and some database info checked
- Certificate and chain automatically installed, or delivered as PKCS#12
- ~20k active certificates now
Slide 10
UVa EAP-TLS Wireless Authentication
- User verifies the RADIUS server’s identity using PKI
- The RADIUS server verifies the user’s identity using PKI
- An LDAP-based authorization step happens
- Association is allowed and dynamic session crypto keys are exchanged
[Diagram: User, Access Point, RADIUS Server, LDAP AuthZ.]
Slide 11
OS Support for EAP-TLS
- Operating system support
  - Windows XP, Windows 2000 SP-4*
  - MacOS (10.3.3)
  - 3rd party software available
- Very easy to use
  - No account management, passwords, etc.
  - Login to your workstation and secure wireless just works
- AuthZ step will make it easier to keep hacked machines off of the WLAN
Slide 12
EAP-TLS and the Microsoft Clients
- Microsoft field in certificate for AuthN
  - Subject Alt Name / Other Name / Principal Name
  - OID 1.3.6.1.4.1.311.20.2.3
  - If not present, the client uses the CN instead
    - Uniqueness issues for many CAs
  - Easy to add to the certificate profile
- Impact on the PKI-Lite certificate profiles
  - Agreed to add this extension to the EE cert profile
Slide 13
Summary: Supported wireless “accounts” at UVa
- EAP-TLS: our main wireless network
  - Leverage PKI for user authentication on WinXP and MacOS 10.3
  - Dynamic session encryption keys
- MAC address restricted network
  - Provides access control and limited authentication
  - Especially useful for devices with limited functionality
  - Now integrated with our main NetReg MAC address registration system
- Guest
  - MAC access control and identification of the UVa sponsor
Slide 14
UVa WLAN Authentication Transition
- Transitioned to the new authentication in summer 2004
  - Added an EAP-TLS VLAN, removed LEAP
  - EAP-TLS is the authentication used on the broadcast SSID
- Main EAP-TLS issues encountered
  - Old drivers for users’ wireless cards
  - A few users still had certificates without the Microsoft attribute
  - Macintosh a little harder since there is no Safari integration for certificate download and installation
- Retained a legacy MAC registration-only VLAN
  - For special devices that don’t support EAP-TLS
  - Non-broadcast SSID
- Transition completed by end of summer; few hard problems encountered
- Will add an EAP-TLS VLAN for access to the UVa “More Secure” network once more AuthZ work is completed
Slide 15
Authentication on the UVa WLAN
[Chart: “Unique Users (EAP-TLS) or Devices (MAC Addr) Authenticating to the UVa WLAN”; y-axis: unique users or devices per month (0 to 12,000); x-axis: month in 2005 (All, March, April, May, June, July); two series: “MAC Addr” and “EAP-TLS”.]
Slide 16
Background: University of Virginia PKI
- Project goal: enable PKI support in a wide range of applications
- Deploy two campus CAs to support two types of PKI-enabled applications
  - Standard Assurance CA
    - For better security on common applications
    - Improve ease of use on some applications
    - Identity proofing marginally stronger than that used with simple passwords
  - High Assurance CA
    - For new applications requiring high security
    - Uses hardware tokens only: 2-factor authentication
    - Strong identity validation before a certificate is issued
Slide 17
UVaAnywhere VPN Service
- Our first PKI application
- Certificate AuthN
- Encrypted path to the UVa network edge
- On-campus IP address
- Cisco 3000 concentrators
- Adding LDAP AuthZ
- IPSec with the Cisco VPN client is the only supported mechanism
[Diagram: Internet connections terminate on the UVaAnywhere concentrators at the edge of UVaNet.]
Slide 18
UVaAnywhere-Lite
- Just added a new SSL VPN service
  - For web applications only
  - Uses the existing Cisco 3000 concentrators
  - PKI for authentication
  - Uses LDAP for authorization
- Web VPN provides a convenient pop-up box for navigation
  - Customized with library and department pages that point to their web resources
Slide 19
Remote Access to the More Secure Network: Certificate AuthN and LDAP AuthZ
[Diagram: a firewall separates the “Less Secure” network (Level 1) from the “More Secure” network (Level 2); the VPN, an SMTP relay and an LPR relay are shown between them, with LDAP AuthZ governing VPN access.]
Slide 20
VPN PKI 2-factor Authentication with LDAP Authorization
[Diagram: VPN concentrators, firewalls and LDAP AuthZ servers in front of the Oracle ERP servers (S1, S2, S3 … Sn), with IN/OUT paths from the Main Campus Network and the Hospital Net.]
Slide 21
Oracle Special Services (ERP): 2-factor Cert AuthN and LDAP AuthZ
[Diagram: from the Main UVa Network, a Normal User and an OSS User reach the servers (S1, S2, S3, S4 … Sn) through the VPN concentrators, firewalls and LDAP AuthZ servers; IN/OUT paths shown.]
Slide 22
Some References
- UVa Wireless LAN site: http://www.itc.virginia.edu/wireless/
- UVa PKI site: http://www.itc.virginia.edu/desktop/pki/
- UVa VPN sites: http://www.itc.virginia.edu/desktop/vpn and http://www.itc.virginia.edu/vpn/webvpn
- HEPKI-TAG PKI-Lite: http://middleware.internet2.edu/hepki-tag/