Secure Authentication System for Public WLAN Roaming
DESCRIPTION
Secure Authentication System for Public WLAN Roaming. Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy H. Katz. Presented by Dustin Christmann, April 20, 2009. Outline: Introduction, Current Approaches, Single Sign-On Confederation Model
TRANSCRIPT
UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering
Secure Authentication System for Public WLAN Roaming
Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy H. Katz
Presented by Dustin Christmann
April 20, 2009
Outline
• Introduction
• Current Approaches
• Single Sign-On Confederation Model
• Authentication Flow Adaption Framework
• Policy Engine
• Securing Web-Based Authentication
• Evaluation
• Conclusion
Introduction
• WLAN hotspots becoming ubiquitous
• Most WLAN hotspot providers small and can’t provide enough coverage
• Needed: An inter-network WLAN roaming infrastructure
Introduction
• Similar problem to cellular roaming
• Main differences:
  – Cellular equipment contains identification tied to provider
    • GSM/UMTS (AT&T and T-Mobile): Contained in SIM card
    • CDMA (Sprint, Verizon, Alltel): Contained in phone firmware
  – Both GSM/UMTS and CDMA protocols include inter-system authentication protocols
Current Approaches
Link layer authentication
• IEEE 802.1X standard
• Shared session key between user and network
• Provides for encryption of packets, as well as authentication
• Certificate-based
• Not suitable for most public WLAN networks
A brief aside about 802.1X
• Port-based authentication
• Three parts:
  – Supplicant: wireless user
  – Authenticator: base station
  – Authentication server
• Extensible Authentication Protocol (EAP)
• Implemented in 802.11i standard
802.1X Architecture (figure)
RADIUS (figure)
Liberty (figure)
Extensible Authentication Protocol
• Not an authentication mechanism, but a framework
• Provides common functions and mechanism negotiation
• Mechanisms called “methods” in EAP
• Around 40 methods defined in various RFCs
So what’s 802.11i?
• Amendment to 802.11
• Specifies security mechanisms for 802.11 networks
• Ratified in 2004
• Addresses the weaknesses of Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA): subset of 802.11i
• WPA2: full implementation
• WEP and WPA use RC4, WPA2 uses AES
802.11i Four-Way Handshake (figure)
Current Approaches
Web-based authentication and network layer access control
• Based on IP packet filtering
• Web server acts as RADIUS client
• Prone to theft of service by MAC spoofing
• Microsoft CHOICE network
Single Sign-On Confederation Model
• Users are authenticated by trusted identity providers
• Service providers can have roaming agreements with one or several identity providers
Single Sign-On Confederation Model
Assumptions:
• The user terminal can validate the certificates of the service provider’s and identity provider’s authentication servers.
• There are static trust relationships between the user and the identity provider, and between the service provider and the identity provider.
• The user can authenticate the service provider’s authentication server via the identity provider’s authentication server, and vice versa.
Roaming Model (figure)
Authentication Negotiation Protocol
Need:
• Way for service providers to communicate authentication capabilities
• Way for users to select identity provider
Solution: Authentication Negotiation Protocol
• XML web-based protocol
• Web browser not needed
• Thin client
Authentication Flow Adaption Sequence (figure)
Authentication Flow Adaption Architecture (figure)
ANP Example
Authentication Capabilities Statement
• Includes timestamp
Service Provider
• Name
• Confirmation Method
• Key
Identity Provider Group
• List of identity providers
• Charging information
• Authentication methods
Authentication Methods
• User info
• Password
Charging Option
• Interval
• Unit price
• Time Unit
• User info
• Service ID
Service
• Service description
Policy Engine
• Selects appropriate SSO scheme
• Minimize user intervention for sign-on process
• Protects user authentication information
• Not entirely necessary, but very helpful
Policy Engine
• Example in paper:
  – Independent module
  – Takes XML file as input
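As an added illustration (not code from the paper or from this talk), a constructed ANP Authentication Capabilities Statement carrying the fields the ANP Example slide lists, and a small policy engine that takes it as XML input and selects an identity provider and authentication method. The element and attribute names, identity provider names, prices and policy shape are assumptions, not the paper's actual ANP schema.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed capabilities statement; element and attribute names are assumptions.
ACS_TEMPLATE = """<AuthCapabilitiesStatement timestamp="{ts}">
  <ServiceProvider name="HotspotCo" confirmationMethod="tls-cert" key="SP-KEY-PLACEHOLDER"/>
  <IdentityProviderGroup>
    <IdentityProvider name="idp-a.example">
      <AuthMethod type="password"/>
      <ChargingOption interval="1" timeUnit="minute" unitPrice="0.05" serviceId="wlan"/>
    </IdentityProvider>
    <IdentityProvider name="idp-b.example">
      <AuthMethod type="userinfo"/>
      <ChargingOption interval="1" timeUnit="hour" unitPrice="2.00" serviceId="wlan"/>
    </IdentityProvider>
  </IdentityProviderGroup>
  <Service description="Public WLAN access"/>
</AuthCapabilitiesStatement>"""

def build_acs(ts_iso):
    # Stamp the constructed statement with an ISO 8601 issue time.
    return ACS_TEMPLATE.format(ts=ts_iso)

# User policy (assumed shape): IdPs allowed to see credentials, method
# preference (earlier wins), a price ceiling and a freshness window.
USER_POLICY = {"trusted_idps": {"idp-a.example", "idp-b.example"},
               "method_preference": ["userinfo", "password"],
               "max_unit_price": 1.00, "max_age": timedelta(minutes=5)}

def select_sso(acs_xml, policy, now_iso):
    """Return {"idp": ..., "method": ...} for the sign-on to use, or None."""
    root = ET.fromstring(acs_xml)
    issued = datetime.fromisoformat(root.get("timestamp"))
    # Reject a stale statement first: a replayed announcement must not steer the choice.
    if datetime.fromisoformat(now_iso) - issued > policy["max_age"]:
        return None
    best = None  # (preference rank, idp name, method)
    for idp in root.iter("IdentityProvider"):
        name = idp.get("name")
        if name not in policy["trusted_idps"]:
            continue  # never release credentials to an unknown identity provider
        if float(idp.find("ChargingOption").get("unitPrice")) > policy["max_unit_price"]:
            continue
        offered = {m.get("type") for m in idp.findall("AuthMethod")}
        for rank, method in enumerate(policy["method_preference"]):
            if method in offered:
                if best is None or (rank, name) < best[:2]:
                    best = (rank, name, method)
                break  # most preferred method this IdP offers
    return None if best is None else {"idp": best[1], "method": best[2]}
```

With the default policy the cheaper provider wins even though it offers the less preferred method; raising the price ceiling flips the choice, and a statement older than the freshness window or from an untrusted provider yields no sign-on at all.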
Securing Web-Based Authentication
• Current web-based authentication approaches are vulnerable:
  – Theft of service via spoofing
  – Eavesdropping
  – Message alteration
  – Denial of service
Securing Web-Based Authentication
• Problem: Neither layer 2 authentication nor web-based authentication is ideal:
  – IEEE 802.1X authentication is more secure, but requires a preshared secret
  – Web-based authentication more suitable for one-time use, but insecure
Securing Web-Based Authentication
Solution: Hybrid approach
• Initial link establishment via 802.1X guest authentication
• Web-based authentication after that
Evaluation
Authentication client latency (seconds)

                                         Proxy-based (RADIUS)    Redirect-based (Liberty)
                                         Local      Remote       Local      Remote
Web authentication                       0.295      0.296        0.276      1.545
Policy engine                            0.255      0.255        0.255      0.255
Authentication Capabilities Announcement 0.250      0.250        0.250      0.250
Link layer (802.1X) authentication       0.124      0.124        0.124      0.124
Total                                    0.924      0.925        0.905      2.174
Web-based Authentication Latency (seconds)

                                         Proxy-based (RADIUS)    Redirect-based (Liberty)
                                         Local      Remote       Local      Remote
Web authentication                       0.091      0.102        0.088      1.364
Firewall redirection                     0.086      0.086        0.086      0.086
Link layer (802.1X) authentication       0.124      0.124        0.124      0.124
Total                                    0.301      0.312        0.298      1.574
Conclusions
• This paper should have been three papers with more detail in each:
  – Single sign-on authentication
  – Policy engine
  – Web-based authentication
• Good way of enabling WLAN roaming by decoupling identity management from service provider