Secure Authentication System for Public WLAN Roaming
Ana Sanz Merino (†), Manish Shah (†), Yasuhiko Matsunaga (‡), Takashi Suzuki (††), Randy H. Katz (†)
(†) University of California, Berkeley {asanz,manish,randy}@EECS.Berkeley.EDU
(‡) NEC Corporation [email protected]
(††) NTT DoCoMo [email protected]
Challenges and Our Solutions
• Confederate service providers under different trust levels and with different authentication schemes to offer wider coverage
• Inter-system handover with minimal user intervention
  Solution: SSO Roaming with Authentication Adaptation
• Select the proper authentication method and protect the privacy of user information per WLAN provider
  Solution: Policy Engine Client
• Avoid theft of wireless service without assuming a pre-shared secret between user and network
  Solution: L2/Web Compound Authentication
[Figure: trust relationships between the User, the WLAN Service Providers and the ID Providers (ISPs, card companies); the edges are labelled Strong Trust, Weak Trust and No Trust]
Auth Adaptation User Interface
[Figure: screenshot of the authentication adaptation user interface]
Policy Engine
• Control automatic submission of user authentication information according to communication context
• Authentication/Authorization flow adaptation
[Figure: Policy Engine on the User Terminal. Components shown: Network Access Client (EAP/802.1X to the WLAN Service Provider's Network Access Server), Web Browser, End User, and the Policy Engine itself, whose Policy Check draws on the Policy Repository, the Auth Info. Repository, the communication Context and the provider's Capability statement]
Policy Rule Format
Each rule names the authentication information items that may be submitted to the subject (a service provider) and any provisional action, here an explicit user acknowledgement, that must happen before they are submitted; the options record the user's remembered choices.
<policy>
  <rule>
    <authn_info href="UserName"/>
    <authn_info href="UserPassword"/>
    <authn_info href="IDPName"/>
    <authn_info href="ContractNumber"/>
    <subject>
      <id>vancouver.cs.berkeley.edu_SP</id>
    </subject>
    <provisional_action name="user_acknowledgement"/>
  </rule>
  <options>
    <chosen_idp>ID Provider C</chosen_idp>
    <chosen_charging_option>Prepaid basic A</chosen_charging_option>
    <chosen_auth_method>Radius</chosen_auth_method>
    <Use_Next_Time>TRUE</Use_Next_Time>
    <Last_Update_Time>1900-01-01T00:00:00Z</Last_Update_Time>
    <Have_account_with>
      <IDP_Name> … </IDP_Name> …
    </Have_account_with>
    <Do_not_have_account_with>…</Do_not_have_account_with>
  </options>
</policy>
L2/Web Compound Authentication
[Figure: Client, Access Point, RADIUS/Web Server and External Network, with the four steps below drawn between them]
(1) 802.1X TLS guest authentication
(2) Establish L2 session key
(3) Web authentication (with L2 session key digest)
(4) Firewall control
The guest 802.1X/TLS exchange needs no pre-shared secret between user and network; its purpose is to establish an L2 session key, and the later web login carries a digest computed with that key, so the web session is bound to the L2 session of the station that was authenticated.
• Prevents theft of service, eavesdropping and message alteration
• Does not address L2 DoS attacks (out of scope)
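The exchange above, simulated end to end as an added example (this is not code from the slides or the authors' prototype). Assumptions not stated on the slides: the "L2 session key digest" is an HMAC-SHA256 over the web-login fields, the portal issues a one-time nonce per login, the server learns the client's L2 session key from the access point side of step (2), and the key derivation is a toy stand-in for EAP-TLS output. Accounts, MAC and IP addresses are constructed sample data.

```python
"""Simulation of L2/Web compound authentication: a web login is accepted only
from a station that holds the L2 session key established in steps (1)-(2)."""
import hashlib
import hmac
import secrets


def derive_l2_session_key(tls_master_secret: bytes, client_mac: str) -> bytes:
    # Toy stand-in for the key material EAP-TLS leaves with both the supplicant
    # and the authenticator after the 802.1X guest authentication (steps 1, 2).
    return hmac.new(tls_master_secret, b"l2-session|" + client_mac.encode(),
                    hashlib.sha256).digest()


def web_auth_digest(l2_key: bytes, mac: str, ip: str, user: str, nonce: str) -> str:
    # Assumed digest construction: HMAC-SHA256 keyed with the L2 session key.
    # Only a holder of the key can produce it, and changing any field breaks it.
    msg = "|".join((mac, ip, user, nonce)).encode()
    return hmac.new(l2_key, msg, hashlib.sha256).hexdigest()


class AccessServer:
    """RADIUS/Web server plus the firewall it controls (step 4)."""

    def __init__(self, accounts: dict):
        self.accounts = accounts        # web credentials (constructed sample)
        self.l2_keys = {}               # mac -> L2 session key from step (2)
        self.nonces = {}                # mac -> outstanding login nonce
        self.firewall_open = set()      # (mac, ip) pairs allowed to the outside

    def register_l2_session(self, mac: str, key: bytes) -> None:
        self.l2_keys[mac] = key

    def login_challenge(self, mac: str) -> str:
        self.nonces[mac] = secrets.token_hex(16)
        return self.nonces[mac]

    def web_auth(self, mac, ip, user, password, nonce, digest) -> bool:
        key = self.l2_keys.get(mac)
        expected_nonce = self.nonces.pop(mac, None)   # single use: stops replay
        if key is None or expected_nonce is None or nonce != expected_nonce:
            return False
        expected = web_auth_digest(key, mac, ip, user, nonce)
        if not hmac.compare_digest(expected, digest):
            return False                              # wrong or missing L2 key
        if self.accounts.get(user) != password:
            return False
        self.firewall_open.add((mac, ip))             # step (4): open the gate
        return True


def run_scenarios() -> dict:
    server = AccessServer({"alice": "correct horse"})
    mac, ip = "00:11:22:33:44:55", "10.0.0.7"
    tls_secret = secrets.token_bytes(32)             # shared after step (1)
    l2_key = derive_l2_session_key(tls_secret, mac)
    server.register_l2_session(mac, l2_key)          # step (2) on the server side

    # Legitimate login: the client signs the login with its L2 key (step 3).
    n1 = server.login_challenge(mac)
    legit = server.web_auth(mac, ip, "alice", "correct horse", n1,
                            web_auth_digest(l2_key, mac, ip, "alice", n1))

    # Thief spoofs Alice's MAC/IP and even has her web password, but no L2 key.
    n2 = server.login_challenge(mac)
    thief = server.web_auth(mac, ip, "alice", "correct horse", n2,
                            web_auth_digest(secrets.token_bytes(32), mac, ip, "alice", n2))

    # Replay of the earlier valid login: its nonce has already been consumed.
    replay = server.web_auth(mac, ip, "alice", "correct horse", n1,
                             web_auth_digest(l2_key, mac, ip, "alice", n1))

    # Altered message: valid digest, but the IP field was changed in flight.
    n3 = server.login_challenge(mac)
    altered = server.web_auth(mac, "10.0.0.99", "alice", "correct horse", n3,
                              web_auth_digest(l2_key, mac, ip, "alice", n3))

    return {"legitimate": legit, "spoofed_mac_ip": thief, "replay": replay,
            "altered": altered, "firewall_open": sorted(server.firewall_open)}
```

Only the first login opens the firewall; a spoofed station, a replayed login and a tampered login are all refused even when the attacker knows the web password, which is the theft-of-service property the slide claims. Eavesdropping protection is not shown here: in the real system it comes from the L2 encryption keyed by the session key and from HTTPS on the web side.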
Authentication Adaptation Architecture
[Figure: User Terminal (End User, Web Browser, Policy Engine, Authentication Negotiation Client) and WLAN Service Provider (Web Server with Web Authentication Portal, Authentication Negotiation Server, Authn Capabilities Manager, Authentication Manager, External Authentication Server); the browser speaks HTTP to the Web Server and the negotiation client speaks ANP to the negotiation server]
(1) Authentication Capabilities Query
(2) Authentication Capabilities Statement: provider id, authentication methods, charging options, required user information
(3) Select authentication method according to the user's preferences
(4) Authentication Query: selected authn. method, selected charging option, user information
(5) Authenticate the user
(6) Authentication Statement
Authentication Capabilities Statement Example
<anp:AuthnCapabilitiesStatement LastUpdateInstant="1900-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameIdentifier>my_service_provider_1</saml:NameIdentifier>
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>…</saml:ConfirmationMethod>
      <ds:KeyInfo>...</ds:KeyInfo>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <anp:IDPGroup>
    <anp:IDPList>
      <anp:IDPName>my_identity_provider_1</anp:IDPName>
    </anp:IDPList>
    <anp:ChargingOptionIDReference>monthly_rate</anp:ChargingOptionIDReference>
    <anp:AuthnMethodIDReference>radius</anp:AuthnMethodIDReference>
    <anp:AuthnMethodIDReference>liberty</anp:AuthnMethodIDReference>
  </anp:IDPGroup>
  <anp:AuthnMethod>
    <anp:AuthnMethodID>radius</anp:AuthnMethodID>
    <anp:UserInfoDesignator AttributeName="UserName" AttributeNameSpace="my_userinfo_namespace"/>
    <anp:UserInfoDesignator AttributeName="UserPassword" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:AuthnMethod>
  <anp:AuthnMethod>
    <anp:AuthnMethodID>liberty</anp:AuthnMethodID>
    <anp:UserInfoDesignator AttributeName="IDPName" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:AuthnMethod>
  <anp:ChargingOption>
    <anp:ChargingOptionID>monthly_rate</anp:ChargingOptionID>
    <anp:ChargingInterval Order="1">
      <anp:UnitPrice>39.95</anp:UnitPrice>
      <anp:TimeUnit Unit="Month">
        <anp:Period>1</anp:Period>
      </anp:TimeUnit>
      <anp:ChargingMode>Constant</anp:ChargingMode>
    </anp:ChargingInterval>
    <anp:UserInfoDesignator AttributeName="ContractNumber" AttributeNameSpace="my_userinfo_namespace"/>
    <anp:ServiceIDReference>private_contents</anp:ServiceIDReference>
  </anp:ChargingOption>
  <anp:Service>
    <anp:ServiceID>private_contents</anp:ServiceID>
    <anp:ServiceDescription>Access to private contents through the provider's web portal</anp:ServiceDescription>
  </anp:Service>
</anp:AuthnCapabilitiesStatement>
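How the Policy Engine combines the two documents shown on the slides, the Policy Rule Format and the Authentication Capabilities Statement above, into a decision, as an added example (not code from the slides or the authors' prototype). The inputs are constructed, trimmed copies of the two documents; assumptions not on the slides are the namespace URIs bound to the anp and saml prefixes and the reading that a rule's authn_info items are the only items that may be released to the rule's subject. The constructed policy prefers Liberty but never releases IDPName to this provider, so the engine must fall back to RADIUS and ask for the user's acknowledgement first.

```python
"""Minimal policy-engine decision: which offered authentication method and
charging option can be submitted to this provider under the user's policy."""
import xml.etree.ElementTree as ET

NS = {"anp": "urn:example:anp",                           # assumed URI
      "saml": "urn:oasis:names:tc:SAML:1.0:assertion"}    # SAML 1.x assertion

CAPABILITIES = """<anp:AuthnCapabilitiesStatement xmlns:anp="urn:example:anp"
  xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" LastUpdateInstant="1900-01-01T00:00:00Z">
  <saml:Subject><saml:NameIdentifier>my_service_provider_1</saml:NameIdentifier></saml:Subject>
  <anp:IDPGroup>
    <anp:IDPList><anp:IDPName>my_identity_provider_1</anp:IDPName></anp:IDPList>
    <anp:ChargingOptionIDReference>monthly_rate</anp:ChargingOptionIDReference>
    <anp:AuthnMethodIDReference>radius</anp:AuthnMethodIDReference>
    <anp:AuthnMethodIDReference>liberty</anp:AuthnMethodIDReference>
  </anp:IDPGroup>
  <anp:AuthnMethod><anp:AuthnMethodID>radius</anp:AuthnMethodID>
    <anp:UserInfoDesignator AttributeName="UserName" AttributeNameSpace="my_userinfo_namespace"/>
    <anp:UserInfoDesignator AttributeName="UserPassword" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:AuthnMethod>
  <anp:AuthnMethod><anp:AuthnMethodID>liberty</anp:AuthnMethodID>
    <anp:UserInfoDesignator AttributeName="IDPName" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:AuthnMethod>
  <anp:ChargingOption><anp:ChargingOptionID>monthly_rate</anp:ChargingOptionID>
    <anp:UserInfoDesignator AttributeName="ContractNumber" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:ChargingOption>
</anp:AuthnCapabilitiesStatement>"""

# Constructed policy: Liberty preferred, but IDPName may not be released here.
POLICY = """<policy>
  <rule>
    <authn_info href="UserName"/><authn_info href="UserPassword"/>
    <authn_info href="ContractNumber"/>
    <subject><id>my_service_provider_1</id></subject>
    <provisional_action name="user_acknowledgement"/>
  </rule>
  <options><chosen_auth_method>liberty</chosen_auth_method></options>
</policy>"""


def parse_capabilities(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    return {
        "sp_id": root.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS),
        "methods": {m.findtext("anp:AuthnMethodID", namespaces=NS):
                    {d.get("AttributeName") for d in m.findall("anp:UserInfoDesignator", NS)}
                    for m in root.findall("anp:AuthnMethod", NS)},
        "charging": {c.findtext("anp:ChargingOptionID", namespaces=NS):
                     {d.get("AttributeName") for d in c.findall("anp:UserInfoDesignator", NS)}
                     for c in root.findall("anp:ChargingOption", NS)},
        "groups": [{"idps": [n.text for n in g.findall("anp:IDPList/anp:IDPName", NS)],
                    "methods": [r.text for r in g.findall("anp:AuthnMethodIDReference", NS)],
                    "charging": [r.text for r in g.findall("anp:ChargingOptionIDReference", NS)]}
                   for g in root.findall("anp:IDPGroup", NS)],
    }


def parse_policy(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    rules = {r.findtext("subject/id"): {
                 "allowed": {a.get("href") for a in r.findall("authn_info")},
                 "actions": [p.get("name") for p in r.findall("provisional_action")]}
             for r in root.findall("rule")}
    options = root.find("options")
    return {"rules": rules, "options": {o.tag: (o.text or "").strip()
                                        for o in options} if options is not None else {}}


def decide(capabilities_xml: str, policy_xml: str, idps_with_account: set):
    """Return the method/charging option the engine may submit, or None if no
    offered combination is covered by the user's rule for this provider."""
    caps, policy = parse_capabilities(capabilities_xml), parse_policy(policy_xml)
    rule = policy["rules"].get(caps["sp_id"])
    if rule is None:
        return None                                    # no rule: release nothing
    preferred = policy["options"].get("chosen_auth_method")
    candidates = []
    for group in caps["groups"]:
        if not any(idp in idps_with_account for idp in group["idps"]):
            continue                                   # user has no account there
        for method in group["methods"]:
            for option in group["charging"]:
                needed = caps["methods"][method] | caps["charging"][option]
                if needed <= rule["allowed"]:          # every item is releasable
                    candidates.append((method, option, sorted(needed)))
    if not candidates:
        return None
    candidates.sort(key=lambda c: c[0] != preferred)   # user's preference first
    method, option, needed = candidates[0]
    return {"method": method, "charging_option": option,
            "submit": needed, "provisional_actions": rule["actions"]}
```

The decision is driven entirely by the subject id in the provider's statement and the rule keyed on it: with no rule, or with an IDPGroup for an identity provider the user has no account with, nothing is released. The provisional action is returned rather than acted on, since it is the user interface, not the engine, that must obtain the acknowledgement before the Authentication Query is sent.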
WLAN Secure Roaming Testbed (473 Soda Hall)
[Figure: testbed topology. Components shown:
• WinXP Client; Linux Client running Xsupplicant, ANP Client, Policy Engine and Roaming Client
• Service Provider #1 and Service Provider #2, each with 802.1X/RADIUS, Web Portal, Liberty Service Provider, ANP Server, Firewall and Auth Manager
• Identity Provider #1 and Identity Provider #2, each a Liberty ID provider with RADIUS
• Links labelled 802.1X, RADIUS, HTTPS, SOAP and ANP]
Liberty Alliance Authentication
[Figure: message sequence between the Mobile Client (Web Browser / ANP Client), the WLAN Service Provider (Packet Filter & Redirect, Authentication Manager) and the ID Provider (AAA-H, Liberty id provider)]
Authentication Process:
1. ID Provider Selection (Mobile Client to WLAN Service Provider)
2. Gate-open: open a hole in the firewall rule, giving the user limited access to the AAA-H server only
3. SSL setup; Authentication Request; Redirect to ID Provider
4. SSL setup with the ID Provider; User Credentials Request; the client returns the {User ID, Password} pair
5. Login Succeeded; Redirect to WLAN Provider with Auth Response
6. Auth Response reaches the Authentication Manager; Authentication Confirmation (SOAP) between WLAN Service Provider and ID Provider
7. Gate-open: give user full access
Conclusions
1. Secure public WLAN roaming made possible across independent administrative domains and different authentication schemes
2. Builds on industry-standard authentication architectures: RADIUS, Liberty Alliance
3. Policy Engine reflects the user's authentication scheme preferences and protects the privacy of user information
4. Compound L2/Web authentication ensures cryptographically protected access
5. Confirmed with a prototype; measured performance shows reasonable delay for practical use
Measured authentication delay (units: sec)

                                      Redirect-based (Liberty)    Proxy-based (RADIUS)
                                      Roaming     Local           Roaming     Local
Authn. Capabilities Announcement      0.250       0.250           0.250       0.250
Link Layer (802.1X) Authentication    0.124       0.124           0.124       0.124
Policy Engine                         0.255       0.255           0.255       0.255
Web Authentication                    1.545       0.276           0.296       0.295
Total                                 2.174       0.905           0.925       0.924