
Secure Authentication System for Public WLAN Roaming


Presentation Transcript


  1. Secure Authentication System for Public WLAN Roaming Ana Sanz Merino Yasuhiko Matsunaga Manish Shah Takashi Suzuki Randy Katz

  2. Agenda • 1. Challenges and our Solution • 2. Testbed Description • 3. Performance Measurement

  3. Loose Trust Relationship in Current Public Wireless LAN Roaming • Each WLAN system is isolated and deploys different authentication schemes (ISPs, card companies)
  [Figure: trust diagram with nodes User, ID Provider and two WLAN Service Providers; edges labelled Strong Trust, Strong Trust, Weak Trust and No Trust]

  4. Challenges and Our Solutions
  • Challenges: confederate service providers under different trust levels and with different authentication schemes to offer wider coverage; inter-system handover with minimal user intervention. Solution: SSO Roaming with Authentication Adaptation
  • Challenge: select the proper authentication method and protect the privacy of user information per WLAN provider. Solution: Policy Engine Client
  • Challenge: avoid theft of wireless service without assuming a pre-shared secret between user and network. Solution: L2/Web Compound Authentication

  5. Authentication Adaptation Flow • Authentication Negotiation Protocol • XML-based
  Exchange between User Terminal and WLAN Service Provider:
  (1) Authentication Capabilities Query
  (2) Authentication Capabilities Statement: provider id, authentication methods, charging options, required user information
  (3) Select authentication method according to user's preferences
  (4) Authentication Query: selected authn. method, selected charging option, user information
  (5) Authenticate the user
  (6) Authentication Statement

  6. Authentication Capabilities Statement Example
  <anp:AuthnCapabilitiesStatement LastUpdateInstant="1900-01-01T00:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier>vancouver.cs.berkeley.edu_SP</saml:NameIdentifier>
      <saml:SubjectConfirmation>
        <saml:ConfirmationMethod>…</saml:ConfirmationMethod>
        <ds:KeyInfo>...</ds:KeyInfo>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <anp:IDPGroup>
      <anp:IDPList>
        <anp:IDPName>ID Provider C</anp:IDPName>
      </anp:IDPList>
      <anp:ChargingOptionIDReference>Prepaid basic A</anp:ChargingOptionIDReference>
      <anp:AuthnMethodIDReference>Radius</anp:AuthnMethodIDReference>
      <anp:AuthnMethodIDReference>Liberty</anp:AuthnMethodIDReference>
    </anp:IDPGroup>
    <anp:AuthnMethod>
      <anp:AuthnMethodID>Radius</anp:AuthnMethodID>
      <anp:UserInfoDesignator AttributeName="UserName" AttributeNameSpace="my_userinfo_namespace"/>
      <anp:UserInfoDesignator AttributeName="UserPassword" AttributeNameSpace="my_userinfo_namespace"/>
    </anp:AuthnMethod>

  7. Authentication Capabilities Statement Example (continued)
    <anp:AuthnMethod>
      <anp:AuthnMethodID>Liberty</anp:AuthnMethodID>
      <anp:UserInfoDesignator AttributeName="IDPName" AttributeNameSpace="my_userinfo_namespace"/>
    </anp:AuthnMethod>
    <anp:ChargingOption>
      <anp:ChargingOptionID>Prepaid basic A</anp:ChargingOptionID>
      <anp:ChargingInterval Order="1">
        <anp:UnitPrice>0.1</anp:UnitPrice>
        <anp:TimeUnit Unit="Minute">
          <anp:Period>1</anp:Period>
        </anp:TimeUnit>
        <anp:ChargingMode>Constant</anp:ChargingMode>
      </anp:ChargingInterval>
      <anp:UserInfoDesignator AttributeName="ContractNumber" AttributeNameSpace="my_userinfo_namespace"/>
      <anp:ServiceIDReference>private_contents</anp:ServiceIDReference>
    </anp:ChargingOption>
    <anp:Service>
      <anp:ServiceID>private_contents</anp:ServiceID>
      <anp:ServiceDescription>Access to private contents through the provider's web portal</anp:ServiceDescription>
    </anp:Service>
  </anp:AuthnCapabilitiesStatement>

  8. Auth Adaptation User Interface

  9. Policy Engine • Control automatic submission of user authentication information according to communication context • Authentication/Authorization flow adaptation
  [Figure: architecture with End User, User Terminal (Network Access Client, Policy Engine, Web Browser, Auth Info. Repository, Policy Repository) and WLAN Service Provider (Network Access Server); arrows labelled Policy Check, Capability, Context and EAP/802.1X]

  10. Policy Rule Example
  <policy>
    <rule>
      <authn_info href="UserName"/>
      <authn_info href="UserPassword"/>
      <authn_info href="IDPName"/>
      <authn_info href="ContractNumber"/>
      <subject>
        <id>vancouver.cs.berkeley.edu_SP</id>
      </subject>
      <provisional_action name="user_acknowledgement"/>
    </rule>
    <options>
      <chosen_idp>ID Provider C</chosen_idp>
      <chosen_charging_option>Prepaid basic A</chosen_charging_option>
      <chosen_auth_method>Radius</chosen_auth_method>
      <Use_Next_Time>TRUE</Use_Next_Time>
      <Last_Update_Time>1900-01-01T00:00:00Z</Last_Update_Time>
      …
      <Have_account_with>
        <IDP_Name>ID Provider C</IDP_Name>
        <Charging_Option>Prepaid basic A…</Charging_Option>
        <Charging_Option>Prepaid basic B…</Charging_Option>
        <Charging_Option>Prepaid premium A…</Charging_Option>
        <Auth_Method>Radius…</Auth_Method>
        <Auth_Method>Liberty…</Auth_Method>
      </Have_account_with>
      <Do_not_have_account_with>
        <IDP_Name>ID Provider B</IDP_Name>
        <Charging_Option>Prepaid basic A…</Charging_Option>
        <Auth_Method>Radius…</Auth_Method>
      </Do_not_have_account_with>
    </options>
  </policy>

  11. Authentication Query Example
  <anp:AuthnQuery>
    <anp:AuthnMethodIDReference>Radius</anp:AuthnMethodIDReference>
    <anp:ChargingOptionIDReference>Prepaid basic A</anp:ChargingOptionIDReference>
    <anp:UserInfo AttributeName="UserName">
      <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">my_user</saml:AttributeValue>
    </anp:UserInfo>
    <anp:UserInfo AttributeName="UserPassword">
      <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">my_password</saml:AttributeValue>
    </anp:UserInfo>
    <anp:UserInfo AttributeName="ContractNumber">
      <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">my_contract_number</saml:AttributeValue>
    </anp:UserInfo>
  </anp:AuthnQuery>
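As an added example (not code from the slides or the project), the policy-engine side of steps (3) and (4) of the adaptation flow on slide 5: parse a capabilities statement shaped like the one on slides 6 and 7, pick an ID provider and method the user's policy allows (slide 10), and emit an AuthnQuery (slide 11) that carries only the attributes the chosen method and charging option designate, so nothing else in the terminal's info repository leaves the device. The anp namespace URI, the dict form of the policy and the sample statement are assumptions.

```python
import xml.etree.ElementTree as ET

# Assumed namespace URI: the slides use the "anp" prefix but never declare it.
ANP = "urn:example:anp"; NS = {"anp": ANP}
T = lambda name: f"{{{ANP}}}{name}"  # Clark-notation tag for ElementTree

# Constructed sample, cut down from the capabilities statement on slides 6-7.
CAPABILITIES = f"""<anp:AuthnCapabilitiesStatement xmlns:anp="{ANP}">
 <anp:IDPGroup><anp:IDPList><anp:IDPName>ID Provider C</anp:IDPName></anp:IDPList>
  <anp:ChargingOptionIDReference>Prepaid basic A</anp:ChargingOptionIDReference>
  <anp:AuthnMethodIDReference>Radius</anp:AuthnMethodIDReference>
  <anp:AuthnMethodIDReference>Liberty</anp:AuthnMethodIDReference></anp:IDPGroup>
 <anp:AuthnMethod><anp:AuthnMethodID>Radius</anp:AuthnMethodID>
  <anp:UserInfoDesignator AttributeName="UserName"/>
  <anp:UserInfoDesignator AttributeName="UserPassword"/></anp:AuthnMethod>
 <anp:AuthnMethod><anp:AuthnMethodID>Liberty</anp:AuthnMethodID>
  <anp:UserInfoDesignator AttributeName="IDPName"/></anp:AuthnMethod>
 <anp:ChargingOption><anp:ChargingOptionID>Prepaid basic A</anp:ChargingOptionID>
  <anp:UserInfoDesignator AttributeName="ContractNumber"/></anp:ChargingOption>
</anp:AuthnCapabilitiesStatement>"""

# User policy after slide 10 (assumed dict form): accounts held, preferred method order.
POLICY = {"have_account_with": {"ID Provider C"}, "preferred_methods": ["Liberty", "Radius"]}

def select_authentication(cap_xml, policy):
    """Flow step (3): choose IDP, method and charging option (None if nothing fits)."""
    root = ET.fromstring(cap_xml)
    required = {el.findtext(f"anp:{tag}", namespaces=NS): [d.get("AttributeName") for d in el.findall("anp:UserInfoDesignator", NS)]
                for kind, tag in (("AuthnMethod", "AuthnMethodID"), ("ChargingOption", "ChargingOptionID"))
                for el in root.findall(f"anp:{kind}", NS)}
    for group in root.findall("anp:IDPGroup", NS):
        idps = [n.text for n in group.findall("anp:IDPList/anp:IDPName", NS)]
        offered = [m.text for m in group.findall("anp:AuthnMethodIDReference", NS)]
        idp = next((i for i in idps if i in policy["have_account_with"]), None)
        method = next((m for m in policy["preferred_methods"] if m in offered), None)
        if idp is None or method is None:
            continue  # credentials are never offered to a provider outside the policy
        charging = group.findtext("anp:ChargingOptionIDReference", namespaces=NS)
        needed = required.get(method, []) + required.get(charging, [])
        return {"idp": idp, "method": method, "charging": charging, "user_info": needed}
    return None

def build_authn_query(sel, user_info):
    """Flow step (4): an AuthnQuery carrying only the designated attributes."""
    q = ET.Element(T("AuthnQuery"))
    ET.SubElement(q, T("AuthnMethodIDReference")).text = sel["method"]
    ET.SubElement(q, T("ChargingOptionIDReference")).text = sel["charging"]
    for name in sel["user_info"]:  # any other user_info entry stays on the terminal
        ET.SubElement(q, T("UserInfo"), AttributeName=name).text = user_info[name]
    return ET.tostring(q, encoding="unicode")
```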

  12. L2/Web Compound Authentication
  Message flow between Client, Access Point, RADIUS/Web Server and External Network:
  (1) 802.1x TLS guest authentication
  (2) Establish L2 session key
  (3) Web authentication (with L2 session key digest)
  (4) Firewall control
  • Prevents theft of service, eavesdropping and message alteration
  • Does not address L2 DoS attacks (out of scope)

  13. WLAN Secure Roaming Testbed
  [Figure: testbed topology. Identity Provider #1 and #2: Liberty id provider, Radius. Service Provider #1 and #2: Liberty service provider, Web Portal, Radius, ANP Server, Firewall. Clients: Linux Client (ANP Client, Policy Engine, 802.1x Roaming Client) and WinXP Client (802.1x, Xsupplicant). Links labelled RADIUS, SOAP, HTTPS and ANP.]

  14. Layer 2 Roaming User Interface

  15. Delay Profile Evaluation (Units: sec)

  16. Conclusions • Secure public WLAN roaming made possible by accommodating multiple authentication schemes and ID providers with an adaptation framework • Policy Engine reflects the user's authentication scheme preferences and protects the privacy of user information • Compound L2/Web authentication ensures cryptographically protected access • Confirmed with a prototype; measured performance shows reasonable delay for practical use • Exploits industry-standard authentication architectures: Radius, Liberty Alliance
