1 / 29

Secure Authentication System for Public WLAN Roaming

Secure Authentication System for Public WLAN Roaming . Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy H. Katz Presented by Dustin Christmann April 20, 2009. Outline. Introduction Current Approaches Single Sign-On Confederation Model

jason-forbes
Télécharger la présentation

Secure Authentication System for Public WLAN Roaming

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Authentication System for Public WLAN Roaming Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy H. Katz Presented by Dustin Christmann April 20, 2009

  2. Outline • Introduction • Current Approaches • Single Sign-On Confederation Model • Authentication Flow Adaption Framework • Policy Engine • Securing Web-Based Authentication • Evaluation • Conclusion

  3. Introduction • WLAN hotspots becoming ubiquitous • Most WLAN hotspot providers small and can’t provide enough coverage • Needed: An inter-network WLAN roaming infrastructure

  4. Introduction • Similar problem to cellular roaming • Main differences: • Cellular equipment contains identification tied to provider • GSM/UMTS (AT&T and T-Mobile): Contained in SIM card • CDMA (Sprint, Verizon, Alltel): Contained in phone firmware • Both GSM/UMTS and CDMA protocols include inter-system authentication protocols

  5. Current Approaches Link layer authentication • IEEE 802.1X standard • Shared session key between user and network • Provides for encryption of packets, as well as authentication • Certificate-based • Not suitable for most public WLAN networks

  6. A brief aside about 802.1X • Port-based authentication • Three parts: • Supplicant: wireless user • Authenticator: base station • Authentication server • Extensible Authentication Protocol (EAP) • Implemented in 802.11i standard

  7. 802.1X Architecture

  8. RADIUS

  9. Liberty

  10. Extensible Authentication Protocol • Not an authentication mechanism, but a framework • Provides common functions and mechanism negotiation • Mechanisms called “methods” in EAP • Around 40 methods defined in various RFCs

  11. So what’s 802.11i? • Amendment to 802.11 • Specifies security mechanisms for 802.11 networks • Ratified in 2004 • Addresses the weaknesses of Wired Equivalent Privacy (WEP) • Wi-Fi Protected Access (WPA): subset of 802.11i • WPA2 full implementation • WEP and WPA use RC4, WPA2 uses AES

  12. 802.11i Four-Way Handshake

  13. Current Approaches Web-based authentication and network layer access control • Based on IP packet filtering • Web server acts as RADIUS client • Prone to theft of service by MAC spoofing • Microsoft CHOICE network

  14. Single Sign-On Confederation Model • Users are authenticated by trusted identity providers • Service providers can have roaming agreements with one or several identity providers

  15. Single Sign-On Confederation Model Assumptions: • The user terminal can validate the certificates of the service provider’s and identity provider’s authentication servers. • There are static trust relationships between the user and the identity provider, and between the service provider and the identity provider. • The user can authenticate the service provider’s authentication server via the identity provider’s authentication server, and vice versa.

  16. Roaming Model

  17. Authentication Negotiation Protocol Need: • Way for service providers to communicate authentication capabilities • Way for users to select identity provider Solution: Authentication Negotiation Protocol • XML web-based protocol • Web browser not needed • Thin client

  18. Authentication Flow Adaption Sequence

  19. Authentication Flow Adaption Architecture

  20. ANP Example Authentication Capabilities Statement • Includes timestamp • Service Provider • Name • Confirmation Method • Key • Identity Provider Group • List of identity providers • Charging information • Authentication methods • Authentication Methods • User info • Password • Charging Option • Interval • Unit price • Time Unit • User info • Service ID • Service • Service description

  21. Policy Engine • Selects appropriate SSO scheme • Minimize user intervention for sign-on process • Protects user authentication information • Not entirely necessary, but very helpful

  22. Policy Engine • Example in paper: • Independent module • Takes XML file as input

  23. Securing Web-Based Authentication • Current web-based authentication approaches are vulnerable: • Theft of service via spoofing • Eavesdropping • Message alteration • Denial of service

  24. Securing Web-Based Authentication • Problem: Neither layer 2 authentication nor web-based authentication is ideal: • IEEE 802.1X authentication is more secure, but requires a preshared secret • Web-based authentication more suitable for one-time use, but insecure

  25. Securing Web-Based Authentication Solution: Hybrid approach • Initial link establishment via 802.11X guest authentication • Web-based authentication after that

  26. Evaluation

  27. Authentication client latency

  28. Web-based Authentication Latency

  29. Conclusions • This paper should have been three papers with more detail in each • Single sign-on authentication • Policy engine • Web-based authentication • Good way of enabling WLAN roaming by decoupling identity management from service provider

More Related