Secure Authentication System for Public WLAN Roaming - PowerPoint PPT Presentation

1 / 23
About This Presentation
Title:

Secure Authentication System for Public WLAN Roaming

Description:

Rogue AP - DoS. Lack of cryptographic bindings causes several security vulnerabilities ... L2 DoS attack is still possible. L2 Auth. Web Auth MD5(K1) ... – PowerPoint PPT presentation

Number of Views:68
Avg rating:3.0/5.0
Slides: 24
Provided by: saharaCs
Category:

less

Transcript and Presenter's Notes

Title: Secure Authentication System for Public WLAN Roaming


1
Secure Authentication System for Public WLAN
Roaming
  • Yasuhiko Matsunaga
  • Ana Sanz Merino
  • Manish Shah
  • Takashi Suzuki
  • Randy Katz

2
Agenda
  • Single sign-on to confederated wireless networks
    with authentication adaptation
  • Privacy information protection using policy
    engine
  • Improve security of web-based WLAN authentication
    by binding 802.1x link level authentication
  • Performance Measurement

3
Loose Trust Relationship in Current Public
Wireless LAN Roaming
(ISPs, Card Companies)
ID Provider
Strong Trust
WLAN Service Provider
WLAN Service Provider
Strong Trust
No Trust
Weak Trust
User
  • Each WLAN system is isolated, deploys different
    authentication schemes
  • Users have to maintain different ID and
    credentials

4
Challenges and Our Solutions
  • Confederate service providers under different
    trust levels and with different authentication
    schemes to offer wider coverage
  • Alleviate user burden of maintaining different
    identities and credentials per WLAN provider
  • SSO Roaming with Authentication Adaptation
  • Select proper authentication method and protect
    privacy of user information per WLAN provider
  • Policy Engine Client
  • Avoid theft of wireless service without assuming
    pre-shared secret between user and network
  • L2/Web Compound Authentication

5
The Single Sign-on concept
Single sign-on
ID Provider
Office (provider C)
Street (provider B)
Initial Sign-on
Coffee shop (provider A)
Confederation
  • Single username and password
  • Users authenticate only the first time
  • Inter-system handover with minimal user
    intervention
  • Each network may deploy its own authentication
    scheme

6
Single Sign-on Technology
  • Currently two technologies clearly accepted by
    industry
  • RADIUS Proxy-based authentication scheme
  • Liberty Alliance Redirect-based authentication
    scheme
  • We adopted both of them for our implementation
  • Need authentication adaptation framework

7
Authentication Adaptation Flow
(1) Request authentication
User Terminal
WLAN Service Provider
(2) Announce - provider id - authentication
methods - charging options - required user
information
(3)Select authentication method according to
users preferences
(4) Submit - selected authn. method - selected
charging option - user information
(5) Authenticate the user
8
Client-side Policy Engine
  • Control automatic submission of user
    authentication information according to
    communication context
  • Context includes trust level of provider, cost,
    etc.
  • Authentication/Authorization flow adaptation
  • Switch between Proxy-based (Radius) and
    Redirect-based (Liberty-style) single sign on

9
Policy Engine Architecture
End User
WLAN provider
Client
Policy Enforcement Point
Policy Check Engine
Auth Info. Repository
Capability
AAA Server
Web Browser
Applet
Policy
Policy Repository
Context
EAP/ 802.1X
10
Security Threats of Web-based Authentication and
Access Control
  • Lack of cryptographic bindings causes several
    security vulnerabilities

Rogue AP -gtDoS
Web Server
No Data Encryption -gtEavesdropping
Gate-control (IP/MAC)
No Message Integrity Check -gtMessage Alteration
External Network
IP/MAC spoofing-gt Theft of Service
11
L2/Web Compound Authentication
RADIUS/Web Server
(1) 802.1x TLS guest authentication
(2) Establish L2 Session Key
Client
Access Point
(4)Firewall Control
(3) Web Auth (with L2 session key digest)
External Network
  • Prevent theft of service, eavesdropping, message
    alteration
  • Dont work for L2 DoS attack out of scope

12
WLAN Single Sign on Testbed
Identity Provider
External Network
Web Server
Radius
RADIUS
SOAP
HTTPS
Service Provider 1
Service Provider 2
Radius
Fire wall
Radius
Radius
Fire wall
RADIUS
Web
Web Portal
Web
HTTPS
802.1x
Client
Client
MC
MC
13
Authentication Adaptation User Interface
14
Layer 2 Roaming User Interface
15
Delay Profile Evaluation
(Units sec)
16
Conclusions
  • Secure public WLAN roaming made possible by
    accommodating multiple authentication scheme and
    ID providers with an adaptation framework
  • Policy Engine reflects user authentication scheme
    preference and protects privacy of user
    information
  • Compound L2/Web authentication ensures
    cryptographically-protected access
  • Confirmed with prototype, measured performance
    shows reasonable delay for practical use
  • Exploits industry-standard authentication
    architectures Radius, Liberty alliance

17
backup
18
Public Wireless LAN Service Model
  • The network is open to users without pre-shared
    secret

AAA Servers
User Category
Services
(1)Monthly/Pre-paid Subscribers
Premium Contents External Network Access
(Subscriber Pays)
(2)One-time Users
WLAN Infra-structure
Free Advertisement Contents (Hotspot
Owner Pays)
(3)Non-Subscribers
19
802.1x/11i/WPA L2 Network Authentication and
Access Control
  • Conventional Closed-style authentication Only
    hosts with pre-shared key can access the network,
    Mainly for Corporate WLAN

(1) Mutual TLS authentication with pre-shared key
(2) Establish L2 session key dynamically
(3) Only successfully- decrypted packets are
forwarded
External Network
20
L2/Web Authentication Comparison
21
Our Approach
  • Compound L2/Web authentication to ensure users to
    have cryptographically-protected wireless LAN
    access
  • Use 802.1x guest authentication mode, embed L2
    session key digest in web authentication
  • At layer 2, do not assume pre-shared secret
  • Digest embedding is necessary for avoiding race
    attack
  • After Web authentication, user gets full access
  • Otherwise, users have limited access to free
    contents
  • L2 DoS protection is out of scope

22
Race Attack Scenario
(Why L2 session key digest embedding is necessary)
Legitimate Client
Malicious Client (MAC Spoofer)
AP
RADIUS/Web
Firewall
L2 Auth
Bind (MAC, MD5(K1)
L2 Auth
K1
K1
L2 Auth
Web Auth MD5(K1)
Bind (MAC, MD5(K2))
L2 Auth
(L2 Session key verify NG)
K2
K2
  • Theft of service can be prevented by
    authentication binding
  • L2 DoS attack is still possible

23
Compound Authentication Testbed
RADIUS/Web Server
(1) 802.1x TLS guest authentication
(2) Establish L2 Session Key
Client
Access Point
FreeRADIUS 0.8.1 Apache 2.0.40
Cisco AIR-350
(4)Firewall Control
(3) Web Auth (with L2 session key digest)
Xsupplicant 0.6 libwww-perl 5.6.9
External Network
(rejected)
Attacker
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "Secure Authentication System for Public WLAN Roaming" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!