1 / 23

Secure Authentication System for Public WLAN Roaming

Secure Authentication System for Public WLAN Roaming. Yasuhiko Matsunaga Ana Sanz Merino Manish Shah Takashi Suzuki Randy Katz. Agenda. Single sign-on to confederated wireless networks with authentication adaptation Privacy information protection using policy engine

ryu
Download Presentation

Secure Authentication System for Public WLAN Roaming

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Authentication System for Public WLAN Roaming Yasuhiko Matsunaga Ana Sanz Merino Manish Shah Takashi Suzuki Randy Katz

  2. Agenda • Single sign-on to confederated wireless networks with authentication adaptation • Privacy information protection using policy engine • Improve security of web-based WLAN authentication by binding 802.1x link level authentication • Performance Measurement

  3. Loose Trust Relationship in Current Public Wireless LAN Roaming (ISPs, Card Companies) ID Provider • Each WLAN system is isolated, deploys different authentication schemes • Users have to maintain different ID and credentials Strong Trust WLAN Service Provider WLAN Service Provider Strong Trust No Trust Weak Trust User

  4. Challenges and Our Solutions • Confederate service providers under different trust levels and with different authentication schemes to offer wider coverage • Alleviate user burden of maintaining different identities and credentials per WLAN provider SSO Roaming with Authentication Adaptation • Select proper authentication method and protect privacy of user information per WLAN provider Policy Engine Client • Avoid theft of wireless service without assuming pre-shared secret between user and network L2/Web Compound Authentication

  5. The Single Sign-on concept Single sign-on ID Provider • Single username and password • Users authenticate only the first time • Inter-system handover with minimal user intervention • Each network may deploy its own authentication scheme Office (provider C) Street (provider B) Initial Sign-on Coffee shop (provider A) Confederation

  6. Single Sign-on Technology • Currently two technologies clearly accepted by industry: • RADIUS: Proxy-based authentication scheme • Liberty Alliance: Redirect-based authentication scheme • We adopted both of them for our implementation • Need authentication adaptation framework

  7. Authentication Adaptation Flow (1) Request authentication User Terminal WLAN Service Provider (2) Announce: - provider id - authentication methods - charging options - required user information (3)Select authentication method according to user’s preferences (4) Submit: - selected authn. method - selected charging option - user information (5) Authenticate the user

  8. Client-side Policy Engine • Control automatic submission of user authentication information according to communication context • Context includes trust level of provider, cost, etc. • Authentication/Authorization flow adaptation • Switch between Proxy-based (Radius) and Redirect-based (Liberty-style) single sign on

  9. Policy Engine Architecture End User Client WLAN provider Policy Enforcement Point Auth Info. Repository Policy Check Engine Capability AAA Server Web Browser Applet Policy Policy Repository Context EAP/ 802.1X

  10. Security Threats of Web-based Authentication and Access Control • Lack of cryptographic bindings causes several security vulnerabilities Rogue AP ->DoS Web Server No Data Encryption ->Eavesdropping Gate-control (IP/MAC) No Message Integrity Check ->Message Alteration External Network IP/MAC spoofing-> Theft of Service

  11. L2/Web Compound Authentication RADIUS/Web Server (1) 802.1x TLS guest authentication (2) Establish L2 Session Key Client Access Point (4)Firewall Control (3) Web Auth (with L2 session key digest) External Network • Prevent theft of service, eavesdropping, message alteration • Don’t work for L2 DoS attack – out of scope

  12. WLAN Single Sign on Testbed Identity Provider External Network Web Server Radius RADIUS SOAP HTTPS Service Provider #1 Service Provider #2 Radius Radius Fire wall Radius Fire wall RADIUS Web Web Portal Web HTTPS 802.1x Client Client MC MC

  13. Authentication Adaptation User Interface

  14. Layer 2 Roaming User Interface

  15. Delay Profile Evaluation (Units: sec)

  16. Conclusions • Secure public WLAN roaming made possible by accommodating multiple authentication scheme and ID providers with an adaptation framework • Policy Engine reflects user authentication scheme preference and protects privacy of user information • Compound L2/Web authentication ensures cryptographically-protected access • Confirmed with prototype, measured performance shows reasonable delay for practical use • Exploits industry-standard authentication architectures: Radius, Liberty alliance

  17. backup

  18. Public Wireless LAN Service Model • The network is ‘open’ to users without pre-shared secret AAA Servers User Category Services (1)Monthly/Pre-paid Subscribers Premium Contents & External Network Access (Subscriber Pays) (2)One-time Users WLAN Infra-structure Free & Advertisement Contents (Hotspot Owner Pays) (3)Non-Subscribers

  19. 802.1x/11i/WPA L2 Network Authentication and Access Control • Conventional ‘Closed-style’ authentication: Only hosts with pre-shared key can access the network, Mainly for Corporate WLAN (1) Mutual TLS authentication with pre-shared key (2) Establish L2 session key dynamically (3) Only successfully- decrypted packets are forwarded External Network

  20. L2/Web Authentication Comparison

  21. Our Approach • Compound L2/Web authentication to ensure users to have cryptographically-protected wireless LAN access • Use 802.1x ‘guest’ authentication mode, embed L2 session key digest in web authentication • At layer 2, do not assume pre-shared secret • Digest embedding is necessary for avoiding race attack • After Web authentication, user gets full access • Otherwise, users have limited access to free contents • L2 DoS protection is out of scope

  22. Race Attack Scenario (Why L2 session key digest embedding is necessary) Legitimate Client Malicious Client (MAC Spoofer) AP RADIUS/Web Firewall L2 Auth Bind (MAC, MD5(K1) L2 Auth K1 K1 L2 Auth Web Auth+ MD5(K1) Bind (MAC, MD5(K2)) L2 Auth (L2 Session key verify NG) K2 K2 • Theft of service can be prevented by authentication binding • L2 DoS attack is still possible

  23. Compound Authentication Testbed RADIUS/Web Server (1) 802.1x TLS guest authentication (2) Establish L2 Session Key Client Access Point FreeRADIUS 0.8.1 Apache 2.0.40 Cisco AIR-350 (4)Firewall Control (3) Web Auth (with L2 session key digest) Xsupplicant 0.6 libwww-perl 5.6.9 External Network (rejected) Attacker

More Related