Secure Authentication System for Public WLAN Roaming - PowerPoint PPT Presentation

1
Secure Authentication System for Public WLAN
Roaming
  • Yasuhiko Matsunaga
  • Ana Sanz Merino
  • Manish Shah
  • Takashi Suzuki
  • Randy Katz

2
Agenda
  • Single sign-on to confederated wireless networks
    with authentication adaptation
  • Privacy information protection using policy
    engine
  • Improve security of web-based WLAN authentication
    by binding 802.1x link level authentication
  • Performance Measurement

3
Loose Trust Relationship in Current Public
Wireless LAN Roaming
[Diagram: ID Provider (ISPs, card companies), two WLAN Service Providers and the User, with the links between them labelled Strong Trust, Weak Trust and No Trust]
  • Each WLAN system is isolated and deploys its own
    authentication scheme
  • Users have to maintain different IDs and
    credentials for each one

4
Challenges and Our Solutions
  • Challenge: Confederate service providers under different
    trust levels and with different authentication
    schemes to offer wider coverage, and alleviate the user
    burden of maintaining different identities and
    credentials per WLAN provider
    Solution: SSO Roaming with Authentication Adaptation
  • Challenge: Select proper authentication method and protect
    privacy of user information per WLAN provider
    Solution: Policy Engine Client
  • Challenge: Avoid theft of wireless service without assuming
    pre-shared secret between user and network
    Solution: L2/Web Compound Authentication

5
The Single Sign-on concept
[Diagram: a Confederation of providers backed by one ID Provider; Initial Sign-on at the Coffee shop (provider A), then Single sign-on on the Street (provider B) and at the Office (provider C)]
  • Single username and password
  • Users authenticate only the first time
  • Inter-system handover with minimal user
    intervention
  • Each network may deploy its own authentication
    scheme

6
Single Sign-on Technology
  • Currently two technologies clearly accepted by
    industry
  • RADIUS Proxy-based authentication scheme
  • Liberty Alliance Redirect-based authentication
    scheme
  • We adopted both of them for our implementation
  • Need authentication adaptation framework

7
Authentication Adaptation Flow
(Message flow between User Terminal and WLAN Service Provider)
(1) Request authentication
(2) Announce: provider id, authentication methods,
    charging options, required user information
(3) Select authentication method according to
    user's preferences
(4) Submit: selected authn. method, selected
    charging option, user information
(5) Authenticate the user
8
Client-side Policy Engine
  • Control automatic submission of user
    authentication information according to
    communication context
  • Context includes trust level of provider, cost,
    etc.
  • Authentication/Authorization flow adaptation
  • Switch between Proxy-based (RADIUS) and
    Redirect-based (Liberty-style) single sign-on

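The following is an added example (not code from the presentation or its authors) that models steps (2) to (4) of the adaptation flow as a client-side policy check: the provider's announcement, a hypothetical user policy keyed by provider trust level, and the decision whether the required user information may be submitted automatically. All provider names, attribute names and policy values are constructed.

```python
from dataclasses import dataclass

@dataclass
class Announcement:
    """Step (2): what the WLAN provider announces to the terminal."""
    provider_id: str
    auth_methods: list      # e.g. ["radius-proxy", "liberty-redirect"]
    charging_options: list  # e.g. ["flat", "per-minute"]
    required_info: list     # user attributes the provider asks for

# Hypothetical client policy (constructed for this example): which attributes may
# be disclosed automatically at each provider trust level, and the user's
# preferred order of authentication methods and charging options.
POLICY = {
    "disclose": {
        "high": {"username", "email", "credit_card"},
        "medium": {"username", "email"},
        "low": {"username"},
    },
    "method_preference": ["radius-proxy", "liberty-redirect"],
    "charging_preference": ["flat", "per-minute"],
}

def select(ann, trust_level, policy=POLICY):
    """Step (3): pick the auth method and charging option the user prefers among
    those the provider offers, then decide whether the required user information
    may be submitted automatically (step 4) or must first be confirmed by the user."""
    method = next((m for m in policy["method_preference"] if m in ann.auth_methods), None)
    charging = next((c for c in policy["charging_preference"] if c in ann.charging_options), None)
    if method is None or charging is None:
        return {"decision": "reject", "provider": ann.provider_id}
    allowed = policy["disclose"][trust_level]
    withheld = [a for a in ann.required_info if a not in allowed]
    if withheld:
        # The policy enforcement point blocks automatic submission; the user decides.
        return {"decision": "ask_user", "provider": ann.provider_id,
                "method": method, "charging": charging, "withheld": withheld}
    return {"decision": "submit", "provider": ann.provider_id,
            "method": method, "charging": charging, "info": list(ann.required_info)}

# Constructed announcements: a low-trust coffee shop asking for a credit card, and a
# high-trust office network that only offers the redirect-based scheme.
COFFEE = Announcement("provider-A", ["radius-proxy"], ["per-minute"], ["username", "credit_card"])
OFFICE = Announcement("provider-C", ["liberty-redirect"], ["flat"], ["username", "email"])
```
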
9
Policy Engine Architecture
[Architecture diagram: End User; Client containing Web Browser, Applet, Policy Enforcement Point, Policy Check Engine, Policy Repository, Auth Info. Repository, Capability and Context; WLAN provider's AAA Server, reached over EAP/802.1X]
10
Security Threats of Web-based Authentication and
Access Control
  • Lack of cryptographic bindings causes several
    security vulnerabilities

[Diagram labels: Web Server, Gate-control (IP/MAC), External Network]
  • Rogue AP -> DoS
  • No Data Encryption -> Eavesdropping
  • No Message Integrity Check -> Message Alteration
  • IP/MAC spoofing -> Theft of Service
11
L2/Web Compound Authentication
(Diagram: Client, Access Point, RADIUS/Web Server, External Network)
(1) 802.1x TLS guest authentication
(2) Establish L2 Session Key
(3) Web Auth (with L2 session key digest)
(4) Firewall Control
  • Prevents theft of service, eavesdropping and message
    alteration
  • Does not address L2 DoS attacks (out of scope)

12
WLAN Single Sign on Testbed
[Testbed diagram: Identity Provider (Web Server, RADIUS) reached over RADIUS, SOAP and HTTPS; Service Provider 1 and Service Provider 2, each with a Radius server, firewall and Web Portal; Clients (MC) connecting over 802.1x and HTTPS; External Network]
13
Authentication Adaptation User Interface
14
Layer 2 Roaming User Interface
15
Delay Profile Evaluation
(Units: sec)
16
Conclusions
  • Secure public WLAN roaming made possible by
    accommodating multiple authentication schemes and
    ID providers with an adaptation framework
  • Policy Engine reflects user authentication scheme
    preference and protects privacy of user
    information
  • Compound L2/Web authentication ensures
    cryptographically-protected access
  • Confirmed with prototype, measured performance
    shows reasonable delay for practical use
  • Exploits industry-standard authentication
    architectures (RADIUS, Liberty Alliance)

17
Backup
18
Public Wireless LAN Service Model
  • The network is open to users without pre-shared
    secret

[Diagram labels: AAA Servers, WLAN Infra-structure]
User Category -> Services:
(1) Monthly/Pre-paid Subscribers
(2) One-time Users
    -> Premium Contents, External Network Access
       (Subscriber Pays)
(3) Non-Subscribers
    -> Free Advertisement Contents
       (Hotspot Owner Pays)
19
802.1x/11i/WPA L2 Network Authentication and
Access Control
  • Conventional closed-style authentication: only
    hosts with the pre-shared key can access the network;
    mainly for corporate WLAN

(Diagram: Client, Access Point, External Network)
(1) Mutual TLS authentication with pre-shared key
(2) Establish L2 session key dynamically
(3) Only successfully decrypted packets are
    forwarded
20
L2/Web Authentication Comparison
21
Our Approach
  • Compound L2/Web authentication to ensure users
    have cryptographically-protected wireless LAN
    access
  • Use 802.1x guest authentication mode, embed L2
    session key digest in web authentication
  • At layer 2, do not assume pre-shared secret
  • Digest embedding is necessary for avoiding race
    attack
  • After Web authentication, user gets full access
  • Otherwise, users have limited access to free
    contents
  • L2 DoS protection is out of scope

22
Race Attack Scenario
(Why L2 session key digest embedding is necessary)
[Sequence diagram; participants: Legitimate Client, Malicious Client (MAC Spoofer), AP, RADIUS/Web, Firewall]
Legitimate Client: L2 Auth -> session key K1 (held by client and AP)
Legitimate Client: Web Auth carrying MD5(K1) -> Bind (MAC, MD5(K1))
Malicious Client (same MAC): L2 Auth -> session key K2
Bind (MAC, MD5(K2)) checked against the bound MD5(K1): L2 session key verify NG
  • Theft of service can be prevented by
    authentication binding
  • L2 DoS attack is still possible

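Added example (not code from the presentation or its testbed) simulating the race-attack scenario above and the binding described on the compound-authentication slide: an access point that issues a fresh L2 session key per 802.1x guest authentication, and a firewall run once as the MAC-only gate and once with the MAC bound to MD5(L2 key). The MAC address and the in-memory session table are constructed for the simulation; MD5 is used because the slides use it, not as a recommendation.

```python
import hashlib
import secrets

def key_digest(session_key: bytes) -> str:
    # The slides carry an MD5 digest of the L2 session key (never the key itself) over the web path.
    return hashlib.md5(session_key).hexdigest()

class AccessPoint:
    """802.1x guest authentication: each L2 auth yields a fresh session key for that MAC."""
    def __init__(self):
        self.sessions = {}          # MAC -> current L2 session key
    def l2_auth(self, mac):
        self.sessions[mac] = secrets.token_bytes(16)
        return self.sessions[mac]

class Firewall:
    """Gate control. bind_digest=False is the MAC-only gate of the threats slide;
    bind_digest=True is the compound scheme that binds the MAC to MD5(L2 key)."""
    def __init__(self, bind_digest):
        self.bind_digest = bind_digest
        self.allowed = {}           # MAC -> bound digest (None when unbound)
    def web_auth(self, mac, digest, ap):
        # Called after the web server has verified the user's credentials.
        if self.bind_digest and digest != key_digest(ap.sessions[mac]):
            return False            # digest does not match the live L2 session
        self.allowed[mac] = digest if self.bind_digest else None
        return True
    def forward(self, mac, ap):
        if mac not in self.allowed:
            return False
        if not self.bind_digest:
            return True             # anyone presenting the MAC is let through
        return self.allowed[mac] == key_digest(ap.sessions[mac])   # "L2 session key verify"

def race_attack(bind_digest):
    """Returns (legit_before, attacker_after): whether the legitimate client is forwarded
    before the attack and whether the MAC spoofer is forwarded after it."""
    ap, fw, mac = AccessPoint(), Firewall(bind_digest), "00:11:22:33:44:55"   # constructed MAC
    k1 = ap.l2_auth(mac)                                  # legitimate client: L2 Auth -> K1
    fw.web_auth(mac, key_digest(k1) if bind_digest else None, ap)   # Web Auth MD5(K1) -> Bind
    legit_before = fw.forward(mac, ap)
    ap.l2_auth(mac)                                       # spoofer re-authenticates the same MAC -> K2
    attacker_after = fw.forward(mac, ap)                  # verified against MD5(K2): NG when bound
    return legit_before, attacker_after
```

Note that after the spoofer's L2 authentication the legitimate client's own key K1 is no longer the AP's session key for that MAC either, which is the L2 DoS the slide leaves out of scope.
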
23
Compound Authentication Testbed
(Diagram: Client, Access Point, RADIUS/Web Server, External Network; Attacker shown as rejected)
(1) 802.1x TLS guest authentication
(2) Establish L2 Session Key
(3) Web Auth (with L2 session key digest)
(4) Firewall Control
Testbed components:
  • RADIUS/Web Server: FreeRADIUS 0.8.1, Apache 2.0.40
  • Access Point: Cisco AIR-350
  • Client: Xsupplicant 0.6, libwww-perl 5.6.9