Secure Authentication System for Public WLAN Roaming
Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy Katz
Agenda
• 1. Challenges and our Solution
• 2. Testbed Description
• 3. Performance Measurement
Loose Trust Relationship in Current Public Wireless LAN Roaming
• Each WLAN system is isolated and deploys its own authentication scheme (ISPs, card companies)
Diagram: trust relationships among the ID Provider, the WLAN Service Providers and the User, with edges labelled Strong Trust, Weak Trust and No Trust.
Challenges and Our Solutions
• Challenge: confederate service providers under different trust levels and with different authentication schemes to offer wider coverage, with inter-system handover and minimal user intervention. Solution: SSO roaming with authentication adaptation
• Challenge: select the proper authentication method and protect the privacy of user information per WLAN provider. Solution: Policy Engine client
• Challenge: avoid theft of wireless service without assuming a pre-shared secret between user and network. Solution: L2/Web compound authentication
Authentication Adaptation Flow
• Authentication Negotiation Protocol (ANP), XML-based, between the User Terminal and the WLAN Service Provider:
1. User Terminal → WLAN Service Provider: Authentication Capabilities Query
2. WLAN Service Provider → User Terminal: Authentication Capabilities Statement (provider id, authentication methods, charging options, required user information)
3. User Terminal selects an authentication method according to the user's preferences
4. User Terminal → WLAN Service Provider: Authentication Query (selected authentication method, selected charging option, user information)
5. WLAN Service Provider authenticates the user
6. WLAN Service Provider → User Terminal: Authentication Statement
Authentication Capabilities Statement Example
The statement names the service provider as its SAML Subject (with a SubjectConfirmation carrying KeyInfo), lists IDP groups with the charging options and authentication methods each supports, and, for each method and charging option, the user attributes (UserInfoDesignator) the provider needs from the client:

```xml
<anp:AuthnCapabilitiesStatement LastUpdateInstant="1900-01-01T00:00:00Z">
  <saml:Subject>
    <saml:NameIdentifier>vancouver.cs.berkeley.edu_SP</saml:NameIdentifier>
    <saml:SubjectConfirmation>
      <saml:ConfirmationMethod>…</saml:ConfirmationMethod>
      <ds:KeyInfo>...</ds:KeyInfo>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <anp:IDPGroup>
    <anp:IDPList>
      <anp:IDPName>ID Provider C</anp:IDPName>
    </anp:IDPList>
    <anp:ChargingOptionIDReference>Prepaid basic A</anp:ChargingOptionIDReference>
    <anp:AuthnMethodIDReference>Radius</anp:AuthnMethodIDReference>
    <anp:AuthnMethodIDReference>Liberty</anp:AuthnMethodIDReference>
  </anp:IDPGroup>
  <anp:AuthnMethod>
    <anp:AuthnMethodID>Radius</anp:AuthnMethodID>
    <anp:UserInfoDesignator AttributeName="UserName" AttributeNameSpace="my_userinfo_namespace"/>
    <anp:UserInfoDesignator AttributeName="UserPassword" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:AuthnMethod>
  <anp:AuthnMethod>
    <anp:AuthnMethodID>Liberty</anp:AuthnMethodID>
    <anp:UserInfoDesignator AttributeName="IDPName" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:AuthnMethod>
  <anp:ChargingOption>
    <anp:ChargingOptionID>Prepaid basic A</anp:ChargingOptionID>
    <anp:ChargingInterval Order="1">
      <anp:UnitPrice>0.1</anp:UnitPrice>
      <anp:TimeUnit Unit="Minute">
        <anp:Period>1</anp:Period>
      </anp:TimeUnit>
      <anp:ChargingMode>Constant</anp:ChargingMode>
    </anp:ChargingInterval>
    <anp:UserInfoDesignator AttributeName="ContractNumber" AttributeNameSpace="my_userinfo_namespace"/>
    <anp:ServiceIDReference>private_contents</anp:ServiceIDReference>
  </anp:ChargingOption>
  <anp:Service>
    <anp:ServiceID>private_contents</anp:ServiceID>
    <anp:ServiceDescription>Access to private contents through the provider's web portal</anp:ServiceDescription>
  </anp:Service>
</anp:AuthnCapabilitiesStatement>
```
Policy Engine
• Controls automatic submission of user authentication information according to the communication context
• Adapts the authentication/authorization flow
Diagram: End User; User Terminal (Network Access Client, Web Browser, and the Policy Engine with its Auth Info Repository, Policy Repository, and a Policy Check driven by Capability and Context); WLAN Service Provider (Network Access Server); EAP/802.1X between terminal and provider.
Policy Rule Example
The rule states that releasing the listed attributes to the subject vancouver.cs.berkeley.edu_SP requires user acknowledgement; the options record the user's last choice and the ID providers the user does and does not hold an account with:

```xml
<policy>
  <rule>
    <authn_info href="UserName"/>
    <authn_info href="UserPassword"/>
    <authn_info href="IDPName"/>
    <authn_info href="ContractNumber"/>
    <subject>
      <id>vancouver.cs.berkeley.edu_SP</id>
    </subject>
    <provisional_action name="user_acknowledgement"/>
  </rule>
  <options>
    <chosen_idp>ID Provider C</chosen_idp>
    <chosen_charging_option>Prepaid basic A</chosen_charging_option>
    <chosen_auth_method>Radius</chosen_auth_method>
    <Use_Next_Time>TRUE</Use_Next_Time>
    <Last_Update_Time>1900-01-01T00:00:00Z</Last_Update_Time>
    <Have_account_with>
      <IDP_Name>ID Provider C</IDP_Name>
      <Charging_Option>Prepaid basic A…</Charging_Option>
      <Charging_Option>Prepaid basic B…</Charging_Option>
      <Charging_Option>Prepaid premium A…</Charging_Option>
      <Auth_Method>Radius…</Auth_Method>
      <Auth_Method>Liberty…</Auth_Method>
    </Have_account_with>
    <Do_not_have_account_with>
      <IDP_Name>ID Provider B</IDP_Name>
      <Charging_Option>Prepaid basic A…</Charging_Option>
      <Auth_Method>Radius…</Auth_Method>
    </Do_not_have_account_with>
  </options>
</policy>
```
Authentication Query Example
The query carries exactly the attributes designated for the chosen method (Radius: UserName, UserPassword) and charging option (Prepaid basic A: ContractNumber) in the capabilities statement:

```xml
<anp:AuthnQuery>
  <anp:AuthnMethodIDReference>Radius</anp:AuthnMethodIDReference>
  <anp:ChargingOptionIDReference>Prepaid basic A</anp:ChargingOptionIDReference>
  <anp:UserInfo AttributeName="UserName">
    <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">my_user</saml:AttributeValue>
  </anp:UserInfo>
  <anp:UserInfo AttributeName="UserPassword">
    <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">my_password</saml:AttributeValue>
  </anp:UserInfo>
  <anp:UserInfo AttributeName="ContractNumber">
    <saml:AttributeValue xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">my_contract_number</saml:AttributeValue>
  </anp:UserInfo>
</anp:AuthnQuery>
```
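The client side of steps (2) to (4) of the adaptation flow, as an added example that is not part of the original slides or the authors' prototype: it parses a capabilities statement of the shape shown above, applies a user policy modelled on the policy rule slide (accounts held, method preference, which attributes may be released without asking), and assembles the AuthnQuery. The ANP namespace URI, the dictionary form of the policy, the second IDP group ("ID Provider B") and all user values are constructed for illustration; the slides do not define them.

```python
import xml.etree.ElementTree as ET

# Assumption: the slides never give the ANP namespace URI; this one is made up.
ANP = "urn:example:anp"
SAML = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"anp": ANP, "saml": SAML}
ET.register_namespace("anp", ANP)
ET.register_namespace("saml", SAML)

# Constructed capabilities statement: a trimmed copy of the slide's example, with a
# second IDP group ("ID Provider B") added so the account check is exercised.
CAPABILITIES = f"""
<anp:AuthnCapabilitiesStatement xmlns:anp="{ANP}" xmlns:saml="{SAML}"
                                LastUpdateInstant="1900-01-01T00:00:00Z">
  <saml:Subject><saml:NameIdentifier>vancouver.cs.berkeley.edu_SP</saml:NameIdentifier></saml:Subject>
  <anp:IDPGroup>
    <anp:IDPList><anp:IDPName>ID Provider B</anp:IDPName></anp:IDPList>
    <anp:ChargingOptionIDReference>Prepaid basic A</anp:ChargingOptionIDReference>
    <anp:AuthnMethodIDReference>Radius</anp:AuthnMethodIDReference>
  </anp:IDPGroup>
  <anp:IDPGroup>
    <anp:IDPList><anp:IDPName>ID Provider C</anp:IDPName></anp:IDPList>
    <anp:ChargingOptionIDReference>Prepaid basic A </anp:ChargingOptionIDReference>
    <anp:AuthnMethodIDReference>Radius</anp:AuthnMethodIDReference>
    <anp:AuthnMethodIDReference>Liberty</anp:AuthnMethodIDReference>
  </anp:IDPGroup>
  <anp:AuthnMethod>
    <anp:AuthnMethodID>Radius</anp:AuthnMethodID>
    <anp:UserInfoDesignator AttributeName="UserName" AttributeNameSpace="my_userinfo_namespace"/>
    <anp:UserInfoDesignator AttributeName="UserPassword" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:AuthnMethod>
  <anp:AuthnMethod>
    <anp:AuthnMethodID>Liberty</anp:AuthnMethodID>
    <anp:UserInfoDesignator AttributeName="IDPName" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:AuthnMethod>
  <anp:ChargingOption>
    <anp:ChargingOptionID>Prepaid basic A</anp:ChargingOptionID>
    <anp:UserInfoDesignator AttributeName="ContractNumber" AttributeNameSpace="my_userinfo_namespace"/>
  </anp:ChargingOption>
</anp:AuthnCapabilitiesStatement>
"""

# Constructed user-side policy (the Policy Repository on the slides) and user info.
USER_POLICY = {
    "accounts": {"ID Provider C"},                 # IdPs the user has an account with
    "method_preference": ["Radius", "Liberty"],    # most preferred first
    "auto_release": {"UserName", "IDPName", "ContractNumber"},  # sent without asking
}
USER_INFO = {"UserName": "my_user", "UserPassword": "my_password",
             "IDPName": "ID Provider C", "ContractNumber": "my_contract_number"}


def parse_capabilities(xml_text):
    """Step (2): read the provider's statement into plain dicts."""
    root = ET.fromstring(xml_text.strip())

    def designators(el):
        return [d.get("AttributeName") for d in el.findall("anp:UserInfoDesignator", NS)]

    return {
        "provider": root.findtext("saml:Subject/saml:NameIdentifier", namespaces=NS),
        "methods": {m.findtext("anp:AuthnMethodID", namespaces=NS): designators(m)
                    for m in root.findall("anp:AuthnMethod", NS)},
        "charging": {c.findtext("anp:ChargingOptionID", namespaces=NS): designators(c)
                     for c in root.findall("anp:ChargingOption", NS)},
        "groups": [{"idps": [n.text for n in g.findall("anp:IDPList/anp:IDPName", NS)],
                    "charging": [c.text.strip() for c in g.findall("anp:ChargingOptionIDReference", NS)],
                    "methods": [m.text for m in g.findall("anp:AuthnMethodIDReference", NS)]}
                   for g in root.findall("anp:IDPGroup", NS)],
    }


def select(caps, policy):
    """Step (3): first IDP group the user holds an account with, the most preferred
    method it offers, and its first listed charging option; None if nothing fits."""
    for group in caps["groups"]:
        idps = [i for i in group["idps"] if i in policy["accounts"]]
        if not idps or not group["charging"]:
            continue
        for method in policy["method_preference"]:
            if method in group["methods"]:
                charging = group["charging"][0]
                required = set(caps["methods"][method]) | set(caps["charging"].get(charging, []))
                return {"idp": idps[0], "method": method, "charging": charging, "required": required}
    return None


def build_query(choice, user_info, policy, acknowledged=frozenset()):
    """Step (4): build the AuthnQuery. Attributes that are neither auto-released nor
    explicitly acknowledged by the user are withheld and returned as 'pending'
    (the slide's provisional_action user_acknowledgement)."""
    pending = {a for a in choice["required"]
               if a not in policy["auto_release"] and a not in acknowledged}
    q = ET.Element(f"{{{ANP}}}AuthnQuery")
    ET.SubElement(q, f"{{{ANP}}}AuthnMethodIDReference").text = choice["method"]
    ET.SubElement(q, f"{{{ANP}}}ChargingOptionIDReference").text = choice["charging"]
    for attr in sorted(choice["required"] - pending):
        ui = ET.SubElement(q, f"{{{ANP}}}UserInfo", AttributeName=attr)
        ET.SubElement(ui, f"{{{SAML}}}AttributeValue").text = user_info[attr]
    return ET.tostring(q, encoding="unicode"), pending


if __name__ == "__main__":
    caps = parse_capabilities(CAPABILITIES)
    choice = select(caps, USER_POLICY)
    query, pending = build_query(choice, USER_INFO, USER_POLICY)
    print(choice, "\npending acknowledgement:", pending, "\n", query)
```

With the policy as constructed, "ID Provider B" is skipped because the user has no account there, Radius is chosen for "ID Provider C", and the first query goes out without UserPassword until the user acknowledges its release; a second call with `acknowledged={"UserPassword"}` produces the full query shown on the slide. The gate matters because the capabilities statement is what tells the client which secrets to hand over: a client that acted on an unverified statement would send a password to whoever advertised a Radius method, so the SubjectConfirmation/KeyInfo on the statement should be checked before the policy is consulted (the slides show the KeyInfo element but not the verification step).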
L2/Web Compound Authentication
Participants: Client, Access Point, RADIUS/Web Server, External Network.
1. 802.1x TLS guest authentication between the client and the RADIUS/Web server (through the access point)
2. Establish an L2 session key
3. Web authentication, carrying a digest computed with the L2 session key
4. Firewall control: open access to the external network for the authenticated client
• Prevents theft of service, eavesdropping and message alteration
• Does not protect against L2 DoS attacks (out of scope)
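One way to realise step (3), as an added example that is not the authors' code: the slides say only that the web login carries an "L2 session key digest", so the HMAC-SHA256 construction, the server-issued nonce, the MAC-keyed key table and the user names and passwords below are all assumptions. The point demonstrated is why the compound scheme stops theft of service: a web password alone (shared, phished, or captured) does not get the firewall opened unless the same client also completed 802.1x and holds the L2 key, and the nonce makes a captured digest useless for replay.

```python
import hashlib
import hmac
import secrets

# Assumption: digest = HMAC-SHA256(L2 session key, MAC | user | nonce). The slides do
# not specify the construction; this one binds the web login to the 802.1x session.


def web_digest(l2_key, mac, user, nonce):
    """Digest the client attaches to its web login (step 3): proves it holds the
    L2 session key from step (2), bound to this MAC, user name and challenge."""
    msg = f"{mac}|{user}|{nonce}".encode()
    return hmac.new(l2_key, msg, hashlib.sha256).hexdigest()


class AccessNetwork:
    """Network side of the compound login: RADIUS/Web server plus firewall."""

    def __init__(self):
        self.l2_keys = {}                            # client MAC -> L2 session key
        self.accounts = {"my_user": "my_password"}   # constructed web credentials
        self.nonces = set()                          # outstanding challenges
        self.firewall_open = set()                   # MACs allowed to the external network

    def l2_session_established(self, mac, key):
        """Step (2): the RADIUS side records the L2 session key for this client."""
        self.l2_keys[mac] = key

    def challenge(self):
        """Fresh one-shot nonce handed to the browser before the web login."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def web_auth(self, mac, user, password, nonce, digest):
        """Step (3): succeed only if the credentials are right AND the digest was
        made with the L2 key held for this MAC; step (4) then opens the firewall."""
        if nonce not in self.nonces:
            return False                             # unknown or already used: replay
        self.nonces.discard(nonce)
        stored = self.accounts.get(user, "")
        if not hmac.compare_digest(stored.encode(), password.encode()):
            return False                             # bad web credentials
        key = self.l2_keys.get(mac)
        if key is None:
            return False                             # no 802.1x session for this MAC
        if not hmac.compare_digest(web_digest(key, mac, user, nonce), digest):
            return False                             # password known, L2 key not held
        self.firewall_open.add(mac)
        return True


def demo():
    """Honest client, then an attacker who knows the web password but never
    completed steps (1)/(2) and so lacks the L2 key. Returns (honest, thief)."""
    net = AccessNetwork()
    mac, key = "00:11:22:33:44:55", secrets.token_bytes(32)
    net.l2_session_established(mac, key)
    n = net.challenge()
    honest = net.web_auth(mac, "my_user", "my_password", n, web_digest(key, mac, "my_user", n))
    n = net.challenge()
    forged_key = secrets.token_bytes(32)             # attacker has to guess the L2 key
    thief = net.web_auth(mac, "my_user", "my_password", n, web_digest(forged_key, mac, "my_user", n))
    return honest, thief


if __name__ == "__main__":
    print("honest client admitted, thief admitted:", demo())
```

The digest only proves possession of the L2 key at login time; what keeps a third party from riding on the opened firewall rule afterwards is the L2 session key itself protecting the client's frames, which is why the slides pair the web step with 802.1x rather than replacing it. A flood of bogus 802.1x attempts is not addressed by any of this, matching the slide's "out of scope" note on L2 DoS.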
WLAN Secure Roaming Testbed
Diagram: two Identity Providers (each a Liberty ID provider with a RADIUS server), two Service Providers (each a Liberty service provider, web portal, RADIUS server, ANP server and firewall), and two clients: a Linux client (ANP client, Policy Engine, 802.1x roaming client, Xsupplicant) and a WinXP client (802.1x). Protocols between the components: RADIUS, SOAP, HTTPS and ANP.
Delay Profile Evaluation (Units: sec)
Conclusions
• Secure public WLAN roaming is made possible by accommodating multiple authentication schemes and ID providers within an adaptation framework
• The Policy Engine reflects the user's authentication-scheme preferences and protects the privacy of user information
• Compound L2/Web authentication ensures cryptographically protected access
• Confirmed with a prototype; the measured performance shows reasonable delay for practical use
• Builds on industry-standard authentication architectures: RADIUS and Liberty Alliance