Secure Authentication System for Public WLAN Roaming
Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy H. Katz
Presented by Dustin Christmann, April 20, 2009

Outline
• Introduction
• Current Approaches
• Single Sign-On Confederation Model
• Authentication Flow Adaption Framework
• Policy Engine
• Securing Web-Based Authentication
• Evaluation
• Conclusion
Introduction
• WLAN hotspots are becoming ubiquitous
• Most WLAN hotspot providers are small and cannot provide enough coverage on their own
• Needed: an inter-network WLAN roaming infrastructure

Introduction
• Similar problem to cellular roaming
• Main differences:
  • Cellular equipment contains identification tied to the provider
    • GSM/UMTS (AT&T and T-Mobile): contained in the SIM card
    • CDMA (Sprint, Verizon, Alltel): contained in the phone firmware
  • Both GSM/UMTS and CDMA protocols include inter-system authentication protocols
Current Approaches: Link layer authentication
• IEEE 802.1X standard
• Shared session key between user and network
• Provides for encryption of packets, as well as authentication
• Certificate-based
• Not suitable for most public WLAN networks

A brief aside about 802.1X
• Port-based authentication
• Three parts:
  • Supplicant: wireless user
  • Authenticator: base station
  • Authentication server
• Extensible Authentication Protocol (EAP)
• Implemented in the 802.11i standard

Extensible Authentication Protocol
• Not an authentication mechanism, but a framework
• Provides common functions and mechanism negotiation
• Mechanisms are called “methods” in EAP
• Around 40 methods defined in various RFCs

So what’s 802.11i?
• Amendment to 802.11
• Specifies security mechanisms for 802.11 networks
• Ratified in 2004
• Addresses the weaknesses of Wired Equivalent Privacy (WEP)
• Wi-Fi Protected Access (WPA): subset of 802.11i
• WPA2: full implementation
• WEP and WPA use RC4, WPA2 uses AES

Current Approaches: Web-based authentication and network layer access control
• Based on IP packet filtering
• Web server acts as a RADIUS client
• Prone to theft of service by MAC spoofing
• Example: Microsoft CHOICE network
Single Sign-On Confederation Model
• Users are authenticated by trusted identity providers
• Service providers can have roaming agreements with one or several identity providers

Single Sign-On Confederation Model
Assumptions:
• The user terminal can validate the certificates of the service provider’s and identity provider’s authentication servers.
• There are static trust relationships between the user and the identity provider, and between the service provider and the identity provider.
• The user can authenticate the service provider’s authentication server via the identity provider’s authentication server, and vice versa.

Authentication Negotiation Protocol
Need:
• A way for service providers to communicate their authentication capabilities
• A way for users to select an identity provider
Solution: Authentication Negotiation Protocol
• XML web-based protocol
• Web browser not needed
• Thin client
ANP Example
Authentication Capabilities Statement (includes a timestamp)
• Service Provider
  • Name
  • Confirmation Method
  • Key
• Identity Provider Group
  • List of identity providers
  • Charging information
  • Authentication methods
• Authentication Methods
  • User info
  • Password
• Charging Option
  • Interval
  • Unit price
  • Time Unit
• User info
  • Service ID
• Service
  • Service description

Policy Engine
• Selects the appropriate SSO scheme
• Minimizes user intervention in the sign-on process
• Protects user authentication information
• Not strictly necessary, but very helpful

Policy Engine
• Example in the paper:
  • Independent module
  • Takes an XML file as input
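To make the ANP example and the policy engine slides concrete, here is an added toy policy engine (example code written for these notes, not the paper's implementation). It parses a constructed Authentication Capabilities Statement with the fields listed on the ANP slide, rejects stale statements using the timestamp, and picks an identity provider that the user trusts, that supports a method the user allows, and whose charging option is within the user's price limit. The element names, attribute names and the user-policy format are assumptions, not the paper's schema.

```python
# Added example: toy ANP policy engine. Element and attribute names are assumed,
# not taken from the paper's schema; the sample statement and policy are constructed.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample Authentication Capabilities Statement (fields follow the slide).
SAMPLE_ACS = """<AuthenticationCapabilitiesStatement timestamp="2009-04-20T10:00:00Z">
  <ServiceProvider name="hotspot-cafe" confirmationMethod="holder-of-key" key="SP-KEY-PLACEHOLDER"/>
  <IdentityProviderGroup>
    <IdentityProvider name="idp-a">
      <AuthenticationMethods><Method>password</Method></AuthenticationMethods>
      <ChargingOption interval="10" unitPrice="0.50" timeUnit="minute"/>
    </IdentityProvider>
    <IdentityProvider name="idp-b">
      <AuthenticationMethods><Method>certificate</Method><Method>password</Method></AuthenticationMethods>
      <ChargingOption interval="60" unitPrice="1.00" timeUnit="minute"/>
    </IdentityProvider>
  </IdentityProviderGroup>
</AuthenticationCapabilitiesStatement>"""

# Constructed user policy: trusted IdPs in order of preference, allowed methods,
# and the highest unit price the user accepts.
USER_POLICY = {"trusted_idps": ["idp-b", "idp-a"], "methods": ["certificate"], "max_unit_price": 2.0}
MAX_AGE = timedelta(minutes=5)  # statements older than this are treated as replays
NOW = datetime(2009, 4, 20, 10, 1, tzinfo=timezone.utc)  # constructed "current" time

def parse_acs(xml_text):
    """Return (timestamp, list of identity providers) from an ACS document."""
    root = ET.fromstring(xml_text)
    ts = datetime.fromisoformat(root.get("timestamp").replace("Z", "+00:00"))
    idps = []
    for idp in root.iter("IdentityProvider"):
        charge = idp.find("ChargingOption")
        idps.append({"name": idp.get("name"),
                     "methods": [m.text for m in idp.iter("Method")],
                     "unit_price": float(charge.get("unitPrice"))})
    return ts, idps

def select_idp(xml_text, policy, now):
    """Pick (idp_name, method) under the user's policy, or None if nothing fits."""
    ts, idps = parse_acs(xml_text)
    if not (ts <= now <= ts + MAX_AGE):
        return None  # stale or future-dated statement: do not act on it
    for preferred in policy["trusted_idps"]:  # user's preference order wins
        for idp in idps:
            if idp["name"] != preferred:
                continue
            shared = [m for m in policy["methods"] if m in idp["methods"]]
            if shared and idp["unit_price"] <= policy["max_unit_price"]:
                return idp["name"], shared[0]
    return None
```

With the constructed inputs, idp-b is chosen with the certificate method; the same statement presented an hour later is rejected as stale.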
Securing Web-Based Authentication
• Current web-based authentication approaches are vulnerable to:
  • Theft of service via spoofing
  • Eavesdropping
  • Message alteration
  • Denial of service

Securing Web-Based Authentication
• Problem: neither layer 2 authentication nor web-based authentication is ideal:
  • IEEE 802.1X authentication is more secure, but requires a preshared secret
  • Web-based authentication is more suitable for one-time use, but insecure

Securing Web-Based Authentication
Solution: hybrid approach
• Initial link establishment via 802.1X guest authentication
• Web-based authentication after that

Conclusions
• This paper should have been three papers, with more detail in each:
  • Single sign-on authentication
  • Policy engine
  • Web-based authentication
• Good way of enabling WLAN roaming by decoupling identity management from the service provider