Secure Authentication System for Public WLAN Roaming


Secure Authentication System for Public WLAN Roaming
Authors:
Yasuhiko Matsunaga, Computer Science Division, Univ. of California, Berkeley, Berkeley, CA, U.S.A.
Ana Sanz Merino, Computer Science Division, Univ. of California, Berkeley, Berkeley, CA, U.S.A.
Manish Shah, Computer Science Division, Univ. of California, Berkeley, Berkeley, CA, U.S.A.
Takashi Suzuki, Multimedia Laboratories, NTT DoCoMo, Inc., Yokosuka, Kanagawa, Japan
Randy H. Katz, Computer Science Division, Univ. of California, Berkeley, Berkeley, CA, U.S.A.
Presented by Ali Ali

Outline
• Abstract
• Introduction
• Related work
• Single sign-on confederation model
• Authentication Flow Adaptation Framework
• Policy Engine
• Securing Web-Based Authentication and Access Control
• Conclusion
• References

Abstract
• WLAN service providers face serious challenges
• Different trust relationships
• Each provider supports its own authentication
• Most service providers cannot deploy many access points

Abstract
• Roaming model
• Security mechanisms are required


Introduction
• Main challenge: define security mechanisms that protect the user and the network
• Network requirements: security
• User requirements: ease of use, functionality

Introduction What is the Solution?

Introduction
• Single sign-on (SSO) authentication technologies
• Developed a client-side policy engine
• Developed a compound Layer 2 (L2) and Web authentication scheme


Related Work
• Link layer authentication: IEEE 802.1X standard, IEEE 802.11i
• Web-based authentication and network layer access control


Single sign-on confederation model
Examples of identity providers:
• ISPs
• credit-card companies
• roaming service providers (wireless LAN aggregators)
• cellular network operators

Single sign-on confederation model
• Our architecture is independent of the authentication methods of service providers
• Allows users to choose their preferred identity provider and authentication scheme
• We considered two industry-standard SSO authentication standards: RADIUS (Remote Authentication Dial In User Service) and the Liberty Architecture

Single sign-on confederation model RADIUS (Remote Authentication Dial In User Service)

Single sign-on confederation model Liberty Architecture


AUTHENTICATION FLOW ADAPTATION FRAMEWORK
• Designed an architecture that can accommodate alternative authentication methods
• Traditional system (weakness)
• The advantage of our design: not all providers need to support the same authentication scheme

AUTHENTICATION FLOW ADAPTATION FRAMEWORK: Our Design
• The framework allows each provider to support more than one authentication scheme, permitting it to communicate with a larger number of providers
• When a WLAN service provider supports multiple authentication methods, users can select the method they prefer
• A user can select one depending on their trust level with the service provider

AUTHENTICATION FLOW ADAPTATION FRAMEWORK: Server Authentication Capabilities
• Server requirements determine their level of trust
• Charging schemes (payment method, price, period, etc.)

AUTHENTICATION FLOW ADAPTATION FRAMEWORK Authentication Flow Adaptation Sequence

AUTHENTICATION FLOW ADAPTATION FRAMEWORK Architecture Model

AUTHENTICATION FLOW ADAPTATION FRAMEWORK
It can be observed that there can be more than one authentication server at the service provider, each corresponding to a different authentication technology.
Two main flow sequences are possible:
• The client does not have the authentication negotiation client installed
• The user's terminal has an authentication negotiation client

AUTHENTICATION FLOW ADAPTATION FRAMEWORK: Authentication Negotiation Protocol
• A new XML web-based protocol: the Authentication Negotiation Protocol

AUTHENTICATION FLOW ADAPTATION FRAMEWORK

AUTHENTICATION FLOW ADAPTATION FRAMEWORK: Authentication Negotiation Protocol
• We used a protocol close to the OASIS SAML protocol, which is an XML-based framework for exchanging security information.
• SAML defines particular queries and statements for specific kinds of information to be exchanged, encapsulated inside general SAML request and response structures.
• In our protocol we avoid some of the security overhead of SAML messaging that is not needed in our protocol (example).

AUTHENTICATION FLOW ADAPTATION FRAMEWORK
The queries and statements defined by the Authentication Negotiation Protocol are the following:
• Authentication Capabilities Query
• Authentication Capabilities Statement
• Authentication Query
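The negotiation outlined on the slides above (capabilities query, capabilities statement carrying the charging scheme, client-side policy check by trust level, then the authentication query), as an added Python example that is not the paper's own code. The XML element and attribute names, the sample provider statement and the policy fields are assumptions, since the page does not show the protocol's schema.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a provider's Authentication Capabilities Statement; element and attribute names are assumed.
CAPABILITIES_STATEMENT = """<AuthCapabilitiesStatement provider="hotspot.example">
  <Method name="802.1X-EAP-TLS" confidentiality="link-layer">
    <Charging payment="credit-card" price="2.00" period="hour"/>
  </Method>
  <Method name="web-login" confidentiality="none">
    <Charging payment="prepaid-card" price="1.00" period="hour"/>
  </Method>
</AuthCapabilitiesStatement>"""

def build_capabilities_query(client_id):
    """Client -> provider: the Authentication Capabilities Query that opens negotiation."""
    return ET.tostring(ET.Element("AuthCapabilitiesQuery", client=client_id), encoding="unicode")

def parse_capabilities_statement(xml_text):
    """Provider -> client: parse the statement into method records with their charging scheme."""
    methods = []
    for method in ET.fromstring(xml_text).findall("Method"):
        charging = method.find("Charging")
        if charging is None:
            continue  # no charging scheme means no price to compare; skip the method
        methods.append({
            "name": method.get("name"),
            "confidentiality": method.get("confidentiality", "none"),
            "payment": charging.get("payment"),
            "price": float(charging.get("price", "0")),
            "period": charging.get("period"),
        })
    return methods

def select_method(methods, policy):
    """Client policy engine: a user with low trust in the provider accepts only methods
    that protect credentials at the link layer; then apply the payment and price limits
    and choose the cheapest acceptable method. Returns None if nothing qualifies."""
    acceptable = [
        m for m in methods
        if not (policy["trust"] == "low" and m["confidentiality"] != "link-layer")
        and m["payment"] in policy["accepted_payments"]
        and m["price"] <= policy["max_price"]
    ]
    if not acceptable:
        return None
    return min(acceptable, key=lambda m: m["price"])["name"]

def build_authentication_query(client_id, method_name):
    """Client -> provider: the Authentication Query naming the selected method."""
    return ET.tostring(ET.Element("AuthQuery", client=client_id, method=method_name), encoding="unicode")
```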

AUTHENTICATION FLOW ADAPTATION FRAMEWORK Client Graphical User Interface


POLICY ENGINE
• The purpose of the policy engine
• The advantages

POLICY ENGINE: Component Blocks
• The policy check component
• Root component
• Secure component
• Specific component


Securing Web Based Auth. & Access Control
• Security Threats in Web-based Authentication
• Compound Layer 2 and Web Authentication
• System Security Analysis

Securing Web Based Auth. & Access Control: Security Threats in Web-based Authentication
• Spoofing IP or MAC address
• Eavesdropping
• Message alteration
• Denial of service attack

Securing Web Based Auth. & Access Control Compound Layer 2 and Web Authentication

Securing Web Based Auth. & Access Control: System Security Analysis
• Theft of Service
• Eavesdropping/Message Alteration
• Denial-of-Service


Conclusion Questions?


References
[1] HotSpotList.com, http://www.hotspotlist.com/
[2] IETF, RFC 2865, "Remote Authentication Dial In User Service (RADIUS)", June 2000.
[3] Liberty Alliance Project, "Liberty ID-FF Architecture Overview", Version 1.2, November 2003.
[4] Wi-Fi Alliance, "Best Current Practices for Wireless Internet Service Provider (WISP) Roaming", ver. 1.0, 2003.
[5] S. Hada and M. Kudo, "Access Control Model with Provisional Actions", IEICE Trans. Fundamentals, Vol. E84-A, No. 1, Jan. 2001.
[6] OASIS, "eXtensible Access Control Markup Language (XACML)", Version 1.0, February 2003.
[7] IEEE Std 802.1X-2001, "Port-Based Network Access Control", June 2001.
[8] IEEE Std 802.11i/D7.0, "Medium Access Control (MAC) Security Enhancements", October 2003.
[9] IETF, RFC 2716, "PPP EAP TLS Authentication Protocol", Oct. 1999.
[10] Internet-Draft, "EAP Tunneled TLS Authentication Protocol", draft-ietf-pppext-eap-ttls-03.txt, work in progress.
[11] IETF, RFC 2402, "IP Authentication Header", Nov. 1998.
[12] D. Jablon, "Strong Password-Only Authenticated Key Exchange", Computer Communication Review, Vol. 26, 1996.
[13] http://srp.stanford.edu/
[14] V. Bahl, A. Balachandran, S. Venkatachary, "The CHOICE Network: Broadband Wireless Internet Access In Public Places", Microsoft Technical Report, MSR-TR-2000-21, Feb. 2000.
[15] OASIS, "Assertions and Protocol for the OASIS Assertion Markup Language (SAML)", Committee Specification 01, May 2002.
[16] http://www.open1x.org/
[17] N. C-Winget, R. Housley, D. Wagner, J. Walker, "Security flaws in 802.11 data link protocols", Communications of the ACM, 46(5), May 2003, pp. 35-39.
[18] J. Bellardo and S. Savage, "802.11 Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", Proceedings of the USENIX Security Symposium, August 2003.
[19] IETF, RFC 2759, "Microsoft PPP CHAP Extensions, Version 2", Jan. 2000.