A Proposal for Next Generation Cellular Network Authentication and Authorization Architecture James Kempf Research Fellow DoCoMo USA Labs


A Proposal for Next Generation Cellular Network Authentication and Authorization Architecture
James Kempf, Research Fellow, DoCoMo USA Labs
DIMACS, November 4, 2004

Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved.

Outline
- Existing solutions for auth/authz and their problems
  – Pre-IP L2.5
  – Universal Access Method (UAM)
- SEND and PANA
- A Different Way - Hyperoperator
- Obstacles to Acceptance
- Summary

Existing solutions for auth/authz and their problems

Pre-IP Layer 2.5
- Terminal and network authenticate each other prior to establishing IP service
- Typically thru a Layer 2.5 flow between the terminal and a network access server
  – PPP for some cellular protocols
  – Proprietary for others
  – 802.1x EAPOL for
- Network access server routes auth request back into the home network via local AAA server
  – Radius or Diameter across the Internet
- Home network AAA server authenticates
- Authorization for network access from home network AAA server to local AAA server
  – If a terminal is authenticated, then it is authorized for IP service
  – If the network/base station is authenticated, then it is authorized to take the terminal's traffic

Example: 802.1x
[Diagram: Mobile Terminal – AP/NAS – AR – Border Router (Access Network) – Internet – AAA-F – AAA-H. Terminal to AP/NAS: EAP + EAPoL /3; AP/NAS to AAA servers: EAP + Radius + IP; PMK pushed to AP.]

802.1x Terminal to Access Network Detail
[Message sequence between STA, AP and AS; 802.1X between STA and AP, RADIUS between AP and AS]
- STA 802.1X blocks port for data traffic; AP 802.1X blocks port for data traffic
- AP → STA: 802.1X/EAP-Request Identity
- STA → AP: 802.1X/EAP-Response Identity (EAP type specific)
- AP → AS: RADIUS Access Request/Identity
- STA ↔ AS: EAP type specific mutual authentication (e.g. TLS)
- STA and AS: Derive Pairwise Master Key (PMK)
- AS → AP: RADIUS Accept + PMK
- AP → STA: 802.1X/EAP-SUCCESS

Problems
- Handover requires lengthy PMK rekeying, delaying handover
- Implicit authorization model for network access is difficult to extend to other services
  – Example: multicast
- Authenticated and authorized terminals that are compromised or otherwise decide to behave badly

Universal Access Method
- Terminal establishes restricted IP access
  – Can't route to the Internet
  – Only HTTP
- HTTP GET redirected to Public Access Control (PAC) Gateway
  – PAC pushes login page to terminal
- User types in login/password for account access or credit card number for one time access
- PAC routes auth request back into the home network via local AAA server or credit card auth/authz to credit card provider
  – Radius or Diameter across the Internet for AAA
  – Ecommerce protocol (SET, Mondex, secure channel card payment, GeldKarte, etc.) for credit card
- Home network AAA server authenticates or credit card provider authorizes
- Authorization for network access from home network AAA server to local AAA server
  – If a terminal is authenticated, then it is authorized for IP service
  – If the network/base station is authenticated, then it is authorized to take the terminal's traffic

UAM Architecture
[Diagram: Mobile Terminal – AP – AR – Border Router (Access Network) – Internet – AAA-F – AAA-H, with PAC in the access network. Terminal to PAC: HTTP + SSL + IP; PAC to AAA servers: Radius + IP; PAC to credit card provider: Secure Credit Card Auth/Authz.]

UAM Terminal to Access Network Detail
[Message sequence between STA, PAC and AS; UAM between STA and PAC, RADIUS between PAC and AS]
- PAC blocks Internet access
- STA → PAC: HTTP GET + User URL
- PAC → STA: Redirect Login URL
- User types in account login/password or credit card number
- STA → PAC: HTTP POST credentials
- PAC → AS: RADIUS Access Request/Identity + UAM AVPs*
- AS → PAC: RADIUS Accept + UAM AVPs*
- PAC → STA: Redirect User URL
- User URL displayed
* Credit card auth/authz protocol if used

Problems
- If the user isn't using HTML or the device isn't capable of Web browsing, the procedure fails
- Piecewise, asymmetric security with many opportunities for compromise
  – Network authenticates user through user name/password or credit card number
  – Terminal authenticates network through SSL
  – RADIUS security depends on VPN or other
- No support for handover at all
- For other services:
  – For AAA, implicit authorization model for network access is difficult to extend to other services
  – For credit card, authorization for other services requires user to type in credit card information again
- Authenticated and authorized terminals that are compromised or otherwise decide to behave badly

SEND and PANA

SEcure Neighbor Discovery (SEND)
- Recently standardized addition to IPv6 Neighbor Discovery (RFC 2461) for securing:
  – Local link address resolution
  – Router discovery
  – No RFC number yet
- Prevents a fully authenticated and authorized terminal from behaving badly for a limited set of actions
  – DoSing nodes on the same link
  – MiM attacks by spoofing access router
- Local link address resolution secured by using cryptographically generated addresses
  – Ties the IP address to the node's public key
  – Together with a signature, establishes the node's authorization to claim the address
- Router discovery secured by certified public keys on the router, together with certificates
  – Node checks router certificate against a certification path for which the node has a certificate for trust anchor
  – Router's certified public key used to check signature on Router Advertisements

SEND Details – Obtaining Router Certificate
[Message sequence between Mobile Terminal and AR via AP]
- Mobile Terminal → AR: Certification Path Solicitation + Names of Trust Anchors
- AR → Mobile Terminal: Certification Path Advertisement + Certification Paths to Trust Anchor
- Result: Router's Certified Public Key

SEND Details – Secure Router Discovery
[Message sequence between Mobile Terminal and AR via AP]
- Mobile Terminal → AR: Router Solicitation
- AR → Mobile Terminal: Router Advertisement + Signature
- Mobile Terminal: Validate Signature

SEND Details – Secure Link Address Resolution
[Diagram: Mobile Terminal – AP – AR]
- Terminal's RSA Key + Subnet Prefix → Hash! → Cryptographically Generated IPv6 Address
- Mobile Terminal → AR: Neighbor Solicitation for CGA + Signature
- Then: Internet Traffic
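The CGA binding on this slide, as an added example that is not from the talk: the interface identifier is derived from the terminal's public key and the subnet prefix, so a Neighbor Solicitation for that address can only be backed by the matching key. Simplified after RFC 3972; the "public key" is an opaque byte string standing in for the DER-encoded RSA key, and the signature step is not shown.

```python
import hashlib
import ipaddress
import os

# Simplified Cryptographically Generated Address (CGA) generation and
# verification after RFC 3972.  Assumptions: pubkey is an opaque byte
# string (real SEND uses a DER-encoded RSA key); no extension fields.


def _hash1(modifier, prefix, collision_count, pubkey):
    # Leftmost 64 bits of SHA-1 over the CGA Parameters data structure
    data = modifier + prefix + bytes([collision_count]) + pubkey
    return hashlib.sha1(data).digest()[:8]


def _hash2_ok(modifier, pubkey, sec):
    # Hash2 must start with 16*Sec zero bits; this is what makes brute-forcing
    # a colliding address for someone else's key expensive
    h = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return int.from_bytes(h, "big") >> (112 - 16 * sec) == 0


def _interface_id(modifier, prefix, collision_count, pubkey, sec):
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1F) | (sec << 5)   # leftmost 3 bits carry Sec
    iid[0] &= 0xFC                           # clear the u and g bits
    return bytes(iid)


def generate_cga(prefix, pubkey, sec=1, modifier=None, collision_count=0):
    """Return (IPv6Address, modifier); prefix is the 8-byte subnet prefix."""
    m = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)             # search for a modifier passing Hash2
    modifier = m.to_bytes(16, "big")
    iid = _interface_id(modifier, prefix, collision_count, pubkey, sec)
    return ipaddress.IPv6Address(prefix + iid), modifier


def verify_cga(address, prefix, pubkey, modifier, collision_count=0):
    """True iff the address was generated from (pubkey, prefix, modifier).

    This is the check a SEND node runs on a Neighbor Solicitation before it
    goes on to verify the signature with the same public key.
    """
    packed = address.packed
    if collision_count > 2 or packed[:8] != prefix:
        return False
    sec = packed[8] >> 5                     # Sec is read from the address itself
    if not _hash2_ok(modifier, pubkey, sec):
        return False
    return _interface_id(modifier, prefix, collision_count, pubkey, sec) == packed[8:]


if __name__ == "__main__":
    prefix = bytes.fromhex("20010db800000000")          # constructed 2001:db8::/64
    key = b"constructed-terminal-public-key"            # constructed stand-in
    addr, mod = generate_cga(prefix, key)
    print(addr, verify_cga(addr, prefix, key, mod))
    print("spoof with other key:", verify_cga(addr, prefix, b"other-key", mod))
```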

Network Access Authentication and SEND
- SEND solves half the problem
  – Allows the terminal to authenticate the network
- Adding a certificate on the terminal would allow the network to authenticate the terminal
  – But no way to check terminal's authorization nor provide accounting so network service can be billed
- SEND WG discussed using a terminal certificate for address resolution security but issue was dropped
  – Want to see whether any market acceptance for SEND first
- Authentication of terminal using certificate provided by home network would provide a lighter weight alternative to AAA flows
  – No need to do AAA on handover, just check certificate
  – Or an authorization token issued by the access network after authentication and authorization are complete

Protocol carrying Authentication for Network Access (PANA)
- PANA is an IP level encapsulation for Extensible Authentication Protocol (EAP)
- Provides authentication transport if no Layer 2.5 transport is available
- PANA framework contains a network access enforcement point to limit types of traffic until terminal is authenticated
  – Router solicitation/advertisement
  – Address autoconfiguration
  – DHCP
  – PANA
- Enforcement point may also provide cryptographic protection for traffic if unavailable from link layer
  – IKE/IPsec
- Replaces use of HTML in UAM

PANA Protocol – Host to Network
[Diagram: Mobile Terminal – AP – AR – Border Router (Access Network) – Internet – AAA-H – AAA-F, with PAC and EC (enforcement point) in the access network. Terminal to PAC: PANA + EAP + IP; PAC to AAA-F: Radius/Diameter + EAP + IP; AAA-F to AAA-H: Radius/Diameter + IP.]

PANA Protocol – Network to Host
[Diagram: same topology as the Host to Network slide. PAC to Terminal: PANA + EAP + IP; PAC to EC: SNMP; PAC to AAA-F: Radius/Diameter + EAP + IP; AAA-F to AAA-H: Radius/Diameter + IP.]

Controversy over PANA
- Arguments against PANA
  – Layer 2 protocols all have their own ways of doing authentication
  – Terminal should authenticate before obtaining an IP address
  – PANA is architecturally wrong
  – ...
- PANA is really a replacement for UAM
  – UAM is really architecturally wrong: forces the terminal to support HTTP, and HTTP is really the wrong stack layer for network access authentication signaling
  – Widespread deployment of UAM indicates market interest in using IP as network access authentication transport
- Primary issue: PANA only solves a very small part of the problem
  – If the link layer is not secure, then IKE/IPsec must be used for confidentiality on the link: too heavy weight
  – Many of the problems surrounding other authentication methods remain

A Different Way - Hyperoperator

The Problem
- Infrastructure deployment costs for a managed microcellular network like are really high
- Nobody has managed to make a viable business out of subscription based hot-spots
  – Well, maybe T-Mobile, but...
  – Best business model seems to be a managed network model – provider sells network management service to hotels, convention centers, etc.
- For B3G or 4G, deployment, infrastructure, and network management costs of standard cellular business model might be steep to unaffordable
  – Low end disruptors based on cheap, unmanaged spectrum devices with macrocellular characteristics are a threat
- Private individuals and small businesses with really don't want the hassles of managing security in a wireless network
  – And some people who might want always on might not want to pay for it until they really use it

The Goal
- Multiple federated, independent, small access networks
  – Maybe your neighbor, maybe you
- They contract with an operator to provide wireless service in exchange for discount on their network access or payment
  – Like solar power in California – PG&E doesn't pay you but you sell them power during the day/summer and buy back at night/winter
  – Or maybe like solar power in Germany where the power company pays you for power you generate
- Operator provides them with:
  – Security and management software and expertise to make their network more secure than if they had to manage it themselves
  – Software for user service provisioning, charging and accounting so the operator's users are properly charged
  – Software to regulate usage of the federated network so that the owner is guaranteed some percentage of the bandwidth
→ We call this model Hyperoperator

HyperOperator
[Diagram: Hyperoperator connected to two privately owned access networks, kempf-and-associates (AR + AP, Foxborough Drive) and wakerley-house (AR + AP, Mountain View).]

Two Possibly Useful Components
- Mobile Firewall
- Authorization Certificates

Mobile Firewall
- Previous work
  – SEND handles some threats on the last hop
  – IETF 56 DefCon BOF discussed protocol for distributed firewall but no agreement on forming a WG
- Firewall on the access router protects network from virus and worm traffic originating on a fully authenticated and authorized host
- Firewall detects mal-traffic, cuts off host's network service
- Other uses
  – Bandwidth control
  – Differential service provisioning

Mobile Firewall Details
[Diagram: Mobile Terminal – AR with Mobile Firewall]
- Compromised host starts spewing mal-traffic
- Real time traffic analysis identifies threat
- Virus traffic is blocked
G. Fu, D. Funato, J. Wood, and T. Kawahara, "Mobile Firewall", The Fifth International Conference on Mobile and Wireless Communications Networks (MWCN 2003), Singapore, October 2003.

Authorization Certificates
- Home network provides terminal with proof of authorization for a service
- Terminal presents proof of authorization to foreign network for initial access
- Access network grants terminal a token for handover
- Terminal presents token on each handover (including between federated operators)

Authorization Certificate/Microcredits Example
[Diagram: Mobile Terminal – AP – Access Network – Border Router – Foreign Accounting Server – Hyperoperator Home Accounting Server]
- Mobile Terminal → Foreign Accounting Server: Send Authorization Certificate
- Foreign Accounting Server ↔ Home Accounting Server: Radius Flow (ugh! Do we really need this?)
- Foreign Accounting Server → Mobile Terminal: Send Access Token (10)
- Send Access Token (10)
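The access-token step from the two slides above (Network Access Authentication and SEND, and the Authorization Certificate/Microcredits example), as an added example that is not from the talk: after the authorization certificate has been checked once, the access network issues a token that any federated access router can verify locally on handover, with no AAA round trip. Assumptions: the federation shares one HMAC key provisioned by the hyperoperator, tokens are JSON claims, and the credit field is the slide's "10" microcredits.

```python
import hashlib
import hmac
import json
import time

# Constructed stand-in for a key the hyperoperator would provision to every
# federated access router (assumption; the talk does not specify a key scheme).
FEDERATION_KEY = b"constructed-hyperoperator-federation-key"


def _mac(payload: bytes) -> str:
    return hmac.new(FEDERATION_KEY, payload, hashlib.sha256).hexdigest()


def issue_access_token(terminal_id, issuer, credits, lifetime_s, now=None):
    """Issued by the access network once the authorization certificate checked out."""
    now = time.time() if now is None else now
    claims = {"sub": terminal_id, "iss": issuer, "credits": credits,
              "exp": int(now + lifetime_s)}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return payload.hex() + "." + _mac(payload)


def verify_access_token(token, trusted_issuers, now=None):
    """Run by the access router the terminal hands over to.

    Returns the claims if the token is authentic, unexpired, from a federated
    issuer and still has credit; otherwise None (fall back to the full flow).
    """
    now = time.time() if now is None else now
    try:
        payload_hex, tag = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    if not hmac.compare_digest(_mac(payload), tag):
        return None                     # forged or altered token
    claims = json.loads(payload)
    if claims["iss"] not in trusted_issuers or claims["exp"] <= now:
        return None
    if claims["credits"] <= 0:
        return None
    return claims


def handover(token, new_issuer, trusted_issuers, now=None):
    """Accept the token at the new router and re-issue it with one credit spent."""
    claims = verify_access_token(token, trusted_issuers, now)
    if claims is None:
        return None
    now = time.time() if now is None else now
    return issue_access_token(claims["sub"], new_issuer, claims["credits"] - 1,
                              claims["exp"] - now, now)
```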

Obstacles to Acceptance*
*Or why this idea might not get traction

Research Problems
- Risk analysis of how much the operator stands to lose if the federated system cheats

Business Problem
- THE issue! This is a disruptive business model
  – Either low end if the customers are overserved by 3G network
  – Or nonconsumption if the customers are people who are not using existing 3G networks or are not using them for particular jobs
- The cellular providers can't disrupt themselves
  – Unless they establish a separate business unit

Summary

Summary
- Reviewed existing methods of doing wireless auth/authz
  – Pre-IP Layer 2.5
  – UAM
- Discussed problems with existing technologies
- Reviewed two new IETF protocols that may provide some benefit
  – SEND mitigates some threats on the local link, could be expanded to include network access authentication
  – PANA removes HTTP hack in UAM
- Described a more radical proposal – hyperoperator
  – Federated model of many small operators, with privately owned access points
  – Mobile firewall between host and the network to control traffic from compromised hosts
  – Authentication certificates and access tokens for authorization and accounting
- Discussed problems in
  – Existing infrastructural and intellectual investment in traditional AAA

Questions?