Motorola Israel Project: Authentication Center for SDP Federation ARD The Team: Alina Mirinzon Dadi Suissa Gabi Brontvin Raz Zieber.

Introduction

Network & SDP Authentication Center: a universal system, based on the AAA principle, for authenticating and authorizing users and applications that want to receive services provided by an SDP. What is AAA? Authentication, Authorization, Accounting. What is SDP? Service Delivery Platform: the network infrastructure provider that provides AAA.

Introduction – cont. Each time a user wants to access a network, an AAA process is needed in order to establish the connection. AAA process interests: identifying the user, the user's permissions, billing. Parties: –SDPs –Users: the clients –Applications: activate services supplied by the SDPs.

Vision

The project goal is to research, design and implement a proof of concept for the authentication aspects of the SDP. The expected project outcome is an Authentication Center for SDP Federation, serving multiple authentication decision points and security policies.

Problem Domain

Our project deals with three subjects: Network Authentication; SDP Authentication; Privacy Policy (out of our scope). All of the above will be handled by a single Authentication Center.

Problem Domain – cont. Network Authentication: Description: A client (supplicant) of one SDP wants to use the infrastructure of any SDP. This authentication process is a precondition for establishing a connection between the client and the desired SDP.

Problem Domain – cont. Network Authentication – cont. Examples: You go on a trip overseas. You forgot to tell your mom (a Polish mom) that you got married in Las Vegas to a Christian lady. You reach for your mobile phone, but you forgot to make arrangements for using your phone in the U.S. - OOOOOOOOPS. You are riding a bus in Beer-Sheva and want to send an urgent talkback via your laptop (this will be possible in the near future with WiMAX technology) about the exam in compilation (it was a piece of cake). Beer-Sheva is covered by provider A, but you are subscribed to provider B. - BASA

Problem Domain – cont. Network Authentication – cont. Traditional solution: Every SDP must know all other SDPs. Each SDP supports the protocols of all other SDPs. Agreements between SDPs are made in advance. (Diagram: subscribed SDP#4, SDP#3, SDP#2, SDP#1; connection request.)

Problem Domain – cont. Network Authentication – cont. Problems: Duplicate implementation of protocols. Severe data duplication. (Diagram: subscribed SDP#4, SDP#3, SDP#2, SDP#1; connection request.)

Problem Domain – cont. Network Authentication – cont. Suggested solution: One Authentication Center will receive all authorization requests and handle them: protocol conversion; routing the authentication request to the SDP the user is subscribed to. (Diagram: subscribed SDP#1, SDP#2, Authentication/Privacy Center with Authentication Proxy Server, SDP#4, SDP#3; connection request.)

Problem Domain – cont. Network Authentication – cont. Problems solved: Converter - duplicate implementation of protocols. The SDPs need to know only the center and their own subscribers - severe data duplication.

Problem Domain – cont. SDP Authentication: Description: An application needs to use a specific service. The same service is provided by and available on several servers. In order to learn about the capabilities of the service and choose the most suitable one, the application needs to authenticate with each server. (For a “get location” service, capability parameters can be location accuracy, location update frequency and service cost.)

Problem Domain – cont. SDP Authentication – cont. Example: A user operates an application that searches for restaurants near his current position. This application uses the “get location” service. High accuracy and frequent updates are not relevant for this application.

Problem Domain – cont. SDP Authentication – cont. Existing solution: The application tries to find all available services with the same functionality. The application needs to authenticate with all servers. The application has to ask each server what it supports, rejecting those that do not suit its needs. The application chooses the most suitable and profitable service. (Diagram: Client Application, Service, SDP#1, SDP#2.)

Problem Domain – cont. SDP Authentication – cont. Problems: Repeated authentication process. The application will check servers, some of which are not relevant at all. No standard for service request protocols: the application's service request must suit each server's protocol.

Problem Domain – cont. SDP Authentication – cont. Suggested solution: An authentication center will implement the authentication process and the service request, using a standard API. The center will give the application only the available and relevant services. (Diagram: SDP#1, Authentication/Privacy Center with Authenticator Proxy and OSA Gateway, SDP#2, EAP Authenticator, EAP Supplicant, Client Application, Service.)

Problem Domain – cont. SDP Authentication – cont. Problems solved: One Authentication Center - repeated authentication process. Implementing a standard API - diversity of authentication protocols and no standard for service requests. The center provides only the relevant services - the application no longer checks servers that are not relevant at all.

Architecture & Technologies

(Architecture diagram; components shown: EAP-MD5 Authenticator – Parlay framework, Repository, Convertor, EAP Proxy, Repository, Application - Demo, Access; grouped under SDP Authentication and Network Authentication.)

Functional Requirements

Repository
- Select SDP record
- Select record of application's server

Functional Requirements – cont. EAP Proxy
- Receive authentication details.
- Select the record from the repository.
- Execute converter.
- Send authorization request to SDP.
- Return the response.

Functional Requirements – cont. Converter
- RADIUS-DIAMETER conversion.
- DIAMETER-RADIUS conversion.
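The EAP Proxy and Converter requirements above, together with the "route the request to the SDP the user is subscribed to" idea from the suggested solution, can be shown end to end in code. The following is an added example, not the project's own implementation: it parses a RADIUS Access-Request, selects the home SDP from a repository by the realm of the user name, re-encodes the request as a Diameter-EAP-Request, and turns the Diameter answer back into a RADIUS Access-Accept or Access-Reject. Wire formats follow RFC 2865 (RADIUS), RFC 6733 and RFC 4072 (Diameter EAP); the repository contents, host names, shared secret and sample packet are constructed placeholders.

```python
"""Added example: EAP Proxy step that parses RADIUS, selects the home SDP by realm,
converts RADIUS -> Diameter-EAP-Request and Diameter answer -> RADIUS response.
Repository, hosts, secret and sample packet are constructed, not project data."""
import hashlib
import os
import struct

RADIUS_ACCESS_REQUEST, RADIUS_ACCESS_ACCEPT, RADIUS_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 79          # RFC 2865 / RFC 3579
DIAMETER_EAP_APP_ID, CMD_DIAMETER_EAP = 5, 268     # RFC 4072 (DER/DEA)
AVP_USER_NAME, AVP_EAP_PAYLOAD, AVP_RESULT_CODE = 1, 102, 268
DIAMETER_SUCCESS = 2001

# Constructed repository: realm -> home SDP record (the "Select SDP record" step)
SDP_REPOSITORY = {
    "sdp-a.example": {"name": "SDP#1", "protocol": "DIAMETER", "host": "aaa.sdp-a.example"},
    "sdp-b.example": {"name": "SDP#2", "protocol": "RADIUS", "host": "aaa.sdp-b.example"},
}

def parse_radius(packet):
    """Decode RADIUS header and attribute list; reject length inconsistencies."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("RADIUS length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed RADIUS attribute")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": code, "id": ident, "authenticator": packet[4:20], "attrs": attrs}

def build_radius(code, ident, authenticator, attrs=()):
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def diameter_avp(code, data, mandatory=True):
    """One Diameter AVP: code(4) flags(1) length(3) data, padded to 4 bytes."""
    flags = bytes([0x40 if mandatory else 0])
    header = struct.pack("!I", code) + flags + (8 + len(data)).to_bytes(3, "big")
    return header + data + b"\x00" * (-len(data) % 4)

def parse_diameter_avps(blob):
    avps, pos = {}, 0
    while pos < len(blob):
        code = struct.unpack("!I", blob[pos:pos + 4])[0]
        length = int.from_bytes(blob[pos + 5:pos + 8], "big")
        if length < 8 or pos + length > len(blob):
            raise ValueError("malformed Diameter AVP")
        avps[code] = blob[pos + 8:pos + length]
        pos += length + (-length % 4)
    return avps

def select_sdp(user_name):
    """Route on the realm part of user@realm; an unknown realm is not forwarded."""
    if "@" not in user_name:
        raise LookupError("no realm in user name; cannot select home SDP")
    realm = user_name.rsplit("@", 1)[1].lower()
    if realm not in SDP_REPOSITORY:
        raise LookupError("unknown realm: " + realm)
    return SDP_REPOSITORY[realm]

def radius_to_diameter(packet, hop_by_hop=1, end_to_end=1):
    """Access-Request -> (home SDP record, Diameter-EAP-Request bytes)."""
    req = parse_radius(packet)
    if req["code"] != RADIUS_ACCESS_REQUEST:
        raise ValueError("only Access-Request is proxied")
    attrs = dict(req["attrs"])
    if ATTR_USER_NAME not in attrs:
        raise ValueError("User-Name attribute required for routing")
    user = attrs[ATTR_USER_NAME].decode("utf-8")
    eap = b"".join(v for t, v in req["attrs"] if t == ATTR_EAP_MESSAGE)  # reassemble fragments
    sdp = select_sdp(user)
    avps = diameter_avp(AVP_USER_NAME, user.encode()) + diameter_avp(AVP_EAP_PAYLOAD, eap)
    header = (bytes([1]) + (20 + len(avps)).to_bytes(3, "big") + bytes([0x80])  # version, length, R flag
              + CMD_DIAMETER_EAP.to_bytes(3, "big")
              + struct.pack("!III", DIAMETER_EAP_APP_ID, hop_by_hop, end_to_end))
    return sdp, header + avps

def diameter_to_radius(answer, request_packet, secret):
    """Diameter-EAP-Answer -> Access-Accept/Reject with RFC 2865 Response Authenticator."""
    req = parse_radius(request_packet)
    avps = parse_diameter_avps(answer[20:])
    result = struct.unpack("!I", avps[AVP_RESULT_CODE])[0]
    code = RADIUS_ACCESS_ACCEPT if result == DIAMETER_SUCCESS else RADIUS_ACCESS_REJECT
    head = struct.pack("!BBH", code, req["id"], 20)
    return head + hashlib.md5(head + req["authenticator"] + secret).digest()

def sample_access_request(user, eap, ident=7):
    """Constructed Access-Request as an access point would send it (EAP, no User-Password)."""
    return build_radius(RADIUS_ACCESS_REQUEST, ident, os.urandom(16),
                        [(ATTR_USER_NAME, user.encode()), (ATTR_EAP_MESSAGE, eap)])
```

Running `radius_to_diameter(sample_access_request("alice@sdp-a.example", eap_identity_bytes))` returns the SDP#1 record and a Diameter-EAP-Request whose User-Name and EAP-Payload AVPs carry the original values; a Result-Code of 2001 in the answer becomes Access-Accept, anything else Access-Reject. The proxy refuses requests without a realm or with an unknown realm instead of guessing a destination, which is the check that keeps one SDP's subscribers from being authenticated against another SDP's repository.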

Functional Requirements – cont. Network Gateway - Access Point
- Get an authentication request from the client at layer 2.
- Manage the protocol handshake.
- Send the authentication request to the Authentication Center via the RADIUS protocol.
- Block the user from entering the network.
- Admit or refuse the user according to the authentication response.

Functional Requirements – cont. Supplicant Application (Parlay)
- Requests a service.
- Selects a service.
- Receives the service.

Functional Requirements – cont. Server Authenticator
- Parlay Interface - Framework

Functional Requirements – cont. GUI
- User connection.
  – Insert user personal details
  – Insert user connection details
- Connection and application process notification.
  – Initializing
  – Connecting
  – Accept\Reject
  – Disconnecting
- Show reports.

Non-Functional Requirements

Speed, Capacity & Throughput, Availability, Usability – irrelevant. Reliability – 100% correctness in supplying services and network access to entitled users only. Safety & Security
- RADIUS & DIAMETER authentication protocols
- EAP-MD5 hash function for identification.
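The security requirement names EAP-MD5 as the identification method. The following added example (not the project's code) shows the authenticator side of EAP-MD5 as specified in RFC 3748 section 5.4: the authenticator issues a random challenge, the supplicant answers with MD5(Identifier || password || challenge), and the authenticator compares in constant time and discards the challenge so that a replayed response fails. The subscriber store, identity and password are constructed placeholders. One caveat a deployment should note: EAP-MD5 gives no mutual authentication and derives no keys, so the RFC itself limits it to environments where the link is otherwise protected.

```python
"""Added example: authenticator-side EAP-MD5 (RFC 3748 section 5.4).
Subscriber store, identity and password are constructed placeholders."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5 = 1, 4

# Constructed subscriber store; a real deployment reads this from the SDP repository
PASSWORDS = {"alice@sdp-a.example": b"constructed-password"}

def build_eap(code, ident, payload=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) Data."""
    return struct.pack("!BBH", code, ident, 4 + len(payload)) + payload

def parse_eap(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length != len(pkt):
        raise ValueError("bad EAP length")
    return code, ident, pkt[4:length]

def md5_response_value(ident, password, challenge):
    """RFC 3748: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def supplicant_respond(request_pkt, password):
    """Supplicant side, used here only to drive the exchange."""
    _, ident, payload = parse_eap(request_pkt)
    size = payload[1]
    value = md5_response_value(ident, password, payload[2:2 + size])
    return build_eap(EAP_RESPONSE, ident, bytes([EAP_TYPE_MD5, len(value)]) + value)

class Md5Authenticator:
    def __init__(self):
        self.pending = {}  # identity -> (expected identifier, challenge); single use

    def start(self, identity_pkt):
        """Consume EAP-Response/Identity and return (identity, MD5-Challenge request)."""
        code, ident, payload = parse_eap(identity_pkt)
        if code != EAP_RESPONSE or payload[:1] != bytes([EAP_TYPE_IDENTITY]):
            raise ValueError("expected EAP-Response/Identity")
        identity = payload[1:].decode("utf-8")
        challenge = os.urandom(16)
        next_id = (ident + 1) & 0xFF
        self.pending[identity] = (next_id, challenge)
        # Type(1)=4 | Value-Size(1) | Value | Name (omitted)
        data = bytes([EAP_TYPE_MD5, len(challenge)]) + challenge
        return identity, build_eap(EAP_REQUEST, next_id, data)

    def verify(self, identity, response_pkt):
        """Return EAP-Success or EAP-Failure; the challenge is consumed either way."""
        code, ident, payload = parse_eap(response_pkt)
        entry = self.pending.pop(identity, None)  # replay of a used challenge fails here
        if entry is None or code != EAP_RESPONSE or ident != entry[0]:
            return build_eap(EAP_FAILURE, ident)
        if len(payload) < 2 or payload[0] != EAP_TYPE_MD5 or payload[1] != 16:
            return build_eap(EAP_FAILURE, ident)
        value = payload[2:18]
        # Unknown identity still runs a comparison so timing does not reveal it
        password = PASSWORDS.get(identity, b"")
        expected = md5_response_value(ident, password, entry[1])
        ok = hmac.compare_digest(expected, value) and identity in PASSWORDS
        return build_eap(EAP_SUCCESS if ok else EAP_FAILURE, ident)

def run_exchange(identity, password, auth=None):
    """Full Identity -> MD5-Challenge -> Response round; returns the final EAP code."""
    auth = auth or Md5Authenticator()
    identity_pkt = build_eap(EAP_RESPONSE, 1, bytes([EAP_TYPE_IDENTITY]) + identity.encode())
    who, request = auth.start(identity_pkt)
    response = supplicant_respond(request, password)
    return parse_eap(auth.verify(who, response))[0]
```

`run_exchange("alice@sdp-a.example", PASSWORDS["alice@sdp-a.example"])` yields EAP-Success (3); a wrong password or a second submission of the same response yields EAP-Failure (4), because `verify` removes the challenge from `pending` on first use.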

Non-Functional Requirements – cont. Portability – different operating systems:
- Supplicants - EAP Supplicant in Windows; Parlay Supplicant in Linux
- SDPs – Linux, RADIUS \ DIAMETER
- Programming Languages -

Use-Cases

Use-Cases 1: Network authentication. The story: An SDP supplicant wants to connect to the network. Post conditions: network access is authorized.

Use-Cases 1

Use-Cases 2: Application authentication. The story: The application wants to use a service and needs to be authenticated. Post conditions: The application is authenticated and is able to get the desired service.

Use-Cases 2

Risks

Proof of Concept – possibly won't be implemented. A lot of advanced networking technologies – wide knowledge needed (Parlay, DIAMETER, RADIUS, EAP-MD5, …).

Thank You !!!