Secure Authentication System for Public WLAN Roaming
Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy Katz

Presentation transcript:

Slide 1: Secure Authentication System for Public WLAN Roaming
Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy Katz

Slide 2: Agenda
1. Challenges and our Solution
2. Testbed Description
3. Performance Measurement

Slide 3: Loose Trust Relationship in Current Public Wireless LAN Roaming
Diagram: trust relationships among the User, WLAN Service Providers and ID Providers (ISPs, card companies), ranging from strong trust through weak trust to no trust.
Each WLAN system is isolated and deploys different authentication schemes.

Slide 4: Challenges and Our Solutions
Challenge: Confederate service providers under different trust levels and with different authentication schemes to offer wider coverage; inter-system handover with minimal user intervention.
Solution: SSO Roaming with Authentication Adaptation.
Challenge: Select the proper authentication method and protect the privacy of user information per WLAN provider.
Solution: Policy Engine Client.
Challenge: Avoid theft of wireless service without assuming a pre-shared secret between user and network.
Solution: L2/Web Compound Authentication.

Slide 5: Authentication Adaptation Flow
Authentication Negotiation Protocol (XML-based) between the User Terminal and the WLAN Service Provider:
(1) Authentication Capabilities Query
(2) Authentication Capabilities Statement: provider id, authentication methods, charging options, required user information
(3) Select authentication method according to the user's preferences (on the user terminal)
(4) Authentication Query: selected authn. method, selected charging option, user information
(5) Authenticate the user
(6) Authentication Statement

Slide 6: Authentication Capabilities Statement Example
(XML document; the markup was lost in extraction and only element values remain)
vancouver.cs.berkeley.edu_SP …... ID Provider C, Prepaid basic A, Radius, Liberty, Radius

Slide 7: Authentication Capabilities Statement Example (continued)
(XML document; the markup was lost in extraction and only element values remain)
Liberty, Prepaid basic A, Constant, private_contents, private_contents
Access to private contents through the provider's web portal

Slide 8: Auth Adaptation User Interface

Slide 9: Policy Engine
- Control automatic submission of user authentication information according to communication context
- Authentication/Authorization flow adaptation
Diagram: User Terminal (Network Access Client, Web Browser, Policy Engine with Policy Check, Policy Repository, Context, Capability, Auth Info. Repository, End User) and WLAN Service Provider (Network Access Server), connected over EAP/802.1X.

Slide 10: Policy Rule Example
(XML document; the markup was lost in extraction and only element values and one tag remain)
… ID Provider C: Prepaid basic A…, Prepaid basic B…, Prepaid premium A…, Radius…, Liberty…
ID Provider B: Prepaid basic A…, Radius…
vancouver.cs.berkeley.edu_SP
<provisional_action name="user_acknowledgement"/>
ID Provider C, Prepaid basic A, Radius, TRUE, T00:00:00Z

Slide 11: Authentication Query Example
(XML document; the markup was lost in extraction and only element values remain)
Radius, Prepaid basic A, my_user, my_password, my_contract_number
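As an added example (not the authors' code), the adaptation step of slides 5 and 9 to 11 in Python: parse a constructed Authentication Capabilities Statement and apply a user policy that picks the ID provider and method by preference order, refusing to proceed automatically when the provider demands user information the policy does not allow to be released. The XML element names and the policy dictionary layout are assumptions; only the values are taken from the slides.

```python
import xml.etree.ElementTree as ET

# Constructed statement modelled on slides 6-7; element names are assumed,
# the values (provider id, ID Provider C, Prepaid basic A, Radius, Liberty) are the slides'.
CAPABILITIES_XML = """
<capabilities provider_id="vancouver.cs.berkeley.edu_SP">
  <id_provider name="ID Provider C">
    <charging>Prepaid basic A</charging>
    <auth_method>Radius</auth_method>
    <auth_method>Liberty</auth_method>
    <required_info>user_id</required_info>
    <required_info>contract_number</required_info>
  </id_provider>
</capabilities>"""

# Constructed user policy in the spirit of slide 10: method preference order, per-provider
# set of user information that may be released, and a provisional action before submission.
USER_POLICY = {
    "method_preference": ["Liberty", "Radius"],
    "providers": {"vancouver.cs.berkeley.edu_SP": {
        "releasable_info": {"user_id", "contract_number"},
        "provisional_action": "user_acknowledgement"}},
}

def parse_capabilities(xml_text):
    """Step (2): read the provider's Authentication Capabilities Statement."""
    root = ET.fromstring(xml_text)
    return {"provider_id": root.get("provider_id"), "id_providers": [
        {"name": idp.get("name"),
         "methods": [m.text for m in idp.findall("auth_method")],
         "charging": [c.text for c in idp.findall("charging")],
         "required_info": {r.text for r in idp.findall("required_info")}}
        for idp in root.findall("id_provider")]}

def select_authentication(caps, policy):
    """Step (3): pick ID provider and method; None means do not submit automatically."""
    rule = policy["providers"].get(caps["provider_id"])
    if rule is None:
        return None                    # unknown provider: release nothing
    for idp in caps["id_providers"]:
        if not idp["required_info"] <= rule["releasable_info"]:
            continue                   # provider asks for information the user will not release
        for method in policy["method_preference"]:
            if method in idp["methods"]:
                return {"id_provider": idp["name"], "method": method,
                        "charging": idp["charging"][0] if idp["charging"] else None,
                        "needs_acknowledgement": rule.get("provisional_action") == "user_acknowledgement"}
    return None                        # no acceptable method: fall back to asking the user
```

The returned decision is what the terminal would place in the Authentication Query of slide 11, after the user acknowledgement the policy demands.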

Slide 12: L2/Web Compound Authentication
Participants: Client, Access Point, RADIUS/Web Server, External Network.
(1) 802.1x TLS guest authentication
(2) Establish L2 Session Key
(3) Web Auth (with L2 session key digest)
(4) Firewall Control
Prevents theft of service, eavesdropping and message alteration.
Does not address L2 DoS attacks (out of scope).
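An added example (not the authors' code) of the binding in step (3) above: the RADIUS/Web server accepts a web login only if it carries a digest formed under the L2 session key it established with that station in step (2), and opens the firewall (step 4) for that station alone. The digest construction (HMAC-SHA256 over client MAC, user name and a server nonce, keyed with the L2 session key) is an assumption; the slide only states that the web authentication includes an L2 session key digest.

```python
import hashlib, hmac, secrets

def l2_digest(session_key, client_mac, user, nonce):
    """Digest sent with the web login; only a station holding the L2 key can form it."""
    msg = b"|".join([client_mac.lower().encode(), user.encode(), nonce])
    return hmac.new(session_key, msg, hashlib.sha256).hexdigest()

class WebAuthServer:
    """RADIUS/Web server side: it learned each client's L2 session key in step (2)."""
    def __init__(self, credentials):
        self.credentials = credentials   # user -> password (constructed; real servers store hashes)
        self.l2_sessions = {}            # client MAC -> L2 session key
        self.nonces = {}                 # client MAC -> outstanding challenge nonce
        self.firewall_open = set()       # step (4): MACs the firewall lets through

    def register_l2_session(self, client_mac, session_key):
        self.l2_sessions[client_mac.lower()] = session_key

    def challenge(self, client_mac):
        nonce = secrets.token_bytes(16)  # fresh per login attempt, so a digest cannot be replayed
        self.nonces[client_mac.lower()] = nonce
        return nonce

    def web_auth(self, client_mac, user, password, digest):
        mac = client_mac.lower()
        key, nonce = self.l2_sessions.get(mac), self.nonces.pop(mac, None)
        if key is None or nonce is None:
            return False                 # no L2 session to bind the web login to
        if self.credentials.get(user) != password:
            return False
        if not hmac.compare_digest(l2_digest(key, mac, user, nonce), digest):
            return False                 # digest was not formed under this station's L2 key
        self.firewall_open.add(mac)      # step (4): open the firewall for this station only
        return True

def demo():
    """Constructed run: a bound login succeeds; a login whose digest used another key fails."""
    server = WebAuthServer({"alice": "correct horse"})
    mac_a, mac_b = "00:11:22:33:44:55", "66:77:88:99:aa:bb"
    key_a, key_b = secrets.token_bytes(32), secrets.token_bytes(32)  # step (2) keys, constructed
    server.register_l2_session(mac_a, key_a)
    server.register_l2_session(mac_b, key_b)
    ok = server.web_auth(mac_a, "alice", "correct horse",
                         l2_digest(key_a, mac_a, "alice", server.challenge(mac_a)))
    # Station B presents valid credentials, but its digest was formed under key_a, not key_b
    bad = server.web_auth(mac_b, "alice", "correct horse",
                          l2_digest(key_a, mac_b, "alice", server.challenge(mac_b)))
    return ok, bad
```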

Slide 13: WLAN Secure Roaming Testbed
Diagram: Identity Provider #1 (Liberty id provider) and Identity Provider #2 (Radius); Service Provider #1 and Service Provider #2, each running RADIUS, 802.1x, a Web Portal, a Liberty service provider, an ANP Server and a Firewall; a WinXP Client and a Linux Client (ANP Client, Policy Engine, Roaming Client, Xsupplicant). Interfaces shown: RADIUS, HTTPS, SOAP.

Slide 14: Layer 2 Roaming User Interface

Slide 15: Delay Profile Evaluation (units: sec)
Table columns: Proxy-based (RADIUS) Local | Proxy-based (RADIUS) Roaming | Redirect-based (Liberty) Local | Redirect-based (Liberty) Roaming
Table rows: Web Authentication | Policy Engine | Authn. Capabilities Announcement | Link Layer (802.1x) Authentication | Total
(The measured values in the cells were not preserved in the transcript.)

Slide 16: Conclusions
1. Secure public WLAN roaming made possible by accommodating multiple authentication schemes and ID providers with an adaptation framework
2. Policy Engine reflects the user's authentication scheme preference and protects the privacy of user information
3. Compound L2/Web authentication ensures cryptographically-protected access
4. Confirmed with a prototype; measured performance shows reasonable delay for practical use
5. Exploits industry-standard authentication architectures: Radius, Liberty Alliance