UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Secure Authentication System for Public WLAN Roaming Ana Sanz Merino, Yasuhiko.

Presentation transcript:

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Secure Authentication System for Public WLAN Roaming Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy H. Katz Presented by Dustin Christmann April 20, 2009

Outline
– Introduction
– Current Approaches
– Single Sign-On Confederation Model
– Authentication Flow Adaption Framework
– Policy Engine
– Securing Web-Based Authentication
– Evaluation
– Conclusion

Introduction
– WLAN hotspots becoming ubiquitous
– Most WLAN hotspot providers are small and can't provide enough coverage
– Needed: an inter-network WLAN roaming infrastructure

Introduction
– Similar problem to cellular roaming
– Main differences:
  – Cellular equipment contains identification tied to the provider
    – GSM/UMTS (AT&T and T-Mobile): contained in the SIM card
    – CDMA (Sprint, Verizon, Alltel): contained in the phone firmware
  – Both GSM/UMTS and CDMA protocols include inter-system authentication protocols

Current Approaches
– Link layer authentication
  – IEEE 802.1X standard
  – Shared session key between user and network
  – Provides for encryption of packets, as well as authentication
  – Certificate-based
  – Not suitable for most public WLAN networks

A brief aside about 802.1X
– Port-based authentication
– Three parts:
  – Supplicant: wireless user
  – Authenticator: base station
  – Authentication server
– Extensible Authentication Protocol (EAP)
– Implemented in the 802.11i standard

802.1X Architecture (figure)

RADIUS (figure)

Liberty (figure)

Extensible Authentication Protocol
– Not an authentication mechanism, but a framework
– Provides common functions and mechanism negotiation
– Mechanisms are called "methods" in EAP
– Around 40 methods defined in various RFCs

So what's 802.11i?
– Amendment to 802.11
– Specifies security mechanisms for 802.11 networks
– Ratified in 2004
– Addresses the weaknesses of Wired Equivalent Privacy (WEP)
– Wi-Fi Protected Access (WPA): subset of 802.11i
– WPA2: full implementation
– WEP and WPA use RC4, WPA2 uses AES

802.11i Four-Way Handshake (figure)

Current Approaches
– Web-based authentication and network layer access control
  – Based on IP packet filtering
  – Web server acts as RADIUS client
  – Prone to theft of service by MAC spoofing
  – Microsoft CHOICE network

Single Sign-On Confederation Model
– Users are authenticated by trusted identity providers
– Service providers can have roaming agreements with one or several identity providers

Single Sign-On Confederation Model
Assumptions:
– The user terminal can validate the certificates of the service provider's and identity provider's authentication servers.
– There are static trust relationships between the user and the identity provider, and between the service provider and the identity provider.
– The user can authenticate the service provider's authentication server via the identity provider's authentication server, and vice versa.

Roaming Model (figure)

Authentication Negotiation Protocol
– Need:
  – A way for service providers to communicate their authentication capabilities
  – A way for users to select an identity provider
– Solution: Authentication Negotiation Protocol
  – XML web-based protocol
  – Web browser not needed
  – Thin client

Authentication Flow Adaption Sequence (figure)

Authentication Flow Adaption Architecture (figure)

ANP Example (figure): Authentication Capabilities Statement (includes timestamp) with elements: Service Provider (Name, Confirmation Method, Key); Identity Provider Group (List of identity providers, Charging information, Authentication methods); Charging Option (Interval, Unit price, Time Unit); Service (Service ID, Service description); User info (Password); Authentication Methods

Policy Engine
– Selects the appropriate SSO scheme
– Minimizes user intervention in the sign-on process
– Protects user authentication information
– Not entirely necessary, but very helpful

Policy Engine
– Example in paper:
  – Independent module
  – Takes an XML file as input
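To make the ANP example and the policy engine concrete, here is a small added example (not code from the slides or the paper): a constructed Authentication Capabilities Statement and a constructed user policy, both XML, fed to a policy engine that rejects stale statements and picks an identity provider and method with minimal user intervention. The element and attribute names are assumptions, since the real ANP schema is not on the page.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed statement from a service provider (schema is an assumption): the
# identity providers it roams with, the methods each supports, charging, timestamp.
CAPABILITIES_XML = """<AuthCapabilitiesStatement timestamp="2009-04-20T14:00:00Z">
  <ServiceProvider name="hotspot-sp.example"/>
  <IdentityProvider name="idp-a.example" charging="0.10">
    <Method>password</Method><Method>otp</Method>
  </IdentityProvider>
  <IdentityProvider name="idp-b.example" charging="0.05">
    <Method>password</Method>
  </IdentityProvider>
</AuthCapabilitiesStatement>"""

# Constructed user policy: trusted identity providers in preference order, and
# per provider the methods the user will release credentials for. A provider not
# listed never receives anything, which is the "protects authentication info" goal.
POLICY_XML = """<UserPolicy maxStatementAge="300">
  <TrustedIdP name="idp-b.example"><Allow>otp</Allow></TrustedIdP>
  <TrustedIdP name="idp-a.example"><Allow>otp</Allow><Allow>password</Allow></TrustedIdP>
</UserPolicy>"""


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2009-04-20T14:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def select_sso(capabilities_xml, policy_xml, now_iso):
    """Return (identity_provider, method) or None when nothing acceptable is offered."""
    caps = ET.fromstring(capabilities_xml)
    policy = ET.fromstring(policy_xml)
    # Freshness check on the statement's timestamp: a replayed old announcement
    # must not be allowed to steer the sign-on towards a provider the user trusts.
    age = _parse_ts(now_iso) - _parse_ts(caps.get("timestamp"))
    if age > timedelta(seconds=int(policy.get("maxStatementAge"))):
        return None
    offered = {idp.get("name"): [m.text for m in idp.findall("Method")]
               for idp in caps.findall("IdentityProvider")}
    # Walk the user's trusted providers in preference order; within one provider
    # the user's own method order wins, so the least-exposing allowed method is chosen.
    for trusted in policy.findall("TrustedIdP"):
        name = trusted.get("name")
        if name not in offered:
            continue
        for allowed in trusted.findall("Allow"):
            if allowed.text in offered[name]:
                return name, allowed.text
    return None
```

With the constructed inputs, idp-b is preferred but only offers a password, which the user does not allow there, so the engine falls through to idp-a with a one-time password.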

Securing Web-Based Authentication
– Current web-based authentication approaches are vulnerable to:
  – Theft of service via spoofing
  – Eavesdropping
  – Message alteration
  – Denial of service

Securing Web-Based Authentication
– Problem: neither layer 2 authentication nor web-based authentication is ideal:
  – IEEE 802.1X authentication is more secure, but requires a preshared secret
  – Web-based authentication is more suitable for one-time use, but insecure

Securing Web-Based Authentication
– Solution: hybrid approach
  – Initial link establishment via 802.1X guest authentication
  – Web-based authentication after that

Evaluation

Authentication client latency (table; measured values not preserved in the transcript)

                                           Proxy-based (RADIUS)    Redirect-based (Liberty)
                                           Local      Remote       Local      Remote
Web authentication
Policy engine
Authentication Capabilities Announcement
Link layer (802.1X) authentication
Total

Web-based Authentication Latency (table; measured values not preserved in the transcript)

                                           Proxy-based (RADIUS)    Redirect-based (Liberty)
                                           Local      Remote       Local      Remote
Web authentication
Firewall redirection
Link layer (802.1X) authentication
Total

Conclusions
– This paper should have been three papers, with more detail in each:
  – Single sign-on authentication
  – Policy engine
  – Web-based authentication
– Good way of enabling WLAN roaming by decoupling identity management from the service provider