A Roaming Authentication Solution for Wifi using IPSec VPNs with client certificates Carlos Ribeiro Fernando Silva


A Roaming Authentication Solution for Wifi using IPSec VPNs with client certificates Carlos Ribeiro Fernando Silva André Zúquete

TNC2004, Carlos Ribeiro, Fernando Silva, André Zúquete

Goals
- Primary goal
  - To provide user authentication, data encryption and automatic roaming on wifi networks.
  - e-U initiative
- The solution should be:
  - deliverable on most computers and wifi access points (APs);
  - simple to deploy;
  - simple to use by clients;
  - scalable to many users and networks.

Overview of the solution
- Virtual Private Networks (VPNs) provide:
  - data encryption;
  - peer/data authentication.
- IPSec VPNs:
  - standard;
  - well-tested;
  - available on most platforms.
- Authentication with client (hereafter supplicant) certificates:
  - authentication servers are able to check certificates issued by other institutions.

Architecture
(diagram slide; the figure is not reproduced in the transcript)

Supplicant certificates
- Often avoided due to the complexity of Public Key Infrastructures (PKIs).
- To avoid PKIs, supplicant certificates:
  - cannot be used for irrevocable identification (signing);
  - must have a short/medium validity period.
- Instead of a PKI, supplicant credentials are:
  - distributed by an HTTPS server;
  - kept in a directory server (LDAP, SQL, AD).

Supplicant credentials
- Credentials are generated and kept in the directory server.
  - Credentials = private key, supplicant certificate and other certificates.
  - Supplicants do not need to generate the credentials themselves.
  - Credentials can be supplied more than once to end users.
- Certificates have short validity periods.
  - Certificate Revocation Lists are not necessary.

Roaming
- Each institution acts as a certification entity for its users.
  - It has a private key and a self-signed certificate.
  - It generates private keys and certificates for its users.
  - There is no need for a central certification entity.
- Roaming agreements can be put in place incrementally:
  - without modifying or reissuing local certificates;
  - bilateral agreements;
  - multilateral, hierarchical agreements.
- Local certificates issued before the roaming agreement become valid roaming certificates transparently.

Local authentication
(diagram; labels: Institution A Supplicant, Institution A Gateway, InstA Supplicant Private key, InstA Supplicant certificate, Send, Verify Certificate, Extract Supplicant Public key, Supplicant authentication, Gateway Public key, Gateway Private key, Gateway Authentication, Send, Establishing a Session key, InstA Gateway)

Roaming authentication
(diagram; labels: InstB, InstA Supplicant Private key, InstA Supplicant certificate, Send, Verify Certificate, Extract Supplicant Public key, Supplicant authentication; variants: Bilateral agreements, Multilateral/Hierarchical agreements)
The only difference between local and roaming authentication is in the certificate verification phase.

Roaming Certificate Verification: Bilateral Agreements
(diagram; certificates in InstA supplicant: InstA Supplicant, InstB, InstA; certificates in InstB gateway: InstB Gateway, InstA, InstB)

Roaming Verification of signature: Multilateral (hierarchical) Agreements
- Each institution signs T's public key.
- T signs every institution's public key.
- The chains may have more levels, reproducing a multi-hierarchical structure:
  - e.g. regional, national, international.
(diagram; certificates in InstA supplicant: InstA Supplicant, InstB, InstT; certificates in InstB gateway: InstB Gateway, InstA, InstT; further labels: InstT, InstA, InstT, InstB, InstT, InstX, InstT)
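The credential, roaming and verification slides above (short-lived supplicant certificates without CRLs, each institution as its own certification entity, bilateral agreements by exchanging institution certificates, hierarchical agreements through T) can be reproduced with ordinary X.509 certificates. The script below is an added example, not the authors' implementation: it builds those arrangements with the openssl command line and checks each case with `openssl verify`. Institution names, file names, validity periods and the choice of EC keys are assumptions for the demo. It goes slightly beyond the slides by also showing a gateway with no agreement rejecting the supplicant, and the expiry check doing the job of revocation. The slides have institutions sign T's key as well (cross-certification); the script shows only T's signatures on institution keys, the direction a visited gateway needs to verify a visiting supplicant.

```shell
#!/bin/sh
# Added example, not the authors' code: the slides' trust arrangements built with
# real X.509 certificates and the openssl CLI. Institution names, file names,
# validity periods and EC keys are constructed for the demo.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for certification entities (the institutions and the hierarchy root T).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
# Extensions for supplicants: end entity only, so the certificate cannot sign others
# (the slides' "cannot be used for irrevocable identification").
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > ee.ext

# new_key NAME: key pair (in the paper, generated and kept in the directory server).
new_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1.key" 2>/dev/null; }

# csr NAME SUBJECT: certificate request for NAME's key.
csr() { openssl req -new -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null; }

# self_sign NAME DAYS: an institution's self-signed certification-entity certificate.
self_sign() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days "$2" -extfile ca.ext \
    -out "$1.crt" 2>/dev/null
}

# issue ISSUER CSR_NAME DAYS EXTFILE OUT: ISSUER signs the request in CSR_NAME.csr.
issue() {
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days "$3" -extfile "$4" -out "$5" 2>/dev/null
}

# check VERIFY_ARGS...: prints OK or FAIL rather than aborting under set -e.
check() { if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo FAIL; fi; }

# Two institutions and a hierarchy root, each with its own self-signed certificate.
for inst in instA instB instT; do
  new_key "$inst"; csr "$inst" "/O=$inst/CN=$inst certification entity"; self_sign "$inst" 365
done

# InstA generates alice's credentials: key plus a 30-day certificate (no CRL needed).
new_key supA; csr supA "/O=instA/CN=alice"; issue instA supA 30 ee.ext supA.crt

# Local authentication: the InstA gateway trusts only its own institution certificate.
local_auth() { check -CAfile instA.crt supA.crt; }

# No agreement: the InstB gateway knows nothing about InstA and rejects alice.
no_agreement() { check -CAfile instB.crt supA.crt; }

# Bilateral agreement: the InstB gateway adds InstA's self-signed certificate to its
# store; alice's certificate is untouched.
bilateral_auth() { cat instB.crt instA.crt > gwB.pem; check -CAfile gwB.pem supA.crt; }

# Hierarchical agreement: T signs InstA's and InstB's existing requests, so the same
# institution key gets a second, T-issued certificate. The InstB gateway trusts only T;
# alice presents her unchanged certificate plus InstA-signed-by-T.
issue instT instA 365 ca.ext instA_by_T.crt
issue instT instB 365 ca.ext instB_by_T.crt
hierarchical_auth() { check -CAfile instT.crt -untrusted instA_by_T.crt supA.crt; }

# Expiry in place of revocation: evaluate the local chain 40 days from now.
expired_auth() { check -attime $(( $(date +%s) + 40 * 86400 )) -CAfile instA.crt supA.crt; }

echo "local:        $(local_auth)"        # OK
echo "no agreement: $(no_agreement)"      # FAIL
echo "bilateral:    $(bilateral_auth)"    # OK
echo "hierarchical: $(hierarchical_auth)" # OK
echo "after expiry: $(expired_auth)"      # FAIL
```

Run it with `sh` where the openssl CLI is installed; it works in a temporary directory it removes on exit. The point to notice is which files change when an agreement is added: in the bilateral case only the gateway's trust store grows, and in the hierarchical case only a T-issued certificate for the institution key is added, while the supplicant's own certificate, issued before any agreement, is verified unchanged.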

Additional features
- Visitors not included in roaming agreements:
  - can easily be provided with temporary certificates;
  - temporary certificate management can easily be delegated to some class of users (e.g. professors).
- Authentication is transparent.
  - Even after long periods of disconnection there is no need for an explicit authentication.

Discussion
- Stability and longevity
  - IPSec is a mature standard, which ensures stability for the present and longevity.
- Ubiquity
  - The proposed solution does not depend on special authentication features of the host APs.
  - Using only mandatory IPSec features promotes maximum compatibility. Currently: Windows 2000, Windows XP, Linux, MacOS X.
- Roaming
  - Lightweight roaming infrastructure.
  - Certificate chains do not need to be checked online.
  - The solution does not require a full-featured PKI.
- Other features
  - The authentication process is fast and transparent.
  - Offers a simple method to allow limited-time access to foreign visitors.
- The current implementation is completely free.