
Secure Authentication System for Public WLAN Roaming


Slide 1: Secure Authentication System for Public WLAN Roaming

Authors:
  • Yasuhiko Matsunaga, Computer Science Division, Univ. of California, Berkeley, Berkeley, CA, U.S.A.
  • Ana Sanz Merino, Computer Science Division, Univ. of California, Berkeley, Berkeley, CA, U.S.A.
  • Manish Shah, Computer Science Division, Univ. of California, Berkeley, Berkeley, CA, U.S.A.
  • Takashi Suzuki, Multimedia Laboratories, NTT DoCoMo, Inc., Yokosuka, Kanagawa, Japan
  • Randy H. Katz, Computer Science Division, Univ. of California, Berkeley, Berkeley, CA, U.S.A.

Presented by Ali Ali

Slide 2: Outline
  • Abstract
  • Introduction
  • Related work
  • Single sign-on confederation model
  • Authentication Flow Adaptation Framework
  • Policy Engine
  • Securing Web-Based Authentication and Access Control
  • Conclusion
  • References

Slide 3: Abstract
  • WLAN service providers face serious challenges:
    • they have different trust relationships with each other
    • each supports its own authentication method
    • most service providers cannot deploy many access points

Slide 4: Abstract: roaming model; security mechanisms are required.


Slide 6: Introduction
  • Main challenge: define security mechanisms that protect both the user and the network
  • Network requirements: security
  • User requirements: ease of use, functionality

Slide 7: Introduction: what is the solution?

Slide 8: Introduction
  • Single sign-on (SSO) authentication technologies
  • Developed a client-side policy engine
  • Developed a compound Layer 2 (L2) and Web authentication scheme


Slide 10: Related Work
  • Link-layer authentication: IEEE 802.1X standard, IEEE 802.11i
  • Web-based authentication and network-layer access control


Slide 12: Single sign-on confederation model
  Examples of identity providers:
  • ISPs
  • credit-card companies
  • roaming service providers (wireless LAN aggregators)
  • cellular network operators

Slide 13: Single sign-on confederation model
  • Our architecture is independent of the authentication methods of the service providers
  • It allows users to choose their preferred identity provider and authentication scheme
  • We considered two industry-standard SSO authentication standards: RADIUS (Remote Authentication Dial In User Service) and the Liberty Architecture

Slide 14: Single sign-on confederation model: RADIUS (Remote Authentication Dial In User Service)

Slide 15: Single sign-on confederation model: Liberty Architecture


Slide 17: Authentication Flow Adaptation Framework
  • Designed an architecture that can accommodate alternative authentication methods
  • Traditional system (weakness)
  • Advantage of our design: not all providers need to support the same authentication scheme

Slide 18: Authentication Flow Adaptation Framework
  Our design: the framework
  • allows each provider to support more than one authentication scheme, permitting it to communicate with a larger number of providers
  • when a WLAN service provider supports multiple authentication schemes, lets users select the method they prefer
  • lets a user select a scheme depending on their level of trust in the service provider

Slide 19: Authentication Flow Adaptation Framework: Server Authentication Capabilities
  • Server requirements determine the level of trust
  • Charging schemes (payment method, price, period, etc.)

Slide 20: Authentication Flow Adaptation Framework: Authentication Flow Adaptation Sequence

Slide 21: Authentication Flow Adaptation Framework: Architecture Model

Slide 22: Authentication Flow Adaptation Framework
  • There can be more than one authentication server at the service provider, each corresponding to a different authentication technology.
  • Two main flow sequences are possible:
    • the client does not have the authentication negotiation client installed
    • the user's terminal has an authentication negotiation client

Slide 23: Authentication Flow Adaptation Framework: Authentication Negotiation Protocol
  • A new XML web-based protocol: the Authentication Negotiation Protocol

Slide 24: Authentication Flow Adaptation Framework

Slide 25: Authentication Flow Adaptation Framework: Authentication Negotiation Protocol
  • We used a protocol close to the OASIS SAML protocol, which is an XML-based framework for exchanging security information.
  • SAML defines particular queries and statements for specific kinds of information to be exchanged; these are encapsulated inside general SAML request and response structures.
  • In our protocol we avoid some of the security overhead of SAML messaging that is not needed in our setting (example).

Slide 26: Authentication Flow Adaptation Framework
  The queries and statements defined by the Authentication Negotiation Protocol are the following:
  • Authentication Capabilities Query
  • Authentication Capabilities Statement
  • Authentication Query

Slide 27: Authentication Flow Adaptation Framework: Client Graphical User Interface


Slide 29: Policy Engine
  • The purpose of the policy engine
  • The advantages

Slide 30: Policy Engine: Component Blocks
  The policy check component:
  • Root component
  • Secure component
  • Specific component
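The negotiation messages listed on slide 26 (Authentication Capabilities Query, Authentication Capabilities Statement, Authentication Query) and the client-side policy check described on this slide can be illustrated together in one exchange. The Python below is an added example, not code from the paper or from the presentation: the XML element and attribute names, the policy fields, the per-day price normalisation and the sample capabilities statement are all assumptions made for the illustration. The client asks what the provider offers, parses the answer, filters the offered methods through the user's policy (trusted identity providers, encryption requirement, spending limit), and only then builds the Authentication Query; when nothing passes the policy it returns None instead of falling back to an unvetted method.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a server's Authentication Capabilities Statement.
# The element/attribute names are an assumed schema for this example,
# not the message format defined by the paper's protocol.
SAMPLE_CAPABILITIES_STATEMENT = """\
<AuthCapabilitiesStatement provider="hotspot.example">
  <Method id="8021x-eap-tls" layer="2" encrypted="true"
          idp="isp.example" price="0.10" period="minute"/>
  <Method id="web-password" layer="web" encrypted="false"
          idp="aggregator.example" price="5.00" period="day"/>
  <Method id="web-creditcard" layer="web" encrypted="true"
          idp="card.example" price="8.00" period="day"/>
</AuthCapabilitiesStatement>
"""

# Charging periods the client understands, as units per day, so prices quoted
# per minute, hour or day can be compared against a single daily limit.
PERIODS_PER_DAY = {"minute": 1440, "hour": 24, "day": 1}


@dataclass(frozen=True)
class Method:
    method_id: str
    layer: str            # "2" = link-layer (802.1X/EAP), "web" = web-based login
    encrypted: bool       # whether the method protects the session from eavesdropping
    idp: str              # identity provider that vouches for the user
    price_per_day: float  # charging scheme normalised to one day


@dataclass(frozen=True)
class UserPolicy:
    trusted_idps: frozenset   # identity providers the user has an account with and trusts
    require_encryption: bool  # refuse methods that leave the session eavesdroppable
    max_price_per_day: float  # spending limit per day


def build_capabilities_query(client_id: str) -> str:
    """Client -> server: ask which authentication methods the provider offers."""
    root = ET.Element("AuthCapabilitiesQuery", client=client_id)
    return ET.tostring(root, encoding="unicode")


def parse_capabilities_statement(xml_text: str) -> List[Method]:
    """Server -> client: parse the advertised methods. Unknown charging periods
    are rejected rather than guessed, so a malformed offer cannot slip past the
    price check. (Use defusedxml for input arriving from an untrusted network.)"""
    root = ET.fromstring(xml_text)
    if root.tag != "AuthCapabilitiesStatement":
        raise ValueError("unexpected root element: %s" % root.tag)
    methods = []
    for elem in root.findall("Method"):
        period = elem.get("period", "")
        if period not in PERIODS_PER_DAY:
            raise ValueError("unknown charging period: %r" % period)
        methods.append(Method(
            method_id=elem.get("id", ""),
            layer=elem.get("layer", ""),
            encrypted=elem.get("encrypted", "false").lower() == "true",
            idp=elem.get("idp", ""),
            price_per_day=float(elem.get("price", "0")) * PERIODS_PER_DAY[period],
        ))
    return methods


def policy_check(methods: List[Method], policy: UserPolicy) -> List[Method]:
    """Policy engine: keep only the methods the user's policy permits."""
    return [m for m in methods
            if m.idp in policy.trusted_idps
            and (m.encrypted or not policy.require_encryption)
            and m.price_per_day <= policy.max_price_per_day]


def choose_method(methods: List[Method], policy: UserPolicy) -> Optional[Method]:
    """Pick the preferred acceptable method: link-layer first, then cheapest.
    Returns None when nothing satisfies the policy; the client then declines
    rather than falling back to a method the policy did not approve."""
    acceptable = policy_check(methods, policy)
    if not acceptable:
        return None
    return min(acceptable, key=lambda m: (m.layer != "2", m.price_per_day))


def build_authentication_query(method: Method, user_id: str) -> str:
    """Client -> server: request authentication via the chosen method and IdP."""
    root = ET.Element("AuthQuery", method=method.method_id,
                      idp=method.idp, user=user_id)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(build_capabilities_query("client-01"))
    offered = parse_capabilities_statement(SAMPLE_CAPABILITIES_STATEMENT)
    policy = UserPolicy(frozenset({"isp.example", "card.example"}), True, 200.0)
    chosen = choose_method(offered, policy)
    print(chosen.method_id if chosen else "no acceptable method")
    if chosen:
        print(build_authentication_query(chosen, "alice"))
```

With the sample statement and a policy that trusts the ISP and card IdPs and insists on encryption, the link-layer EAP-TLS offer wins; lower the daily limit below its normalised cost and the credit-card web login is chosen instead; a policy that trusts only the aggregator gets nothing because its only method is unencrypted.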


Slide 32: Securing Web-Based Authentication and Access Control
  • Security threats in web-based authentication
  • Compound Layer 2 and Web authentication
  • System security analysis

Slide 33: Securing Web-Based Authentication and Access Control: Security Threats in Web-based Authentication
  • Spoofing of IP or MAC address
  • Eavesdropping
  • Message alteration
  • Denial-of-service attack

Slide 34: Securing Web-Based Authentication and Access Control: Compound Layer 2 and Web Authentication

Slide 35: Securing Web-Based Authentication and Access Control: System Security Analysis
  • Theft of service
  • Eavesdropping / message alteration
  • Denial-of-service


Slide 37: Conclusion. Questions?


Slide 39: References
  [1] HotSpotList.com, http://www.hotspotlist.com/
  [2] IETF, RFC 2865, "Remote Authentication Dial In User Service (RADIUS)", June 2000.
  [3] Liberty Alliance Project, "Liberty ID-FF Architecture Overview", Version 1.2, November 2003.
  [4] Wi-Fi Alliance, "Best Current Practices for Wireless Internet Service Provider (WISP) Roaming", ver. 1.0, 2003.
  [5] S. Hada and M. Kudo, "Access Control Model with Provisional Actions", IEICE Trans. Fundamentals, Vol. E84-A, No. 1, Jan. 2001.
  [6] OASIS, "eXtensible Access Control Markup Language (XACML)", Version 1.0, February 2003.
  [7] IEEE Std 802.1X-2001, "Port-Based Network Access Control", June 2001.
  [8] IEEE Std 802.11i/D7.0, "Medium Access Control (MAC) Security Enhancements", October 2003.
  [9] IETF, RFC 2716, "PPP EAP TLS Authentication Protocol", Oct. 1999.

Slide 40: References
  [10] Internet-Draft, "EAP Tunneled TLS Authentication Protocol", draft-ietf-pppext-eap-ttls-03.txt, work in progress.
  [11] IETF, RFC 2402, "IP Authentication Header", Nov.
  [12] D. Jablon, "Strong Password-Only Authenticated Key Exchange", Computer Communication Review, Vol. 26, 1996.
  [13]
  [14] V. Bahl, A. Balachandran, S. Venkatachary, "The CHOICE Network: Broadband Wireless Internet Access in Public Places", Microsoft Technical Report, MSR-TR, Feb.
  [15] OASIS, "Assertions and Protocol for the OASIS Security Assertion Markup Language (SAML)", Committee Specification 01, May 2002.

Slide 41: References
  [16] http://www.open1x.org/
  [17] N. Cam-Winget, R. Housley, D. Wagner, J. Walker, "Security flaws in data link protocols", Communications of the ACM, 46(5), May 2003, pp.
  [18] J. Bellardo and S. Savage, "Denial-of-Service Attacks: Real Vulnerabilities and Practical Solutions", Proceedings of the USENIX Security Symposium, August 2003.
  [19] IETF, RFC 2759, "Microsoft PPP CHAP Extensions, Version 2", Jan.

