
Slide 1: UNIVERSITY OF SOUTH CAROLINA, Department of Computer Science and Engineering
Secure Authentication System for Public WLAN Roaming
Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy H. Katz
Presented by Dustin Christmann, April 20, 2009

Slide 2: Outline
Introduction
Current Approaches
Single Sign-On Confederation Model
Authentication Flow Adaptation Framework
Policy Engine
Securing Web-Based Authentication
Evaluation
Conclusion

Slide 3: Introduction
WLAN hotspots are becoming ubiquitous
Most WLAN hotspot providers are small and cannot provide enough coverage
Needed: an inter-network WLAN roaming infrastructure

Slide 4: Introduction
Similar problem to cellular roaming
Main differences:
–Cellular equipment contains identification tied to the provider
  GSM/UMTS (AT&T and T-Mobile): contained in the SIM card
  CDMA (Sprint, Verizon, Alltel): contained in the phone firmware
–Both GSM/UMTS and CDMA protocols include inter-system authentication protocols

Slide 5: Current Approaches
Link layer authentication
IEEE 802.1X standard
Shared session key between user and network
Provides for encryption of packets, as well as authentication
Certificate-based
Not suitable for most public WLAN networks

Slide 6: A brief aside about 802.1X
Port-based authentication
Three parts:
–Supplicant: wireless user
–Authenticator: base station
–Authentication server
Extensible Authentication Protocol (EAP)
Implemented in the 802.11i standard

Slide 7: 802.1X Architecture

Slide 8: RADIUS

Slide 9: Liberty

Slide 10: Extensible Authentication Protocol
Not an authentication mechanism, but a framework
Provides common functions and mechanism negotiation
Mechanisms are called "methods" in EAP
Around 40 methods defined in various RFCs

Slide 11: So what's 802.11i?
Amendment to 802.11
Specifies security mechanisms for 802.11 networks
Ratified in 2004
Addresses the weaknesses of Wired Equivalent Privacy (WEP)
Wi-Fi Protected Access (WPA): a subset of 802.11i
WPA2: the full implementation
WEP and WPA use RC4; WPA2 uses AES

Slide 12: 802.11i Four-Way Handshake

Slide 13: Current Approaches
Web-based authentication and network layer access control
Based on IP packet filtering
Web server acts as a RADIUS client
Prone to theft of service by MAC spoofing
Microsoft CHOICE network

Slide 14: Single Sign-On Confederation Model
Users are authenticated by trusted identity providers
Service providers can have roaming agreements with one or several identity providers

Slide 15: Single Sign-On Confederation Model
Assumptions:
–The user terminal can validate the certificates of the service provider's and identity provider's authentication servers.
–There are static trust relationships between the user and the identity provider, and between the service provider and the identity provider.
–The user can authenticate the service provider's authentication server via the identity provider's authentication server, and vice versa.

Slide 16: Roaming Model

Slide 17: Authentication Negotiation Protocol
Need:
–A way for service providers to communicate their authentication capabilities
–A way for users to select an identity provider
Solution: Authentication Negotiation Protocol (ANP)
–XML web-based protocol
–Web browser not needed
–Thin client

Slide 18: Authentication Flow Adaptation Sequence

Slide 19: Authentication Flow Adaptation Architecture

Slide 20: ANP Example
Authentication Capabilities Statement (includes timestamp)
–Service Provider: Name, Confirmation Method, Key
–Identity Provider Group: List of identity providers, Charging information, Authentication methods
  Charging Option: Interval, Unit price, Time Unit
  Authentication Methods: User info, Password
–Service: Service ID, Service description, User info

Slide 21: Policy Engine
Selects the appropriate SSO scheme
Minimizes user intervention in the sign-on process
Protects user authentication information
Not strictly necessary, but very helpful

Slide 22: Policy Engine
Example in paper:
–Independent module
–Takes an XML file as input
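As an added example (not the paper's or the presenter's code), here is a toy policy engine of the kind slides 20 and 22 describe: it parses an ANP Authentication Capabilities Statement and picks an identity provider without user intervention. The XML element and attribute names, the user's trusted-IdP list and the five-minute freshness window are assumptions, and the statement itself is constructed; the paper's real ANP schema is not shown on the slides.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample statement. Element and attribute names are assumptions made
# for this example; the paper's ANP schema is not shown on the slides.
STATEMENT = """<AuthCapabilities timestamp="2009-04-20T12:00:00+00:00">
  <ServiceProvider name="hotspot.example" confirmationMethod="X509"/>
  <IdentityProviderGroup>
    <IdentityProvider name="idp-a.example" method="Liberty">
      <Charging interval="60" unitPrice="0.10" unit="USD"/>
    </IdentityProvider>
    <IdentityProvider name="idp-b.example" method="RADIUS">
      <Charging interval="60" unitPrice="0.05" unit="USD"/>
    </IdentityProvider>
    <IdentityProvider name="unknown.example" method="RADIUS">
      <Charging interval="60" unitPrice="0.01" unit="USD"/>
    </IdentityProvider>
  </IdentityProviderGroup>
</AuthCapabilities>"""

TRUSTED_IDPS = {"idp-a.example", "idp-b.example"}  # user's static trust relationships (assumed)
MAX_AGE = timedelta(minutes=5)                       # freshness window for the timestamp (assumed)
NOW = datetime(2009, 4, 20, 12, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=1)                     # a clock reading at which the statement is stale

def select_identity_provider(xml_text, trusted_idps, now):
    """Pick the cheapest offer from an IdP the user already trusts.

    Returns a dict describing the choice, None if no trusted IdP is offered,
    and raises ValueError if the statement's timestamp is stale or in the
    future (a replayed statement must not drive the selection)."""
    root = ET.fromstring(xml_text)
    issued = datetime.fromisoformat(root.get("timestamp"))
    if not timedelta(0) <= now - issued <= MAX_AGE:
        raise ValueError("capabilities statement is stale or future-dated")
    sp = root.find("ServiceProvider").get("name")
    best = None
    for idp in root.iter("IdentityProvider"):
        name = idp.get("name")
        if name not in trusted_idps:        # credentials go only to trusted IdPs
            continue
        price = float(idp.find("Charging").get("unitPrice"))
        if best is None or price < best["unit_price"]:
            best = {"service_provider": sp, "identity_provider": name,
                    "method": idp.get("method"), "unit_price": price}
    return best

if __name__ == "__main__":
    print(select_identity_provider(STATEMENT, TRUSTED_IDPS, NOW))
```

The cheapest offer on the wire (unknown.example) is skipped because the user has no trust relationship with it, so idp-b.example wins; the same statement presented an hour later is rejected outright.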

Slide 23: Securing Web-Based Authentication
Current web-based authentication approaches are vulnerable to:
–Theft of service via spoofing
–Eavesdropping
–Message alteration
–Denial of service

Slide 24: Securing Web-Based Authentication
Problem: neither layer 2 authentication nor web-based authentication is ideal:
–IEEE 802.1X authentication is more secure, but requires a preshared secret
–Web-based authentication is more suitable for one-time use, but insecure

Slide 25: Securing Web-Based Authentication
Solution: a hybrid approach
–Initial link establishment via 802.1X guest authentication
–Web-based authentication after that

Slide 26: Evaluation

Slide 27: Authentication client latency

                                           Proxy-based (RADIUS)   Redirect-based (Liberty)
                                           Local      Remote      Local      Remote
Web authentication                         0.295      0.296       0.276      1.545
Policy engine                              0.255      0.255       0.255      0.255
Authentication Capabilities Announcement   0.250      0.250       0.250      0.250
Link layer (802.1X) authentication         0.124      0.124       0.124      0.124
Total                                      0.924      0.925       0.905      2.174

Slide 28: Web-based Authentication Latency

                                           Proxy-based (RADIUS)   Redirect-based (Liberty)
                                           Local      Remote      Local      Remote
Web authentication                         0.091      0.102       0.088      1.364
Firewall redirection                       0.086      0.086       0.086      0.086
Link layer (802.1X) authentication         0.124      0.124       0.124      0.124
Total                                      0.301      0.312       0.298      1.574

Slide 29: Conclusions
This paper should have been three papers with more detail in each:
–Single sign-on authentication
–Policy engine
–Web-based authentication
Good way of enabling WLAN roaming by decoupling identity management from the service provider

