
A Roaming Authentication Solution for Wifi using IPSec VPNs with client certificates Carlos Ribeiro Fernando Silva




Slide 1: A Roaming Authentication Solution for Wifi using IPSec VPNs with client certificates
Carlos Ribeiro (Carlos.Ribeiro@tagus.ist.utl.pt), Fernando Silva (Fernando.Silva@ist.utl.pt), André Zúquete (avz@det.ua.pt)

Slide 2: Goals
TNC2004, Carlos Ribeiro, Fernando Silva, André Zúquete

- Primary goal:
  - to provide user authentication, data encryption and automatic roaming on wifi networks;
  - e-U initiative.
- The solution should be:
  - deliverable on most computers and wifi access points (APs);
  - simple to deploy;
  - simple to use by clients;
  - scalable to many users and networks.

Slide 3: Overview of the solution

- Virtual Private Networks (VPNs) provide:
  - data encryption;
  - peer and data authentication.
- IPSec VPNs are:
  - standard;
  - well-tested;
  - available on most platforms.
- Authentication with client (hereafter supplicant) certificates:
  - authentication servers are able to check certificates issued by other institutions.

Slide 4: Architecture (diagram only; no text recoverable)

Slide 5: Supplicant certificates

- Often avoided due to the complexity of Public Key Infrastructures (PKIs).
- To avoid PKIs, supplicant certificates:
  - cannot be used for irrevocable identification (signing);
  - must have a short/medium validity period.
- Instead of a PKI, supplicant credentials are:
  - distributed by an HTTPS server;
  - kept in a directory server (LDAP, SQL, AD).

Slide 6: Supplicant credentials

- Credentials are generated and kept in the directory server.
  - Credentials = private key, supplicant certificate and other certificates.
  - Supplicants do not need to generate the credentials themselves.
  - Credentials can be supplied more than once to end users.
- Certificates have short validity periods:
  - Certificate Revocation Lists are not necessary.

Slide 7: Roaming

- Each institution acts as a certification entity for its users:
  - it has a private key and a self-signed certificate;
  - it generates private keys and certificates for its users;
  - there is no need for a central certification entity.
- Roaming agreements can be put in place incrementally:
  - without modifying or reissuing local certificates;
  - bilateral agreements;
  - multilateral, hierarchical agreements.
- Local certificates issued before the roaming agreement become valid roaming certificates transparently.

Slide 8: Local authentication

[Diagram: the Institution A supplicant, holding its InstA supplicant private key and InstA supplicant certificate, sends the certificate to the Institution A gateway; the gateway verifies the certificate and extracts the supplicant public key (supplicant authentication). The gateway, holding its gateway private key and InstA gateway certificate, likewise sends its certificate (gateway authentication), and the two sides establish a session key.]

Slide 9: Roaming authentication

[Diagram: the InstA supplicant, holding its InstA supplicant private key and certificate, sends the certificate to the InstB gateway; the gateway verifies the certificate and extracts the supplicant public key (supplicant authentication). Certificate verification follows either bilateral or multilateral/hierarchical agreements.]

The only difference between local and roaming authentication is in the certificate verification phase.

Slide 10: Roaming certificate verification

[Diagram, bilateral agreements: certificates in the InstA supplicant: InstA supplicant, InstA, InstB; certificates in the InstB gateway: InstB gateway, InstA, InstB.]

Slide 11: Roaming verification of signature

- Each institution signs T's public key.
- T signs every institution's public key.
- The chains may have more levels, reproducing a multi-hierarchical structure:
  - e.g. regional, national, international.

[Diagram, multilateral (hierarchical) agreements: certificates in the InstA supplicant: InstA supplicant, InstA, InstT; certificates in the InstB gateway: InstB gateway, InstB, InstT; InstT holds its own certificate and the InstT-signed certificates of InstA, InstB and InstX.]
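The verification phase of slides 10 and 11 replayed at InstB's gateway with OpenSSL, as an added example rather than the authors' software; institution names, file names and the 30-day supplicant validity (the no-CRL argument of slide 6) are constructed here.

```shell
#!/bin/sh
# Added example, not the authors' software: the certificate verification phase of slides 10
# and 11 replayed at InstB's gateway with OpenSSL. Institution names, file names and the
# 30-day validity period are constructed for the demonstration.
set -eu
cd "$(mktemp -d)"

# Each institution is its own certification entity (slide 7): a key and a self-signed certificate.
entity() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 3650 \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}
# issue ISSUER SUBJECT KEYFILE DAYS CA OUT: ISSUER signs SUBJECT's public key for DAYS days.
issue() {
  openssl req -new -key "$3" -subj "/CN=$2" -out "$6.csr" 2>/dev/null
  printf 'basicConstraints=CA:%s\n' "$5" > "$6.ext"
  openssl x509 -req -in "$6.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial -days "$4" \
    -extfile "$6.ext" -out "$6" 2>/dev/null
}
# The gateway's check is offline: only its own store plus whatever the supplicant sent.
gateway_verify() { openssl verify "$@" >/dev/null 2>&1; }

entity InstA; entity InstB; entity InstT
# InstA generates alice's key and short-lived certificate for her (slide 6): no CRL is needed.
openssl ecparam -genkey -name prime256v1 -noout -out alice.key
issue InstA alice alice.key 30 FALSE alice.crt
# Bilateral (slide 10): InstB's gateway also holds InstA's self-signed certificate.
cat InstB.crt InstA.crt > trust_bilateral.pem
verify_bilateral() { gateway_verify -CAfile trust_bilateral.pem alice.crt; }
# Multilateral (slide 11): T signs InstA's public key, the gateway holds only T's certificate,
# and alice sends the InstT->InstA certificate along with her own, which is not reissued.
issue InstT InstA InstA.key 365 TRUE InstT_InstA.crt
cat InstB.crt InstT.crt > trust_hub.pem
verify_multilateral() { gateway_verify -CAfile trust_hub.pem -untrusted InstT_InstA.crt alice.crt; }
# Without the cross-certificate the chain ends at an entity the gateway does not hold.
verify_without_cross() { gateway_verify -CAfile trust_hub.pem alice.crt; }
# Forty days later alice's 30-day certificate is rejected with no revocation lookup at all.
verify_expired() { gateway_verify -attime "$(( $(date +%s) + 40 * 86400 ))" -CAfile trust_bilateral.pem alice.crt; }

for check in verify_bilateral verify_multilateral verify_without_cross verify_expired; do
  if "$check"; then echo "$check: accepted"; else echo "$check: rejected"; fi
done
```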

Slide 12: Additional features

- Visitors not included in roaming agreements:
  - can easily be provided with temporary certificates;
  - temporary certificate management can easily be delegated to some class of users (e.g. professors).
- Authentication is transparent:
  - even after long periods of disconnection there is no need for an explicit authentication.

Slide 13: Discussion

- Stability and longevity:
  - IPSec is a mature standard, which ensures stability for the present and longevity.
- Ubiquity:
  - the proposed solution does not depend on special authentication features of the host APs;
  - using only mandatory IPSec features promotes maximum compatibility. Currently: Windows 2000, Windows XP, Linux, MacOS X.
- Roaming:
  - lightweight roaming infrastructure;
  - certificate chains do not need to be checked online;
  - the solution does not require a full-featured PKI.
- Other features:
  - the authentication process is fast and transparent;
  - offers a simple method to allow limited-time access to foreign visitors.
- The current implementation is completely free.




