Presentation is loading. Please wait.

Presentation is loading. Please wait.

A Proposal for Next Generation Cellular Network Authentication and Authorization Architecture James Kempf Research Fellow DoCoMo USA Labs

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "A Proposal for Next Generation Cellular Network Authentication and Authorization Architecture James Kempf Research Fellow DoCoMo USA Labs"— Presentation transcript:

1 A Proposal for Next Generation Cellular Network Authentication and Authorization Architecture James Kempf Research Fellow DoCoMo USA Labs kempf@docomolabs-usa.com DIMACS, November 4, 2004

2 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/20152 Outline Existing solutions for auth/authz and their problems –Pre-IP L2.5 –Universal Access Method (UAM) SEND and PANA A Different Way - Hyperoperator Obstacles to Acceptance Summary

3 Existing solutions for auth/authz and their problems

4 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/20154 Pre-IP Layer 2.5 Terminal and network authenticate each other prior to establishing IP service Typically thru a Layer 2.5 flow between the terminal and a network access server –PPP for some cellular protocols –Proprietary for others –802.1x EAPOL for 802.11 Network access server routes auth request back into the home network via local AAA server –Radius or Diameter across the Internet Home network AAA server authenticates Authorization for network access from home network AAA server to local AAA server –If a terminal is authenticated, then it is authorized for IP service –If the network/base station is authenticated, then it is authorized to take the terminal’s traffic

5 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/20155 Example: 802.1x Border Router AR AP/NAS Access Network Mobile Terminal Internet AAA-H AAA-F EAP + EAPoL + 802.11/3 EAP+ Radius + IP PMK pushed to AP

6 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/20156 802.1x Terminal to Access Network Detail 802.1X/EAP-Request Identity 802.1X/EAP-Response Identity (EAP type specific) RADIUS Access Request/Identity EAP type specific mutual authentication (e.g. TLS) 802.1X/EAP-SUCCESS AP STA 802.1X RADIUS AP 802.1X blocks port for data traffic STA 802.1X blocks port for data traffic AS Derive Pairwise Master Key (PMK) RADIUS Accept + PMK

7 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/20157 Problems Handover requires lengthy PMK rekeying, delaying handover Implicit authorization model for network access is difficult to extend to other services –Example: multicast Authenticated and authorized terminals that are compromised or otherwise decide to behave badly

8 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/20158 Universal Access Method Terminal establishes restricted IP access –Can’t route to the Internet –Only HTTP HTTP GET redirected to Public Access Control (PAC) Gateway –PAC pushes login page to terminal User types in login/password for account access or credit card number for one time access PAC routes auth request back into the home network via local AAA server or credit card auth/authz to credit card provider –Radius or Diameter across the Internet for AAA –Ecommerce protocol (SET, Mondex, secure channel card payment, GeldKarte, etc.) for credit card. Home network AAA server authenticates or credit card provider authorizes Authorization for network access from home network AAA server to local AAA server –If a terminal is authenticated, then it is authorized for IP service –If the network/base station is authenticated, then it is authorized to take the terminal’s traffic

9 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/20159 UAM Architecture Border Router AR AP Access Network Mobile Terminal Internet AAA-H AAA-F HTTP + SSL + IP Radius + IP PAC Secure Credit Card Auth/Authz

10 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201510 UAM Terminal to Access Network Detail HTTP GET + User URL Redirect Login URL HTTP POST credentials RADIUS Accept + UAM AVPs* Redirect User URL User types in account login/password or credit card number PAC STA UAM RADIUS PAC blocks Internet access AS RADIUS Access Request/Identity + UAM AVPs* * Credit card auth/authz protocol if used User URL Displayed

11 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201511 Problems If the user isn’t using HTML or the device isn’t capable of Web browsing, the procedure fails Piecewise, asymmetric security with many opportunities for compromise –Network authenticates user through user name/password or credit card number –Terminal authenticates network through SSL –RADIUS security depends on VPN or other No support for handover at all For other services: –For AAA, implicit authorization model for network access is difficult to extend to other services, –For credit card, authorization for other services requires user to type in credit card information again Authenticated and authorized terminals that are compromised or otherwise decide to behave badly

12 SEND and PANA

13 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201513 SEcure Neighbor Discovery (SEND) Recently standardized addition to IPv6 Neighbor Discovery (RFC 2461) for securing: –Local link address resolution –Router discovery –No RFC number yet Prevents a fully authenticated and authorized terminal from behaving badly for a limited set of actions –DoSing nodes on the same link –MiM attacks by spoofing access router Local link address resolution secured by using cryptographically generated addresses –Ties the IP address to the node’s public key –Together with a signature, establishes the node’s authorization to claim the address Router discovery secured by certified public keys on the router, together with certificates –Node checks router certificate against a certification path for which the node has a certificate for trust anchor –Router’s certified public key used to check signature on Router Advertisements

14 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201514 AR AP Mobile Terminal SEND Details – Obtaining Router Certificate Certification Path Solicitation + Names of Trust Anchors Certification Path Advertisement + Certification Paths to Trust Anchor Router’s Certified Pubic Key

15 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201515 AR AP Mobile Terminal SEND Details – Secure Router Discovery Router Solicitation Router Advertisement + Signature Validate Signature

16 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201516 SEND Details – Secure Link Address Resolution AR AP Mobile Terminal Terminal’s RSA Key Subnet Prefix Hash! Cryptographically Generated IPv6 Address Neighbor Solicitation for CGA + Signature Internet Traffic

17 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201517 Network Access Authentication and SEND SEND solves half the problem –Allows the terminal to authenticate the network Adding a certificate on the terminal would allow the network to authenticate the terminal –But no way to check terminal’s authorization nor provide accounting so network service can be billed SEND WG discussed using a terminal certificate for address resolution security but issue was dropped –Want to see whether any market acceptance for SEND first Authentication of terminal using certificate provided by home network would provide a lighter weight alternative to AAA flows –No need to do AAA on handover, just check certificate Or an authorization token issued by the access network after authentication and authorization are complete

18 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201518 Protocol carrying Authentication for Network Access (PANA) PANA is an IP level encapsulation for Extensible Authentication Protocol (EAP) Provides authentication transport if no Layer 2.5 transport is available. PANA framework contains a network access enforcement point to limit types of traffic until terminal is authenticated. –Router solicitation/advertisement –Address autoconfiguration –DHCP –PANA Enforcement point may also provide cryptographic protection for traffic if unavailable from link layer –IKE/IPsec Replaces use of HTML in UAM

19 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201519 PANA Protocol – Host to Network Border Router AR AP Access Network Mobile Terminal Internet AAA-H AAA-F PAC Radius/Diameter + IP Radius/Diameter +EAP + IP EC PANA + EAP + IP

20 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201520 PANA Protocol – Network to Host Border Router AR AP Access Network Mobile Terminal Internet AAA-H AAA-F PAC Radius/Diameter + IP Radius/Diameter +EAP + IP EC SNMP PANA + EAP + IP

21 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201521 Controversy over PANA Arguments against PANA –Layer 2 protocols all have their own ways of doing authentication –Terminal should authenticate before obtaining an IP address –PANA is architecturally wrong –... PANA is really a replacement for UAM –UAM is really architecturally wrong Forces the terminal to support HTTP HTTP is really the wrong stack layer for network access authentication signaling –Widespread deployment of UAM indicates market interest in using IP as network access authentication transport Primary issue: PANA only solves a very small part of the problem –If the link layer is not secure, then IKE/IPsec must be used for confidentiality on the link Too heavy weight –Many of the problems surrounding other authentication methods remain

22 Different Way - Hyperoperator

23 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201523 The Problem Infrastructure deployment costs for a managed microcellular network like 802.11 are really high Nobody has managed to make a viable business out of subscription based hot-spots Well, maybe T-Mobile, but... Best business model seems to be a managed network model –802.11 provider sells network management service to hotels, convention centers, etc. For B3G or 4G, deployment, infrastructure, and network management costs of standard cellular business model might be steep to unaffordable –Low end distruptors based on cheap, unmanaged spectrum devices with macrocellular characteristics are a threat Private individuals and small businesses with 802.11 really don’t want the hassles of managing security in a wireless network –And some people who might want 802.11 always on might not want to pay for it until they really use it

24 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201524 The Goal Multiple federated, independent, small access networks –Maybe your neighbor, maybe you They contract with an operator to provide wireless service in exchange for discount on their network access or payment –Like solar power in California – PG&E doesn’t pay you but you sell them power during the day/summer and buy back at night/winter –Or maybe like solar power in Germany where the power company pays you for power you generate Operator provides them with: – Security and management software and expertise to make their network more secure than if they had to manage it themselves –Software for user service provisioning, charging and accounting so the operator’s users are properly charged –Software to regulate usage of the federated network so that the owner is guaranteed some percentage of the bandwidth →We call this model Hyperoperator

25 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201525 HyperOperator AP Hyperoperator kempf-and-associates AR wakerley-house AR AP Foxborough Drive Mountain View

26 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201526 Two Possibly Useful Components Mobile Firewall Authorization Certificates

27 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201527 Mobile Firewall Previous work –SEND handles some threats on the last hop –IETF 56 DefCon BOF Discussed protocol for distributed firewall but no agreement on forming a WG Firewall on the access router protects network from virus and worm traffic originating on a fully authenticated and authorized host Firewall detects mal-traffic, cuts off host’s network service Other uses –Bandwidth control –Differential service provisioning

28 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201528 Mobile Firewall Details AR Mobile Firewall Mobile Terminal Compromised host starts spewing mal- traffic Real time traffic analysis identifies threat X Virus traffic is blocked G. Fu, D. Funato, J. Wood, and T. Kawahara, "Mobile Firewall", The Fifth International Conference on Mobile and Wireless Communications Networks (MWCN 2003), Singapore, October 2003.

29 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201529 Authorization Certificates Home network provides terminal with proof of authorization for a service Terminal presents proof of authorization to foreign network for initial access Access network grants terminal a token for handover Terminal presents token on each handover (including between federated operators)

30 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201530 Authorization Certificate/Microcredits Example Border Router AP Access Network Mobile Terminal Hyperopertor Home Accounting Server Send Authorization Certificate Foreign Accounting Server 10 Send Access Token 10 Send Access Token Radius Flow (ugh! Do we really need this?)

31 Obstacles to Acceptance * *Or why this idea might not get traction

32 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201532 Research Problems Risk analysis of how much the operator stands to lose if the federated system cheats

33 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201533 Business Problem THE issue! This is a disruptive business model –Either low end if the customers are overserved by 3G network –Or nonconsumption if the customers are people who are not using existing 3G networks or are not using them for particular jobs The cellular providers can’t disrupt themselves –Unless they establish a separate business unit

34 Summary

35 Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf6/2/201535 Summary Reviewed existing methods of doing wireless auth/authz –Pre-IP Layer 2.5 –UAM Discussed problems with existing technologies Reviewed two new IETF protocols that may provide some benefit –SEND mitigates some threats on the local link, could be expanded to include network access authentication –PANA removes HTTP hack in UAM Described a more radical proposal – hyperoperator –Federated model of many small operators, with privately owned access points –Mobile firewall between host and the network to control traffic from compromised hosts –Authentication certificates and access tokens for authorization and accounting Discussed problems in –Existing infrastructural and intellectual investment in traditional AAA

36 Questions?

Download ppt "A Proposal for Next Generation Cellular Network Authentication and Authorization Architecture James Kempf Research Fellow DoCoMo USA Labs"

Similar presentations

Rocket Software, Inc. Confidential James Storey General Manager, OSS Unit Rocket Software APNOMS 2003: Managing Pervasive Computing and Ubiquitous Communications.

Rocket Software, Inc. Confidential James Storey General Manager, OSS Unit Rocket Software APNOMS 2003: Managing Pervasive Computing and Ubiquitous Communications.
Internet Protocol Security (IP Sec)

Internet Protocol Security (IP Sec)
URP Usage Scenarios for NAS Yoshihiro Ohba August 2001 Toshiba America Research, Inc.

URP Usage Scenarios for NAS Yoshihiro Ohba August 2001 Toshiba America Research, Inc.
1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.

1 © 2005 Cisco Systems, Inc. All rights reserved. CONFIDENTIAL AND PROPRIETARY INFORMATION Cisco Wireless Strategy Extending and Securing the Network Bill.
Packet Based Multimedia Communication Systems H.323 & Voice Over IP Outline 1. H.323 Components 2. H.323 Zone 3. Protocols specified by H.323 4. Terminal.

Packet Based Multimedia Communication Systems H.323 & Voice Over IP Outline 1. H.323 Components 2. H.323 Zone 3. Protocols specified by H Terminal.
Page 1 / 14 The Mesh Comparison PLANET’s Layer 3 MAP products v.s. 3 rd ’s Layer 2 Mesh.

Page 1 / 14 The Mesh Comparison PLANET’s Layer 3 MAP products v.s. 3 rd ’s Layer 2 Mesh.
IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.

IPv6 Multihoming Support in the Mobile Internet Presented by Paul Swenson CMSC 681, Fall 2007 Article by M. Bagnulo et. al. and published in the October.
Omniran-13-0040-00-0000 1 3GPP Trusted WLAN Access to EPC Use Case Analysis Date: 2013-05-15 Authors: NameAffiliationPhoneEmail Max RiegelNSN+49 173 293.

Omniran GPP Trusted WLAN Access to EPC Use Case Analysis Date: Authors: NameAffiliationPhone Max RiegelNSN
Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.

Key Provisioning Use Cases and Requirements 67 th IETF KeyProv BOF – San Diego Mingliang Pei 11/09/2006.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
CAPWAP BOF Control And Provisioning of Wireless Access Points James Kempf DoCoMo Labs USA Dorothy Stanley Agere Systems WAP!

CAPWAP BOF Control And Provisioning of Wireless Access Points James Kempf DoCoMo Labs USA Dorothy Stanley Agere Systems WAP!
Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.

Overview of the Mobile IPv6 Bootstrapping Problem James Kempf DoCoMo Labs USA Thursday March 10, 2005.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.

1 Role of Authorization in Wireless Network Security Pasi Eronen Jari Arkko November 3, 2004 This document has been produced partially in the context of.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Doc.: Submission, Slide 1 Project: IEEE P802.15 Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the 802.15.4 Network.

Doc.: Submission, Slide 1 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title: [Securing the Network.
Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.

Bootstrapping MIP6 Using DNS and IKEv2 (BMIP) James Kempf Samita Chakrarabarti Erik Nordmark draft-chakrabarti-mip6-bmip-01.txt Monday March 7, 2005.
An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.

An Operational Perspective on BGP Security Geoff Huston GROW WG IETF 63 August 2005.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
Chapter 8 Web Security.

Chapter 8 Web Security.

Similar presentations

Ads by Google