Secure Authentication System for Public WLAN Roaming
Ana Sanz Merino, Yasuhiko Matsunaga, Manish Shah, Takashi Suzuki, Randy Katz

Slide 1: Secure Authentication System for Public WLAN Roaming (title slide)

Slide 2: Agenda
1. Challenges and our Solution
2. Testbed Description
3. Performance Measurement

Slide 3: Loose Trust Relationship in Current Public Wireless LAN Roaming
Diagram: User, WLAN Service Providers, ID Provider (ISPs, card companies); the relationships are labelled Strong Trust, Weak Trust and No Trust.
Each WLAN system is isolated and deploys different authentication schemes.

Slide 4: Challenges and Our Solutions
- Challenge: confederate service providers under different trust levels and with different authentication schemes to offer wider coverage; inter-system handover with minimal user intervention. Solution: SSO Roaming with Authentication Adaptation.
- Challenge: select the proper authentication method and protect the privacy of user information per WLAN provider. Solution: Policy Engine Client.
- Challenge: avoid theft of wireless service without assuming a pre-shared secret between user and network. Solution: L2/Web Compound Authentication.

Slide 5: Authentication Adaptation Flow
Authentication Negotiation Protocol (XML-based), between the User Terminal and the WLAN Service Provider:
(1) Authentication Capabilities Query (terminal to provider)
(2) Authentication Capabilities Statement (provider to terminal): provider id, authentication methods, charging options, required user information
(3) Terminal selects the authentication method according to the user's preferences
(4) Authentication Query (terminal to provider): selected authn. method, selected charging option, user information
(5) Provider authenticates the user
(6) Authentication Statement (provider to terminal)

Slide 6: Authentication Capabilities Statement Example (XML; only the element values survive in this transcript)
vancouver.cs.berkeley.edu_SP ... ID Provider C, Prepaid basic A, Radius, Liberty, Radius

Slide 7: Authentication Capabilities Statement Example, continued (XML; only the element values survive in this transcript)
Liberty, Prepaid basic A, 0.1, 1, Constant, private_contents, private_contents, "Access to private contents through the provider's web portal"

Slide 8: Auth Adaptation User Interface (screenshot)

Slide 9: Policy Engine
- Controls automatic submission of user authentication information according to the communication context
- Adapts the authentication/authorization flow
Diagram: User Terminal (Network Access Client, Web Browser, Policy Engine with Policy Check, Policy Repository, Auth Info. Repository, Context, Capability; End User) and WLAN Service Provider (Network Access Server, EAP/802.1X).

Slide 10: Policy Rule Example (XML; only the element values and one element survive in this transcript)
... ID Provider C: Prepaid basic A..., Prepaid basic B..., Prepaid premium A..., Radius..., Liberty...; ID Provider B: Prepaid basic A..., Radius...; vancouver.cs.berkeley.edu_SP; <provisional_action name="user_acknowledgement"/>; ID Provider C, Prepaid basic A, Radius, TRUE, 1900-01-01T00:00:00Z

Slide 11: Authentication Query Example (XML; only the element values survive in this transcript)
Radius, Prepaid basic A, my_user, my_password, my_contract_number
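The negotiation of slides 5, 9, 10 and 11 (capabilities statement in, policy check, authentication query out, with a provisional user-acknowledgement action for private information) as a small worked example. This is added code, not the authors' ANP client or Policy Engine: the XML element and attribute names, the shape of the policy repository and the sample statement are all assumptions; the field values come from slide 11.

```python
import xml.etree.ElementTree as ET

# (2) Authentication Capabilities Statement: constructed sample. The slides
# say the protocol is XML-based but show no schema, so these element and
# attribute names are assumptions made for this example.
CAPABILITIES_XML = """
<capabilities provider_id="vancouver.cs.berkeley.edu_SP">
  <id_provider name="ID Provider C">
    <auth_method name="Radius">
      <charging option="Prepaid basic A"/>
      <user_info name="username"/><user_info name="password"/>
      <user_info name="contract_number"/>
    </auth_method>
    <auth_method name="Liberty">
      <charging option="Prepaid basic A"/>
      <user_info name="username"/><user_info name="password"/>
    </auth_method>
  </id_provider>
  <id_provider name="ID Provider B">
    <auth_method name="Radius">
      <charging option="Prepaid basic B"/>
      <user_info name="username"/><user_info name="password"/>
    </auth_method>
  </id_provider>
</capabilities>
"""

# Policy repository (constructed): preference order, plus which pieces of
# user information may be auto-submitted to which ID provider. Anything not
# listed needs a provisional action, the user_acknowledgement of slide 10.
POLICY = {
    "method_preference": ["Radius", "Liberty"],
    "id_provider_preference": ["ID Provider C", "ID Provider B"],
    "charging_preference": ["Prepaid basic A", "Prepaid basic B"],
    "auto_release": {
        "username": {"ID Provider C", "ID Provider B"},
        "password": {"ID Provider C", "ID Provider B"},
        "contract_number": set(),   # never released without acknowledgement
    },
}

# Auth Info. Repository (constructed, values as on slide 11).
AUTH_INFO = {"username": "my_user", "password": "my_password",
             "contract_number": "my_contract_number"}


def parse_capabilities(xml_text):
    """Flatten the statement into one offer per (ID provider, method)."""
    root = ET.fromstring(xml_text)
    return [{
        "sp": root.get("provider_id"),
        "idp": idp.get("name"),
        "method": m.get("name"),
        "charging": [c.get("option") for c in m.findall("charging")],
        "required": [u.get("name") for u in m.findall("user_info")],
    } for idp in root.findall("id_provider") for m in idp.findall("auth_method")]


def _rank(preference, item):
    return preference.index(item) if item in preference else None


def select_offer(offers, policy):
    """(3) Choose the offer ranking best on (method, ID provider, charging);
    offers naming a method or provider the policy does not list are skipped."""
    best = None
    for o in offers:
        m = _rank(policy["method_preference"], o["method"])
        p = _rank(policy["id_provider_preference"], o["idp"])
        charging = [c for c in policy["charging_preference"] if c in o["charging"]]
        if m is None or p is None or not charging:
            continue
        key = (m, p, _rank(policy["charging_preference"], charging[0]))
        if best is None or key < best[0]:
            best = (key, o, charging[0])
    return None if best is None else (best[1], best[2])


def build_query(offer, charging, policy, auth_info, acknowledged=frozenset()):
    """(4) Emit the Authentication Query, or stop and list the private fields
    that still need the user's acknowledgement for this ID provider."""
    pending = [f for f in offer["required"]
               if offer["idp"] not in policy["auto_release"].get(f, set())
               and f not in acknowledged]
    if pending:
        return {"status": "needs_acknowledgement", "fields": pending}
    q = ET.Element("authentication_query", provider_id=offer["sp"])
    ET.SubElement(q, "id_provider").text = offer["idp"]
    ET.SubElement(q, "auth_method").text = offer["method"]
    ET.SubElement(q, "charging").text = charging
    info = ET.SubElement(q, "user_info")
    for f in offer["required"]:
        ET.SubElement(info, f).text = auth_info[f]
    return {"status": "ok", "query": ET.tostring(q, encoding="unicode")}


def negotiate(capabilities_xml, policy, auth_info, acknowledged=frozenset()):
    """Steps (2)-(4) on the terminal side: what the adaptation UI would show
    the user, or what goes to the provider once the policy check passes."""
    chosen = select_offer(parse_capabilities(capabilities_xml), policy)
    if chosen is None:
        return {"status": "no_acceptable_offer"}
    offer, charging = chosen
    result = build_query(offer, charging, policy, auth_info, acknowledged)
    result.update(method=offer["method"], idp=offer["idp"], charging=charging)
    return result


if __name__ == "__main__":
    print(negotiate(CAPABILITIES_XML, POLICY, AUTH_INFO))
    print(negotiate(CAPABILITIES_XML, POLICY, AUTH_INFO, {"contract_number"}))
```

With the sample policy the Radius offer from ID Provider C ranks first, but it requires the contract number, which the policy never releases automatically, so the first call returns a pending acknowledgement rather than a query; after the user acknowledges, the second call produces the query of slide 11. Switching the method preference to Liberty selects an offer that needs only username and password and goes through without a prompt.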

Slide 12: L2/Web Compound Authentication
Parties: Client, Access Point, RADIUS/Web Server, External Network.
(1) 802.1x TLS guest authentication
(2) Establish L2 session key
(3) Web authentication (with L2 session key digest)
(4) Firewall control
Prevents theft of service, eavesdropping and message alteration. Does not work against L2 DoS attacks (out of scope).

Slide 13: WLAN Secure Roaming Testbed
Diagram of testbed components:
- Identity Provider #1 (Liberty id provider) and Identity Provider #2 (Radius), reached over HTTPS/SOAP and RADIUS
- Service Provider #1 and Service Provider #2, each with Web Portal, Liberty service provider, Radius, 802.1x, ANP Server and Firewall
- WinXP Client (Roaming Client) and Linux Client (ANP Client, Policy Engine, Xsupplicant)

Slide 14: Layer 2 Roaming User Interface (screenshot)

Slide 15: Delay Profile Evaluation (units: sec)

                                      Proxy-based (RADIUS)   Redirect-based (Liberty)
                                      Local     Roaming      Local     Roaming
Web Authentication                    0.295     0.296        0.276     1.545
Policy Engine                         0.255     0.255        0.255     0.255
Authn. Capabilities Announcement      0.250     0.250        0.250     0.250
Link Layer (802.1x) Authentication    0.124     0.124        0.124     0.124
Total                                 0.924     0.925        0.905     2.174

The Policy Engine, capabilities announcement and 802.1x figures are the same in all four cases; the redirect-based roaming case is dominated by its 1.545 s web authentication.

Slide 16: Conclusions
1. Secure public WLAN roaming made possible by accommodating multiple authentication schemes and ID providers with an adaptation framework
2. Policy Engine reflects the user's authentication scheme preference and protects the privacy of user information
3. Compound L2/Web authentication ensures cryptographically-protected access
4. Confirmed with a prototype; measured performance shows reasonable delay for practical use
5. Exploits industry-standard authentication architectures: Radius, Liberty Alliance
