A Secure Access System for Mobile IPv6 Network ZHANG Hong Aug 28, 2003

Introduction Background: Internet, wireless and mobile communication are developing very fast. A secure Mobile IPv6 network access system is badly needed for Mobile IPv6 deployment.

Scenario

Current Status and Problem Current methods and systems are still inadequate, including EAP, PANA, 802.1X, RADIUS and Diameter.

Security Goals 1) The MN and the network access server must be able to authenticate each other mutually, to prevent man-in-the-middle attacks. 2) Inter-domain authentication/authorization must be accomplished to support roaming users. 3) No one, including AAA servers in the foreign domain, can forge an access request of the MN. 4) The transport service for the MN must be protected, so that an attacker cannot steal the service after the MN has been authenticated.

Security Association

Overview The secure access procedure for the MN is comprised of three phases: the initial phase, the authentication-registration phase and the termination phase.

Initial Phase When the MN first enters a foreign network, it is in this phase. The MN obtains an IPv6 care-of address by either stateful or stateless address auto-configuration; this system does not modify the current IPv6 address auto-configuration protocols. The MN sends a server-request packet to the access servers using an IPv6 site-local broadcast address. The servers receive the request and send answers. The MN chooses one server and builds a secure channel with it in a TLS-like way. This secure channel protects the subsequent authentication and registration messages.

Message 1: Server Request := the MN's request for an access server to deal with its access request. Message 2: Server Reply := the access server's reply. Message 3: Ack := the MN's acknowledgement of one of the access servers. Message 4: {Server Cert, Challenge}Sig := the chosen access server returns its certificate and a challenge; the whole message is signed by the access server.

Authentication-Registration Phase In this phase, the MN sends its NAI and identity credentials to the access server through the secure channel built in the initial phase, so user identity privacy is achieved by encryption. Authentication of the MN may need the AAAH if the MN is in a foreign domain, and the AAAH performs the binding update registration with the HA on behalf of the MN. Authentication is accomplished by transferring EAP payloads between the MN and the AAAH.

Message 1: E{NAI, Cha, N} := the MN's NAI, the Challenge (Cha) from the initial phase and a Nonce (N) for message freshness; the whole message is encrypted with the access server's public key. Message 2: AMR1 := Auth-MN-Request message, containing the NAI. The AAAL forwards this message to the MN's AAAH. Message 3: AMA1 := Auth-MN-Answer message, containing the NAI and an EAP-MD5 challenge AVP. Message 4: {EAP, N}Sig := the access server sends the EAP-MD5 challenge to the MN. The nonce guarantees message freshness. This message is signed.

Message 5: E{NAI, EAP, N, BU} := the MN sends its NAI, the EAP-MD5 response, the nonce and a binding update (BU) request to the access server. Message 6: AMR2 := the access server encapsulates the NAI, the EAP response and the BU in AVPs and sends them to the AAAL in an AMR message. Message 7: BUR := Binding Update Request; the AAAH sends the binding update request to the HA, and the HA replies with a BUA (Binding Update Answer).

Termination Phase The MN sends a termination request to the access server and the server replies. In order to detect when the MN has disconnected abnormally, the access server uses a heartbeat detection mechanism, sending a probe message periodically.

Message 1: E{Terminate Request, N} := the MN's request to terminate access; this message is encrypted with the temporary key. Message 2: {Server Reply}Sig := the access server's reply, with signature.

Logic Analysis ABBR.: AS – Access Server, Cert – Certificate, Cha – Challenge, N – Nonce
MN Receives Cert, Cha, {Cert, Cha}Sig
MN Verifies Cert
MN Believes PK Belongs to AS
MN Believes AS Said Cha
AS Receives {MN, Cha, N}PK
AS Believes Freshness(Cha)

AS Believes Freshness(MN, N)
MN Receives EAP-Cha, N, {EAP-Cha, N}Sig
MN Believes AS Said {EAP-Cha, N}
MN Believes Freshness(N)
MN Believes Freshness(EAP-Cha)
AS Receives {EAP-Res, MN, N}PK
AAAH Verifies EAP-Res
AAAH Believes MN's Identity
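The authentication-registration messages and the freshness reasoning above, as an added worked example that is not part of the original presentation: the access server only relays an exchange whose Cha is the one it issued and whose N has not been seen before, and the AAAH computes and checks the EAP-MD5 response (MD5 over identifier, shared secret and challenge, as in RFC 3748). The NAI, password, nonce handling and the AAAH/AccessServer classes are constructed for illustration; the secure channel, signatures and the BU/BUR/BUA registration step are left out.

```python
import hashlib
import os

# Constructed sample credential. EAP-MD5 is a shared-secret method, so the MN's AAAH
# holds the same secret; the realm after '@' in the NAI selects the home domain.
HOME_SECRETS = {"alice@home.example": b"constructed-password"}

def eap_md5_response(eap_id, secret, challenge):
    """EAP-MD5 response value = MD5(Identifier || secret || challenge), per RFC 3748 5.4."""
    return hashlib.md5(bytes([eap_id]) + secret + challenge).digest()

class AAAH:
    """Home AAA server: returns the EAP-MD5 challenge AVP (AMA1), verifies the response (AMR2)."""
    def __init__(self, secrets):
        self.secrets, self.pending = secrets, {}

    def amr1(self, nai):
        if nai not in self.secrets:
            return None
        self.pending[nai] = (1, os.urandom(16))            # (EAP identifier, EAP-MD5 challenge)
        return self.pending[nai]

    def amr2(self, nai, eap_response):
        eap_id, cha = self.pending.pop(nai, (None, None))  # one response per issued challenge
        return cha is not None and eap_response == eap_md5_response(eap_id, self.secrets[nai], cha)

class AccessServer:
    """Access server: enforces Freshness(Cha) and Freshness(MN, N) before relaying to the AAAH."""
    def __init__(self, aaah):
        self.aaah, self.challenge = aaah, os.urandom(16)   # Cha issued in initial-phase message 4
        self.sessions = {}                                  # nonce N -> NAI, one session per N

    def message1(self, nai, cha, nonce):
        if cha != self.challenge or nonce in self.sessions:  # stale Cha or replayed N: drop
            return None
        eap = self.aaah.amr1(nai)                            # AMR1 -> AMA1 via the AAAL
        if eap:
            self.sessions[nonce] = nai
        return eap                                           # carried to the MN in message 4

    def message5(self, nai, eap_response, nonce):
        if self.sessions.pop(nonce, None) != nai:            # unknown or already-used N: reject
            return False
        return self.aaah.amr2(nai, eap_response)             # AMR2 -> AMA2

def run_exchange(mn_secret=HOME_SECRETS["alice@home.example"], replay=False):
    # Drive messages 1, 4 and 5; with replay=True, resend message 5 and return both results.
    access, nai, nonce = AccessServer(AAAH(HOME_SECRETS)), "alice@home.example", os.urandom(8)
    eap_id, eap_cha = access.message1(nai, access.challenge, nonce)
    resp = eap_md5_response(eap_id, mn_secret, eap_cha)
    first = access.message5(nai, resp, nonce)
    return (first, access.message5(nai, resp, nonce)) if replay else first
```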

Comparison With Former Goals This system accomplishes all of them. 1) The access server is authenticated to the MN by its certificate; the MN is authenticated later by EAP methods. 2) Inter-domain authentication/authorization is supported by the AMR and AMA messages of the Diameter protocol. 3) No one can forge an access request of the MN and send it to the AAA servers in the home domain. 4) Service theft is prevented by the security association between the MN and the router.

Thanks !!!