Copyright Statement Copyright Robert J. Brentrup 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Delegated Guest Access to Secure Networks
Robert Brentrup
Educause Poster Session, October 19, 2005
Network Security
Wireless networks are inherently more vulnerable
– No longer need to be inside a building
– Anyone in range can listen
– Have to expect uninvited “guests”
Wired Equivalent Privacy (WEP) is intended to protect traffic between the supplicant and the access point.
– WEP has encryption flaws which diminish its effectiveness.
WiFi Protected Access (WPA2) provides a stronger encryption scheme
– and supports a wider range of authentication techniques.
Problem
If authenticated access is implemented
– to limit use to members of the community
– and to enable strong data encryption
How do guests access the network conveniently?
– Visitors are a daily occurrence
– Don’t want a multi-day process to get a guest account approved and created
Motivation for System
Visitors are given access to labs by their host
Already allow sponsored accounts for longer time periods
– But the overhead is too high for a short visit
Why not allow local users to delegate privileges to guests?
– Would give immediate access
– Delegation allows decentralized authorization
Design Goals
– Provide access to authorized guests
– Guests may use the comprehensive services granted to local users
– Require strong access control
– Use standard protocols
– Timeframe of authorization limited
– Do not require central control
– Provide audit trail
– Prefer to use PKI authentication
Greenpass Solution
Use 802.1x protocol for authentication
– Works for Wireless or VPN
Use EAP/TLS to identify users
Use RADIUS server for authorization decision
– Recognize some X.509 certificate issuers
– Allow local users to delegate network access permission
– SPKI certificate delegation chain
– Recognized by small RADIUS modification
– HTTP Cookies simplify use
No user software install required
Client Java tool for delegation
Design: Information Flow
Hybrid PKI
Why SPKI/SDSI?
– Focuses specifically on the problem of authorization that we are trying to solve.
– Provisions for delegation of authority naturally give rise to the distributed model of delegated access that we envisioned.
– Simple and lightweight, easy to work with.
– Guest access is tied directly to the guest’s public key rather than indirectly through the guest’s name.
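The delegation-chain check that the Greenpass slides describe (a local user delegates network-access permission to a guest's public key, and the RADIUS modification recognizes the SPKI chain), as an added example written for this page in Go; it is not code from the Greenpass project, whose tools were Java. It assumes a root key the authorization server trusts, a local user holding an authorization cert with a delegate flag, a guest identified only by public key, and a certificate layout and tag name that are this example's own rather than real SPKI/SDSI encoding.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"time"
)

// Cert is a minimal SPKI-style authorization certificate (layout is this example's
// own): Issuer grants Tag to Subject (raw public keys, not names) until NotAfter.
type Cert struct {
	Issuer, Subject ed25519.PublicKey
	Tag             string
	Delegate        bool // may Subject pass the grant on?
	NotAfter        time.Time
	Sig             []byte
}

// tbs is the fixed-layout byte string the issuer signs.
func (c Cert) tbs() []byte {
	b := append(append([]byte{}, c.Issuer...), c.Subject...)
	b = append(b, c.Tag...)
	b = append(b, map[bool]byte{true: 1}[c.Delegate]) // 0 when not delegable
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.NotAfter.Unix()))
	return append(b, ts[:]...)
}

// Issue signs a certificate with the issuer's private key (the delegation tool's job).
func Issue(priv ed25519.PrivateKey, subject ed25519.PublicKey, tag string, delegate bool, notAfter time.Time) Cert {
	c := Cert{Issuer: priv.Public().(ed25519.PublicKey), Subject: subject, Tag: tag, Delegate: delegate, NotAfter: notAfter}
	c.Sig = ed25519.Sign(priv, c.tbs())
	return c
}

// Authorized is the check made on the RADIUS side at 802.1x time: the chain must
// run from the trusted root to the guest's key, each link signed by the expected
// issuer, unexpired, within its delegator's window, and re-delegable unless last.
func Authorized(root, guest ed25519.PublicKey, tag string, chain []Cert, now time.Time) bool {
	expect := root
	for i, c := range chain {
		ok := c.Issuer.Equal(expect) && c.Tag == tag && ed25519.Verify(c.Issuer, c.tbs(), c.Sig) &&
			now.Before(c.NotAfter) && (i == 0 || !c.NotAfter.After(chain[i-1].NotAfter)) && (i == len(chain)-1 || c.Delegate)
		if !ok {
			return false
		}
		expect = c.Subject
	}
	return len(chain) > 0 && expect.Equal(guest)
}
```

Because the final subject is compared as a key, a visitor needs no account name, and a host can only grant what they hold and for no longer than they hold it.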
Block Diagram
Guest Unauthorized
Guest Introduction
Guest Fingerprint
Authorized Delegator
Select Guest
Guest Lookup
Delegation Tool
Delegation Complete
Guest Authorized
Authorized User
Results
Greenpass incorporates SPKI/SDSI with existing PKI standards to create an authentication scheme that is decentralized and not cumbersome to users.
Published Open Source Components:
– Delegation Server, Introduction Cache
– Delegation Signing Tool
– Authorization Certificate Cache
– RADIUS modifications
Future Work
– Finer grained definition of authorization.
– Alternatives to SDSI/SPKI
– No X.509 PKI? – everyone is a guest.
– Support for other devices (PDAs, VoIP devices).
Credits, Contacts and Links
Primarily designed by Nicholas Goffee and Sung Kim as their Master's degree thesis projects, advised by Prof. Sean Smith.
– Other contributors to the Greenpass project are: Kwang-Hyun Baek, Meiyuan Zhao, John Marchesini, Chris Masone, Punch Taylor, Robert Brentrup and Nick Santos.
For Further Information
– Sean Smith - sws@dartmouth.edu
– Robert Brentrup - Robert.J.Brentrup@dartmouth.edu
www.dartmouth.edu/~pkilab/greenpass/
www.cs.dartmouth.edu/reports/abstracts/TR2004-484/