supported by the party authentication to improve roaming

UCLouvain - BelgiumIP Networking Lab - http://inl.info.ucl.ac.be

Damien LEROY

BELNET Security Conference - April 30th, 2009

Using tunnels and three party authentication to

improve roaming security

Supported by the Walloon Region

Security of WiFi RoamingBSC 2009

D. LeroyUCL Belgium, Apr 2009

IP networking labContent

(I) Introduction to WiFi Roaming

(II) Remote authentication : risks for the visited network

(III) Security risks for the mobile user

(IV) Solutions based on VPN

(V) ALAWN project

2








(V) ALAWN project

3



IP networking lab

F

“WiFi Roaming”

4

HInternet



IP networking labScenario 1 : Open WiFi Access

5

H

F

Internet



IP networking labScenario 1 : Open WiFi Access

6

F

HInternet

ILLEGAL ACTIVITIES



IP networking lab

F

Scenario 1 : Open WiFi Access

7

HInternet

?

!!!!!!

!!!!!!



IP networking labScenario 2 : Temporary credentials

8

H

F

Internet

Auth.

server

tempusername+



IP networking labScenario 3 : Remote authentication

9

H

F

Internet

user: smith@H-Networkpasswd : in H

Auth.

server

Auth.

server



IP networking labScenario 3 : Remote authentication

9

H

F

Internet

user: smith@H-Networkpasswd : in H

Auth.

server

Auth.

server

Auth.

server








(V) ALAWN project

10

Authenticated Wireless Roaming via Tunnels: Making Mobile Guests Feel at Home

M. Manulis, D. Leroy, F.K., O.B., JJ.Q.UCL Belgium, March 2009

IP networking labThe Eduroam Project

eduroamEurope

eduroamAPAN

CSC

CSC

UNINETT

SUNET

UNI!C

EENet

LANET

LITNET

TERENA

SURFnetUKERNA

HEAnet

BELNETRESTENA

RENATER

FCCN

DFN

GARR

ARNES

CESNET

ACOnet

PIONIER

SWITCH

CARNet

BREN

HUNGARNET

RoEduNet

GRNET

RHnet

European Root

RedIRIS

CYNET

AARNet

NCHCUESTC

APAN Root

NRENs that have joined

NRENs that are in the process of joining

PolyU

NII



IP networking lab

UCL

Authentication within Eduroam

12

Stockholms universitet

Internet

SU SUuser: [email protected]

RADIUS

server

SwedishAuthority

BelgianAuthority

IEEE802.1XTTLS+PAP

RADIUS

server

RADIUS

serverRADIUS

server

mailto:[email protected]




IP networking lab

UCL

Roaming with Eduroam

13


Internet

user: [email protected] SU

RADIUS

server

RADIUS

server





IP networking lab

UCL


13


Internet

http://www.swedbank.se/


RADIUS

server

RADIUS

server

http://www.juritic.be


































IP networking lab

UCL


13


Internet


RADIUS

server

RADIUS

server





IP networking lab

UCL

User abuse : Access to illegal data

14


Internet

SU SU

Auth.

server

Auth.

server

user: [email protected]

ILLEGAL ACTIVITIES





IP networking lab

UCL

Auth.

server

User abuse : Access to illegal data

15


Internet

!!!!!!

!!!!!!

SU SU

Auth.

server

SwedishAuthority

Auth.

server

BelgianAuthority

Auth.

server



IP networking lab

UCL

Auth.

server

User abuse : Attack on the Internet

16


InternetSPAM

SPAM

SPAM

SPAM

SPAM

SU SU


Auth.

server





IP networking lab

Score each mail based on :

How do spam filters work ?

๏ Content : “viagra”, “diploma”, “free videos”, ...

๏ “Packaging” :Large images, lots of receivers, ...

๏ Well known spam-sender (often attacked hosts)Based on shared databases

17



IP networking lab

Score each mail based on :


๏ Content : “viagra”, “diploma”, “free videos”, ...

๏ “Packaging” :Large images, lots of receivers, ...

๏ Well known spam-sender (often attacked hosts)Based on shared databases

17

high score -> mark as spam



IP networking lab

How are these databases built up?


๏ Based on previous “mass spam” activities

๏ Based on IP addresses of senders

๏ Open databases

18



IP networking lab

UCL

Auth.

server


19


InternetSPAM

SPAM

SPAM

SPAM

SPAM

SU SU


Auth.

server





IP networking lab

UCL

Auth.

server


19


InternetSPAM

SPAM

SPAM

SPAM

SPAM

SU SU


Auth.

server

In PYZOR database : add 130.104.*.* (=UCL)





IP networking lab

UCL

Auth.

server


20


Internet

PYZOR database : ...130.104.*.* (=UCL)...

UCLUCL

UCL

UCL

SU SU

Auth.

server



IP networking labAccess control based on IP

๏ Some services (e.g., website) have their access control based on source IP.

‣ Digital libraries

‣ Intranet

‣ ...

๏ The mobile user will have access to these services ! (more complex filtering could be added)

21



IP networking lab

Summary

Security risks for visited network

22

Open WiFi Temp. cred. Remote auth.

User authentication

Administrative cost

Ease of use (for user)

Blacklisting based on IP

Access based on IP

Attack on the infrastruct.








(V) ALAWN project

23



IP networking lab

F

H

Stealing credentials

24

Internet


RADIUS

server

3rd partyAuthority

IEEE802.1XTTLS+PAP

RADIUS

server

RADIUS

server





IP networking lab

F

H

Pharming

25

Internet

http://www.google.com

SU SU

http://www.google.com

































IP networking lab

F

H

Sniffing

26

Internet

SU SU

RADIUS

server



IP networking lab

F

H

Fake Access Point

27

Internet

SU SU


RADIUS

server

IEEE802.1XTTLS+PAP

RADIUS

server

SSID:EDUROAM





IP networking lab

F

H

Fake Access Point

27

Internet

SU SU


RADIUS

server

IEEE802.1XTTLS+PAP

RADIUS

server

SSID:EDUROAM

It is able to :• steal cred.• do pharming• sniff traffic





IP networking labSecurity risks for F and M

28

Open WiFi Temp. cred. Remote auth.

User authenticationAdministrative cost for F

Ease of use (for user)Blacklisting based on IP

Access based on IPAttack on the infrastruct.

F maliciousFake access point








(V) ALAWN project

29



IP networking lab

UCL

VPN

30


Internet

SU SU

For the user : via username/pwd (or certificate)

For the home network : via certificate or no auth (cert must be distributed !)

VPN server

authentication



IP networking lab

UCL

VPN

31


Internet

SU SU

VPN server

http://ww

w.sw

edbank.se/




































IP networking lab

UCL

VPN

31


Internet

SU SU

VPN server


http://ww

w.sw

edbank.se/




























































IP networking lab

Yes because :

VPN, a solution for previous issues ?

๏ The requests are sent with the IP address of the home network

๏ If M sends spam over the Internet, only his home network is blamed

๏ It protects the user from a malicious visited network

32



IP networking lab

Yes but :


๏ Only authentication between H and M :

‣ F does not authenticate / know M and H

‣ M does not always check H auth (F can do pharming)

๏ On user’s demand

‣ If M wants to meet some security goals

‣ F cannot force M to create VPN to H

33



IP networking lab

The previous table, updated


34

Remote auth. VPN

User authentication (by F)Administrative cost for F






IP networking lab

How ?

Combining IEEE802.1X and VPN

๏ Firewall of F blocks everything

๏ User connects with his credentials for IEEE802.1X

๏ F opens the VPN port as destination port, only from this user, and to its home network (inferred from IEEE802.1X)

35



IP networking lab

Using both IEEE802.1X and VPN to reach security goals is possible. But :

Combining IEEE802.1X and VPN

๏ Need both infrastructures

๏ Once the user is authenticated, how the tunnel is forced to H ?

‣ Filtering based on IEEE8021.X decision ?

๏ Two init phases can take some time (few seconds) to succeed

36








(V) ALAWN project

37



IP networking lab

Some words about the project

The ALAWN project

๏ A Walloon Region project

๏ In collaboration with :

‣ CRID (Research Centre on IT and Law - FUNDP - Namur)

‣ Crypto Group - UCL

‣ IP Networking Lab - UCL

38



IP networking lab

UCL

The proposal - Step 1

39


Internet

SU SU

RADIUS

server

RADIUS

server

RADIUS

server

RADIUS

server

3-party

crypto authentication

& key exchange



IP networking lab

UCL

The proposal - Step 2

40


Internet

SU SU

RADIUS

server

RADIUS

server

RADIUS

server

RADIUS

server



IP networking lab

UCL

The proposal

41


Internet

SU SU


http

://www.sw

edban

k.se/

RADIUS

server
































IP networking lab

Goals for the protocol

Remote Auth. and Key Exchange (RAKE)

๏ Authentication between M, H and F

๏ Key exchange

๏ (Negotiation of session parameters)

42



IP networking lab

Authentication

S

Security Goals

43

H

FM



IP networking lab

Authentication

S

Security Goals

๏ H must authenticate M as one of the registered mobile devices

๏ M must authenticate H as its home network

43

H

FM



IP networking lab

Authentication

S

Security Goals



43

H

FM

๏ F must authenticate H as a roaming partner

๏ H must authenticate F as a roaming partner



IP networking lab

Authentication

S

Security Goals



43

H

FM

๏ F must authenticate H as a roaming partner

๏ H must authenticate F as a roaming partner

๏ F trusts H to correctly authenticate M

๏ M trusts H to correctly authenticate F



IP networking lab

Key establishment

S

Security Goals

44

H

FM

๏ Protection of communication between M, H and F

➡ KT (tunnel key)

๏ End-to-end protection

➡ KM,H (end-to-end key)

KM,H; KT

KM,H; KT

KT



IP networking lab

KT, the key shared between H-F-M

What are the keys used for ?

๏ To infer the key used for “wireless” communication

๏ To negotiate connection parameters (when it stops, accounting, mobility, ...)

45



IP networking lab

KM,H, the key shared between H and M

What are the keys used for ?

๏ For fully-encrypting the communication between M and H

๏ To negotiate connection parameters that should not be known/modified by F, shared between H and M

46



IP networking lab

Additional constraints

RAKE protocol

๏ RTT should be as low as possible

๏ The mobile device should not do “hard computation”

47



IP networking labThe protocol in itself (simplified)

48

SU SUAuth.

server

M FAuth.

server

HF|rF

M|rM|H

Internet

F|rF|M|rM

sid=F|rF|M|rM|H|rH

kt=PRFkM(0,sid)X=EncekF(kt)

μH=MACαM(0,sid)

rH|X|μH|σH(∗)kt=DecdkF(X)rH|μH

kt=PRFkM(0,sid)KT =PRFkt(1,sid)KM,H = PRFkM(2,sid)μM=MACαM(1,sid)

μMKT =

PRFkt(1,sid)μM,σF(∗)

KT =PRFkt(1,sid)KM,H = PRFkM(2,sid)



IP networking labThe protocol in itself

๏ A full security model has be defined

๏ Protocol has been proved

๏ For the ones interested in details : M. Manulis, D. Leroy, F. Koeune, O. Bonaventure and J.-J. Quisquater,

Authenticated Wireless Roaming via Tunnels: Making Mobile Guests Feel at Home, Proceedings of the ACM Symposium on

Information, Computer and Communications Security (ASIACCS 2009),

Sydney, Australia, March 2009

49



IP networking lab

Additional constraints, results

RAKE protocol

๏ RTT should be as low as possible

๏ The mobile device should not do “hard computation”

50



IP networking lab

UCL

The proposal

51


Internet

SU SU

RADIUS

server

RADIUS

server



IP networking labWhy using a tunnel ?

๏ Tunnel from F to H is not encrypted, it is only used to permit M to send packet to his home network

๏ Technical interests have been shown at the beginning of the presentation

๏ We showed with CRID that it also has legal advantages : R. Robert, M. Manulis, F. De Villenfagne, D. Leroy, J. Jost, F. Koeune, C. Ker, J.-M. Dinant, Y. Poullet, O. Bonaventure, and J.-J. Quisquater, WiFi Roaming: Legal Implications and Security Constraints, Int. J. of Law and Information Technology 2008 16: 205-241

52



IP networking labTechnical choices

๏ The RAKE protocol :

‣ Extending IEEE802.1X (EAP)

๏ The tunnel :

‣ Use a L2TP tunnel

๏ Encryption between H and M :

‣ Optional

‣ Using IPSec (ESP)

53



IP networking labExtending 802.1X for RAKE

๏ IEEE802.1X is now widely used

๏ It uses EAP (the Extensible Authentication Protocol) for authentication

๏ EAP can be easily extended

54



IP networking lab

How does IEEE802.1X work ?

Extending 802.1X for RAKE

55

RADIUS

server

physical layer connection PORTBLOCKED

EAP start

EAP-request identity



IP networking lab



55

RADIUS

server


EAP start


EAP-response identity : dleroy

(in RADIUS packet)EAP-response identity : dleroy



IP networking lab



55

RADIUS

server


EAP start




EAP requests/responses following the EAP method



IP networking lab



55

RADIUS

server


EAP start





EAP-success EAP-success PORTOPEN



IP networking lab



55

RADIUS

server


EAP start





EAP-success EAP-success PORTOPEN

Ethernet or WiFi (keys derived from previous negotiations)



IP networking lab

We have implemented it


๏ In “Host AP” project (hostapd & wpa_supplicant)

๏ An open-source implementation

๏ hostapd works with most Linux & BSD drivers

๏ wpa_supplicant works with most Linux, BSD & Windows drivers

56



IP networking labExtending 802.1X for RAKE

๏ In next months, we would like to test it in real situations

๏ With hostap :

‣ On laptop and mobile devices

‣ On access point (on OpenWRT OS)

‣ On basic Linux server

๏ If you want to test the protocol in your network in a few months... please ask us

57



IP networking lab

UCL

Tunnel between F and H

58


Internet

SU SU

RADIUS

server

RADIUS

server



IP networking lab

A L2TP tunnel

Tunnel between F and H

๏ The AP acts as layer 2 bridge

๏ Advantages:‣ Even the IP address is allocated by H

‣ Do not have to rely on F technical config (e.g., IPv4/v6)

‣ Less security risks for F

‣ Transparent for M (the host and the user)

59



IP networking labOn Expected Increase of Latencies

๏ For each request, a RTT “H-F” is added

60

‣ City : 30-60ms for residential hosts (3-4ms for well-connected hosts) [LP03]

‣ Country (USA): <150ms [LP03]

‣ Intercontinental : <250ms for 90% residential [DHGS07]

๏ ITU-T recommendations: one-way latency <400ms may be acceptable (e.g., VoIP)

S



IP networking lab

UCL

Encryption between M and H

61


Internet

SU SU



IP networking labEncryption between M and H

๏ Kept optional (negotiated)

๏ Using KM,H (only known by M and H)

๏ Encryption method negotiated

‣ more suitable : IPSec ESP in tunnel mode

62



IP networking labComparison with previous solutions

63

Remote auth. VPN RAKE

User authentication (by F)Administrative cost for F






IP networking lab

Constraints

Summary on our proposal

✓ The tunnel increases the latency for some destinations

✓ The partnership has to be decided earlier

✓ Need (light) modifications of host, AP or the egress router, and authentication server.

64



IP networking lab

Advantages


✓ If the user sends spam, the user’s home network is blamed (and blacklisted), not the visited network

✓ Visited network does not care about the user activities

✓ Traffic can be encrypted

65



IP networking lab

Advantages


✓ Tunnel is initiated (and forced) by F and H, not by the user

✓ H does verify F authentication (>< TTLS)

✓ Same services as “at home”

66

Questions ?

ip networking labhttp://inl.info.ucl.ac.be

Damien [email protected]

http://inl.info.ucl.ac.be

http://inl.info.ucl.ac.be



supported by the party authentication to improve roaming

Documents