Authenticated Wireless Roaming via Tunnels

Transcription

1

2 Supported by the Belgian Walloon Region Authenticated Wireless Roaming via Tunnels M. MANULIS, D. LEROY, F. KOEUNE, O. BONAVENTURE, J-J. QUISQUATER UCLouvain - Belgium UCL Crypto Group - IP Networking Lab ASIACCS 09 - March 10-12, 2009

3 Context : Open WiFi Roaming H Internet F 3

4 Context : Open WiFi Roaming H Internet F 4

5 Context : Open WiFi Roaming Internet H ILLEGAL ACTIVITIES F 5

6 Context : Open WiFi Roaming H Internet? F 6

7 Context : Authenticated WiFi Roaming H Internet temp user name + F 7

8 Context : Authenticated WiFi Roaming Internet H user: smith@h-network passwd : in H F 8

9 The Eduroam Project eduroam Europe RHnet eduroam APAN UNINETT CSC NET EENet LANET UNI!C HEAnet UKERNA LITNET TERENA UESTC PIONIER DFN RFnet BELNET RESTENA CESNET RENATER SWITCH GARR NCHC ACOnet HUNGARNET ARNES RoEduNet CARNet NII BREN FCCN PolyU RedIRIS GRNET CSC CYNET European Root AARNet APAN Root NRENs that have joined NRENs that are in the process of joining

10 Roaming with Eduroam Stockholms universitet Swedish Authority Internet Belgian Authority IEEE802.1X TTLS+PAP user: UCL 10

11 Roaming with Eduroam Stockholms universitet Internet user: UCL 11

12 Eduroam - Client abuse scenario Stockholms universitet Internet ILLEGAL ACTIVITIES user: Beck@.se UCL 12

13 Eduroam - Client abuse scenario Stockholms universitet Swedish Authority Internet!!!!!!!!!!!! Belgian Authority UCL 13

14 Eduroam - Client abuse scenario Stockholms universitet Internet SPAM SPAM SPAM SPAM SPAM In PYZOR database : add *.* (=UCL) user: Beck@.se UCL 14

15 Eduroam - Client abuse scenario Internet Stockholms universitet PYZOR database : *.* (=UCL) UCL UCL UCL UCL... 15

16 Potential Security Risks Malicious F (Foreign network) DNS manipulations (i.e., pharming) Stealing credentials Sniffing Claim higher cost 16

17 Potential Security Risks Malicious M (Mobile node) Misbehavior on the Internet using IP of F Risk for infrastructure of F (attack easier from the inside) Access control based on IP (intranet, digital libraries,...) 17

18 Wireless Roaming via Tunnels (WRT) Internet Stockholms universitet responds to Stockolm Un. First proposed in [SKC07] for home networks in a citywide context UCL 18

19 Wireless Roaming via Tunnels (WRT) Advantages If the user sends spam, is blamed (and blacklisted), not UCL UCL does not care about user activities! Traffic from Beck to can be encrypted (= hidden from UCL) Cost based on traffic can be measured by H 19

20 AWRT = Authentication and Key Establishment Protocol for Wireless Roaming via Tunnels Formal security model (in the paper) A protocol (in the next slides) + proofs (on authors website) 20

21 Security Goals Authentication H H must authenticate M as one of the registered mobile devices M must authenticate H as its home network M S F F must authenticate H as a roaming partner H must authenticate F as a roaming partner F trusts H to correctly authenticate M M trusts H to correctly authenticate F 21

22 Security Goals KM,H; KT Key establishment H Protection of communication between M, H and F M S F KT KT (tunnel key) KM,H; KT End-to-end protection KM,H (end-to-end key) 22

23 Building Blocks PRF (pseudo-random function) Used for key derivation {0,1} κ x {0,1}* {0,1} n Asymmetric encryption scheme (with IND-CCA2 property) (functions Enc and Dec) Digital signature scheme (with EUF-CMA property) (functions Sig and Ver) MAC (Message Authentication Code) (with WUF-CMA property) 23

24 AWRT - Initialization F is in possession of : (dkf,ekf), (skf,vkf) (H,vkH)j for each roaming partner j H is in possession of : (skm,vkm) (M,kM,αM)i for each mobile i user of H (F,vkF,dkF)j for each roaming partner j M is in possession of : km,αm 24

25 AWRT - The protocol (simplified) M F rf F Internet H kt=prfkm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) μm=macαm(1,sid) M rm H rh μh μm kt=decdkf(x) KT = PRFkt(1,sid) F rf M rm rh X μh σh( ) μm,σf( ) sid=f rf M rm H rh kt=prfkm(0,sid) X=EncekF(kt) μh=macαm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) 25

26 AWRT - The protocol (simplified) M F rf F Internet H kt=prfkm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) μm=macαm(1,sid) M rm H rh μh μm kt=decdkf(x) KT = PRFkt(1,sid) F rf M rm rh X μh σh( ) μm,σf( ) sid=f rf M rm H rh kt=prfkm(0,sid) X=EncekF(kt) μh=macαm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) 26

27 AWRT - The protocol (simplified) M F rf F Internet H kt=prfkm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) μm=macαm(1,sid) M rm H Session ID rh μh μm kt=decdkf(x) KT = PRFkt(1,sid) F rf M rm rh X μh σh( ) μm,σf( ) sid=f rf M rm H rh kt=prfkm(0,sid) X=EncekF(kt) μh=macαm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) 27

28 Security Goals Authentication H H must authenticate M as one of the registered mobile devices M must authenticate H as home network M S F F must authenticate H as a roaming partner H must authenticate F as a roaming parter F trusts H to correctly authenticate M M trusts H to correctly authenticate F 28

29 AWRT - The protocol (simplified) M F rf F Internet H Permit H to auth M kt=prfkm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) μm=macαm(1,sid) M rm H rh μh μm Permit M to auth H kt=decdkf(x) KT = PRFkt(1,sid) F rf M rm rh X μh σh( ) μm,σf( ) sid=f rf M rm H rh kt=prfkm(0,sid) X=EncekF(kt) μh=macαm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) 29

30 Security Goals Authentication H H must authenticate M as one of the registered mobile devices M must authenticate H as home network M S F F must authenticate H as a roaming partner H must authenticate F as a roaming parter F trusts H to correctly authenticate M M trusts H to correctly authenticate F 30

31 AWRT - The protocol (simplified) M kt=prfkm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) μm=macαm(1,sid) F rf M rm H rh μh Permit H to auth F μm F Permit F to auth H kt=decdkf(x) KT = PRFkt(1,sid) Internet F rf M rm rh X μh σh( ) μm,σf( ) H sid=f rf M rm H rh kt=prfkm(0,sid) X=EncekF(kt) μh=macαm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) 31

32 Security Goals KM,H; KT Key establishment H End-to-end protection KM,H (end-to-end key) M S KM,H; KT F KT Protection of communication between M, H and F KT (tunnel key) 32

33 AWRT - The protocol (simplified) M F rf M rm H KT is derived from kt (PRF) kt=prfkm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) μm=macαm(1,sid) rh μh μm F kt is computed from SID & km kt=decdkf(x) KT = PRFkt(1,sid) Internet F rf M rm rh X μh σh( ) μm,σf( ) H sid=f rf M rm H rh kt=prfkm(0,sid) X=EncekF(kt) μh=macαm(0,sid) kt is sent (encrypted) to F KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) 33

34 AWRT - The protocol (simplified) M kt=prfkm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) μm=macαm(1,sid) F rf M rm H F KM,H is computed from SID & km rh μh μm kt=decdkf(x) KT = PRFkt(1,sid) Internet F rf M rm rh X μh σh( ) μm,σf( ) H sid=f rf M rm H rh kt=prfkm(0,sid) X=EncekF(kt) μh=macαm(0,sid) KT =PRFkt(1,sid) KM,H = PRFkM(2,sid) 34

35 Remarks on efficiency The number of messages exchanged between F and H is the key point for protocol duration The mobile can already send data packet after one RTT M can be a light mobile device (e.g., a smart phone) No asymmetric key crypto computation in M 35

36 Practical Realizations of the Mechanism Proposals AWRT : In IEEE802.1X as a new EAP method The tunnel between F and H A Layer-2 tunnel End-to-End security ESP (Encapsultating Security Payload) (within IPsec) 36

37 Optional Protocol Extensions (discussed in the paper) Forward Secrecy Using DH techniques Denial-of-Service and Hijacking protection Confidentiality for M Accounting for Roaming 37

38 Conclusion Summary of security advantages Tunnels permits : For F: No harm to its network and reputation For M: have the same services as at home Force M to use the tunnel (and to H!) F is authenticated by H! (not by M that can be subjected to phishing/spoofing) 38

39 Conclusion Contributions WRT is not really new but it is the first time it is used for a such use AWRT permits 3-party-authentication & - key agreement in WRT Based on a formal security model A protocol has been designed 39

40 Questions? Mark Manulis Damien Leroy UCL Crypto Group (former member) IP Networking Lab