ENHANCING PUBLIC WIFI SECURITY

Similar documents
PROTECTED EXTENSIBLE AUTHENTICATION PROTOCOL

Configuring the Client Adapter through the Windows XP Operating System

Network Security 1. Module 7 Configure Trust and Identity at Layer 2

Protected EAP (PEAP) Application Note

Configuring the Client Adapter through Windows CE.NET

ilight/gigapop eduroam Discussion Campus Network Engineering

Authentication and Security: IEEE 802.1x and protocols EAP based

TestsDumps. Latest Test Dumps for IT Exam Certification

Seamless Yet Secure -Hotspot Roaming

Aruba PEAP-GTC Supplicant Plug-In Guide

802.1X: Deployment Experiences and Obstacles to Widespread Adoption

Exam : PW Title : Certified wireless security professional(cwsp) Version : DEMO

Table of Contents. 4 System Guard Configuration 4-1 System Guard Overview 4-1 Guard Against IP Attacks 4-1 Guard Against TCN Attacks 4-1

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

Configuring the Client Adapter through the Windows XP Operating System

Cisco Exam Questions and Answers (PDF) Cisco Exam Questions BrainDumps

802.1X: Background, Theory & Implementation

Install Certificate on the Cisco Secure ACS Appliance for PEAP Clients

Cisco Structured Wireless-Aware Network (SWAN) Implementation Guide

Configuring 802.1X Settings on the WAP351

802.1x. ACSAC 2002 Las Vegas

FAQ on Cisco Aironet Wireless Security

RADIUS Configuration Note WINS : Wireless Interoperability & Network Solutions

TopGlobal MB8000 Hotspots Solution

How to connect to Wi-Fi

CUA-854 Wireless-G Long Range USB Adapter with Antenna. User s Guide

Csci388. Wireless and Mobile Security Access Control: 802.1X, EAP, and RADIUS. Importance of Access Control. WEP Weakness. Wi-Fi and IEEE 802.

Configuring FlexConnect Groups

Cisco Exam Questions & Answers

Configuring Authentication Types

ISE Primer.

Configuring EAP-FAST CHAPTER

Exam HP2-Z32 Implementing HP MSM Wireless Networks Version: 7.1 [ Total Questions: 115 ]

Cisco Securing Cisco Wireless Enterprise Networks (WISECURE) Download Full Version :

Wireless LAN Security. Gabriel Clothier

Authentication and Security: IEEE 802.1x and protocols EAP based

Configuring 802.1X Authentication Client for Windows 8

Configure Network Access Manager

802.1x Port Based Authentication

Instructions for connecting to winthropsecure

Securing Wireless LANs with Certificate Services

Implementing X Security Solutions for Wired and Wireless Networks

P ART 3. Configuring the Infrastructure

WLAN Roaming and Fast-Secure Roaming on CUWN

Chapter 4 Configuring 802.1X Port Security

Port-based authentication with IEEE Standard 802.1x. William J. Meador

Configuring Funk Odyssey Software, Avaya AP-3 Access Point, and Avaya

Exam Questions CWSP-205

Cisco 4400 Series Wireless LAN Controllers PEAP Under Unified Wireless Networks with Microsoft Internet Authentication Service (IAS)

Table of Contents. Why doesn t the phone pass 802.1X authentication?... 16

Setting Up Cisco SSC. Introduction CHAPTER

Attacking Networks. Joshua Wright LightReading LIVE! October 1, 2003

Appendix E Wireless Networking Basics

BYOD: BRING YOUR OWN DEVICE.

D. The bank s web server is using an X.509 certificate that is not signed by a root CA, causing the user ID and password to be sent unencrypted.

Cisco Desktop Collaboration Experience DX650 Security Overview

Configuring the Client Adapter

Network Systems. Bibliography. Outline. General principles about Radius server. Radius Protocol

Vendor: HP. Exam Code: HP2-Z32. Exam Name: Implementing HP MSM Wireless Networks. Version: Demo

COPYRIGHTED MATERIAL. Contents

Internet Access: Wireless WVU.Encrypted Network Connecting a Windows 7 Device

User Databases. ACS Internal Database CHAPTER

simplifying... Wireless Access

The following chart provides the breakdown of exam as to the weight of each section of the exam.

Network Access Flows APPENDIXB

802.1x Configuration. Page 1 of 11

Connect to eduroam WiFi

Wireless Network Security Spring 2015

ipad in Business Security Overview

Server Certificate Validation

ExamTorrent. Best exam torrent, excellent test torrent, valid exam dumps are here waiting for you

Wireless Specifications. Wi-Fi Roaming Architecture and Interfaces Specification. WR-SP-WiFi-ROAM-I ISSUED. Notice

Cisco Exam Implementing Advanced Cisco Unified Wireless Security v2.0 Version: 9.0 [ Total Questions: 206 ]

11B/G Wireless Mini PCI Adapter WL533MAM User s Manual

About 802.1X... 3 Yealink IP Phones Compatible with 802.1X... 3 Configuring 802.1X Settings... 5 Configuring 802.1X using configuration files...

Table of Contents X Configuration 1-1

Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

Rhodes University Wireless Network

IPv6 Community Wifi. Unique IPv6 Prefix per Host. IPv6 Enhanced Subscriber Access for WLAN Access Gunter Van de Velde Public.

Release Notes for Avaya WLAN 9100 AOS-Lite Operating System WAP9112 Release WAP9114 Release 8.1.0

Security in IEEE Networks

Agile Controller-Campus V100R002C10. Permission Control Technical White Paper. Issue 01. Date HUAWEI TECHNOLOGIES CO., LTD.

Wireless Network Security Spring 2016

b/g/n 1T1R Wireless USB Adapter. User s Manual

MCSA Guide to Networking with Windows Server 2016, Exam

Ju-A A Lee and Jae-Hyun Kim

NXC Series. Handbook. NXC Controllers NXC 2500/ Default Login Details. Firmware Version 5.00 Edition 19, 5/

Configuring Local EAP

Configuring OfficeExtend Access Points

Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

Network Policy Controller UAM/RADIUS Guide

How to connect your device using eduroam

Configuring WDS, Fast Secure Roaming, Radio Management, and Wireless Intrusion Detection Services

Standard For IIUM Wireless Networking

IMPORTANT INFORMATION FOR CURTIN WIRELESS ACCESS - STUDENT / WINDOWS XP -

Cross-organisational roaming on wireless LANs based on the 802.1X framework Author:

Network. NEC Portable Projector NP905/NP901W WPA Setting Guide. Security WPA. Supported Authentication Method WPA-PSK WPA-EAP WPA2-PSK WPA2-EAP

Cisco Exam Questions & Answers

IEEE 802.1x, RADIUS AND DYNAMIC VLAN ASSIGNMENT

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

Transcription:

ENHANCING PUBLIC WIFI SECURITY A Technical Paper prepared for SCTE/ISBE by Ivan Ong Principal Engineer Comcast 1701 John F Kennedy Blvd Philadelphia, PA 19103 215-286-2493 Ivan_Ong@comcast.com 2017 SCTE-ISBE and NCTA. All rights reserved.

Title Table of Contents Page Number 1. Abstract 3 2. Overview 3 3. EAP Primer 4 4. IEEE 802.1x and EAPOL 5 5. EAP-TLS Primer 6 6. Certificates 9 7. Implementation 10 8. Looking Forward 11 9. Abbreviations 11 10. Bibliography & References 11 2017 SCTE-ISBE and NCTA. All rights reserved. 2

1. Abstract Approximately 15 million Xfinity WiFi public hotspots are available today domestically, the total tonnage or usage for the month of Jan 2017 was 174 Petabytes and there were 1.79 billion sessions. More than 7 million apps were downloaded on the network in that month. Ensuring the security of the users on public hotspots will minimize threats and provide an overall improved user experience. This paper will explore EAP-TLS mechanism and its implementation approach on public WiFi. 2. Overview At a minimum, a typical hotspot broadcasts an open and secure SSID today, with EAP-TTLS and EAP- GTC mechanisms to ensure service compatibility primarily for Android and ios systems. A user has the option of associating their mobile client to either SSID, however, a profile is generated for secure SSID association as it offers some advantages over a non-secure SSID. A mobile client associating to a secure SSID today will have the ability to generate and download a profile that will ensure connectivity to a valid trusted service provider hotspot due to the server authentication that occurs in the EAP inner mechanism that is employed. The majority of Android mobile clients are accommodated by the EAP-TTLS method which performs a two-phase authentication: the outer authentication, from server to client, mandates the client to authenticate the server certificate. Once validated, a TLS tunnel is established; the inner authentication, from client to server, will then exchange encrypted information typically based on a simple non-tls authentication method. In the case of Xfinity WiFi, username and password credentials are exchanged. The majority of ios mobile clients are accommodated by the EAP-GTC method, a basic EAP standard that utilizes token management for authentication. This method was employed due to the fact that ios requires an Apple based application to generate a profile; without relying on the user to download an application that may seem intrusive to the inherent connection manager, this method was the most viable approach. This is used as a stepping stone to generating the profile remotely and subsequent associations will leverage the EAP-TTLS mechanisms. EAP-GTC does not protect the authentication data, both text challenge and reply are sent as clear text. Combine with EAP-PEAP, MSCHAP, for windows mobile clients, EAP-TTLS and EAP-GTC mechanisms do offer some form of security assurance, however, the path to improve user experience led us towards the employment of EAP-TLS which offers improvements over these EAP methods. EAP-TLS mandates server and client certificate based authentication. In brief, certificates are used instead of a subscriber s username and password as credentials. The content within the certificate typically consists of various attributes that are encrypted, the subscribers username and password are typically not included within. While this requirement makes it more secure than most other EAP methods, it is more challenging to deploy as it requires certificates to be generated and there is additional cost incurred in using a trusted 2017 SCTE-ISBE and NCTA. All rights reserved. 3

Certificate Authority (CA) to produce these certificates. There are benefits of using a trusted Certificate Authority as most of the Global Certs are already embedded within various devices operating systems and applications. This enables the client to server/ap authentication to occur seamlessly and to ensure the subscriber is associated with a trusted AP and not a rogue AP. To understand the improvements that are proposed, let s explore the specifics around EAP and IEEE 802.1x. 3. EAP Primer EAP, Extensible Authentication Protocol, is an authentication framework developed to function at the link layer. It is defined in RFC 3748 and updated in RFC 5247. There are many authentication mechanisms that functions within the EAP framework, they were developed by various vendors to accommodate different operating systems. EAP is designed to function within the link layer, negotiation occurs between the supplicant (end user mobile client) and the Authentication Server (typically a RADIUS server) via an Authenticator (typically an Access Point with RADIUS client). RADIUS attributes are required to be supported for each new authentication mechanism that is developed. Figure 1 depicts the high-level flow of an EAP transaction Figure 1 - High Level EAP exchange between Supplicant and Authentication Server via Authenticator 2017 SCTE-ISBE and NCTA. All rights reserved. 4

4. IEEE 802.1x and EAPOL The IEEE 802.1x standard and EAP over LAN (EAPOL) are typically coined as the same term, they referenced one another within the standard. IEEE 802.1x is found within the 802.11i standards where security attributes such as WPA2 (WiFi Protected Access version 2), TKIP and AES are derivatives. IEEE 802.1x is an IEEE standard for port based Network Access Control, what this translates to is access managed by means of a port. Until authentication is validated, access is blocked by the port to a LAN or WLAN. It does so by encapsulating EAP protocol over IEEE 802, also known as EAPOL. Figure 2 depicts the EAPOL frame and Figure 3 the EAPOL high level flow, as mentioned previously, the EAPOL frame contains destination and source MAC address but no network frame blocks as it functions on the Link Layer Figure 2 - EAPOL Frame structure 2017 SCTE-ISBE and NCTA. All rights reserved. 5

Figure 3 - EAPOL High Level Flow 5. EAP-TLS Primer EAP-Transport Layer Security (TLS) is the authentication mechanism selected to provide a secure experience. EAP-TLS, as defined in RFC 5216, is an IETF open standard that requires the use of both client and server certificates, preferably from a trusted Certificate Authority (CA). This is known as mutual authentication where certificates from both entities are validated prior to enabling access. Certificates adhere to the x.509 standard where the process of invoking a certificate is defined clearly with specific attributes such as encryption type, method, organization name, expiration date, extensions, among others are supported by most Certificate Authorities in their Public Key Infrastructure specifications. Please refer to Figure 4 for the structure of an x.509 certificate: 2017 SCTE-ISBE and NCTA. All rights reserved. 6

Figure 4 - x.509 Certificate Structure Attributes within the certificate are defined by the organization and issued by the Certificate Authority. A public and private key is established as part of the certificate generation process, the certificate(s) are then chained to a trusted root certificate of the CA. The server and client certificate will contain the private keys that are only known to itself and the CA, it is used to decrypt the public key that are then distributed to other devices/applications. An analogy would be a user accessing their banking website today, the mobile device employs the use of a browser that contains certain certificates (private key) that are inherently trusted and embedded. When the banking website is accessed, the SSL transaction would be called upon and check the certificate (public key) of the website to ensure it is a legitimate website. With EAP-TLS, the exchange occurs on both ends with the client and the server validating both certificates. If the server certificate is not who they claimed to be, then the authentication fails, this would be akin to preventing connectivity to a rogue AP with the added benefit of validating the client as well. It the server certificate passes but the client certificate fails, that could be translated as a user who is no longer a valid subscriber due to a number of reasons. 2017 SCTE-ISBE and NCTA. All rights reserved. 7

Figure 5 depicts the EAP-TLS flow, it is based off the EAPOL message flow if compared with Figure 3. Digital certificates are used in place of username and password as credentials. Mutual authentication exchange certain RADIUS attributes between the mobile client (supplicant) and the Authentication Server (RADIUS server) via the AP (NAS). A series of RADIUS messages are exchanged after the initial EAPOL transaction is initiated, a RADIUS Access-Request will be invoked as a result of an EAP- Response/Identity call. Common RADIUS attributes in this flow include NAS-Id, NAS-Port, Calling- Station-Id. The RADIUS server in turn will send a RADIUS Access-Challenge message to the AP which produces an EAP-Request message to the mobile client. Common RADIUS attributes in this flow includes Session-Timeout, Service-Type. The mobile client then responds with an EAP-Response [containing the certificate] to the AP which will produce a RADIUS-Access-Request message where AAA will then validate the certificate. If certificate is valid, AAA will return a RADIUS-Access-Accept message and the session keys to the AP, and in turn an EAP success. Figure 5 - EAP-TLS message flow 2017 SCTE-ISBE and NCTA. All rights reserved. 8

6. Certificates Essentially, two forms of authentication will occur in EAP-TLS: network will be authenticated against client, then client will be authenticated against network. Instead of using username and password, certificates are the common elements involved. On the network side, the certificate may reside on the AAA or any component playing the role of the AAA server. Figure 6 displays a sample certificate on the network side: Figure 6 - Server Certificate Some of the common attributes defined within a server cert are the Country, State, Locality, Subject, Organization, Organizational Unit, Common Name. The certificate encryption may be RSA or ECC based, typically with a 2048 modulus bit encryption applied. Ultimately, the server cert is chained to the trusted CA Root Cert that is prevalent on most device operating systems root store. 2017 SCTE-ISBE and NCTA. All rights reserved. 9

Figure 7 displays a sample certificate on the client side which is generated based on certain user attributes. Ultimately, the certificate is chained to a trusted Root CA. Figure 7 - Client Certificate 7. Implementation The benefits of employing certificates mutually between server and client and vice versa ensures a secure and seamless on-boarding experience for the user. To achieve this, many factors come into play such as certificates from trusted Certificate Authorities, core network infrastructure upgrades (such as captive portal development), policy changes (primarily to AAA), AP security features support (to support EAP mechanisms), and app development for various client operating systems (to provide an intuitive user interface) The user interface will essentially redirect a user to a captive portal to assist in generating and installation of a client certificate based on certain required parameters. This is the initial encounter which will not be repeated unless in the event of an expired certificate or when deemed necessary to reissue a new certificate. Subsequent client associations will not require any user input, the EAP-TLS exchange would ensure a transparent, secure connectivity between the client and AP. Even in a roaming scenario between APs, the certificates exchange would occur in the background and help authenticate and validate the mobile client on their respective service provider public WiFi network. 2017 SCTE-ISBE and NCTA. All rights reserved. 10

8. Looking Forward The security implementation of EAP-TLS will help ensure the proper framework is in place to accommodate other EAP mechanism as additional services are offered that may take advantage of the public WiFi network such as cellular service. The underlying foundation are in place to also support other industry standard specifications such as Hotspot 2.0. As the implementation help evolve the public WiFi network to a carrier grade level, the users will only stand to benefit from these changes. 9. Abbreviations Acronyms AAA AP CA EAP EAPOL GTC IEEE LAN Description Authentication, Authorization and Accounting Access Point Certificate Authority Extensible Authentication Protocol Extensible Authentication Protocol over LAN Generic Token Card Institute of Electrical and Electronics Engineers Local Area Network 10. Bibliography & References 802.11 Wireless Networks: The Definitive Guide, 2005, O Reilly, Matthew Gast R10.0 WiFi Authentication with EAP. LCW442H-V3.0-SG Edition 1, NokiaEDU Figure 2: http://www.zyxeltech.de/snotezw5_362/app/8021x.htm Figure 4: https://www.slideshare.net/koolkampus/chapter-ns4 2017 SCTE-ISBE and NCTA. All rights reserved. 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback