Security of Eduroam Passwords
The University of Tartu has decided that the username and password for the university's wireless network must be the same as the username and password used for the university account. This means that if there is any weakness in the university's eduroam network, it could potentially be exploited to gain access to users' university accounts. This research has discovered one such weakness, in which a spoofed wireless access point is created in order to capture the client-side response of the protocol used to authenticate the user. From this response an attacker can recover a hash of the user's password, which in turn can be used to authenticate to the University of Tartu's Samba server. The research includes descriptions of eduroam and of the protocols involved in the attack, as well as proposals for how to make the University of Tartu's eduroam more secure.

The University of Tartu has decided that the university's eduroam accounts will share the same user credentials as the rest of the university's services. This could potentially be abused by exploiting weaknesses in wireless security in order to gain access to a user's university account. The aim of this research was to uncover any such weaknesses. In the course of the research, an attack was discovered which uses a spoofed access point to capture a handshake between the user and the authenticator, which can be used to retrieve a hash of the user's password. That hash is then used to authenticate to the university's Samba server. The thesis also provides the reader with details on how eduroam and the protocols used in the attack work, and discusses potential improvements to strengthen the security of Tartu University's eduroam.
IPv6 Network Mobility
Network Authentication, Authorization, and Accounting (AAA) has been used since before the days of the Internet as we know it today. Authentication asks the question, "Who or what are you?" Authorization asks, "What are you allowed to do?" And finally, accounting wants to know, "What did you do?" These fundamental security building blocks are being used in expanded ways today. The first part of this two-part series focused on the overall concepts of AAA, the elements involved in AAA communications, and high-level approaches to achieving specific AAA goals. It was published in IPJ Volume 10, No. 1 [0]. This second part of the series discusses the protocols involved, specific applications of AAA, and considerations for the future of AAA.
WI-FI ALLIANCE HOTSPOT 2.0 SPECIFICATION BASED NETWORK DISCOVERY, SELECTION, AUTHENTICATION, DEPLOYMENT AND FUNCTIONALITY TESTS.
The demand for high mobile data throughput has grown dramatically, since there has been a significant increase in the number of mobile communication devices capable of providing high data rates. It is clearly observed that even next-generation cellular networks are not able to meet this demand for mobile data transmission capacity. Although WLAN responds to this demand by providing data rates upwards of 600 Mbps, it is not convenient in terms of cellular-like mobility and requires user intervention every time a device reconnects to a hotspot. Therefore the need for a new technology arose, and IEEE introduced a new amendment to the IEEE 802.11 standards family, called IEEE 802.11u. Based on the IEEE 802.11u amendment, the WFA developed the WFA Hotspot 2.0 Specification and started to certify Wi-Fi devices under the Passpoint certification program. This new technology was developed so that Wi-Fi capable devices can simply identify, select and associate to a hotspot without any user intervention, in a highly secure manner.
As the Hotspot 2.0 Specification is quite new in the market, it has been challenging to find academic papers on it; however, the IEEE 802.11u standard, Internet sources, white papers published by different companies and organizations, and discussions with telecommunication experts have enabled this master's thesis to achieve its goals.
This thesis provides network operators with a resource for understanding the Hotspot 2.0 Specification in terms of theory, network element requirements and deployment, by giving a thorough account of the system's functionality. A comprehensive theoretical background is provided that addresses WLAN technology, Passpoint elements, and IEEE 802.11u based network discovery, selection and authentication. In addition, Hotspot 2.0 network deployment scenarios with network core element requirements are designed, and Passpoint functionality tests are performed under different scenarios, with a comprehensive description of the test setup.
Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks
Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges in next-generation wireless networks, such as providing a flexible, adaptive, and reconfigurable architecture while offering cost-effective solutions to service providers. As WMNs become an increasingly popular replacement technology for last-mile connectivity to home networking and community and neighborhood networking, it is imperative to design efficient and secure communication protocols for these networks. However, several vulnerabilities exist in current protocols for WMNs. These security loopholes can be exploited by potential attackers to launch attacks on WMNs. The absence of a central point of administration makes securing WMNs even more challenging. The broadcast nature of transmission and the dependency on intermediate nodes for multi-hop communication lead to several security vulnerabilities in WMNs. The attacks can be external as well as internal in nature. External attacks are launched by intruders who are not authorized users of the network. For example, an intruding node may eavesdrop on packets and replay those packets at a later point in time to gain access to network resources. On the other hand, internal attacks are launched by nodes that are part of the WMN. One example of such an attack is an intermediate node dropping packets which it was supposed to forward. This chapter presents a comprehensive discussion of the current authentication and privacy protection schemes for WMNs. In addition, it proposes a novel security protocol for node authentication and message confidentiality and an anonymization scheme for privacy protection of users in WMNs.
Comment: 32 pages, 10 figures. The work is an extended version of the author's previous works submitted in CoRR: arXiv:1107.5538v1 and arXiv:1102.1226v
Development of security strategies using Kerberos in wireless networks
Authentication is the primary function used to reduce the risk of illegitimate access to IT services of any organisation. Kerberos is a widely used authentication protocol for authentication and access control mechanisms.
This thesis presents the development of security strategies using the Kerberos authentication protocol in wireless networks: a Kerberos key exchange protocol, Kerberos with timed delay, Kerberos with timed delay and delayed decryption, and Kerberos with timed delay, delayed decryption and password encryption properties. The thesis also includes a number of other research contributions, such as frequent key renewal under pseudo-secure conditions and temporarily closing the authentication server to external access to allow for secure key exchange.
A general approach for the analysis and verification of authentication properties, as well as of the Kerberos authentication protocol, is presented. Existing authentication mechanisms coupled with strong encryption techniques are considered, investigated and analysed in detail. The IEEE 802.1X standard and IEEE 802.11 wireless communication networks are also considered. First, existing security and authentication approaches for the Kerberos authentication protocol are critically analysed, with a discussion of their merits and weaknesses. Then the relevant terminology is defined and explained.
Since Kerberos exhibits some vulnerabilities, and the existing solutions have not treated the possibility of more than one authentication server in a strict sense, a three-way authentication mechanism is proposed as a possible solution to this problem. An authentication protocol has been developed to improve the three-way authentication mechanism for Kerberos. Dynamically renewing keys under pseudo-secure conditions involves a temporary interruption to link/server access. After describing and analysing a protocol that achieves improved security for authentication, an analytical method is used to evaluate the cost in terms of the degradation of system performability. Various results are presented.
An approach that involves a new authentication protocol is proposed. This new approach combines delayed decryption with timed authentication, using passwords and session keys for authentication purposes, and frequent key renewal under secure conditions. The analysis and verification of the authentication properties and the results for the designed protocol are presented and discussed.
Protocols often fail when they are analysed critically. Formal approaches have emerged to analyse protocol failures. Abstract languages are designed especially for the description of communication patterns. A notion of rank functions is introduced for analysis purposes as well. An application of this formal approach to a newly designed authentication protocol that combines delayed decryption with timed authentication is presented.
Formal methods for verifying cryptographic protocols are created to assist in ensuring that authentication protocols meet their specifications. Model checking techniques such as Communicating Sequential Processes (CSP) and the Failures-Divergence Refinement (FDR) checker are widely acknowledged for effectively and efficiently revealing flaws in protocols faster than most contemporary alternatives. Essentially, model checking involves a detailed search of all the states reachable by the components of a protocol model. In models that describe authentication protocols, the components, regarded as processes, are the principals, including the intruder (attacker), and the parameters for authentication such as keys, nonces, tickets, and certificates. In this research, the automated generation tool Casper is used to produce CSP descriptions. The proposed protocol models rely on trusted third parties in authentication transactions, while intruder capabilities are based on possible inductions and deductions. This research attempts to combine the two methods in model checking in order to realise an abstract description of an intruder with enhanced capabilities. The target protocol of interest is the Kerberos authentication protocol.
Increasing the strength of security mechanisms usually impacts performance thresholds. In recognition of this fact, the research adopts an analytical method known as spectral expansion to ascertain the level of impact that the resulting protocol amendments will have on performance. Spectral expansion is based on state exploration, which implies that it is subject, like model checking, to the state explosion problem. The performance characteristics of the amended protocols are examined relative to the existing protocols.
Numerical solutions are presented for all models developed.
Continuous-variable quantum authentication of physical unclonable keys
We propose a scheme for authentication of physical keys that are materialized by optical multiple-scattering media. The authentication relies on the optical response of the key when probed by randomly selected coherent states of light, and the use of standard wavefront-shaping techniques that direct the scattered photons coherently to a specific target mode at the output. The quadratures of the electromagnetic field of the scattered light at the target mode are analysed using a homodyne detection scheme, and the acceptance or rejection of the key is decided upon the outcomes of the measurements. The proposed scheme can be implemented with current technology and offers collision resistance and robustness against key cloning.
Comment: 15 pages, 7 figures
Cisco TrustSec deployment in the JYVSECTEC environment
The thesis was commissioned by the Jyväskylä Security Technology (JYVSECTEC) project, which operates on the premises of JAMK University of Applied Sciences. JYVSECTEC develops and maintains a cyber security development environment for research, development and training use. The goal of the work was to implement an identity-based information security solution using Cisco TrustSec components. The work consisted of design, testing and verification parts, as well as a guide for those who will use the environment in the future.
The network environment of the work consisted of Cisco Systems devices that supported TrustSec functionality. These devices included, among others, C3750X and C3560X switches, an ASA firewall and a WLC 2504. The main component of the work was Cisco Identity Services Engine (ISE), which was used to manage, among other things, network access in the form of authentication and authorization. The environment made use of the SGA architecture, which included NDAC authentication between network devices, traffic tagging with the SGT/SXP methods, testing of the firewall's SGFW feature and authentication of endpoints with the 802.1X protocol. L2-level encryption was also implemented between the endpoint and the switch using the 802.1AE (MACsec) protocol. The same encryption was also used between switches on completion of NDAC authentication.
The result of the thesis was an environment in which several TrustSec features were studied. In the future the environment can be used for further development and for training services.

The Bachelor's thesis was assigned by the Jyväskylä Security Technology (JYVSECTEC) project, which operates in the JAMK University of Applied Sciences (JAMK) environment. JYVSECTEC develops and maintains a closed cyber security infrastructure for research, development and training services. The goal of the thesis was to create an identity-based network solution using components of Cisco Trusted Security (TrustSec). The thesis consisted of design, testing and verification parts, along with a manual for future use.
The network environment in the thesis included TrustSec-capable devices manufactured by Cisco Systems, among others C3750X and C3560X switches, an ASA-5515X firewall and a WLC 2504. The main component was Cisco Identity Services Engine (ISE), which was used to handle policies in terms of authentication and authorization in the network. The environment utilized the SGA architecture, which included authenticating network devices with the NDAC procedure, handling traffic with SGT/SXP and testing the firewall's SGFW feature. The endpoints were authenticated with the 802.1X protocol using the EAP-FAST chaining method. After authentication, the L2 link between endpoint and switch was secured with the 802.1AE (MACsec) protocol. The same encryption was also used between switches.
The result of the thesis is a network environment including several TrustSec components. The solutions and features were tested and verified. In future the environment will be used in training services and further development.