Authentication and key establishment in wireless networks

Ph.DDOCTOR OF PHILOSOPH

Security of Eduroam Passwords

Tartu Ülikool on otsustanud, et ülikooli traadita ühenduse kasutajanimi ja parool peab ühtima ülikooli kontos kasutusel oleva kasutajanime ja parooliga. See tähendab, et juhul kui ülikooli eduroam võrgul leidub mõni nõrkus, on seda potentsiaalselt võimalik ära kasutada kasutajate ülikooli kontole ligipääsuks. Antud uurimistöö on avastanud ühe sellise nõrkuse, milles luuakse võltsitud traadita ühenduse pääsupunkt, et saada kätte kasutaja autentimiseks kasutatava protokolli kasutajapoolset vastust. Selle vastuse põhjal on ründajal võimalik kätte saada kasutaja parooli räsi, mida on omakorda võimalik kasutada Tartu Ülikooli Samba serveriga autentimiseks. Antud uurimistöö sisaldab eduroami ning rünnakus vaja minevate protokollide kirjeldusi ning ettepanekuid, kuidas Tartu Ülikooli eduroami turvalisemaks muuta.The University of Tartu has decided that the university's eduroam accounts will share the same user credentials as the rest of the university's services. This could potentially be abused by exploiting weaknesses in wireless security in order to gain access to a user's university account. The aim of this research was to uncover any such weaknesses. In the course of the research, an attack was discovered, which uses a spoofed access point to capture a handshake between the user and the authenticator, which can be used to retrieve a hash of the user's password. That hash is then used to authenticate to the university's Samba server. The thesis also provides the reader with details on how eduroam and the protocols used in the attack work, and discusses potential improvements to strengthen the security of Tartu University's eduroam

IPv6 Network Mobility

Network Authentication, Authorization, and Accounting has been used since before the days of the Internet as we know it today. Authentication asks the question, “Who or what are you?” Authorization asks, “What are you allowed to do?” And fi nally, accounting wants to know, “What did you do?” These fundamental security building blocks are being used in expanded ways today. The fi rst part of this two-part series focused on the overall concepts of AAA, the elements involved in AAA communications, and highlevel approaches to achieving specifi c AAA goals. It was published in IPJ Volume 10, No. 1[0]. This second part of the series discusses the protocols involved, specifi c applications of AAA, and considerations for the future of AAA

WI-FI ALLIANCE HOTSPOT 2.0 SPECIFICATION BASED NETWORK DISCOVERY, SELECTION, AUTHENTICATION, DEPLOYMENT AND FUNCTIONALITY TESTS.

The demand for high mobile data transmission has been dramatically enlarged since there is a significant increase at the number of mobile communication devices that capable of providing high data rates. It is clearly observed that even the next generation cellular networks are not able to respond to this demand to provide the required level of mobile data transmission capacity. Although, WLAN responses to this demand by providing upwards of 600 Mbps data rates it is not convenient in terms of cellular like mobility and requires user intervention anytime of reconnection to a hotspot. Therefore, the need for a new technology took place and IEEE has introduced a new amendment to IEEE 802.11 standards family which is called as IEEE 802.11u. Based on IEEE 802.11u amendment, WFA developed WFA Hotspot 2.0 Specification and started to certify the Wi-Fi devices under Passpoint certification program. This new technology developed to provide Wi-Fi capable devices simply identify, select and associate to a Hotspot without any user intervention in a highly secure manner. As Hotspot 2.0 Specification is quite new in the market it has been a challenging work to reach some academic papers; however, IEEE 802.11u standard, Internet sources, white papers published by different companies/organizations and discussions with telecommunication experts have made this master thesis to achieve its goals. This thesis work provides a great resource for the network operators to have a great understanding of the Hotspot 2.0 Specification in terms of theory, network element requirements and deployment by providing a good understanding of the system functionality. In this paper, a comprehensive theoretical background that addresses to WLAN technology, Passpoint elements, and IEEE 802.11u based network discovery, selection and authentication is provided. Besides, Hotspot 2.0 network deployment scenarios with network core element requirements are designed and Passpoint functionality tests are performed under different scenarios by describing a comprehensive setup for the testing.fi=Opinnäytetyö kokotekstinä PDF-muodossa.|en=Thesis fulltext in PDF format.|sv=Lärdomsprov tillgängligt som fulltext i PDF-format

Secure and Privacy-Preserving Authentication Protocols for Wireless Mesh Networks

Wireless mesh networks (WMNs) have emerged as a promising concept to meet the challenges in next-generation wireless networks such as providing flexible, adaptive, and reconfigurable architecture while offering cost-effective solutions to service providers. As WMNs become an increasingly popular replacement technology for last-mile connectivity to the home networking, community and neighborhood networking, it is imperative to design efficient and secure communication protocols for these networks. However, several vulnerabilities exist in currently existing protocols for WMNs. These security loopholes can be exploited by potential attackers to launch attack on WMNs. The absence of a central point of administration makes securing WMNs even more challenging. The broadcast nature of transmission and the dependency on the intermediate nodes for multi-hop communications lead to several security vulnerabilities in WMNs. The attacks can be external as well as internal in nature. External attacks are launched by intruders who are not authorized users of the network. For example, an intruding node may eavesdrop on the packets and replay those packets at a later point of time to gain access to the network resources. On the other hand, the internal attacks are launched by the nodes that are part of the WMN. On example of such attack is an intermediate node dropping packets which it was supposed to forward. This chapter presents a comprehensive discussion on the current authentication and privacy protection schemes for WMN. In addition, it proposes a novel security protocol for node authentication and message confidentiality and an anonymization scheme for privacy protection of users in WMNs.Comment: 32 pages, 10 figures. The work is an extended version of the author's previous works submitted in CoRR: arXiv:1107.5538v1 and arXiv:1102.1226v

Development of security strategies using Kerberos in wireless networks

Authentication is the primary function used to reduce the risk of illegitimate access to IT services of any organisation. Kerberos is a widely used authentication protocol for authentication and access control mechanisms. This thesis presents the development of security strategies using Kerberos authentication protocol in wireless networks, Kerberos-Key Exchange protocol, Kerberos with timed-delay, Kerberos with timed-delay and delayed decryption, Kerberos with timed-delay, delayed decryption and password encryption properties. This thesis also includes a number of other research works such as, frequently key renewal under pseudo-secure conditions and shut down of the authentication server to external access temporarily to allow for secure key exchange. A general approach for the analysis and verification of authentication properties as well as Kerberos authentication protocol are presented. Existing authentication mechanisms coupled with strong encryption techniques are considered, investigated and analysed in detail. IEEE 802.1x standard, IEEE 802.11 wireless communication networks are also considered. First, existing security and authentication approaches for Kerberos authentication protocol are critically analysed with the discussions on merits and weaknesses. Then relevant terminology is defined and explained. Since Kerberos exhibits some vulnerabilities, the existing solutions have not treated the possibilities of more than one authentication server in a strict sense. A three way authentication mechanism addresses possible solution to this problem. An authentication protocol has been developed to improve the three way authentication mechanism for Kerberos. Dynamically renewing keys under pseudo-secure situations involves a temporary interruption to link/server access. After describing and analysing a protocol to achieve improved security for authentication, an analytical method is used to evaluate the cost in terms of the degradation of system performability. Various results are presented. An approach that involves a new authentication protocol is proposed. This new approach combines delaying decryption with timed authentication by using passwords and session keys for authentication purposes, and frequent key renewal under secure conditions. The analysis and verification of authentication properties and results of the designed protocol are presented and discussed. Protocols often fail when they are analysed critically. Formal approaches have emerged to analyse protocol failures. Abstract languages are designed especially for the description of communication patterns. A notion of rank functions is introduced for analysing purposes as well. An application of this formal approach to a newly designed authentication protocol that combines delaying the decryption process with timed authentication is presented. Formal methods for verifying cryptographic protocols are created to assist in ensuring that authentication protocols meet their specifications. Model checking techniques such as Communicating Sequential Processes (CSP) and Failure Divergence Refinement (FDR) checker, are widely acknowledged for effectively and efficiently revealing flaws in protocols faster than most other contemporaries. Essentially, model checking involves a detailed search of all the states reachable by the components of a protocol model. In the models that describe authentication protocols, the components, regarded as processes, are the principals including intruder (attacker) and parameters for authentication such as keys, nonces, tickets, and certificates. In this research, an automated generation tool, CASPER is used to produce CSP descriptions. Proposed protocol models rely on trusted third parties in authentication transactions while intruder capabilities are based on possible inductions and deductions. This research attempts to combine the two methods in model checking in order to realise an abstract description of intruder with enhanced capabilities. A target protocol of interest is that of Kerberos authentication protocol. The process of increasing the strength of security mechanisms usually impacts on performance thresholds. In recognition of this fact, the research adopts an analytical method known as spectral expansion to ascertain the level of impact, and which resulting protocol amendments will have on performance. Spectral expansion is based on state exploration. This implies that it is subject, as model checking, to the state explosion problem. The performance characteristics of amended protocols are examined relative to the existing protocols. Numerical solutions are presented for all models developed

Continuous-variable quantum authentication of physical unclonable keys

We propose a scheme for authentication of physical keys that are materialized by optical multiple-scattering media. The authentication relies on the optical response of the key when probed by randomly selected coherent states of light, and the use of standard wavefront-shaping techniques that direct the scattered photons coherently to a specific target mode at the output. The quadratures of the electromagnetic field of the scattered light at the target mode are analysed using a homodyne detection scheme, and the acceptance or rejection of the key is decided upon the outcomes of the measurements. The proposed scheme can be implemented with current technology and offers collision resistance and robustness against key cloning.Comment: 15 pages, 7 figure

Cisco TrustSec käyttöönotto JYVSECTEC-ympäristössä

Opinnäytetyön toimeksiantajana toimi Jyväskylä Security Technology (JYVSECTEC)-hanke, joka toimii Jyväskylän ammattikorkeakoulun tiloissa. JYVSECTEC kehittää ja ylläpitää kyberturvallisuuden kehitysympäristöä tutkimus, kehitys ja koulutuskäyttöön. Tavoitteena työssä oli toteuttaa identiteettipohjainen tietoturva-ratkaisu käyttäen hyväksi Cisco TrustSec-komponentteja. Työ koostui suunnittelu-, testaus- ja todennusosioista sekä ohjeesta ympäristöä tulevaisuudessa hyödyntäville. Työn verkkoympäristö koostui Cisco Systemsin laitteista, jotka tukivat TrustSec-toiminnallisuuksia. Näitä laitteita olivat mm. C3750X- ja C3560X-kytkimet, ASA-palomuuri, sekä WLC 2504. Pääkomponenttina työssä toimi Cisco Identity Services Engine (ISE), jolla hallinnoitiin mm. verkkoon pääsyä autentikoimisen ja valtuuttamisen muodossa. Ympäristössä hyödynnettiin SGA-arkkitehtuuria, johon sisältyi mm. verkkolaitteiden välinen NDAC-autentikointi, liikenteen merkkaamista SGT/SXP-menetelmillä, palomuurin SGFW-ominaisuuden testaamista ja päätelaitteiden autentikoimista 802.1X-protokollalla. Päätelaitteen ja kytkimen välillä toteutettiin myös L2-tason salaus 802.1AE (MACsec)-protokollan avulla. Samaa salausta käytettiin myös kytkinten välillä NDAC-autentikoinnin päätteeksi. Opinnäytetyön tuloksena syntyi ympäristö, jossa tutkittiin useita TrustSec-ominaisuuksia. Tulevaisuudessa ympäristöä voidaan hyödyntää jatkokehityksessä ja koulutuspalveluissa.The Bachelor's thesis was assigned by Jyväskylä Security Technology (JYVSECTEC) project which operates in the JAMK University of Applied Sciences (JAMK) environment. JYVSECTEC develops and maintains closed cyber security infrastructure for research, development and training-services. Goal of the thesis was to create identity-based network solution by using components of Cisco Trusted Security (TrustSec). Thesis conducted from design, testing- and verifying parts along with creating a manual for future use. The network environment in the thesis included TrustSec-capable devices manufactured by Cisco Systems, among others C3750X and C3560X switches, ASA-5515X firewall and WLC 2504. The main component was Cisco Identity services Engine (ISE) which was used to handle mainly policies in terms of authentication and authorization in network. The environment utilized SGA architecture which included authenticating network devices with NDAC procedure, handling traffic with SGT/SXP and testing firewall SGFW feature. The endpoints were authenticated with 802.1X protocol by using EAP-FAST chaining method. After authentication the L2 link between endpoint and switch was secured with 802.1AE (MACsec) protocol. The same encryption was also used between switches. The result of the thesis is a network environment including several TrustSec components. The solutions and features were tested and verified. In future the environment will be used in training services and further development