19 research outputs found

    Integration of the Captive Portal paradigm with the 802.1X architecture

    In a scenario where hotspot wireless networks are increasingly being used, and given the amount of sensitive information exchanged in Internet interactions, there is a need to implement security mechanisms that guarantee data confidentiality and integrity in such networks, as well as the authenticity of the hotspot providers. However, many hotspots today use Captive Portals, which rely on authentication through Web pages (thus, an application-level authentication approach) instead of a link-layer approach. The consequence is that there is no security on the wireless link to the hotspot (it has to be provided at upper protocol layers), and it is cumbersome to manage wireless access profiles (special applications or browser add-ons are needed to do that). This work exposes the weaknesses of the Captive Portal paradigm, which follows neither a unique nor a standard approach, and describes a solution that intends to suppress them, based on the 802.1X architecture. This solution uses a new EAP-compliant protocol that is able to integrate an HTTP-based registration or authentication with a Captive Portal within the 802.1X authentication framework.

    Captive Portal Network Authentication Based on WebAuthn Security Keys

    [Abstract]: Network authentication is performed via different technologies, which have evolved together with authentication systems in other environments. In all these environments, the authentication paradigm during the last decades has been the well-known password. However, passwords have some important security problems, like phishing or keylogging. In 2019, the WebAuthn standard from the W3C started a new authentication paradigm based on hardware devices known as security keys. Although they are already being used in many web authentication services, they have not yet been integrated with network authentication mechanisms. This work successfully developed and integrated an authentication server based on WebAuthn security keys with a captive portal system. With this solution, users can be authenticated using security keys within a web-based captive portal network authentication system that gives clients access to network resources. The resulting authentication server is compatible with major operating systems like Windows 10 and Ubuntu 20.04, browsers like Firefox and Google Chrome and security keys like the Solokey and the Yubikey.

    [Abstract, translated from Galician]: Network authentication is performed through different technologies, which have evolved together with authentication systems in other scenarios. In all these scenarios, the authentication paradigm during the last decades has been the well-known password. However, passwords have some important security problems, such as phishing or keylogging. In 2019, the W3C's WebAuthn standard started a new authentication paradigm based on physical devices known as security keys. Although these are already being used in many web authentication services, they have not yet been integrated into network authentication mechanisms. This work successfully developed and integrated an authentication server based on WebAuthn security keys with a captive portal system. With this solution, users can authenticate using security keys in a web-based captive portal network authentication system that gives clients access to network resources. The resulting authentication server is compatible with relevant operating systems such as Windows 10 or Ubuntu 20.04, browsers such as Firefox and Google Chrome, and security keys such as the Solokey and the Yubikey. Master's thesis (UDC.FIC). Cybersecurity. Academic year 2021/202

    Integração do paradigma de captive portals com a arquitetura 802.1X

    Master's in Computer and Telematics Engineering

    In a scenario where hotspot networks are increasingly used, widespread and gaining more subscribers, given the amount of sensitive information exchanged on this type of network and the variety of their users, who may not be trustworthy, there is a need to implement security mechanisms that guarantee data confidentiality and integrity, as well as to guarantee that announced networks are genuine, avoiding rogue networks. Captive portals are portals provided by networks of this type where a user logs in; they are a greater risk as they imply the transmission of sensitive data in a non-standardized way. This work explores the weaknesses of this paradigm and describes a solution that intends to suppress them, based on the 802.1X architecture. This solution consists of creating an EAP-compliant protocol in order to integrate an HTTP-based authentication within the 802.1X authentication framework.

    [Translated from Portuguese] In a scenario where hotspot networks are progressively more used and present and gaining more subscribers, with the amount of sensitive information transmitted in this type of network and with the variety of these same users, who may or may not be trustworthy, security mechanisms are needed that guarantee the confidentiality and integrity of data, as well as guaranteeing that announced networks are authenticated, avoiding malicious networks. Captive portals, portals provided by networks of this type where the login takes place, are an even greater risk because they imply the transmission of sensitive data in a non-standard way. This work explores the weaknesses of this paradigm and presents a solution that intends to address them, based on the 802.1X architecture. This solution consists of creating an extension of the EAP protocol in order to integrate authentication via HTTP with the 802.1X authentication process.

    Penerapan Sistem Absensi Kehadiran Pegawai Berbasis Jaringan Wireless WPA2 Enterprise

    [Translated from Indonesian] Abstract—Attendance systems and Internet networks are two technology-related things that are generally needed in every company or institution. Generally, every time employees arrive and leave, they are required to record attendance by going to the attendance machine and checking in via fingerprint or face detection, a process that sometimes takes time before they can enter the workspace, because the workspace and the location of the attendance machine are quite far apart. To help employees do two things at once, namely Wi-Fi authentication and recording attendance, an attendance system that uses the Wi-Fi network is needed. To implement a Wi-Fi network authentication system suitable for attendance, an authentication system is needed that can directly use a username and password, without a captive portal that requires a browser for authentication. This need can be met by using the WPA2 Enterprise authentication method, where each employee only needs to enter a username and password in the form of the email address and password provided by the institution; they then immediately join the Wi-Fi network and at the same time are recorded for attendance. To implement WPA2 Enterprise, freeradius is needed to process the authentication data from employees, which is then verified again through LDAP; in this case UNESA uses Google LDAP. The authentication flow is as follows: the employee connects to the Wi-Fi network and enters a username and password, then the access point forwards the verification process to freeradius, and freeradius verifies and validates the account. The attendance data is taken from successful login activity in the Wi-Fi authentication, where the earliest and latest records are used as attendance data. Keywords—attendance system, wpa2 enterprise, free radius

    Enhanced Quality of Experience Based on Enriched Network Centric and Access Control Mechanisms

    In the digital world, service provisioning in user-satisfying quality has become the goal of any content or network provider. Besides having satisfied and therefore loyal users, the creation of sustainable revenue streams is the most important issue for network operators [1], [2], [3]. The motivation of this work is to enhance the quality of experience of users when they connect to the Internet and request application services, as well as to maintain full service when these users are on the move in WLAN-based access networks. In this context, the aspect of additional revenue creation for network operators is considered as well. The enhancements presented in this work are based on enriched network-centric and access control mechanisms, which are achieved in three different areas of network capabilities, namely network performance, network access and the network features themselves. In the area of network performance, a novel authentication and authorisation method is introduced which overcomes the drawback of long authentication time in the handover procedure as required by the generic IEEE 802.1X process using the EAP-TLS method. The novel sequential authentication solution reduces the communication interruption time in a WLAN handover process from currently several hundred milliseconds to some milliseconds by combining WPA2 PSK and WPA2 EAP-TLS. In the area of usability, a new user-friendly hotspot registration and login mechanism is presented which significantly simplifies how users obtain WLAN hotspot login credentials and log on to a hotspot. This novel barcode-initiated hotspot auto-login solution obtains user credentials through a simple SMS and performs an auto-login process that avoids the need to enter user name and password on the login page manually. In the area of network features, a new system is proposed which overcomes the drawback that users are not aware of the quality in which a service can be provided prior to starting the service. This novel graceful denial of service solution informs the user about the expected application service quality before the application service is started.

    Wi-Fi Enabled Healthcare

    Focusing on its recent proliferation in hospital systems, Wi-Fi Enabled Healthcare explains how Wi-Fi is transforming clinical workflows and infusing new life into the types of mobile devices being implemented in hospitals. Drawing on first-hand experiences from one of the largest healthcare systems in the United States, it covers the key areas associated with wireless network design, security, and support. Reporting on cutting-edge developments and emerging standards in Wi-Fi technologies, the book explores security implications for each device type. It covers real-time location services and emerging trends in cloud-based wireless architecture. It also outlines several options and design considerations for employee wireless coverage, voice over wireless (including smartphones), mobile medical devices, and wireless guest services. This book presents authoritative insight into the challenges that exist in adding Wi-Fi within a healthcare setting. It explores several solutions in each space along with design considerations and pros and cons. It also supplies an in-depth look at voice over wireless, mobile medical devices, and wireless guest services. The authors provide readers with the technical know-how required to ensure their systems provide the reliable, end-to-end communications necessary to surmount today's challenges and capitalize on new opportunities. The shared experience and lessons learned provide essential guidance for large and small healthcare organizations in the United States and around the world. This book is an ideal reference for network design engineers and high-level hospital executives who are thinking about adding or improving upon Wi-Fi in their hospitals or hospital systems.

    Älypuhelin kotiverkkojen luottamusankkurina

    [Translated from Finnish] As home networks become more complex, home users no longer know how, or want, to maintain them. Maintaining home networks today does not differ much from enterprise environments. The user is required to be present and to have credentials and the knowledge to operate the devices. These requirements must be adapted if maintenance were outsourced and access to home networks allowed. A trusted operator must be hired and given a means of authentication as well as access to the target device from outside. This requires preparatory steps and the distribution of authentication keys. An application running on the user's smartphone acts as this trusted operator. Through their mobile subscription the user is already part of a trusted subscriber register, and this property is exploited in the work as a builder of trust. The subscriber information on the SIM card is used for mobile identification via the EAP method. The functioning of EAP-SIM-based authentication is demonstrated in an environment with a simulated SIM card and mobile operator. The principle has been to use existing techniques, combining them with new areas such as home networks according to the homenet specifications and management outsourced to an agent. WPA2 Enterprise in a RADIUS environment handles the transport of authentication and authorization information. To avoid complexity and unnecessary granularity, we use a simple management network model, at whose edge is a smartphone otherwise separate from the home network. As a result, it is shown that authentication performed with the mobile phone creates a trust anchor between the external agent and the home management network, opening a management connection for the agent under the home user's supervision. The benefits of SIM authentication are strong authentication and a large user base. The drawbacks are dependence on the telecom operator, the threat of exposing the user's identity, and unwanted automatic authentication.

    Today, home networks are complex, and the home owners do not necessarily want to administer all aspects of their networks. Configuring home network devices does not differ much from configuring enterprise devices. One needs access, credentials to log in and knowledge to operate the device. If the configuration is outsourced to external parties and done remotely, those requirements need adaptation. Access to an end device from the outside must be provided, a trusted operator must be hired, and login credentials shared. For this purpose, some prior provisioning and distribution of authentication keys is needed. In this work, an application running on a user's smartphone represents this trusted operator. The fact that mobile phone subscribers are already part of a reliable infrastructure is used in the study as a trusted base. To benefit from the mobile identification, it is shown how the authentication and authorization are done using an extendable authentication profile (EAP) and a SIM card. A theory to use EAP-SIM authentication at home is presented, and to demonstrate that it works, a simulated testbed is built, tested, and analyzed. The idea is to reuse existing techniques by combining them with such new areas as homenet and delegated management. Authentication claims are transported with WPA2 Enterprise. To further avoid complexity and granularity, we only use a simple model of a management network. As a result, we show that the smartphone authentication provides a trust anchor between a configuration agent and the home network. The home network management can be controlled via the smartphone while keeping the local phone user in control. The benefits of using the SIM are that it is considered strong and it has a large existing user base, while its disadvantages include dependency on the mobile operator. Additionally, there remain challenges in keeping the SIM's identity private and in disabling unwanted re-authentications.

    Offloading security applications into the network

    Users currently experience different levels of protection when accessing the Internet via their various personal devices and network connections, due to variable network security conditions and the security applications available at each device. The SECURED project addresses these issues by designing an architecture to offload security applications from the end-user devices to a suitable trusted node in the network: the Network Edge Device (NED). Users populate a repository with their security applications and policy, which are then fetched by the closest NED to protect the user's traffic when they connect to a network. This setting provides uniform protection, independent of the actual user device and network location (e.g. public WiFi hotspot or 3G mobile connection). In other words, this architecture fosters a user-centric approach, as opposed to the current device- or network-based security schemes, with cost and protection benefits, while simultaneously enabling new business models for service and network providers.

    Optimization and Evaluation of Authentication System using Blockchain Technology

    User data security innovation is a particular concern in protecting one's privacy rights; a serious violation occurs when an attacker can bypass the user authentication so that the attacker appears legitimate and is treated as authorized. Based on these issues, the research aims at optimizing and evaluating blockchain-based authentication systems to minimize data leakage, data manipulation and data modification. Blockchain is one of the innovations that can solve this problem. Data or transactions in the blockchain are saved in hash form to make it difficult for hackers to break into them. The blockchain implementation uses the Solidity programming language to build smart contracts, together with other tools such as MetaMask, Ganache, and Truffle. The Network Forensics Development Life Cycle (NFLDC) is used as a framework with the following five stages: Initiation, Acquisition, Implementation, Operation, and Disposition. Based on the research conducted, the attack strategy against blockchain-based systems consists of several scenarios covering Burp Suite, XSS, SQL Injection, and DoS. The results show that the percentage of authentication optimization reaches a value of 90.1%, and 8.9% is the percentage for evaluating systems such as the possibility of cyberattack. Based on these results, this research has achieved its goals and may assist in further research. Doi: 10.28991/esj-2021-SP1-015

    ACUTA Journal of Telecommunications in Higher Education

    In This Issue
    Wireless Outlook 2012
    802.11n Wireless in the Enterprise: The Next Big Change
    The University of Tulsa: A Wireless Campus
    Advertorial: Deploying Media Switching Systems for Educational Institutions
    Faster Wireless LAN Connections May Help Support Voice & Video Traffic
    Wireless at Syracuse
    Expectation Versus Experience: The Realities of Life on the Wireless Road
    Institutional Excellence Award Honorable Mention
    UC Mobile Interview
    President's Message
    From the Executive Directo