
    Supporting authorize-then-authenticate for wi-fi access based on an electronic identity infrastructure

    Federated electronic identity systems are increasingly used in commercial and public services to let users share their electronic identities (eIDs) across countries and providers. In Europe, the eIDAS Regulation and its implementation, the eIDAS Network, which allows mutual recognition of citizens' eIDs across countries, is now in operation. We discuss authorization before authentication, also named authorize-then-authenticate (AtA), in services exploiting the eIDAS Network. In the eIDAS Network, each European country runs a national eIDAS Node, which transfers to other Member States, via the eIDAS protocol, some personal attributes upon successful authentication of a person in his or her home country. Service Providers in foreign countries typically use these attributes to implement authorization decisions for the requested service. We present a scenario where AtA is required, namely Wi-Fi access, in which the service provider has to implement access control decisions before the person is authenticated through the eIDAS Network with his or her national eID. The Wi-Fi access service is in high demand in public and private places (e.g. shops, hotels, etc.), but its use typically involves users' registration at service providers and is still subject to security attacks. The eIDAS Network supports different authentication assurance levels, so it might be exploited for a more secure and widely available Wi-Fi access service for citizens with no prior registration, by exploiting their national eIDs. We first propose a model that discusses AtA in eIDAS-based services, and we consider different possible implementation choices. We then describe the implementation of AtA in an eIDAS-based Wi-Fi access service leveraging the eIDAS Network and a Zeroshell captive portal supporting the eIDAS protocol. We discuss the problems encountered and the deployment issues that may impact the service's acceptance by users and its exploitation on a large scale.
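    The two-phase decision the abstract calls authorize-then-authenticate can be made concrete with a small sketch. This is an added illustration, not code from the paper or from Zeroshell: the service provider first decides, from its own policy, whether a request may proceed and what it must ask of the eIDAS Network (assurance level, attributes, citizen's country), and only afterwards validates the authentication response against that earlier decision. The assurance-level labels (low, substantial, high) and the attribute names follow the eIDAS minimum data set for natural persons; the policy structure, the dictionary shape of the request and response, and the sample values are assumptions made for the example.

```python
"""Authorize-then-authenticate (AtA) sketch for a captive-portal Wi-Fi service.

Illustrative example added to this listing; not code from the paper or from
Zeroshell.  LoA labels and attribute names follow the eIDAS natural-person
minimum data set; the AccessPolicy layout, the request/response dict shapes
and all sample values are assumptions for this example.
"""
from dataclasses import dataclass

# eIDAS levels of assurance, ordered so that a higher level satisfies a lower requirement
LOA_RANK = {"low": 1, "substantial": 2, "high": 3}


@dataclass(frozen=True)
class AccessPolicy:
    service: str                     # e.g. "wifi"
    min_loa: str                     # minimum LoA the SP accepts for this service
    required_attributes: frozenset   # attributes the SP needs to make its decision
    allowed_countries: frozenset     # empty set = any Member State accepted


def authorize(policy, requested_service, citizen_country):
    """Step 1, before authentication: decide whether the request may proceed and
    what must be asked of the eIDAS Network.  Returns the parameters of the
    eIDAS request, or None if the SP refuses up front (no round trip needed)."""
    if requested_service != policy.service:
        return None
    if policy.allowed_countries and citizen_country not in policy.allowed_countries:
        return None
    return {
        "country": citizen_country,
        "loa": policy.min_loa,
        "attributes": sorted(policy.required_attributes),
    }


def check_response(policy, request, response):
    """Step 2, after authentication: validate the eIDAS response against the
    decision taken in step 1.  Returns (granted, reason)."""
    if response.get("status") != "success":
        return False, "authentication failed"
    if response.get("country") != request["country"]:
        return False, "country mismatch"
    # A downgraded LoA must not be accepted even if authentication succeeded
    if LOA_RANK.get(response.get("loa"), 0) < LOA_RANK[policy.min_loa]:
        return False, "assurance level too low"
    missing = policy.required_attributes - set(response.get("attributes", {}))
    if missing:
        return False, "missing attributes: " + ", ".join(sorted(missing))
    return True, "grant"


# Constructed sample policy: Wi-Fi access needs at least 'substantial' assurance
WIFI_POLICY = AccessPolicy(
    service="wifi",
    min_loa="substantial",
    required_attributes=frozenset(
        {"PersonIdentifier", "FamilyName", "FirstName", "DateOfBirth"}),
    allowed_countries=frozenset(),
)

# Constructed eIDAS responses (values are fictitious)
RESPONSE_OK = {
    "status": "success", "country": "IT", "loa": "high",
    "attributes": {"PersonIdentifier": "IT/ES/0001", "FamilyName": "Rossi",
                   "FirstName": "Mario", "DateOfBirth": "1980-01-01"},
}
RESPONSE_LOW_LOA = dict(RESPONSE_OK, loa="low")
RESPONSE_MISSING = dict(RESPONSE_OK, loa="substantial",
                        attributes={"PersonIdentifier": "IT/ES/0001",
                                    "FamilyName": "Rossi", "FirstName": "Mario"})


def demo():
    """Run the AtA flow on the constructed samples; returns the three verdicts."""
    request = authorize(WIFI_POLICY, "wifi", "IT")
    return (check_response(WIFI_POLICY, request, RESPONSE_OK),
            check_response(WIFI_POLICY, request, RESPONSE_LOW_LOA),
            check_response(WIFI_POLICY, request, RESPONSE_MISSING))


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

    The point of keeping the two functions separate is that the captive portal can refuse, or shape, the eIDAS request before any personal data crosses the network, and that the post-authentication check compares the response against the recorded request rather than against whatever the response claims.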

    Presence analytics: discovering meaningful patterns about human presence using WLAN digital imprints

    In this paper we illustrate how aggregated WLAN activity traces provide anonymous information that reveals invaluable insight into human presence within a university campus. We show how technologies supporting pervasive services, such as WLAN, which have the potential to generate vast amounts of detailed information, provide an invaluable opportunity to understand the presence and movement of people within such an environment. We demonstrate how these aggregated mobile network traces offer the opportunity for human presence analytics in several dimensions: social, spatial, temporal and semantic. These analytics have real potential to support human mobility studies such as the optimisation of space use strategies. The analytics presented in this paper are based on recent WLAN traces collected at Birkbeck College of the University of London, one of the participants in the eduroam network.
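    The kind of aggregation the abstract relies on, turning per-device association records into presence counts per building and hour while keeping individual devices out of the output, can be shown on constructed data. This is an added example, not code or data from the paper: the log line format, the access-point naming scheme (building prefix, floor, unit), the sample lines and the minimum cell size are all assumptions; no Birkbeck or eduroam data is used. Device addresses are replaced by keyed pseudonyms before aggregation, and cells with fewer devices than the threshold are suppressed so that the result only describes aggregate presence.

```python
"""Presence analytics from WLAN association logs.

Example added to this listing; not code or data from the paper.  The log
format, AP naming scheme (BUILDING-FLOOR-UNIT), sample lines and the
suppression threshold are constructed assumptions for this example.
"""
import hashlib
import hmac
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: "<ISO timestamp> ap=<name> event=<assoc|disassoc> sta=<MAC>"
LINE_RE = re.compile(
    r"^(\S+) ap=(\S+) event=(assoc|disassoc) sta=([0-9a-fA-F:]{17})$")

# Constructed sample trace; addresses and AP names are fictitious
SAMPLE_LOG = [
    "2019-03-04T09:05:12 ap=MAL-3F-02 event=assoc sta=aa:bb:cc:dd:ee:01",
    "2019-03-04T09:06:40 ap=MAL-3F-02 event=assoc sta=aa:bb:cc:dd:ee:02",
    "2019-03-04T09:10:03 ap=MAL-4F-01 event=assoc sta=aa:bb:cc:dd:ee:03",
    "2019-03-04T09:12:55 ap=MAL-4F-01 event=assoc sta=AA:BB:CC:DD:EE:01",  # same device, roamed
    "2019-03-04T09:20:17 ap=MAL-2F-05 event=assoc sta=aa:bb:cc:dd:ee:04",
    "2019-03-04T09:30:00 ap=CLO-1F-01 event=assoc sta=aa:bb:cc:dd:ee:05",
    "2019-03-04T09:31:00 ap=CLO-1F-01 event=assoc sta=aa:bb:cc:dd:ee:06",
    "2019-03-04T09:45:00 ap=MAL-3F-02 event=disassoc sta=aa:bb:cc:dd:ee:02",
    "2019-03-04T10:02:00 ap=MAL-3F-02 event=assoc sta=aa:bb:cc:dd:ee:01",
    "2019-03-04T10:05:00 ap=MAL-3F-02 event=assoc sta=aa:bb:cc:dd:ee:07",
    "2019-03-04T10:07:00 ap=MAL-5F-01 event=assoc sta=aa:bb:cc:dd:ee:08",
    "this line is malformed and must be skipped",
]

# Constructed per-run pseudonymisation key; in practice generated fresh and never stored with the output
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymize(sta, key):
    """Keyed hash of the station address: stable within one analysis run so that
    a device roaming between APs is counted once, unlinkable without the key."""
    return hmac.new(key, sta.lower().encode(), hashlib.sha256).hexdigest()[:16]


def building_of(ap_name):
    """Assumed AP naming scheme: the building code is the first dash-separated field."""
    return ap_name.split("-")[0]


def presence_by_building_hour(lines, key, min_count=3):
    """Count distinct devices seen per (building, hour); drop cells smaller than
    min_count so that no small group can be singled out in the output."""
    cells = defaultdict(set)
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # malformed record: skip rather than guess
        timestamp, ap_name, event, sta = match.groups()
        if event != "assoc":
            continue  # only associations mark presence here
        hour = datetime.fromisoformat(timestamp).strftime("%Y-%m-%d %H")
        cells[(building_of(ap_name), hour)].add(pseudonymize(sta, key))
    return {cell: len(devices) for cell, devices in cells.items()
            if len(devices) >= min_count}


def run_sample():
    """Aggregate the constructed trace with the constructed key."""
    return presence_by_building_hour(SAMPLE_LOG, PSEUDONYM_KEY, min_count=3)


if __name__ == "__main__":
    for (building, hour), count in sorted(run_sample().items()):
        print(f"{building} {hour}: {count} devices")
```

    On the sample trace the MAL building shows four devices in the 09:00 hour (the roaming device is counted once thanks to the keyed pseudonym) and three in the 10:00 hour, while the two-device CLO cell is suppressed. Raw addresses never reach the aggregate, which is what makes this kind of campus-wide presence analysis defensible from a privacy standpoint.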

    OpenIaC: open infrastructure as code - the network is my computer

    Modern information systems are built from a complex composition of networks, infrastructure, devices, services, and applications, interconnected by data flows that are often private and financially sensitive. The 5G networks, which can create hyperlocalized services, have highlighted many of the deficiencies of current practices in use today to create and operate information systems. Emerging cloud computing techniques, such as Infrastructure-as-Code (IaC) and elastic computing, offer a path for a future re-imagining of how we create, deploy, secure, operate, and retire information systems. In this paper, we articulate the position that a comprehensive new approach is needed for all OSI layers from layer 2 up to applications, built on underlying principles that include reproducibility, continuous integration/continuous delivery, auditability, and versioning. There are obvious needs to redesign and optimize the protocols from the network layer to the application layer. Our vision seeks to augment existing Cloud Computing and Networking solutions with support for multiple cloud infrastructures and seamless integration of cloud-based microservices. To address these issues, we propose an approach named Open Infrastructure as Code (OpenIaC), which is an attempt to provide a common open forum to integrate and build on advances in cloud computing and blockchain to address the needs of modern information architectures. The main mission of our OpenIaC approach is to provide services based on the principles of Zero Trust Architecture (ZTA) among the federation of connected resources based on Decentralized Identity (DID). Our objectives include the creation of an open-source hub with fine-grained access control for an open and connected infrastructure of shared resources (sensing, storage, computing, 3D printing, etc.) managed by blockchains and federations. Our proposed approach has the potential to provide a path for developing new platforms, business models, and a modernized information ecosystem necessary for 5G networks.

    Planning the Taiwan Access Management Federation based on Shibboleth

    There are a number of different ways in which it may be verified that a user at a computer attached to the internet is entitled to use an electronic resource (usually one that has to be paid for) held on a server elsewhere on the internet. Authentication by Internet Protocol address is appropriate when the user is in a fixed environment, but to enable a user to have wider access other mechanisms are needed, the most universally applicable being authentication relying on the information provided by an access management federation using Shibboleth. Shibboleth is a standards-based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access to protected online resources in a privacy-preserving manner. The requirements for the security of the solution, particularly regarding the intellectual property rights of the owners of the data, are discussed. Various possible solutions are outlined based on those in use in the UK Federation, the US InCommon system, the Swiss SWITCHaai, and the Australian Access Federation. The framework and development leading to the implementation of the Taiwan Access Management Federation (TAMF) primarily follow SWITCHaai and, to a lesser extent, the other three federations. The history, management structure, software used and the participating organizations in the four federations that TAMF follows are discussed. The progress of TAMF is described as well. It is hoped that this could serve as a model for federations around the world.

    Authenticated wireless roaming via tunnels : making mobile guests feel at home

    In wireless roaming a mobile device obtains a service from some foreign network while being registered for the same service at its own home network. However, recent proposals try to keep the service provider role behind the home network and let the foreign network create a tunnel connection through which all service requests of the mobile device are sent to, and answered directly by, the home network. Such Wireless Roaming via Tunnels (WRT) offers several (security) benefits but also poses new security challenges for authentication and key establishment, as the goal is not only to protect the end-to-end communication between the tunnel peers but also the tunnel itself. In this paper we formally specify mutual authentication and key establishment goals for WRT and propose an efficient and provably secure protocol that can be used to secure such roaming sessions. Additionally, we describe some modular protocol extensions to address resistance against DoS attacks, anonymity of the mobile device and unlinkability of its roaming sessions, as well as the accounting claims of the foreign network in commercial scenarios.