Copyright Statement
• Copyright Robert J. Brentrup 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.
Delegated Guest Access to Secure Networks
Robert Brentrup
Educause Poster Session
October 19, 2005
Network Security
• Wireless networks are inherently more vulnerable
– Attackers no longer need to be inside a building
– Anyone in range can listen
– Have to expect uninvited “guests”
• Wired Equivalent Privacy (WEP) was intended to protect traffic between the supplicant and the access point.
– WEP has encryption flaws (RC4 key-stream reuse from its short IVs and a linear CRC-32 integrity check) that make it ineffective as an access control.
• WiFi Protected Access (WPA2) provides a stronger encryption scheme (AES-CCMP)
– and supports a wider range of authentication techniques through 802.1X/EAP.
Problem
• If authenticated access is implemented
– to limit use to members of the community
– and to enable strong data encryption
• How do guests access the network conveniently?
– Visitors are a daily occurrence
– Don’t want a multi-day process to get a guest account approved and created
Motivation for System
• Visitors are given access to labs by host
• Already allow sponsored accounts for longer time periods
– But the overhead is too high for a short visit
• Why not allow local users to delegate privileges to guests?
– Would give immediate access
– Delegation allows decentralized authorization
Design Goals
• Provide access to authorized guests
• Guests may use the comprehensive services granted to local users
• Require strong access control
• Use standard protocols
• Timeframe of authorization limited
• Do not require central control
• Provide audit trail
• Prefer to use PKI authentication
Greenpass Solution
• Use the 802.1X protocol for authentication
– Works for Wireless or VPN
• Use EAP-TLS to identify users
• Use a RADIUS server for the authorization decision
– Recognize some X.509 certificate issuers
– Allow local users to delegate network access permission
– SPKI certificate delegation chain
– Recognized by a small RADIUS modification
– HTTP cookies simplify use
• No user software install required
• Client Java tool for delegation
Design: Information Flow
Hybrid PKI
Why SPKI/SDSI?
• Focuses specifically on the problem of authorization that we are trying to solve.
• Its provisions for delegation of authority naturally give rise to the distributed model of delegated access that we envisioned.
• Simple and lightweight, easy to work with.
• Guest access is tied directly to the guest’s public key rather than indirectly through the guest’s name.
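The slides above describe the check the modified RADIUS server has to make: the guest presents a key over EAP-TLS, and the server must find an SPKI delegation chain from a key it already trusts (a local user authenticated by a recognized X.509 issuer) down to that guest key, with the delegate bit set on every link but the last and a validity window limited by every certificate in the chain. The Go program below is an added example written for this page, not Greenpass's own RADIUS modification or Java delegation tool, and it simplifies in three labelled ways: Ed25519 keys stand in for the X.509/RSA keys of the real deployment, a single "campus root" key stands in for the recognized X.509 issuer, and the authorization tag is an exact-match string where SPKI proper intersects structured tags. The certificate format, the tag name `net-access`, the one-year host and one-day guest windows, and the evaluation date are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"time"
)

// AuthCert is a simplified SPKI-style authorization certificate (an example format, not
// Greenpass's own): Issuer grants Subject the right Tag during [NotBefore, NotAfter); Delegate says whether Subject may pass it on.
type AuthCert struct {
	Issuer, Subject     ed25519.PublicKey
	Delegate            bool
	Tag                 string
	NotBefore, NotAfter time.Time
	Sig                 []byte
}

// tbs is the to-be-signed encoding; hex keys are fixed length and the tag is
// length-prefixed, so two distinct certificates cannot encode identically.
func (c *AuthCert) tbs() []byte {
	return []byte(fmt.Sprintf("%x|%x|%t|%d:%s|%d|%d", c.Issuer, c.Subject, c.Delegate,
		len(c.Tag), c.Tag, c.NotBefore.Unix(), c.NotAfter.Unix()))
}

// Issue is the delegation tool's job: sign a new certificate with the issuer's key.
func Issue(issuer ed25519.PrivateKey, subject ed25519.PublicKey, tag string, delegate bool, nb, na time.Time) *AuthCert {
	c := &AuthCert{issuer.Public().(ed25519.PublicKey), subject, delegate, tag, nb, na, nil}
	c.Sig = ed25519.Sign(issuer, c.tbs())
	return c
}

// Fingerprint is the short key hash a host compares with the guest's screen before
// delegating, and the identifier the audit trail records.
func Fingerprint(k ed25519.PublicKey) string {
	h := sha256.Sum256(k)
	return hex.EncodeToString(h[:8])
}

// Authorize is the RADIUS-side decision as SPKI chain reduction: each issuer must be the
// previous subject (starting at trustRoot), each signature must verify, every cert but the
// last must carry the delegate bit, tags must match, validity is the intersection of windows.
func Authorize(trustRoot ed25519.PublicKey, chain []*AuthCert, presented ed25519.PublicKey, want string, at time.Time) ([]string, error) {
	if len(chain) == 0 {
		return nil, fmt.Errorf("empty chain")
	}
	expect, nb, na, path := trustRoot, chain[0].NotBefore, chain[0].NotAfter, []string{}
	for i, c := range chain {
		switch {
		case !c.Issuer.Equal(expect):
			return nil, fmt.Errorf("cert %d: issuer %s is not the previous subject", i, Fingerprint(c.Issuer))
		case !ed25519.Verify(c.Issuer, c.tbs(), c.Sig):
			return nil, fmt.Errorf("cert %d: signature does not verify", i)
		case c.Tag != want: // real SPKI intersects structured tags; exact match keeps this short
			return nil, fmt.Errorf("cert %d: grants %q, not %q", i, c.Tag, want)
		case i < len(chain)-1 && !c.Delegate:
			return nil, fmt.Errorf("cert %d: %s holds the right but may not delegate it", i, Fingerprint(c.Subject))
		}
		if c.NotBefore.After(nb) {
			nb = c.NotBefore
		}
		if c.NotAfter.Before(na) {
			na = c.NotAfter
		}
		path = append(path, Fingerprint(c.Issuer)) // audit trail: who vouched, in order
		expect = c.Subject
	}
	if !expect.Equal(presented) {
		return nil, fmt.Errorf("chain does not end at the key the supplicant presented")
	}
	if at.Before(nb) || !at.Before(na) {
		return nil, fmt.Errorf("not valid at %v (reduced window %v to %v)", at, nb, na)
	}
	return path, nil
}

// Now is the fixed evaluation time for the demo (the date of this poster).
var Now = time.Date(2005, 10, 19, 12, 0, 0, 0, time.UTC)

// BuildScenario constructs a campus root (standing in for the X.509 issuer the RADIUS server
// recognises), a host cert that may delegate, a one-day guest cert that may not, and returns the guest's key.
func BuildScenario() (ed25519.PublicKey, []*AuthCert, ed25519.PrivateKey) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader) // err only if the OS RNG fails
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader)
	guestPub, guestPriv, _ := ed25519.GenerateKey(rand.Reader)
	host := Issue(rootPriv, hostPub, "net-access", true, Now.AddDate(-1, 0, 0), Now.AddDate(1, 0, 0))
	guest := Issue(hostPriv, guestPub, "net-access", false, Now.Add(-time.Hour), Now.Add(24*time.Hour))
	return rootPub, []*AuthCert{host, guest}, guestPriv
}

func main() {
	root, chain, _ := BuildScenario()
	path, err := Authorize(root, chain, chain[1].Subject, "net-access", Now)
	fmt.Println("guest at poster time:", path, err)
}
```

Running it prints the two issuer fingerprints (root, then host) and a nil error. The same function rejects the guest two days later because the reduced window is the host's year intersected with the guest's day, rejects a certificate whose delegate bit was flipped after signing because the signature no longer verifies, and rejects any attempt by the guest to issue a further certificate because the guest's own certificate carries no delegate bit. Those are the properties the design goals ask for (limited timeframe, no central step in the delegation, an audit trail) and each is a local check on the chain rather than a lookup in a central account database.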
Block Diagram
Screenshot walk-through of the delegation flow (images not included in this transcript):
Guest Unauthorized
Guest Introduction
Guest Fingerprint
Authorized Delegator
Select Guest
Guest Lookup
Delegation Tool
Delegation Complete
Guest Authorized
Authorized User
Results
• Greenpass combines SPKI/SDSI with existing PKI standards to create an authentication and authorization scheme that is decentralized and not cumbersome to users.
• Published Open Source Components:
– Delegation Server, Introduction Cache
– Delegation Signing Tool
– Authorization Certificate Cache
– RADIUS modifications
Future Work
• Finer grained definition of authorization.
• Alternatives to SDSI/SPKI
• No X.509 PKI? – everyone is a guest.
• Support for other devices (PDAs, VoIP devices).
Credits, Contacts and Links
• Primarily designed by Nicholas Goffee and Sung Kim as their Master's degree thesis projects, advised by Prof. Sean Smith.
– Other contributors to the Greenpass project are: Kwang-Hyun Baek, Meiyuan Zhao, John Marchesini, Chris Masone, Punch Taylor, Robert Brentrup and Nick Santos.
• For Further Information
– Sean Smith - [email protected]
– Robert Brentrup - [email protected]
• www.dartmouth.edu/~pkilab/greenpass/
• www.cs.dartmouth.edu/reports/abstracts/TR2004-484/