1

Seamless – Yet Secure - Hotspot Roaming

Steve Reyes, Product Management and Development

4501 Intelco Loop SE, Olympia, WA 98507

913-814-6262

[email protected]

CDG Wi-Fi Summit 2003



2

Vision: Mobile and Portable Computing

[Diagram: the Internet at the centre, connecting a Public WLAN Service Provider (AAA servers, billing/customer care servers), a Public WLAN "HotSpot", an xDSL/Cable broadband user, a small manufacturing site or branch office, and the Enterprise with its legacy and web enterprise applications. Links are labelled T1/T3, T1 and Cable/DSL.]

3

Market Forecasts – All Over the Map

[Four charts covering 2002–2007, with figures from IDC (June 2002 forecast vs. actual/forecast as announced), Analysys Research, Goldman Sachs, Pyramid, Synergy, Alexander Resources and TeleAnalytics:
– U.S. Hotspots (number of hotspots, 0–100,000)
– Global PwLAN Service Revenues ($0–$4.0 billion)
– U.S. Wi-Fi Penetration (% of broadband connections, low/high range of 5%–50% with a "consensus view")
– Global Wi-Fi Equipment Sales ($ billions, split into home, enterprise and public-access segments)]

4

Key Market Inhibitors

There are two major barriers holding back significantly higher levels of Wi-Fi adoption.

1. Security concerns

Enterprises have been slow to build out WLANs because of concerns over network security (e.g., unauthorized access to the wired network over the air interface).

2. Lack of a standard roaming infrastructure

The lack of broadly accessible roaming standards fosters "closed networks" and significantly reduces the value proposition to end users, hotspot operators and network service providers:

• Fewer enterprise deployments.

• Lower carryover of users into hotspots and homes.

• Economies of scale not realized.

• End-user inconvenience lowers demand.


5

Evolution

Phase I (today): Closed and non-secure

Phase II (2003): Closed but secure

Phase III (2005): Open and secure

[Chart: realizable market opportunity rising over time through the three phases.]

6

Requirements of Major Constituents – Unleash the Opportunity

WLAN Infrastructure Vendors

• Need to solve WLAN security issues in order to grow the market

Enterprise Customers

• ROI

• Unwilling to deploy until WLAN security is properly addressed

• Require a complete solution bundle for WLAN network design, portability and mobility

WLAN Service Providers

• Broadband ISPs looking for new revenue streams

• 3G networks need to seed wireless data services usage

Consumers/SMB Customers

• Want to deploy a low-TCO LAN

• Want public WLAN roaming capabilities

7

The Security Conundrum

• SSID association is NOT a security mechanism
– The SSID is sent in the clear and can be sniffed (and broadcasting it is desirable for usability)
– Suppressing it only limits interoperability

• MAC address control lists – not maintainable at scale, and a MAC address is trivially spoofed

• Authorization – all-or-nothing problem

• WEP (privacy control)
– Vulnerable
– Key management headache

• VPN
– Requires client software
– Install/configuration effort
– Expensive

8

The Security Conundrum (continued)

• Vendor security frameworks
– Proprietary
– May impact interoperability
– May limit choice of vendors

• Cisco's LEAP
– Mutual authentication of clients and APs
– Per-session WEP key for encryption
– Caveat: the LEAP exchange is an MS-CHAP-style password challenge/response, so a captured handshake can be attacked offline with a dictionary; it is only as strong as the users' passwords

• Agere's Advanced Mobile Security Architecture (AMSA)
– RC4 per-session encryption with Diffie-Hellman key exchange
– Supports EAP-TLS with WEP encryption and key refresh

• Symbol
– Based on Kerberos
– Mutual authentication, end-to-end encryption
– Per-session dynamic key distribution

9

Web-Based Security

• Browser-based authentication via username/password through an encrypted (SSL) browser window

• Typically employs an Access Controller (captive-portal gateway) located between the wireless AP and the internal LAN or Internet

• Best suited for "guest services"

• Vulnerable to session hijacking: after login the controller typically admits traffic by the client's MAC/IP address, which another station can spoof, and the air link itself stays unencrypted
– Reasonable general access control
– Not solid assurance of privacy

10

IPSec/VPN

• Place the WLAN outside the firewall

• Provide WLAN users with a VPN client

• Force all WLAN traffic through a VPN concentrator

11

Wired Equivalent Privacy (WEP)

• Standard configurable feature of most leading APs

• Objective: ensure privacy by encrypting each 802.11 packet with the RC4 stream cipher

• Relies on pre-shared static keys (typically manually configured)

• Weaknesses:
– No key management specified
– Keys too small (40 bits) and easily broken
– Initialization Vector (IV) too small (24 bits) and sent in the clear; on a busy network IVs repeat within hours, so the same RC4 keystream is reused
– The way WEP builds the per-packet RC4 key (IV || key) exposes weaknesses in RC4's key schedule, letting the key be recovered from captured traffic

• WEP is bad, but better than nothing if keys are changed frequently
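The IV weakness above in working code, as an added example that is not part of the original slides: a plain RC4 and the WEP framing (IV in the clear, CRC-32 ICV, RC4 keyed with IV || key) following the published algorithm, followed by the attacker's side, which recovers a second frame's plaintext from two frames that share an IV without knowing the key, and a birthday-bound count of how quickly random 24-bit IVs collide. The key, IV and frame contents are constructed for illustration; the key-index byte that follows the IV on the air is omitted.

```python
"""WEP keystream reuse: why a 24-bit IV sent in the clear breaks privacy.

Added example, not from the original slides. RC4 and the WEP framing
follow the published algorithm; key, IV and frames below are constructed.
"""
from __future__ import annotations

import zlib

IV_BITS = 24        # WEP IV: 24 bits, transmitted in the clear
WEP40_KEY_LEN = 5   # "40-bit" WEP key (the "64-bit" on the box counts the IV)


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key-scheduling then n bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _icv(plaintext: bytes) -> bytes:
    return zlib.crc32(plaintext).to_bytes(4, "little")   # WEP ICV is CRC-32


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV (clear) || RC4(IV || key) XOR (plaintext || ICV)."""
    if len(iv) != IV_BITS // 8 or len(key) != WEP40_KEY_LEN:
        raise ValueError("WEP-40 needs a 3-byte IV and a 5-byte key")
    body = plaintext + _icv(plaintext)
    return iv + _xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes) -> tuple[bytes, bool]:
    """Return (plaintext, icv_ok) for a frame from wep_encrypt."""
    iv, cipher = frame[:3], frame[3:]
    body = _xor(cipher, rc4_keystream(iv + key, len(cipher)))
    plaintext, icv = body[:-4], body[-4:]
    return plaintext, _icv(plaintext) == icv


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes,
                          known_plaintext_a: bytes) -> bytes:
    """Attacker side, no key needed. Same key + same IV means the same
    keystream, so C_a XOR C_b = P_a XOR P_b. Knowing P_a (e.g. a
    predictable ARP or DHCP frame) gives P_b over the overlapping length."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV")
    body_a = known_plaintext_a + _icv(known_plaintext_a)
    n = min(len(frame_a), len(frame_b)) - 3
    p_b = _xor(_xor(frame_a[3:3 + n], frame_b[3:3 + n]), body_a[:n])
    return p_b[:len(frame_b) - 3 - 4]         # drop frame_b's ICV if covered


def packets_until_iv_collision(prob: float = 0.5) -> int:
    """Smallest number of random IVs giving >= prob of at least one repeat
    (exact birthday calculation over the 2**24 IV space)."""
    space = 2 ** IV_BITS
    no_repeat, n = 1.0, 0
    while 1.0 - no_repeat < prob:
        no_repeat *= (space - n) / space
        n += 1
    return n


if __name__ == "__main__":
    key = b"\x0b\xad\xc0\xff\xee"              # constructed 40-bit key
    iv = b"\x00\x00\x01"                       # some cards restart IVs at 0 on power-up
    arp = b"ARP request: who-has 10.0.0.1"     # constructed, assumed known to attacker
    login = b"POST /login user=bob&pw=hunter2" # constructed secret traffic
    fa, fb = wep_encrypt(key, iv, arp), wep_encrypt(key, iv, login)
    print(recover_from_iv_reuse(fa, fb, arp))  # login plaintext, no key used
    print(packets_until_iv_collision())        # about 4,800 frames for a 50% repeat
```

With a 24-bit IV a 50% chance of a repeated IV arrives after roughly 4,800 frames, and a counter that restarts at zero guarantees repeats across reboots; the CRC-32 ICV does nothing to stop this because it is computed over the plaintext and encrypted with the same reused keystream.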

12

802.1X Security

• 802.1X standard
– Framework for providing compatible authentication and authorization mechanisms for devices attached to IEEE 802 LAN ports, 802.11 included

• 802.1X security entities – identifies three:
– Client (Supplicant)
– Access Point (Authenticator)
– Authentication Server (AS)

• Supplicant-to-AP communication uses EAPOL (EAP over LAN); the AP relays the EAP conversation to the AS over a backend protocol, in practice RADIUS

13

Secure WLAN Roaming

[Diagram: a user at a Public WLAN "Hotspot" authenticates across the Internet through an Authentication Clearinghouse (AS) to the AS in the Enterprise or home network.]

The public WLAN carrier/ISP routes all authentication requests to the Authentication Clearinghouse.

The Clearinghouse terminates the outer EAP-TTLS tunnel and passes the inner username/password on to the Enterprise's RADIUS server; it also manages accounting and billing. Caveat: because the TLS tunnel ends at the clearinghouse, the clearinghouse (not only the home RADIUS server) sees the inner credentials in the clear and has to be trusted accordingly; an inner method that does not reveal the password itself (e.g., EAP-MSCHAPv2 or a nested EAP-TLS) limits that exposure.
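What the clearinghouse actually handles on the AP-to-AS leg described on the two slides above (802.1X backend and roaming clearinghouse), as an added example that is not code from the original slides: a RADIUS Access-Request built and parsed per RFC 2865, including the User-Password hiding that protects the password between two RADIUS peers, and the proxy step in which the clearinghouse decrypts with the hotspot's shared secret, routes on the user's realm and re-hides with the home server's secret. The shared secrets, realm table and credentials are constructed; the function returns the plaintext password alongside the forwarded packet to make explicit what the intermediary learns.

```python
"""RADIUS Access-Request as relayed by an authentication clearinghouse.

Added example, not from the original slides. Packet layout and
User-Password hiding follow RFC 2865; secrets and credentials are constructed.
"""
from __future__ import annotations

import hashlib
import os
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32

# Constructed clearinghouse state: one shared secret per RADIUS peer and a
# realm table mapping a user's realm to the home AAA server's secret.
HOTSPOT_SECRET = b"wisp-shared-secret"
HOME_SECRETS = {b"example-corp.com": b"enterprise-shared-secret"}


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block), chained from the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return bytes(out)


def reveal_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    """Inverse of hide_password: anyone holding this hop's secret can do it."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16")
    out, prev = bytearray(), req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return bytes(out).rstrip(b"\x00")   # strip padding (trailing NULs in a password are lost)


def _attr(kind: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([kind, len(value) + 2]) + value


def build_access_request(identifier: int, secret: bytes, username: bytes,
                         password: bytes, nas_id: bytes,
                         req_auth: bytes | None = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes..."""
    req_auth = req_auth or os.urandom(16)        # fresh and unpredictable per request
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
             + _attr(ATTR_NAS_IDENTIFIER, nas_id))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + req_auth + attrs


def parse_access_request(packet: bytes, secret: bytes) -> dict:
    """Parse and un-hide; rejects truncated or inconsistent lengths."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("bad code or length")
    req_auth, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        kind, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute length")
        attrs[kind] = packet[pos + 2:pos + alen]
        pos += alen
    return {"identifier": identifier,
            "username": attrs[ATTR_USER_NAME],
            "password": reveal_password(secret, req_auth, attrs[ATTR_USER_PASSWORD]),
            "nas_id": attrs.get(ATTR_NAS_IDENTIFIER, b"")}


def clearinghouse_forward(packet: bytes, next_identifier: int) -> tuple[bytes, bytes]:
    """Proxy hop: decrypt with the hotspot's secret, route on the realm after
    '@', re-hide with the home server's secret. Returns (forwarded packet,
    plaintext password) to show what the clearinghouse necessarily sees."""
    seen = parse_access_request(packet, HOTSPOT_SECRET)
    realm = seen["username"].rsplit(b"@", 1)[-1]
    if realm not in HOME_SECRETS:
        raise LookupError(f"no roaming agreement for realm {realm!r}")
    forwarded = build_access_request(next_identifier, HOME_SECRETS[realm],
                                     seen["username"], seen["password"], seen["nas_id"])
    return forwarded, seen["password"]
```

The hiding is hop-by-hop, not end-to-end: every RADIUS proxy between the hotspot and the enterprise must recover the password to re-hide it for the next peer, which is the same trust consequence as terminating the EAP-TTLS tunnel at the clearinghouse. The home server can only decrypt a request hidden under its own shared secret, so a wrong secret yields garbage rather than the password.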

14

CA Hierarchy

[Diagram: two example hierarchies under a Wi-Fi Root CA.
– Wi-Fi CA → Device Vendor #1, Device Vendor #2 … Device Vendor #N → per-device certificates identified by serial number (NIC/STA Serial#1pqr..., NIC/STA Serial#1stv..., AP Serial#2xyz..., AP Serial#2abc..., AAA Serial#5cde..., AAA Serial#5fgh...).
– WISPr CA → W-ISP #1, W-ISP #2 … W-ISP #n → per-operator certificates for users (User#1-456, User#2-456, User#n-123, User#n-456), access points (AP#1-678, AP#2-123), a PAC (PAC#1-765) and AAA servers (AAA#2-897).]

15

Industry Trust Model

• PKI model provides the highest level of trust among the options discussed

• Digital certificate based

• Utilizes 802.1X/EAP-TLS

• Trusted Certificate Authority network

• Portable across home, enterprise and public venues

16

Wireless Carrier Paradigm

[Diagram: the cellular network (HLR with user profiles, billing, mediation, applications) delivers services to 3G access networks, hotspots and WLANs, with revenue flowing back to the carrier.]

17

Targeted Architecture

[Diagram: a roaming user attaches through Public WLAN "Hotspot"/WISP operations (AAA servers, billing/customer care servers) and reaches the Internet. Authentication is exchanged either directly or via an optional Clearinghouse (AAA servers) with the user's home service provider: a residential ISP or wireless carrier (AAA servers, billing/customer care servers; xDSL/cable broadband users and wireless users over Cable/DSL and T1), or a mobile carrier reached through an SS7 gateway to its HLR.]

18

Thank You!!