Wireless Unification Theory
William Arbaugh
University of Maryland, College Park
Bureaucracy
Speakers, please introduce yourselves to me and provide a copy of your slides to the note taker
Workshop should be interactive: ask questions, answer questions
What do you want from the Workshop?
Welcome!
Program consists of talks and discussions
Want to focus on discussions (more to follow)
Goal is to identify hard research problems and potential bureaucratic and standardization stumbling blocks
Technical Trends
Wireless access is becoming ubiquitous and broadband in nature
Users are becoming more mobile
Mobility for data access is changing from "discrete mobility" to "continuous mobility"
Base stations are cheaper and have less physical security
All of the wireless technologies have differing authentication and access control frameworks!
Interworking Threat
Interworking allows attackers to find the "path of least resistance" and establish "man in the middle attacks"
The network with the weakest security will be the entry point
Providers will either not allow networks with weak security to join (limiting interworking growth) or allow them, which introduces security problems.
Workshop Goals
How do we tie these networks together in a secure fashion?
Deal with legacy networks?
Deal with future networks?
Vertical/Horizontal roaming?
Technical
Patchwork of technology:
EAP
A5
PEAP
TLS
AES-CCM
CAVE
CHAP
AKA
HLR
VLR
Standardize it?
IRTF
IETF
IEEE
WWRF
ISO
3GPP
How do we do it?
I have no idea! One of the main motivations for this workshop!
Things to think about
What are the research questions? What are the problems?
Standardization problems
Technical problems
Policy problems
Technical Overview
IEEE 802.1X
EAP
Roaming
IEEE 802.1X
Provides an access control and key distribution method for the AP/base station
Centralized authentication
Uses EAP
Dual Port Model
(Diagram) The Client/Supplicant attaches to the Authenticator System (Access Point / Access Server), which exposes two logical ports: the Uncontrolled Port, through which only authentication traffic reaches the Authentication Server on the LAN, and the Controlled Port, shown as "Port unauthorized", which stays blocked until authentication succeeds.
Trust Relationships
(Diagram) Client and Authentication Server: via the EAP method. Authenticator (AP/base station) and Authentication Server: possibly via a RADIUS shared secret. Client and AP/base station: transitively derived.
Note: I am using trust here loosely since only a security association is established.
Note that the client and the AP/base station have no direct trust relationship
It is derived transitively if and only if the infrastructure establishes a trust relation between the AP and the RADIUS server
EAP Session
(Message sequence between Supplicant, Authenticator and Authentication Server)
Authenticator -> Supplicant: EAP REQUEST/IDENTITY
Supplicant -> Authentication Server (relayed by the Authenticator): EAP RESPONSE/IDENTITY (MyID)
Authentication Server -> Supplicant: EAP REQUEST/OTP, OTP Challenge
Supplicant -> Authentication Server: EAP RESPONSE/OTP, OTP PW
Authentication Server -> Supplicant: EAP Success
Authenticator: Port authorized
EAP Authentication
Authentication may not be mutual
Loss of anonymity due to identity request
What are you authenticating? User? Device? Do we need both?
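The following Python is an added example, not code from the slides or from Arbaugh, that models the EAP session, dual-port and trust-relationship slides above in one runnable exchange: the authenticator relays EAP through its uncontrolled port, the authentication server is the only party that checks the credential, and the controlled port opens only when the server accepts and its RADIUS reply verifies under the shared secret. EAP framing follows RFC 3748 and the RADIUS Response Authenticator follows RFC 2865; the OTP scheme, the user database, the reduction of a RADIUS packet to a tuple and all names (`Supplicant`, `Authenticator`, `AuthServer`, `demo`) are assumptions made for the example. It also shows the two EAP Authentication points: the identity crosses the AP in the clear, and the supplicant answers the OTP challenge without learning who issued it.

```python
"""Toy 802.1X/EAP-OTP exchange relayed over RADIUS (added example, not from the
slides).  EAP framing per RFC 3748, RADIUS Response Authenticator per RFC 2865
s.3; the OTP scheme, user database and in-memory 'network' are constructed."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4   # RFC 3748 codes
TYPE_IDENTITY, TYPE_OTP = 1, 5                                      # RFC 3748 types
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11           # RFC 2865 codes


def eap_pack(code, ident, eap_type=None, data=b""):
    """EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def eap_unpack(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("bad EAP length")
    return (code, ident, None, b"") if length == 4 else (code, ident, pkt[4], pkt[5:])


def otp(seed, challenge):
    """Constructed one-time password: truncated SHA-256 of seed||challenge."""
    return hashlib.sha256(seed + challenge).hexdigest()[:16].encode()


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865: MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


class Supplicant:
    def __init__(self, identity, seed):
        self.identity, self.seed = identity, seed

    def answer(self, pkt):
        code, ident, etype, data = eap_unpack(pkt)
        if code != EAP_REQUEST:                  # Success/Failure ends the session
            return None
        if etype == TYPE_IDENTITY:               # identity is sent in the clear
            return eap_pack(EAP_RESPONSE, ident, TYPE_IDENTITY, self.identity)
        if etype == TYPE_OTP:
            # Answered unconditionally: nothing in EAP-OTP tells the supplicant
            # who issued the challenge, so the authentication is not mutual.
            return eap_pack(EAP_RESPONSE, ident, TYPE_OTP, otp(self.seed, data))
        raise ValueError("unsupported EAP type")


class AuthServer:
    """RADIUS/EAP server: the only party that holds and checks credentials."""
    def __init__(self, users, secret):
        self.users, self.secret, self.pending = users, secret, {}

    def handle(self, radius_id, request_auth, eap):
        _, eid, etype, data = eap_unpack(eap)
        if etype == TYPE_IDENTITY:
            chal = os.urandom(8)
            self.pending[eid + 1] = (data, chal)
            reply, rcode = eap_pack(EAP_REQUEST, eid + 1, TYPE_OTP, chal), ACCESS_CHALLENGE
        elif etype == TYPE_OTP and eid in self.pending:
            user, chal = self.pending.pop(eid)
            ok = user in self.users and hmac.compare_digest(otp(self.users[user], chal), data)
            reply = eap_pack(EAP_SUCCESS if ok else EAP_FAILURE, eid + 1)
            rcode = ACCESS_ACCEPT if ok else ACCESS_REJECT
        else:
            reply, rcode = eap_pack(EAP_FAILURE, eid + 1), ACCESS_REJECT
        # reply stands in for the EAP-Message attribute of the RADIUS packet
        return rcode, response_authenticator(rcode, radius_id, request_auth, reply, self.secret), reply


class Authenticator:
    """AP/base station: relays EAP through the uncontrolled port and opens the
    controlled port only when the AS accepts AND its reply verifies under the
    RADIUS shared secret (the transitively derived trust from the slides)."""
    def __init__(self, auth_server, secret):
        self.auth_server, self.secret = auth_server, secret
        self.port_authorized, self.seen = False, []   # seen = cleartext observations

    def run(self, supplicant):
        pkt, radius_id = eap_pack(EAP_REQUEST, 1, TYPE_IDENTITY), 0   # 802.1X starts here
        while True:
            resp = supplicant.answer(pkt)
            if resp is None:
                return self.port_authorized
            _, _, etype, data = eap_unpack(resp)
            if etype == TYPE_IDENTITY:
                self.seen.append(("identity", data))  # anonymity lost at the AP
            radius_id, req_auth = (radius_id + 1) & 0xFF, os.urandom(16)
            rcode, resp_auth, pkt = self.auth_server.handle(radius_id, req_auth, resp)
            expected = response_authenticator(rcode, radius_id, req_auth, pkt, self.secret)
            if not hmac.compare_digest(expected, resp_auth):
                self.seen.append(("radius", "bad Response Authenticator, reply dropped"))
                return False              # no AP<->AS trust: port stays unauthorized
            self.port_authorized = rcode == ACCESS_ACCEPT


def demo(ap_secret=b"radius-secret", as_secret=b"radius-secret", seed=b"seed-alice"):
    """Run one session; returns (controlled port authorized?, what the AP saw)."""
    ap = Authenticator(AuthServer({b"alice": b"seed-alice"}, as_secret), ap_secret)
    return ap.run(Supplicant(b"alice", seed)), ap.seen
```

`demo()` authorizes the port; `demo(seed=b"wrong")` is rejected by the server; `demo(ap_secret=b"other")` shows the slide's "if and only if" condition: the server accepts, but because the AP and the RADIUS server share no secret the AP cannot verify the reply and the port stays unauthorized. In every run the AP's `seen` list holds the identity in cleartext, which is the anonymity loss the slide points to.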
Roaming Challenges
What is equivalent security?
Hand-offs between differing physical and MAC layers in under 30ms?
Soft hand-over is easy at layers 2 and below but more difficult at layer 3 and above
Hard hand-over is just plain hard
Some authentication methods are complex, compute intensive, and take too long
What did I miss?