A Proposal for Next Generation Cellular Network Authentication and Authorization Architecture


James Kempf

Research Fellow

DoCoMo USA Labs kempf@docomolabs-usa.com

DIMACS, November 4, 2004

Outline

• Existing solutions for auth/authz and their problems

– Pre-IP L2.5

– Universal Access Method (UAM)

• SEND and PANA

• A Different Way - Hyperoperator

• Obstacles to Acceptance

• Summary

Copyright © 2004 DoCoMo Communications Laboratories USA, Inc. All Rights Reserved. James Kempf 4/12/2020 2

Existing solutions for auth/authz and their problems

Pre-IP Layer 2.5

• Terminal and network authenticate each other prior to establishing IP service

• Typically through a Layer 2.5 flow between the terminal and a network access server

– PPP for some cellular protocols

– Proprietary for others

– 802.1x EAPOL for 802.11

• Network access server routes auth request back into the home network via local AAA server

– Radius or Diameter across the Internet

• Home network AAA server authenticates

• Authorization for network access from home network AAA server to local AAA server

– If a terminal is authenticated, then it is authorized for IP service

– If the network/base station is authenticated, then it is authorized to take the terminal’s traffic


Example: 802.1x

Figure: 802.1x deployment. Mobile Terminal ↔ AP/NAS over EAP + EAPoL + 802.11/3; AP/NAS ↔ AAA-F (through the Access Network's AR and Border Router) over EAP + Radius + IP; AAA-F ↔ AAA-H across the Internet over EAP + Radius + IP. The PMK is pushed to the AP.

802.1x Terminal to Access Network Detail

Message flow between STA, AP and AS (from the slide figure):

• STA 802.1X blocks port for data traffic; AP 802.1X blocks port for data traffic

• AP → STA: 802.1X/EAP-Request Identity

• STA → AP: 802.1X/EAP-Response Identity (EAP type specific)

• AP → AS: RADIUS Access Request/Identity

• STA ↔ AS: EAP type specific mutual authentication (e.g. TLS)

• STA and AS each derive the Pairwise Master Key (PMK)

• AS → AP: RADIUS Accept + PMK

• AP → STA: 802.1X/EAP-SUCCESS

• Transport: 802.1X between STA and AP, RADIUS between AP and AS

Problems

• Handover requires lengthy PMK rekeying, delaying handover

• Implicit authorization model for network access is difficult to extend to other services

– Example: multicast

• Authenticated and authorized terminals that are compromised or otherwise decide to behave badly


Universal Access Method

• Terminal establishes restricted IP access

– Can’t route to the Internet

– Only HTTP

• HTTP GET redirected to Public Access Control (PAC) Gateway

– PAC pushes login page to terminal

• User types in login/password for account access or credit card number for one time access

• PAC routes auth request back into the home network via local AAA server or credit card auth/authz to credit card provider

– Radius or Diameter across the Internet for AAA

– Ecommerce protocol (SET, Mondex, secure channel card payment, GeldKarte, etc.) for credit card.

• Home network AAA server authenticates or credit card provider authorizes

• Authorization for network access from home network AAA server to local AAA server

– If a terminal is authenticated, then it is authorized for IP service

– If the network/base station is authenticated, then it is authorized to take the terminal’s traffic


UAM Architecture

Figure: UAM deployment. Mobile Terminal ↔ PAC (through the Access Network's AP and AR) over HTTP + SSL + IP; PAC ↔ AAA-F and, across the Internet via the Border Router, AAA-H over Radius + IP; PAC ↔ Secure Credit Card Auth/Authz across the Internet.

UAM Terminal to Access Network Detail

Message flow between STA, PAC and AS (from the slide figure):

• PAC blocks Internet access

• STA → PAC: HTTP GET + User URL

• PAC → STA: Redirect Login URL

• User types in account login/password or credit card number

• STA → PAC: HTTP POST credentials

• PAC → AS: RADIUS Access Request/Identity + UAM AVPs*

• AS → PAC: RADIUS Accept + UAM AVPs*

• PAC → STA: Redirect User URL

• User URL displayed

• Transport: UAM between STA and PAC, RADIUS between PAC and AS

* Credit card auth/authz protocol if used

Problems

• If the user isn’t using HTML or the device isn’t capable of Web browsing, the procedure fails

• Piecewise, asymmetric security with many opportunities for compromise

– Network authenticates user through user name/password or credit card number

– Terminal authenticates network through SSL

– RADIUS security depends on VPN or other

• No support for handover at all

• For other services:

– For AAA, implicit authorization model for network access is difficult to extend to other services,

– For credit card, authorization for other services requires user to type in credit card information again

• Authenticated and authorized terminals that are compromised or otherwise decide to behave badly


SEND and PANA

SEcure Neighbor Discovery (SEND)

• Recently standardized addition to IPv6 Neighbor Discovery (RFC 2461) for securing:

– Local link address resolution

– Router discovery

– No RFC number yet

• Prevents a fully authenticated and authorized terminal from behaving badly for a limited set of actions

– DoSing nodes on the same link

– MiM attacks by spoofing access router

• Local link address resolution secured by using cryptographically generated addresses

– Ties the IP address to the node’s public key

– Together with a signature, establishes the node’s authorization to claim the address

• Router discovery secured by certified public keys on the router, together with certificates

– Node checks router certificate against a certification path for which the node has a certificate for trust anchor

– Router’s certified public key used to check signature on Router Advertisements
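The CGA binding described above, as an added worked example (not code from the presentation or from DoCoMo): it implements the RFC 3972 Hash1 construction for the sec=0 case in Python using only the standard library, so a neighbor can check that an address was derived from a claimed public key. The public-key bytes and the 2001:db8:0:1::/64 prefix are constructed sample values; the RSA signature over the Neighbor Discovery message, which completes SEND's proof that the sender holds the key, is outside this block.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the terminal's DER-encoded RSA public key (any byte
# string exercises the binding; a real node uses its actual key).
SAMPLE_PUBKEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"
# 2001:db8:0:1::/64, the IPv6 documentation prefix, as 8 octets.
SAMPLE_PREFIX = bytes.fromhex("20010db800000001")


def cga_interface_id(modifier, prefix, collision_count, pubkey, sec):
    """Interface identifier per RFC 3972 section 4: leftmost 64 bits of
    SHA-1(modifier | subnet prefix | collision count | public key), with the
    sec value written into the three leftmost bits and the u/g bits cleared."""
    if len(modifier) != 16 or len(prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("bad CGA parameters")
    digest = hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()
    iid = bytearray(digest[:8])
    iid[0] = (iid[0] & 0x1F) | (sec << 5)  # sec occupies bits 0-2 (mask 0xE0)
    iid[0] &= 0xFC                          # bits 6 and 7 ("u" and "g") set to zero
    return bytes(iid)


def generate_cga(prefix, pubkey):
    """Generate a sec=0 CGA. With sec=0 there is no Hash2 work requirement,
    so a random modifier is used directly (RFC 3972 section 4, simplified)."""
    modifier = os.urandom(16)
    iid = cga_interface_id(modifier, prefix, 0, pubkey, sec=0)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": 0, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix + iid), params


def verify_cga(addr, params):
    """Verification as a neighbor does it (RFC 3972 section 5, sec=0 only):
    recompute the interface identifier from the advertised parameters and the
    address's own sec bits, and compare. Parameters naming a different key or
    prefix cannot reproduce the address, so the address is tied to the key."""
    packed = ipaddress.IPv6Address(addr).packed
    if packed[:8] != params["prefix"]:
        return False
    sec = packed[8] >> 5
    expected = cga_interface_id(params["modifier"], params["prefix"],
                                params["collision_count"], params["pubkey"], sec)
    return packed[8:] == expected


if __name__ == "__main__":
    address, cga_params = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBKEY)
    print(address, verify_cga(address, cga_params))
```

Address ownership in SEND is established by this hash check plus a signature check on the message, both of which need only the parameters carried in the message: no AAA round trip is involved, which is why the slides see SEND-style checks as a lighter-weight complement to the authentication flows.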


SEND Details – Obtaining Router Certificate

Figure: Mobile Terminal → AR (via AP): Certification Path Solicitation + names of Trust Anchors; AR → Mobile Terminal: Certification Path Advertisement + certification paths to Trust Anchor. Result: the Router’s certified public key.

SEND Details – Secure Router Discovery

Figure: Mobile Terminal → AR (via AP): Router Solicitation; AR → Mobile Terminal: Router Advertisement + Signature; Mobile Terminal validates the signature.

SEND Details – Secure Link Address Resolution

Figure: Internet traffic arriving at the AR triggers a Neighbor Solicitation for the CGA (via the AP) to the Mobile Terminal, answered with a signature. The Cryptographically Generated IPv6 Address is the hash of the Subnet Prefix and the Terminal’s RSA Key.

Network Access Authentication and SEND

• SEND solves half the problem

– Allows the terminal to authenticate the network

• Adding a certificate on the terminal would allow the network to authenticate the terminal

– But no way to check terminal’s authorization nor provide accounting so network service can be billed

• SEND WG discussed using a terminal certificate for address resolution security but issue was dropped

– Want to see whether any market acceptance for SEND first

• Authentication of terminal using certificate provided by home network would provide a lighter weight alternative to AAA flows

– No need to do AAA on handover, just check certificate

• Or an authorization token issued by the access network after authentication and authorization are complete


Protocol carrying Authentication for Network Access (PANA)

• PANA is an IP level encapsulation for Extensible Authentication Protocol (EAP)

• Provides authentication transport if no Layer 2.5 transport is available.

• PANA framework contains a network access enforcement point to limit types of traffic until terminal is authenticated.

– Router solicitation/advertisement

– Address autoconfiguration

– DHCP

– PANA

• Enforcement point may also provide cryptographic protection for traffic if unavailable from link layer

– IKE/IPsec

• Replaces use of HTML in UAM


PANA Protocol – Host to Network

Figure: Mobile Terminal ↔ PAC (through the Access Network's AP, AR and EC) over PANA + EAP + IP; PAC ↔ AAA-F over Radius/Diameter + EAP + IP; AAA-F ↔ AAA-H across the Internet via the Border Router over Radius/Diameter + IP.

PANA Protocol – Network to Host

Figure: same elements as the host-to-network figure (Mobile Terminal, AP, AR, EC, PAC, AAA-F, Border Router, Internet, AAA-H, with PANA + EAP + IP and Radius/Diameter + EAP + IP), with SNMP additionally shown.

Controversy over PANA

• Arguments against PANA

– Layer 2 protocols all have their own ways of doing authentication

– Terminal should authenticate before obtaining an IP address

– PANA is architecturally wrong

– ...

• PANA is really a replacement for UAM

– UAM is really architecturally wrong

• Forces the terminal to support HTTP

• HTTP is really the wrong stack layer for network access authentication signaling

– Widespread deployment of UAM indicates market interest in using IP as network access authentication transport

• Primary issue: PANA only solves a very small part of the problem

– If the link layer is not secure, then IKE/IPsec must be used for confidentiality on the link

• Too heavy weight

– Many of the problems surrounding other authentication methods remain


Different Way - Hyperoperator

The Problem

• Infrastructure deployment costs for a managed microcellular network like 802.11 are really high

• Nobody has managed to make a viable business out of subscription based hot-spots

• Well, maybe T-Mobile, but...

• Best business model seems to be a managed network model

– 802.11 provider sells network management service to hotels, convention centers, etc.

• For B3G or 4G, deployment, infrastructure, and network management costs of standard cellular business model might be steep to unaffordable

– Low end disruptors based on cheap, unmanaged spectrum devices with macrocellular characteristics are a threat

• Private individuals and small businesses with 802.11 really don’t want the hassles of managing security in a wireless network

– And some people who might want 802.11 always on might not want to pay for it until they really use it


The Goal

• Multiple federated, independent, small access networks

– Maybe your neighbor, maybe you

• They contract with an operator to provide wireless service in exchange for discount on their network access or payment

– Like solar power in California – PG&E doesn’t pay you but you sell them power during the day/summer and buy back at night/winter

– Or maybe like solar power in Germany where the power company pays you for power you generate

• Operator provides them with:

– Security and management software and expertise to make their network more secure than if they had to manage it themselves

– Software for user service provisioning, charging and accounting so the operator’s users are properly charged

– Software to regulate usage of the federated network so that the owner is guaranteed some percentage of the bandwidth

→ We call this model Hyperoperator


HyperOperator

Figure: two privately owned access networks on Foxborough Drive, Mountain View (kempf-and-associates and wakerley-house), each with its own AP and AR, federated under the Hyperoperator.

Two Possibly Useful Components

• Mobile Firewall

• Authorization Certificates


Mobile Firewall

• Previous work

– SEND handles some threats on the last hop

– IETF 56 DefCon BOF

• Discussed protocol for distributed firewall but no agreement on forming a WG

• Firewall on the access router protects network from virus and worm traffic originating on a fully authenticated and authorized host

• Firewall detects mal-traffic, cuts off host’s network service

• Other uses

– Bandwidth control

– Differential service provisioning
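One way the "detects mal-traffic, cuts off host's network service" step could be realized on the access router, as an added example that is not code from the slides or from the Mobile Firewall paper: a sliding-window fan-out detector over flow records, flagging a terminal that contacts many distinct hosts on one port in a short time (worm-scan behaviour from an otherwise authenticated and authorized host), and a block list that the forwarding path consults. The flow-record layout, the IPv6 addresses, the window and the threshold are constructed assumptions.

```python
from collections import defaultdict


def build_sample_flows():
    """Constructed flow records (timestamp s, src, dst, dst_port, packets); not real traffic."""
    flows = []
    # Normal terminal: a handful of flows to three servers over a minute.
    for i in range(6):
        flows.append((i * 10.0, "2001:db8:0:1::5", f"2001:db8:ff::{i % 3 + 1}", 443, 30))
    # Compromised terminal: 40 distinct targets on one port within four seconds.
    for i in range(40):
        flows.append((100.0 + i * 0.1, "2001:db8:0:1::10", f"2001:db8:2::{i + 1:x}", 445, 3))
    return flows


def detect_spewing_hosts(flows, window_s=10.0, fanout_threshold=25):
    """Return {src: (dst_port, fanout)} for every source that reached at least
    fanout_threshold distinct destinations on one port inside any window_s window.
    The fanout reported is the count at the moment the threshold was first met."""
    by_src_port = defaultdict(list)
    for ts, src, dst, port, _pkts in sorted(flows):
        by_src_port[(src, port)].append((ts, dst))
    flagged = {}
    for (src, port), events in by_src_port.items():
        start = 0
        in_window = defaultdict(int)  # destination -> flows still inside the window
        for ts, dst in events:
            in_window[dst] += 1
            while events[start][0] < ts - window_s:  # expire old events from the left
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= fanout_threshold:
                flagged[src] = (port, len(in_window))
                break
    return flagged


class MobileFirewall:
    """Per-AR block list: once a host is flagged its service is cut off until cleared."""

    def __init__(self):
        self.blocked = set()

    def update(self, flows):
        for src in detect_spewing_hosts(flows):
            self.blocked.add(src)
        return self.blocked

    def permit(self, src):
        return src not in self.blocked


if __name__ == "__main__":
    fw = MobileFirewall()
    print(fw.update(build_sample_flows()))
```

Fan-out is only one of the signals a real deployment would use (the slides also list bandwidth control and differential service provisioning); the point of the structure is that the decision is made from traffic behaviour on the last hop, independently of the fact that the host already passed authentication and authorization.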


Mobile Firewall Details

Figure: Mobile Firewall on the AR. A compromised Mobile Terminal starts spewing mal-traffic; real time traffic analysis on the AR identifies the threat; the virus traffic is blocked.

G. Fu, D. Funato, J. Wood, and T. Kawahara, "Mobile Firewall", The Fifth International Conference on Mobile and Wireless Communications Networks (MWCN 2003), Singapore, October 2003.

Authorization Certificates

• Home network provides terminal with proof of authorization for a service

• Terminal presents proof of authorization to foreign network for initial access

• Access network grants terminal a token for handover

• Terminal presents token on each handover (including between federated operators)
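The access-token idea from the Network Access Authentication and SEND slide and from the Authorization Certificates list above, as an added example that is not code from the presentation or from DoCoMo: after the initial proof-of-authorization exchange with the foreign network, the access network issues an HMAC-protected token naming the terminal, the authorized services and an expiry; on each handover the new AP checks the token locally instead of running the AAA flow. The key shared among the network's APs, the token layout and the service names are assumptions, and the home-network authorization certificate is assumed to have been verified before issuance.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed key shared by the access points of one federated access network;
# a deployment would provision it from the operator rather than hard-code it.
ACCESS_NETWORK_KEY = b"constructed-demo-key-not-for-deployment"


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_access_token(key, terminal_id, services, lifetime_s, now=None):
    """Issued once, after authentication and authorization with the home network
    have completed. Listing services makes authorization explicit per service
    rather than implying everything from 'authenticated' (the multicast problem)."""
    now = int(time.time()) if now is None else now
    payload = {"sub": terminal_id, "services": sorted(services),
               "iat": now, "exp": now + lifetime_s}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def check_access_token(key, token, service, now=None):
    """Handover check at the new AP: integrity tag first, then expiry and the
    requested service. Returns the terminal id on success, None on any failure,
    so the caller never sees fields from an unauthenticated token."""
    now = int(time.time()) if now is None else now
    try:
        body_s, tag_s = token.split(".")
        body, tag = _unb64(body_s), _unb64(tag_s)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None
    try:
        payload = json.loads(body)
    except ValueError:
        return None
    if not isinstance(payload, dict) or now >= payload.get("exp", 0):
        return None
    if service not in payload.get("services", []):
        return None
    return payload.get("sub")


if __name__ == "__main__":
    tok = issue_access_token(ACCESS_NETWORK_KEY, "terminal-42", ["ip-access"], 3600)
    print(tok, check_access_token(ACCESS_NETWORK_KEY, tok, "ip-access"))
```

A symmetric tag keeps the handover check cheap, but it means every AP holding the key can mint tokens; across federated operators that do not share a key, the token would instead need a signature the other operator can verify, which is the trust question the Research Problems slide raises.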


Authorization Certificate/Microcredits Example

Figure: Mobile Terminal → Hyperoperator AP (Access Network, Border Router): Send Authorization Certificate; AP → Mobile Terminal: Send Access Token; Send Access Token is also shown toward the Foreign Accounting Server; Foreign Accounting Server ↔ Home Accounting Server: Radius flow (ugh! Do we really need this?). Two of the flows carry the microcredit amount 10.

Obstacles to Acceptance *

*Or why this idea might not get traction

Research Problems

• Risk analysis of how much the operator stands to lose if the federated system cheats


Business Problem

• THE issue!

• This is a disruptive business model

– Either low end if the customers are overserved by 3G network

– Or nonconsumption if the customers are people who are not using existing 3G networks or are not using them for particular jobs

• The cellular providers can’t disrupt themselves

– Unless they establish a separate business unit


Summary


• Reviewed existing methods of doing wireless auth/authz

– Pre-IP Layer 2.5

– UAM

• Discussed problems with existing technologies

• Reviewed two new IETF protocols that may provide some benefit

– SEND mitigates some threats on the local link, could be expanded to include network access authentication

– PANA removes HTTP hack in UAM

• Described a more radical proposal – hyperoperator

– Federated model of many small operators, with privately owned access points

– Mobile firewall between host and the network to control traffic from compromised hosts

– Authorization certificates and access tokens for authorization and accounting

• Discussed problems in

– Existing infrastructural and intellectual investment in traditional AAA


Questions?