Network Authentication with PKI EDUCAUSEDartmouth PKI Summit July
- Slides: 22
Network Authentication with PKI EDUCAUSE/Dartmouth PKI Summit July 27, 2005 Jim Jokl University of Virginia 1
Background: UVa Wireless LAN Project p Deploy campus-wide Wireless LAN (WLAN) n n p Support multiple applications n n p Initial focus on student areas Later emphasis on faculty/staff areas Focus on standard applications: Email, Web, login, file transfer, etc Don’t focus on applications such as video Provide security n Wireless really is different in this regard 2
UVa WLAN Summary p Access Point summary as of July 2005 n n n 796 access points in database with approximately 704 operational ~250 older Cisco 352 802. 11 b (11 Mbps @ 2. 4 GHz) units Remainder are modern Cisco 1100/1200 series access points 802. 11 G/B (11 -45 Mbps @ 2. 4 GHz) p 802. 11 A (45 Mbps @ 5 GHz) p Still need to install A/G radios in some of the 1200 s p p Wireless security system n Would have liked strong authentication and encryption for all WLAN access, however …… 3
Wireless Security Have to support “other” devices 4
Initial Wireless Security System p MAC address validation n p Users register the hardware address of their wireless adapter Provisions for anyone affiliated with the university to register cards for guests Supports “random” devices Secured wireless via Cisco LEAP n n n Password-based authentication Dynamic symmetric cipher keys Had expected this technology to be widely implemented by vendors 5
EAP-based Authentication Process Radius Servers Access Point UVa Network Access Point User 6
Authentication Transition Combination of LEAP and MAC registration was OK for a couple of years p However p n n n LEAP never became mainstream and generally required a Cisco wireless card and software installation We had anticipated native LEAP support with Windows XP Final straw was a reported security vulnerability with the LEAP protocol 7
Wireless LAN Access Control EAP-MD 5 Server Authentic ation None Supplicant Authentica tion Password Hash LEAP EAP-TLS EAPTTLS PEAP Password Public Key Hash Password Public Key Hash CHAP, PAP, MS-CHAP(v 2), EAP Any EAP, like EAP-MSCHAPv 2 or Public Key Dynamic Key Delivery No Yes Yes Security Risks Identity exposed, Dictionary attack, Mit. M attack, Session hijacking Identity exposed, Dictionary attack Identity exposed Mit. M attack 8 Source: wi-fiplanet. com
Background: UVa Standard Assurance CA (PKI-Lite) p p p On-line Web CA Uses existing account information to validate user request Computing ID, password, and some database info checked Certificate and chain automatically installed or PKCS-12 ~20 k active certificates now 9
UVa EAP-TLS Wireless Authentication p User Access Point p p Radius Server p LDAP Auth. Z User verifies the Radius server’s identity using PKI The Radius server verifies the user’s identity using PKI An LDAP-based authorization step happens Association is allowed and dynamic session crypto keys are exchanged 10
OS Support for EAP-TLS p Operating System Support n n n p Windows XP, Windows 2000 SP-4* Mac. OS (10. 3. 3) 3 rd party software available Very easy to use n n n No account management, passwords, etc Login to your workstation and secure wireless just works Auth. Z step will make it easier to keep hacked machines off of the WLAN 11
EAP-TLS and the Microsoft Clients p Microsoft field in certificate for Auth. N n Subject Alt Name / Other Name / Principal Name p n If not present, uses CN p n p OID 1. 3. 6. 1. 4. 1. 311. 20. 2. 3 Uniqueness issues for many CAs Easy to add to certificate profile Impact on the PKI-Lite certificate profiles n Agreed to add this extension to EE cert profile 12
Summary: Supported wireless “accounts” at UVa p EAP-TLS – our main wireless network n n p MAC Address restricted network n n n p Leverage PKI for user authentication on Win. XP and Mac. OS 10. 3 Dynamic session encryption keys Provides access control and limited authentication Especially useful for devices with limited functionality Now integrated with our main Net. Reg MAC address registration system Guest n MAC Access control and identification of UVa sponsor 13
UVa WLAN Authentication Transition p Transitioned to new authentication summer 2004 n Added an EAP-TLS VLAN, removed LEAP p n Main EAP-TLS issues encountered p p p n p For special devices that don’t support EAP-TLS Non-broadcast SSID Transition completed by end of summer p n Old drivers for user’s wireless cards A few users still had certificates without Microsoft attribute Macintosh a little harder since no Safari integration for certificate download and installation Retained a legacy MAC registration-only VLAN p n EAP-TLS is the authentication used on the broadcast SSID Few hard problems encountered Will add EAP-TLS VLAN for access to UVa “More Secure” network once more Auth. Z work is completed 14
Authentication on the UVa WLAN 15
Background: University of Virginia PKI p Project Goal n p Enable PKI support in a wide range of applications Deploy two campus CAs to support two types of PKI-enabled applications n Standard Assurance CA p p p n For better security on common applications Improve ease of use on some applications Identity proofing marginally stronger than used with simple passwords High Assurance CA p p p For new applications requiring high security Uses hardware tokens only - 2 -factor authentication Strong identity validation before certificate is issued 16
UVa. Anywhere VPN Service p p Internet Connections p p UVa. Net p p p UVa. Anywhere Concentrators Our first PKI application Certificate Auth. N Encrypted path to UVa network edge On-campus IP address Cisco 3000 concentrators Adding LDAP Auth. Z IPSec and Cisco VPN client is only supported mechanism 17
UVa. Anywhere-Lite p Just added new SSL VPN service n n n For web applications only Uses existing Cisco 3000 concentrators PKI for authentication Uses LDAP for authorization Web VPN provides convenient pop-up box for navigation p Customized with library and department pages that point to their web resources 18
Remote Access to the More Secure Network Certificate Auth. N and LDAP Auth. Z SMTP Relay “Less Secure” Network Firewall “More Secure” Network Level 1 VPN Level 2 LDAP Auth. Z LPR Relay 19
VPN PKI 2 -factor Authentication with LDAP Authorization Main Campus Network Oracle ERP IN VPN Concentrators Firewall S 1 S 2 Firewall OUT IN S 3 LDAP Auth. Z Servers Sn Hospital Net 20
Oracle Special Services (ERP) 2 -factor Cert Auth. N and LDAP Auth. Z OSS User Main UVa Network VPN Concentrators S 4 S 1 S 2 Firewalls Normal User OUT IN S 3 LDAP Auth. Z Servers Sn 21
Some References p UVa Wireless LAN site n p UVa PKI Site n p http: //www. itc. virginia. edu/desktop/pki/ UVa VPN Sites n n p http: //www. itc. virginia. edu/wireless/ http: //www. itc. virginia. edu/desktop/vpn http: //www. itc. virginia. edu/vpn/webvpn HEPKI-TAG PKI-Lite n http: //middleware. internet 2. edu/hepki-tag/ 22
Message authentication and entity authentication
Peer entity authentication
Code c
Authentication in cryptography and network security
July 12 1776
Criciúma ec
June july august
Slidetodoc.com
Sources nso frenchhowell neill mit technology...
July 26 1953
Harris burdick pictures uninvited guest
June too soon july stand by
July 10 1856
Sensory language definition
2001 july 15
July 14 1789
Monday 13th july
What is the significance of july 4 1776 brainpop
July 16 1776
July 1-4 1863
July 2 1937 amelia earhart
Ctdssmap payment schedule july 2021
Catawba indian nation bingo
