Copyright Statement Copyright Robert J. Brentrup 2005. This work is the intellectual property of the author. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Page 1: Copyright Statement

Page 2: Delegated Guest Access to Secure Networks

Robert Brentrup

Educause Poster Session

October 19, 2005

Page 3: Network Security

• Wireless networks are inherently more vulnerable
– No longer need to be inside a building
– Anyone in range can listen
– Have to expect uninvited “guests”

• Wired Equivalent Privacy (WEP) is intended to protect traffic between the supplicant and the access point.
– WEP has encryption flaws which diminish its effectiveness.

• WiFi Protected Access (WPA2) provides a stronger encryption scheme
– and supports a wider range of authentication techniques.

Page 4: Problem

• If authenticated access is implemented
– to limit use to members of the community
– and to enable strong data encryption

• How do guests access the network conveniently?
– Visitors are a daily occurrence
– Don’t want a multi-day process to get a guest account approved and created

Page 5: Motivation for System

• Visitors are given access to labs by host

• Already allow sponsored accounts for longer time periods
– But overhead is too high for a short visit

• Why not allow local users to delegate privileges to guests?
– Would give immediate access
– Delegation allows decentralized authorization

Page 6: Design Goals

• Provide access to authorized guests
• Guests may use comprehensive services granted to local users
• Require strong access control
• Use standard protocols
• Timeframe of authorization limited
• Do not require central control
• Provide audit trail
• Prefer to use PKI authentication

Page 7: Greenpass Solution

• Use 802.1X protocol for authentication
– Works for Wireless or VPN

• Use EAP/TLS to identify users

• Use RADIUS server for authorization decision
– Recognize some X.509 certificate issuers
– Allow local users to delegate network access permission
– SPKI certificate delegation chain
– Recognized by small RADIUS modification
– HTTP Cookies simplify use

• No user software install required

• Client Java tool for delegation

Page 8: Design: Information Flow

Page 9: Hybrid PKI

Page 10: Why SPKI/SDSI?

• Focuses specifically on the problem of authorization that we are trying to solve.

• Provisions for delegation of authority naturally give rise to the distributed model of delegated access that we envisioned.

• Simple and lightweight, easy to work with.

• Guest access is tied directly to the guest’s public key rather than indirectly through the guest’s name.
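The two slides above (the Greenpass Solution on page 7 and the SPKI/SDSI rationale on page 10) describe the core mechanism: a local user, already authenticated with an X.509 certificate, signs a time-limited authorization certificate naming the guest's public key, and a small RADIUS-side check walks that delegation chain before admitting the guest. The Go program below is an added illustration of that check and is not Greenpass code; it uses Ed25519 keys as a stand-in for the real certificates, a plain list of trusted keys as a stand-in for the RADIUS server's set of accepted local users, exact tag equality instead of SPKI tag intersection, and hypothetical names (`AuthCert`, `Issue`, `VerifyChain`). What it shows is the property the page emphasises: authorization binds to the guest's key, not a name, and a grant that is non-delegable, expired, tampered with, or not rooted at a trusted principal is refused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// AuthCert is a simplified SPKI/SDSI-style authorization certificate: Issuer
// grants the permission named by Tag to Subject for a bounded window, and
// Delegate says whether Subject may pass the grant on. (Constructed model;
// not Greenpass's real certificate format.)
type AuthCert struct {
	Issuer    ed25519.PublicKey
	Subject   ed25519.PublicKey
	Tag       string
	Delegate  bool
	NotBefore time.Time
	NotAfter  time.Time
	Signature []byte
}

// toBeSigned is a fixed-layout encoding of every field the signature covers,
// so that changing any of them invalidates the signature.
func (c *AuthCert) toBeSigned() []byte {
	buf := append([]byte{}, c.Issuer...)
	buf = append(buf, c.Subject...)
	var n [2]byte
	binary.BigEndian.PutUint16(n[:], uint16(len(c.Tag)))
	buf = append(buf, n[:]...)
	buf = append(buf, c.Tag...)
	if c.Delegate {
		buf = append(buf, 1)
	} else {
		buf = append(buf, 0)
	}
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.NotBefore.Unix()))
	buf = append(buf, ts[:]...)
	binary.BigEndian.PutUint64(ts[:], uint64(c.NotAfter.Unix()))
	buf = append(buf, ts[:]...)
	return buf
}

// Issue is the host-side delegation step: sign a grant of tag to the guest's
// public key with the host's private key.
func Issue(issuer ed25519.PrivateKey, subject ed25519.PublicKey, tag string, delegate bool, notBefore, notAfter time.Time) AuthCert {
	c := AuthCert{
		Issuer:    issuer.Public().(ed25519.PublicKey),
		Subject:   subject,
		Tag:       tag,
		Delegate:  delegate,
		NotBefore: notBefore,
		NotAfter:  notAfter,
	}
	c.Signature = ed25519.Sign(issuer, c.toBeSigned())
	return c
}

// VerifyChain is the RADIUS-side authorization hook: walk the chain from a
// principal the server already trusts (a local user it authenticated) down to
// the key the guest has just proven possession of, enforcing signature,
// tag, validity window and re-delegation rules at every link.
func VerifyChain(trusted []ed25519.PublicKey, chain []AuthCert, guest ed25519.PublicKey, tag string, now time.Time) error {
	if len(chain) == 0 {
		return errors.New("empty delegation chain")
	}
	rootOK := false
	for _, k := range trusted {
		if k.Equal(chain[0].Issuer) {
			rootOK = true
		}
	}
	if !rootOK {
		return errors.New("chain does not start at a trusted local principal")
	}
	for i, c := range chain {
		if !ed25519.Verify(c.Issuer, c.toBeSigned(), c.Signature) {
			return fmt.Errorf("cert %d: signature invalid", i)
		}
		if c.Tag != tag {
			return fmt.Errorf("cert %d: grants %q, not %q", i, c.Tag, tag)
		}
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			return fmt.Errorf("cert %d: outside validity window", i)
		}
		if i < len(chain)-1 {
			if !c.Delegate {
				return fmt.Errorf("cert %d: subject may not re-delegate", i)
			}
			if !c.Subject.Equal(chain[i+1].Issuer) {
				return fmt.Errorf("cert %d: subject did not issue cert %d", i, i+1)
			}
		}
	}
	if !chain[len(chain)-1].Subject.Equal(guest) {
		return errors.New("chain does not end at the presented guest key")
	}
	return nil
}

func main() {
	hostPub, hostPriv, _ := ed25519.GenerateKey(rand.Reader)
	guestPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	grant := Issue(hostPriv, guestPub, "network-access", false, now, now.Add(24*time.Hour))
	trusted := []ed25519.PublicKey{hostPub}
	fmt.Println("guest today:", VerifyChain(trusted, []AuthCert{grant}, guestPub, "network-access", now.Add(time.Hour)))
	fmt.Println("guest next week:", VerifyChain(trusted, []AuthCert{grant}, guestPub, "network-access", now.Add(7*24*time.Hour)))
}
```

The audit-trail goal from page 6 falls out of the same structure: each accepted chain names exactly which local user signed for which guest key and for how long, so the RADIUS hook can log the chain it accepted rather than just a guest name.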

Page 11: Block Diagram

Page 12: Guest Unauthorized

[screenshot not reproduced in transcript]

Page 13: Guest Introduction

[screenshot not reproduced in transcript]

Page 14: Guest Fingerprint

[screenshot not reproduced in transcript]

Page 15: Authorized Delegator

[screenshot not reproduced in transcript]

Page 16: Select Guest

[screenshot not reproduced in transcript]

Page 17: Guest Lookup

[screenshot not reproduced in transcript]

Page 18: Delegation Tool

[screenshot not reproduced in transcript]

Page 19: Delegation Complete

[screenshot not reproduced in transcript]

Page 20: Guest Authorized

[screenshot not reproduced in transcript]

Page 21: Authorized User

[screenshot not reproduced in transcript]

Page 22: Results

• Greenpass incorporates SPKI/SDSI with existing PKI standards to create an authentication scheme that is decentralized and not cumbersome to users.

• Published Open Source Components:

– Delegation Server, Introduction Cache

– Delegation Signing Tool

– Authorization Certificate Cache

– RADIUS modifications

Page 23: Future Work

• Finer grained definition of authorization.

• Alternatives to SDSI/SPKI

• No X.509 PKI? Everyone is a guest.

• Support for other devices (PDAs, VoIP devices).

Page 24: Credits, Contacts and Links

• Primarily designed by Nicholas Goffee and Sung Kim as their Master's degree thesis projects, advised by Prof. Sean Smith.
– Other contributors to the Greenpass project are: Kwang-Hyun Baek, Meiyuan Zhao, John Marchesini, Chris Masone, Punch Taylor, Robert Brentrup and Nick Santos.

• For Further Information

– Sean Smith - [email protected]

– Robert Brentrup - [email protected]

• www.dartmouth.edu/~pkilab/greenpass/

• www.cs.dartmouth.edu/reports/abstracts/TR2004-484/