DOCSLIB.ORG

(12) United States Patent (10) Patent No.: US 8,817,990 B2 Oba (45) Date of Patent: Aug

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
(12) United States Patent (10) Patent No.: US 8,817,990 B2 Oba (45) Date of Patent: Aug US008817990B2 (12) United States Patent (10) Patent No.: US 8,817,990 B2 Oba (45) Date of Patent: Aug. 26, 2014 (54) KERBERIZED HANDOVER KEYING (56) References Cited IMPROVEMENTS U.S. PATENT DOCUMENTS (75) Inventor: Yoshihiro Oba, Englewood Cliffs, NJ (US) 2002/014782O A1* 10, 2002 Yokote . 709,229 (73) Assignees: Toshiba America Research, Inc., 2004/0066764 A1 4, 2004 Kool et al. Washington, DC (US); Telecordia (Continued) Technologies, Inc., Piscataway, NJ (US) FOREIGN PATENT DOCUMENTS (*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 CA 2 675961 A1 T 2008 U.S.C. 154(b) by 621 days. JP 2007-528666 A 10/2007 (21) Appl. No.: 11/972.457 (Continued) (22) Filed: Jan. 10, 2008 OTHER PUBLICATIONS Tschofenig, H. et al., “Bootstrapping Kerberos”, Jul. 12, 2004, PANA O O Working Group, Internet Draft, Retrieved from "http://tools.ietforg/ (65) Prior Publication Data html/draft-tschofenig-pana-bootstrap-kerberos-00”.* US 2008/0212783 A1 Sep. 4, 2008 (Continued) Related U.S. Application Data Primary Examiner — Evans Desrosiers Assistant Examiner — Daniel Potratz (60) Provisional application No. 60/892,532, filed on Mar. (74) Attorney, Agent, or Firm — Westerman, Hattori, 1, 2007. Daniels & Adrian, LLP (51) Int. Cl. (57) ABSTRACT Hot 9. R A media-independent handover key management architec ( .01) ture is disclosed that uses Kerberos for secure key distribution HO4L 9/32 (2006.01) among a server, an authenticator, and a mobile node. In the G06F 7/04 (2006.01) preferred embodiments, signaling for key distribution is GO6F 15/16 (2006.01) based on re-keying and is decoupled from re-authentication GO6F 17/30 (2006.01) that requiresC EAP (Extensible Authentication Protocol) and GO6F 2 1/33 (2013.01) AAA (Authentication, Authorization and Accounting) sig (52) U.S. Cl. naling similar to initial network access authentication. In this CPC ............ H04L 63/0807 (2013.01); H04L 9/321 framework. the mobile node is able to obtain master session (2013.01); H04L 9/3213 (2013.01); G06F keys required for dynamically establishing the security asso 21/335 (2013.01) ciations with a set of authenticators without communicating USPC .............. 380,279.713/156.715/i7.726/16 fromwith themre-authentication, before handover. the Byproposed separating architecture re-key operation is more (58) Field of Classification Search optimized for a proactive mode of operation. It can also be CPC ..... G06F 21/335; H04L 9/321; H04L 9/3213; optimized for reactive mode of operation by reversing the key H04L 29/06761; H04L 63/0807; H04W 12/06 distribution roles between the mobile node and the target USPC ........ 726/10, 14, 18; 713/156, 168, 171, 172: access node. 380/277,279, 284 See application file for complete search history. 12 Claims, 20 Drawing Sheets AAAINTERACTION FORAUTHORIZATIONAND ACCOUNTING AUTHORIZATION INFORMATION OVER AUTHORIZATION INFORMATION KERBEROS OVERAAA PROTOCOL (PROACTIVE MODE) MOBILE NODE AAAINFRASTRUCTURE AUTHORIZATION INFORMATIONOVER AUTHENTICATOR KERBEROS ACCOUNTING INFORMATION (REACTIVE MODE) OVERAAAPROTOCOL. US 8,817,990 B2 Page 2 (56) References Cited working Technologies, Services, and Protocols; Performance of Computer and Communication Networks; Mobile and Wireless U.S. PATENT DOCUMENTS Communications; Lecture Notes in Computer Science; ; LNCS). Springer-Verlag, Berlin/Heidelberg, pp. 1344-1, XPO19005538. 2005.0113086 A1 5, 2005 Wilson Ohba Y et al. "Kerberized handover keying: a media-independent 2005/01985.06 A1* 9/2005 Qi et al. ........................ 713/17O handover key managementarchitecture” Mobiarch 07 Proceeding of 2005/01995.06 A1 9, 2005 Toben et al. 2nd ACM/IEEE International Workshop onMobility in The Evolving 2005/0210252 A1* 9, 2005 Freeman et al. .............. 713,171 Internet Architecture; , Aug. 31, 2007, pp. 1-7, XP002636383. 2006/0073811 A1* 4/2006 Ekberg .......................... 455,411 D. Harkins et al., “Problem Statement and Requirements on a 3-Party 2006/014O150 A1* 6/2006 Overa-Hernandez Key Distribution Protocol for Handover Keying draft-ohba-hokey et al. ............................. 370,331 3party-keydist-ps-00', online), Feb.26, 2007, Searched on Jun. 16. 2006, O146752 A1 7/2006 Jang et al. 2012. Internet-URL:http://tools.ietforg/html/draft-ohba-hokey 2006/022 1899 A1 * 10, 2006 Feder et al. ................... 370,331 3party-keydist-pS-00>, 14 pages. Yoshihiro Ohba et al., "Kerberized Handover Keying: A Media FOREIGN PATENT DOCUMENTS Independent Handover Key Management Architecture'. MobiArch JP 2008-508573. A 3, 2008 '07 Proceedings of 2nd ACM/IEEE international workshop on JP 2010-503258 A 1, 2010 Mobility in the evolving internet architecture, ACM, Aug. 27, 2007. JP 2010-517329 A 5, 2010 19 pages. WO 2005/094037 A1 10/2005 “ETSI TS 101909-11 V1.2.1 Digital Broadband Cable Access to the WO 2006,000802 A2 1, 2006 Public Telecommucations Network; IP Multimedia Time Critical Services; Part 11: Security”, online), p. 60, 61.325 and 326, Jul. 17. OTHER PUBLICATIONS 2002, ETSI, Searched on Jun. 16, 2012), Internet, <URL:http:// www.etsi.org/deliver?etsi ts/10 1900 101999/10 190911/01.02. Tschofenig, H. et al., “Bootstrapping Kerberos”, Jul. 12, 2004, PANA 01 60/>. Working Group, Internet Draft.* Yu Inamura, “Kerberos' Open Design, CQ Publishing Co., Ltd, Jun. International Search Report dated Jul. 2, 2008. 1, 1996, vol. 3, No. 3, pp. 40-61. Canadian Office Action dated Mar. 7, 2012, issued in corresponding M. Nakhjiri "A Keying hierarchy for managing Wireless Handover Canadian Patent Application No. 2,679.378. security draft-nakhjiri-hokey-hierarchy-03” online), Jan. 15, 2007. Allmus Hetal, "A Kerberos-based EAP method for re-authentication Searched on Jun. 16, 2012). Internet, <URL:http://tools.ietforg/ with integrated support for fast handover and IP mobility in wireless html/draft-nakhjiri-hokey-hierarchy-03>; (27 pages). LANs' Communications and Electronics, 2008. ICCE 2008. Second Bernard Aboba et al., EAP GSS Authentication Protocol. Online, International Conference on, IEEE, Piscataway, NJ. USA, Jun. 4. Apr. 6, 2002, Searched on Jun. 16, 2012). Internet, <URL: http:// 2008, pp. 61-66, XPO312.91448. tools.ietforg/pdf draft-aboba-pppext-eapgSS-122; (40 pages). Supplementary European Search Report dated May 24, 2011, issued Japanese Office Action dated Jun. 26, 2012, issued in corresponding in corresponding European Patent Application No. 08726355.4. Japanese Patent Application No. 2009-551756, with English Trans Jaatun MG et al. “Security in fast handovers' Telektronikk-Telenor lation (14 pages). Communication AS, vol. 102, No. 3-4, Dec. 2006, pp. 111-124. Canadian Office Action dated May 7, 2013, issued in corresponding XPOO2636384. Canadian Patent Application No. 2,679.378 (4 pages). Mohamedali Kaafar et al. "A Kerberos-Based Authentication Archi tecture for Wireless LANs' Apr. 8, 2004, Networking 2004, Net * cited by examiner U.S. Patent US 8,817,990 B2 BONET?BSEOWSSEWB)||8 (dBHÍOBHSOIHIN) U.S. Patent Aug. 26, 2014 Sheet 8 of 20 US 8,817,990 B2 ÖEHTSW OIWOLINBHI/WINESEHd(~|S 101.1300NW, U.S. Patent Aug. 26, 2014 Sheet 9 of 20 US 8,817,990 B2 BONET?ESdWE (HBWYTHEMO)NOIIVIOOSSWEH?OES U.S. Patent Aug. 26, 2014 Sheet 12 of 20 US 8,817,990 B2 EAP WITH PASS-THROUGHAUTHENTICATOR EAP EAPMETHODMESSAGE EAP METHOD METHOD EAP EAP EAP MESSAGE EAPAUTHENTICATOR MESSAGE EAP PEER (PASS-THROUGH) SERVER LOWER LOWER AAA AAA LAYER LAYER LAYER LAYER FIG. 11 U.S. Patent Aug. 26, 2014 Sheet 13 of 20 US 8,817,990 B2 KERBEROSSEQUENCE CLIENT AS-REQ AS-REP TGS-REQ TGS-REP FIG. 12 U.S. Patent Aug. 26, 2014 Sheet 14 of 20 US 8,817,990 B2 KHKPROACTIVE MODE MN (CLIENT) AS-REQ AS-REP FIG. 13 U.S. Patent Aug. 26, 2014 Sheet 15 of 20 US 8,817,990 B2 KHKREACTIVE MODE MN (SERVER)( AUTHENTICATOR (CLIENT) H & TRIGGER(MN) TGS-REQ (MN) TGS-REP (T) AP-REP KRB-SAFE OR SAP TTICKETFORMN H: EVENT'SWITCHED TOAUTHENTICATOR" FIG. 14 U.S. Patent Aug. 26, 2014 Sheet 16 of 20 US 8,817,990 B2 AAAINTERACTION FORAUTHORIZATIONAND ACCOUNTING AUTHORIZATION INFORMATION OVER AUTHORIZATION INFORMATION KERBEROS OVERAAA PROTOCOL (PROACTIVE MODE) AAAINFRASTRUCTURE MOBILENODE : AUTHORIZATION INFORMATION OVER AUTHENTICATOR ACCOUNTING INFORMATION KERBEROS OVERAAA PROTOCOL. (REACTIVE MODE) F.G. 15 U.S. Patent Aug. 26, 2014 Sheet 17 of 20 US 8,817,990 B2 EXAMPLE RELATIONSHIPBETWEENAAA DOMAINANDKERBEROS REALMS AAADOMAIN"mydomain.com" KERBEROS REALM KERBEROS REALM "rmydomain.com" "2mydomain.com" FIG. 16 U.S. Patent Aug. 26, 2014 Sheet 18 of 20 US 8,817,990 B2 EAP-EXTMESSAGE FORMAT WITHKERBEROS BOOTSTRAPPING CAPABILITY 1 OCTET 1 OCTET OCTET 1 OCTET CODE IDENTIFIER LENGTH TLVs (OPTIONAL) CAPABILITIES: BITO; RBIT (RE-AUTHENTICATION) BIT 1: 'C'BIT (CHANNELBINDING) BIT2: 'KBIT (KERBEROS) F.G. 17 U.S. Patent Aug. 26, 2014 Sheet 19 of 20 US 8,817,990 B2 KERBEROS BOOTSTRAPPING SEQUENCE MN (EAPPEERICLIENT) EAPSERVER EAP-REQUESTI EAP-EXT (K-1, METHOD) EAP-RESPONSE EAP-EXT (K-1, METHOD) EAP-REQUESTI EAP-EXT (K-1, KRB-BOOTAUTH) EAP-RESPONSE EAP-EXT (K-1, AUTH) KRB-BOOT EAP-SUCCESS FIG. 18 U.S. Patent Aug. 26, 2014 Sheet 20 of 20 US 8,817,990 B2 S. s s S. US 8,817,990 B2 1. 2 KERBERIZED HANDOVER KEYING server, a router or a workstation. Messages destined for some IMPROVEMENTS other host are not passed up to the upper layers but are for warded to the other host. In the OSI and other similar models, The present application claims priority under 35 U.S.C. IP is in Layer-3, the network layer. 119 as being a Non-provisional of Provisional Application 5 Wireless Networks: Ser. No. 60/892,532, entitled Kerberized Handover Keying Wireless networks can incorporate a variety of types of Improvements, filed on Mar. 1, 2007. mobile devices, such as, e.g., cellular and wireless tele phones, PCs (personal computers), laptop computers, wear BACKGROUND able computers, cordless phones, pagers, headsets, printers, 10 PDAs, etc.
Load more

Recommended publications
  • Glossary.Pdf
    Glossary Note: Terms in italics are described in their own glossary entries. 3DES. See Data Encryption Standard. A A RR. Type identifier for a DNS Address resource record. Active Directory (AD). The directory service for Windows 2000. A hierarchical, object-oriented database that stores distributed data for Windows 2000 domains, trees, and forests. Active Directory-integrated zones. DNS zones for which zone data are stored in Active Directory. All copies of an Active Directory-integrated zone are peers and can accept changes to the zone. Zone data are replicated through Active Directory. Zone transfers are required only when importing data from a primary zone or exporting data to a secondary zone. AD. Abbreviation for Active Directory. address class. See IP address class. address resolution protocol (ARP). A protocol used by IP to discover the hardware address of the device to which a datagram is being sent. Address resource record. A DNS resource record that maps a FQDN to an IP address. Referred to as Host resource records when administering Windows 2000 DNS. Referred to as Host Address resource records in this book. AH. See authentication header. ARP. See address resolution protocol. asymmetric cryptography. A cryptography method that uses one key for encryption and another key for decryption. Also called public key cryptography. attribute. A characteristic of an object in an object- oriented database such as Active Directory; often called a property in Windows 2000. authentication. The ability of one entity to reliably determine the identity of another entity. authentication header (AH). A security protocol used by IPSec that provides authentication and message integrity.
    [Show full text]
  • Centralised Authentication
    Centralised Authentication Fabian Alenius Guerreiro Jo~ao Uwe Bauknecht March 3, 2009 Contents 1 Introduction 2 2 LDAP 3 2.1 History of LDAP . 3 2.2 Directory servers . 3 2.3 Distinguished Names . 3 2.4 Directory Information Trees . 3 2.5 LDAP Authentication . 4 2.6 SASL binding . 4 3 Authentication Methods [5] 5 3.1 Kerberos . 5 3.1.1 Protocol draft 1.0 . 5 3.1.2 Analysis of Protocol draft 1.0 . 6 3.1.3 Protocol draft 2.0 . 6 3.1.4 Analysis of Protocol draft 2.0 . 7 3.1.5 Kerberos Version 4 . 7 3.1.6 Kerberos Conclusion . 8 3.2 X.509 certificates . 8 4 RADIUS 9 4.1 Introduction . 9 4.2 Functionality . 9 4.2.1 Authentication and Authorization . 9 4.2.2 Accounting . 10 4.2.3 Realms and Proxies . 10 4.3 Usage . 10 References 11 1 1 Introduction When a user wants to login to a computer system he has to go through the process of authentication. If the same user wants to authenticate against two computer systems he needs to authenticate twice. This becomes unpractical very fast as the number of systems grow, especially if the user has to remember separate usernames and passwords for each system. Another problem with this is that the management of the user accounts becomes complicated as we need several user accounts for each user. So, if we for example want to remove one user completely, we need to update all our systems. The solution to this problem is to use a centralized authentication server.
    [Show full text]
  • Leveraging the Kerberos Credential Caching Mechanism for Faster Re-Authentications in Wireless Access Networks
    UBICOMM 2010 : The Fourth International Conference on Mobile Ubiquitous Computing, Systems, Services and Technologies EAP-Kerberos: Leveraging the Kerberos Credential Caching Mechanism for Faster Re-authentications in Wireless Access Networks Saber Zrelli Yoichi Shinoda Nobuo Okabe Center for Information Science Corporate R&D Headquarters Japan Advanced Institute of Science and Technology Yokogawa Electric Corporation Ishikawa, Japan Tokyo, Japan [email protected] saber.zrelli,[email protected] Abstract—Although the wireless technology nowadays provides support cross-domain authentication that enables an access satisfying bandwidth and higher speeds, it still lacks improve- network to authenticate a roaming client that belongs to a ments with regard to handoff performance. Existing solutions remote domain. The cross-domain authentication requires for reducing handoff delays are specific to a particular network technology or require expensive upgrades of the whole infras- message exchange between the AAA server of the visited tructure. In this paper, we investigate performance benefits of network and the AAA server of the roaming station’s home leveraging the Kerberos ticket cashing mechanism for achieving network. Because these inter-domain exchanges occur over the faster re-authentications in IEEE 802.11 wireless access networks. Internet, they are subject to degradations such as packet loss For this purpose, we designed a new EAP authentication method, and network delays which increases the overall authentication EAP-Kerberos, and evaluated re-authentication performance in different scenarios. time. When a roaming station changes of access point, the same authentication procedure takes place again, disrupting Keywords-Wireless; Authentication; Handoff; Performance the user traffic at each handoff. I.
    [Show full text]
  • A Kerberos-Based Authentication Architecture for Wireless Lans
    A Kerberos-Based Authentication Architecture for Wireless LANs Mohamed Ali Kaafar1, Lamia Benazzouz1, Farouk Kamoun1, and Davor Males2 1 Ecole Nationale des Seiences de l'lnformatique, Universitt~ de la Manouba. Tunisia {Medali.kaafar, Lamia.benazzouz, Farouk.kamoun}@ensi.rnu.tn 2 Laboratoire d'lnformatique de Paris 6 Universite Pierreet Marie Curie 8, rue du capitaine Scott 75015 Paris. France [email protected] Abstract. This work addresses the issues re1ated to authentication in wireless LAN environments, with emphasis on the IEEE 802.11 standard. lt proposes an authentication architecture for Wireless networks. This architecture called Wireless Kerberos (W-Kerberos), is based on the Kerberos authentication server and the IEEE 802.1X-EAP mode1, in order to satisfy both security and mobility needs. lt then, provides a mean of protecting the network, assuring mutual authentication, thwarts cryptographic attack risks via a key refreshment mechanism and manages fast and secure Handovers between access points. 1 Introduction Over recent years, wire1ess communication has enjoyed enormous growth, becoming popular in botb public and private sectors. Wireless Local Area Network (WLAN) technology is capable of offering instant, high-speed and mobile connectivity. While this technology offers a Iot of advantages, it does also introduce issues related to authentication, access control, confidentiality and data integrity. Today, wireless products are being developed that do not address all of the security services related to this technology. Although the IEEE 802.lli framework is proposing a "Robust Security Nework" architecture (RSN) to deal with the security wireless networks limitations, actually there is not a complete set of standards available that solves all the issues related to Wireless security [1].
    [Show full text]
  • 1. Privacy and Security 1.1. User Identity Authentication
    VA Enterprise Design Patterns: 1. Privacy and Security 1.1. User Identity Authentication Office of Technology Strategies (TS) Architecture, Strategy, and Design (ASD) Office of Information and Technology (OI&T) Version 2.0 Date Issued: March 2016 THIS PAGE INTENTIONALLY LEFT BLANK FOR PRINTING PURPOSES APPROVAL COORDINATION ___________________________________________ Rodney Emery Director, Technology Strategies and GEAC, ASD ASD Technology Strategies ___________________________________________ Paul A. Tibbits, M.D. DCIO Architecture, Strategy, and Design REVISION HISTORY Version Date Organization Notes Initial Draft/Outline of the update to the Internal and External User Identity Authentication Design Patterns issued for stakeholder review. Combined Internal and External Authentication 1.5 February 2016 ASD TS Design Plan documents and updated the name. Changed format to provide future state relevant to all authentication, internal and then external. Added IAM Infrastructure Integrity Risk Assessment and Recommended Actions. Includes the additional updates: Added overview diagram. Updated As-Is state for SSOe and use of MVI. Updated Internal and External current state diagrams. Clarified goal of IAM to provide a single source to access all identities and attributes in use across VA. Added requirement to create LOA Assessment 1.7 March 2016 ASD TS Examples specific to VA for every level and provided draft example. Updated Direct Client Authentication using PKI over TLS to be a temporary solution until SSOi supports LOA 4. Updated Use Cases. Updated scope to specify exclusion of Compliance Audit and Reporting (CAR), VA Credential Service Provider (CSP), electronic signature (eSig) and identity proofing (IP). REVISION HISTORY APPROVALS Version Date Approver Role 2.0 3/10/2016 Joseph Brooks Privacy and Security Design Pattern Lead TABLE OF CONTENTS TABLE OF CONTENTS ..............................................................................................................................................
    [Show full text]
  • Extending Oauth2.0 for Kerberos-Like Authentication to Avoid Internet Phishing Attacks
    Anoop Vijayan Extending OAuth2.0 for Kerberos-like authentication to avoid Internet phishing attacks Master thesis in Mobile Technology and Business Faculty of Information Technology University of Jyvaskyla Department of Computer Science and Information Systems Author: Anoop Vijayan Contact Information: [email protected] Supervisor(s): Timo Hamäläinen Department of Computer Science and Information Systems University of Jyvaskyla Reviewer(s): Timo Hamäläinen Department of Computer Science and Information Systems University of Jyvaskyla Title: Extending OAuth2.0 for Kerberos-like authentication to avoid Internet phishing attacks Project: Master thesis in Mobile Technology and Business Page count: 72 I ABSTRACT The combined use of OpenID and OAuth for authentication and authorization is gaining popularity day by day in Internet. Because of its simplicity to understand, use and robustness, they are used in many domains in web, especially where the apps and user base are huge like social networking. Also it reduces the burden of typing the password every time for authentication and authorization especially in hand-held gadgets. After a simple problem scenario discussion, it is clear that the OpenID+OAuth combination has some drawbacks from the authentication perspective. The two major problems discussed here include problems caused due to transfer of user credentials over Internet and complexity in setting up of two protocols separately for authentication and authorization. Both the problems are addressed by extending OAuth2.0. By using Kerberos-like authentication, the user has the possibility of not passing the credentials over Internet. It is worth to note that, OAuth2.0 also uses some kind of tokens for authorizations similar to Kerberos.
    [Show full text]
  • Windows 2000 Kerberos Authentication
    Operating System Windows 2000 Kerberos Authentication White Paper Abstract The next generation of the Microsoft® Windows® operating system will adopt Kerberos as the default protocol for network authentication. An emerging standard, Kerberos provides a foundation for interoperability while enhancing the security of enterprise-wide network authentication. Windows 2000 implements Kerberos version 5 with extensions for public key authentication. The Kerberos client is implemented as a security provider through the Security Support Provider Interface. Initial authentication is integrated with the Winlogon single sign-on architecture. The Kerberos Key Distribution Center (KDC) is integrated with other Windows 2000 security services running on the domain controller and uses the domain’s Active Directory as its security account database. This white paper examines components of the protocol and provides detail on its implementation. © 1999 Microsoft Corporation. All rights reserved. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS DOCUMENT. Microsoft, Active Desktop, BackOffice, the BackOffice logo,
    [Show full text]
  • Secure Fast Handover in an Open Broadband Access Network Using Kerberos-Style Tickets
    Secure Fast Handover in an Open Broadband Access Network using Kerberos-style Tickets Martin Gilje Jaatun1, Inger Anne T¿ndel1, Fr¶ed¶ericPaint2, Tor Hjalmar Johannessen2, John Charles Francis3, and Claire Duranton4 1 SINTEF ICT, Trondheim, Norway 2 Telenor R&D, Fornebu, Norway 3 Swisscom Innovations, Bern, Switzerland 4 France Telecom R&D, Issy-les-Moulineaux, France [email protected] Abstract. In an Open Broadband Access Network consisting of multi- ple Internet Service Providers, delay due to multi-hop processing of au- thentication credentials is a major obstacle to fast handover between ac- cess points, e®ectively preventing delay-sensitive interactive applications such as Voice over IP. By exploiting existing trust relationships between service providers and access points, it is possible to pre-authenticate a mobile terminal to an access point, creating a Kerberos-style ticket that can be evaluated locally. The terminal can thus perform a handover and be authenticated to the new access point, without incurring communi- cation and processing delays by involving other servers. 1 Introduction The Open Broadband Access Network (OBAN) [1] seeks to utilise excess ca- pacity available in residential broadband connections, by opening up private wireless access points to passers-by. It is intended as a multi-ISP network, where a roaming OBAN user may consume mobile IP services from residential wireless access points regardless of whether or not he has a contract with the same ISP as the residential user. In addition to serving as a lower-cost, higher-bandwidth alternative to services such as UMTS [2] or WiMAX [3], OBAN also intends to incorporate multi-lateral roaming agreements [4] towards such services, in e®ect creating a ubiquitous, world-wide network.
    [Show full text]
  • A New a Kerberos Model
    Volume 2, Issue 3, March 2012 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com 3 A NEW A KERBEROS MODEL Aditya Harbola* Deepti Negi Deepak Harbola School of computing School of computing Department of computer science Graphic Era University, Graphic Era University, BCTKEC, Dehradun, UK Dehradun, UK Dwarahat, UK [email protected] [email protected] [email protected] Abstract – An internet service provider (ISPs) offers easy access to the network to meet the ever growing demand for business. The authenticated subscribers must be verified for access authorization and for cost recovery, billing and resource planning purpose. For all business services coordination between the various administrative system’s are required. This paper presents a new AAA Kerberos protocol for distributed systems. Traditional Kerberos authentication schemes do not meet distributed system requirements of authorization, failsafe operation, accounting of service usage and resilience to loss of connectivity. Our new AAA Kerberos protocol model meets the requirements of authentication, authorization and accounting. Keywords - Authentication, authorization, accounting, key management, control systems. INTRODUCTION end user's resource consumption, which can then be processed for billing, auditing, and capacity-planning purposes. A network is full of challenges and meeting these One of the requirements of AAA framework is a good challenges in a simplified and scalable manner lies at the heart price-to-performance ratio offering high-volume disk storage of authentication, authorization, and accounting. AAA and optimized database administration. A single AAA server essentially defines a framework for coordinating the challenges can act as a centralized administrative control point for multiple across multiple network technologies and platforms.
    [Show full text]
  • Authentication
    Authentication “What was your username again?” clickety clickety — The BOFH User Authentication Basic system uses passwords • Can be easily intercepted Encrypt/hash the password • Can still intercept the encrypted/hashed form Modify the encryption/hashing so the encrypted/hashed value changes each time (challenge/response mechanism) User Authentication (ctd) Vulnerable to offline password guessing (attacker knows challenge and encrypted challenge, can try to guess the password used to process it) User Authentication (ctd) There are many variations of this mechanism but it’s very hard to get right • Impersonation attacks (pretend to be client or server) • Reflection attacks (bounce the authentication messages elsewhere) • Steal client/server authentication database • Modify messages between client and server • Chess grandmaster attack Simple Client/Server Authentication Client and server share a key K • Server sends challenge encrypted with K – Challenge should generally include extra information like the server ID and timestamp • Client decrypts challenge, transforms it (eg adds one, flips the bits), re-encrypts it with K, and sends it to the server • Server does the same and compares the two Properties • Both sides are authenticated • Observer can’t see the (unencrypted) challenge, can’t perform a password-guessing attack • Requires reversible encryption Something similar is used by protocols like Kerberos Unix Password Encryption Designed to resist mid-70’s level attacks Uses 25 iterations of modified DES Salt prevents identical passwords
    [Show full text]
  • How to Use the Cacert Infrastructure Within an Openid Context?
    Master Thesis How to use the CAcert infrastructure within an OpenID context? Auteurs: B.J. Derlagen (s0829692), O.M. Berfelo (s0756067) Educational institution: Radboud University Faculty: Faculty of Science Institute for Computing and Information Sciences Education: Information Science Thesis number: Supervisors: Prof.dr. B.P.F. Jacobs, dr.ir. E. Poll Date: 1 Preface We wrote this master thesis for our education Information Science at the Radboud University in Nijmegen. We have done a research of how we can use the CAcert infrastructure in an OpenID context. This is the result of our research. We would like to thank some people who have made a contribution to this master thesis that led us to the final result. We would like to thank our supervisors Prof.dr. B.P.F. Jacobs and dr.ir. E. Poll for their feedback, knowledge, ideas and advice. We also would like to thank Esther Makaay and Marco Davids of SIDN for the conversation we had with them. Finally we would like to thank Bernard van Gastel and Marc Overmeer for the ideas and advice they gave us. Barthold Derlagen & Onno Berfelo. Warnsveld, 3 September 2010. 2 Abstract These days more and more people have access to an internet connection. These people spend an increasing amount of time on the web. On the web you'll encounter many websites on which you'll need to authenticate yourself. In many cases you'll do this with a username and password combination. Using the same combination on every site is unwise. This is where Single Sign On (SSO) (section 2.3.1) gets into the picture.
    [Show full text]
  • Frameworks for Centralized Authentication and Authorization
    Frameworks For Centralized Authentication And Authorization by Ken Erikson Thesis of 30 ECTS credits submitted to the School of Computer Science at Reykjavík University in partial fulfillment of the requirements for the degree of Master of Science (M.Sc.) in Computer Science June 2020 Examining Committee: Sébastien Lafond, Supervisor Adjunct Professor, Åbo Akademi University, Finland Dragos Truscan, Examiner Adjunct Professor, Åbo Akademi University, Finland Marcel Kyas, Examiner Assistant Professor, Reykjavík University, i Copyright Ken Erikson June 2020 ii Frameworks For Centralized Authentication And Authorization Ken Erikson Thesis of 30 ECTS credits submitted to the School of Computer Science at Reykjavík University in partial fulfillment of the requirements for the degree of Master of Science (M.Sc.) in Computer Science June 2020 Student: Ken Erikson Examining Committee: Sébastien Lafond Dragos Truscan Marcel Kyas iii The undersigned hereby grants permission to the Reykjavík University Library to reproduce single copies of this Thesis entitled Frameworks For Centralized Authentication And Authorization and to lend or sell such copies for private, scholarly or scientific research purposes only. The author reserves all other publication and other rights in association with the copyright in the Thesis, and except as herein before provided, neither the Thesis nor any substantial portion thereof may be printed or otherwise reproduced in any material form whatsoever without the author’s prior written permission. date Ken Erikson Master of Science iv Ken Erikson ABSTRACT A commonly used method of authentication on the Internet is to provide a combina- tion of a username and a password. One way to make this method more secure is to have long passwords.
    [Show full text]