Architectural Approaches to Network and Service Access Authentication Marcin Dabrowski Piotr Pacyna
China Communications, June 2007, Feature Articles: Communications & Information Security

Marcin Dabrowski (1), Piotr Pacyna (1,2)
(1) AGH University of Science and Technology, Poland, [email protected]
(2) Universidad Carlos III de Madrid, Spain, [email protected]

ABSTRACT

Authentication is the first step, of central importance, for access control and for security protection in radio access networks. A general model for authentication was adopted from fixed networks and applied to the wireless world. However, the differences in the operational environment between the fixed and the wireless world, the heterogeneity of radio communications systems, new trends in service provisioning, emerging business models and performance requirements raise the need to revisit the original requirements for authentication systems and to come up with schemes that better suit current needs. In this review paper we discuss authentication in single-hop radio access networks by characterizing the current as well as the emerging authentication schemes.

Key words: authentication, access control, wireless networks, next-generation Internet

I. INTRODUCTION

In recent years, wireless access networks have received broadband capabilities and have become available for residential and institutional users. Broadband radio access networks have been under deployment in enterprises, campuses, public institutions, governmental organizations and in public access networks. The success of radio access networks is attributed to their high usability, flexibility, cost-efficiency and especially to the unrestricted communications capability. Multiple radio access technologies favor competitiveness, accelerate progress in the field and propel the wireless industry.

Diversity has led to heterogeneity, with the side effect of the burden of inter-working between technologies and systems. Many challenges of inter-working are characteristic of a particular network setup, the technologies in use and the services under deployment. Some of them, however, are common to all installations. Specifically, in all systems the network infrastructure and the services need to be protected against misuse. Authentication is the first step, of central importance, in network and service access control and in security protection. This review paper studies the current and the emerging approaches to authentication in single-hop radio access networks.

II. SCOPE OF AUTHENTICATION

Authentication allows a subject (a user, a system or a device) to prove its identity by presenting credentials which are then verified. The subject is referred to by means of an identifier: some naming convention, such as a true name or a pseudonym, or, in an indirect way, the identifier of a device owned by the subject, which gives rise to the so-called user authentication and device authentication schemes. The authentication is performed by a verifier in unidirectional authentication, or by both parties when they are involved in a mutual authentication process. The subject and the verifier may have come across each other before, but they need not have had a relationship at any time before.

Verification of the credentials submitted in the process is conducted with the support of trusted entities, such as authentication servers, which maintain a binding between the credentials and the subject and are in a position to ascertain the validity of the binding at any time.

Authentication serves the secure bootstrapping of network attachment, as part of an access control process aimed at preventing service theft by unauthorized individuals and impersonation of legitimate users, also known as identity theft.

Although a general model for authentication in radio access networks was adopted from fixed copper-wire access and cable networks, and next applied to the wireless world, some methods have been devised specifically for wireless networks. These new methods are evolving due to significant differences in the operational environment between the fixed and the wireless world, and due to changing threat models as new forms of attacks are discovered.

A. New requirements for the wireless environment

Successful authentication establishes a trust relationship between the subject and the verifier (also known as the authenticator). The trust can be uni- or bi-directional, symmetric or asymmetric, depending on the type and strength of the employed authentication method. It is represented by unidirectional security association(s) which define a ciphersuite and the cryptographic keying material used for subsequent protection of communications on the wireless link.

New requirements for authentication in wireless access networks are mainly related to user mobility, which is defined as the ability to change the point of attachment in a network. A physical change of the attachment due to movement can also imply a logical change of location in the network topology or a change of the network operator, known as intra-domain and inter-domain handoff, respectively. A default requirement of almost any mobility scenario is continuous reachability of a mobile user. The ability to sustain previously established sessions in spite of the movement, preferably with little or no impact on session continuity, is another requirement. In the new context defined by mobility, a few essential technology requirements need to be taken into account with respect to an authentication system:

1) In systems which support mobility, the users are 'always on' the network and may own multi-mode capable devices. With such diversity, the authentication systems need to be particularly robust, scalable and resilient to attacks. Methods of various complexity must be supported and the system must be extensible for emerging authentication methods.

2) Mobile users prefer to be involved in few business relationships, preferably only with an operator in their home area. Multiple business relationships are either troublesome for users, and hence disfavoured, or simply unfeasible because of random roaming patterns.

3) The employed authentication system must not overly depend on the mobility management scheme or on the type of re-addressing used to support mobility.

4) In open access systems, where multi-access technologies are used, frequent re-authentication, likely at every handoff, is necessary. Also, small cell sizes, typical of some wireless technologies, imply short visiting times and quite frequent intra-domain handoffs. Low protocol overhead and low overall latency of the authentication process are an advantage.

5) Delay-sensitive applications, in particular conversational services, leave little tolerance margin for re-authentication during handoff. The requirement for voice call continuity favors low-latency re-authentication and make-before-break authentication (pre-authentication), so that the authentication latency does not add to the handover latency.

New business models are also expected to change service provisioning. In particular:

6) Deregulation of the markets allows for market fragmentation. Pre-established security associations between a customer and the serving network will be rare due to continuous roaming of users.

7) Wireless or cellular network service providers with disproportionate geographical coverage will exist in the future, so that inter-domain handoffs will be more frequent than so far. Authentication should be robust also where roaming agreements

[...]

requirements. On the contrary, the existence of a large installed base of authentication systems used so far calls for incremental upgrades that build upon the existing infrastructure and experience. Today, new requirements for authentication are diffusing the well-established methods.

In the following sections we present recent advances in network access authentication. In order to make the text comprehensive, we begin with a review of legacy methods, for better presentation of the differences in the new methods.

III. AUTHENTICATION IN WIRELINE NETWORKS

Extensible
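The model described in Section II (a subject known by an identifier, a verifier, an authentication server holding the credential binding, and the resulting unidirectional security associations) as an added worked example; this is not code from the paper. The challenge-response scheme, the HMAC-based key derivation, the class and function names and the "AES-128-CCM" ciphersuite label are assumptions chosen for illustration, and the example goes slightly beyond the text by contrasting unidirectional with mutual authentication and by showing the server withdrawing a binding.

```python
import hmac, hashlib, os

def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()

class AuthenticationServer:
    """Trusted entity that keeps the binding between an identifier and a credential."""
    def __init__(self):
        self.bindings = {}  # identifier -> [shared secret, binding still valid?]
    def enrol(self, identifier, secret):
        self.bindings[identifier] = [secret, True]
    def revoke(self, identifier):
        self.bindings[identifier][1] = False  # validity of a binding can be withdrawn at any time
    def verify(self, identifier, nonce_v, nonce_s, response, mutual):
        secret, valid = self.bindings.get(identifier, (None, False))
        if not valid:
            return None  # unknown subject, or binding no longer valid
        expected = _mac(secret, b"subject->verifier", nonce_v, nonce_s)
        if not hmac.compare_digest(expected, response):
            return None  # credential check failed
        # The server proves knowledge of the binding to the subject only in mutual authentication.
        proof = _mac(secret, b"verifier->subject", nonce_s, nonce_v) if mutual else b""
        return proof, _mac(secret, b"master", nonce_v, nonce_s)

class Subject:
    def __init__(self, identifier, secret):
        self.identifier, self.secret = identifier, secret
    def begin(self):
        self.nonce = os.urandom(16)  # subject's fresh nonce (constructed at random)
        return self.nonce
    def respond(self, nonce_v):
        return _mac(self.secret, b"subject->verifier", nonce_v, self.nonce)
    def check_proof(self, proof, nonce_v):
        return hmac.compare_digest(proof, _mac(self.secret, b"verifier->subject", self.nonce, nonce_v))

def derive_security_associations(master, ciphersuite):
    """Two unidirectional SAs: a separate key per direction, same negotiated ciphersuite."""
    return {d: {"ciphersuite": ciphersuite, "key": _mac(master, d.encode())}
            for d in ("subject->verifier", "verifier->subject")}

def authenticate(subject, server, mutual=True, ciphersuite="AES-128-CCM"):
    """Run by the verifier (e.g. an access point); returns the SAs, or None on failure."""
    nonce_v, nonce_s = os.urandom(16), subject.begin()  # verifier challenge and subject nonce
    result = server.verify(subject.identifier, nonce_v, nonce_s, subject.respond(nonce_v), mutual)
    if result is None:
        return None
    proof, master = result
    if mutual and not subject.check_proof(proof, nonce_v):
        return None  # the subject rejects a verifier that cannot prove knowledge of the binding
    return derive_security_associations(master, ciphersuite)
```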