1. Network Access Control Schemes Vulnerable to Covert Channels
11/03/2004, Florent Bersani & Anne-Sophie Duserre
2. Agenda
- In mobile phone networks: DECT, GSM
4. NAC: the first line of defense
- Network access control is about:
  - Securely verifying the identity of a device/user that wants to connect to a network
  - Checking if this device/user is indeed authorized to do so
- Robust network access control is the key:
  - To properly defined security zones
  - To financial valuation of network access
5. NAC in a roaming situation
6. Covert channels: abusing protocols
- A communication channel is covert if it is neither designed nor intended to transfer information at all. [Lampson73]
- For network protocols, a covert channel is rather a communication channel that is abused to unnoticeably transfer unexpected data.
  - These channels provide venues to circumvent the policy
8. DECT
[Diagram: DECT Portable Part, DECT Fixed Part, Inter-Working Unit, local and/or public phone network, DECT Common Interface]
9. DECT NAC in roaming scenarios
$K_S = \mathrm{PRF}(K, R_S)$ and $\mathrm{RES1} = \mathrm{PRF}'(K_S, \mathrm{RAND\_F})$
10. GSM
[Diagram: MS, BTS, BSC, MSC, Transport Network, VLR, HLR, AuC]
11. GSM NAC in roaming situations
$K_C = \mathrm{PRF}(K_I, \mathrm{RAND})$ and $\mathrm{SRES1} = \mathrm{PRF}'(K_I, \mathrm{RAND})$
12. WLAN
[Diagram: EAP Peer, Wireless Access Point (Pass-through Authenticator), Proxy RADIUS Server, Home RADIUS Server (Authentication Server)]
13. WLAN NAC in roaming situations (1/2)
14. WLAN NAC in roaming situations (2/2)
- EAP [RFC 3748] may transport EAP methods that are opaque to the
Visited AS, e.g. PEAP or EAP-PSK
- A rogue Home AS may use this communication channel, which it is granted with its user, for purposes other than authentication!
16. Impact
- What is the impact of the covert channel?
- The covert channel we present should be taken into account
  - When signing roaming agreements
    - pricing of the authentication traffic
    - choice of appropriate EAP methods
  - When designing a threat model for WLANs
17. Solutions
- Revert to another NAC scheme
  - Cryptography has long recognized that multi-party protocols warrant specific research
  - A thorough threat model should be determined
  - A relevant protocol should then be selected
  - Tweak the standards (design EAP methods that may be split between the visited AS and the home AS)
- Decrease the potential attraction of this channel
  - Make the channel uninteresting for non-authentication traffic
  - Monitor the statistics of EAP dialogs
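One way the visited AS could monitor the statistics of EAP dialogs, as an added example that is not part of the original slides: it compares each dialog's round trips and byte volume with a robust baseline (median plus a multiple of the median absolute deviation) and reports home realms where most dialogs are outliers. The record layout, realm names, thresholds and sample values are assumptions constructed for illustration, and all dialogs are assumed to use the same EAP method.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one tuple per completed EAP dialog as seen by the
# visited (proxy) RADIUS server: (home_realm, eap_round_trips, eap_bytes).
DIALOGS = [
    ("home-a.example", 8, 2900), ("home-a.example", 9, 3100),
    ("home-a.example", 8, 3000), ("home-b.example", 9, 3050),
    ("home-b.example", 8, 2950), ("home-b.example", 10, 3200),
    ("home-c.example", 41, 52000), ("home-c.example", 38, 47500),
    ("home-c.example", 9, 3000),
]

def robust_limit(values, k=5.0):
    """Upper limit = median + k * MAD, with the MAD floored at 5% of the
    median so that a near-constant baseline does not flag ordinary jitter."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med + k * max(mad, 0.05 * med)

def suspicious_realms(dialogs, k=5.0, min_fraction=0.5):
    """Return {realm: fraction of outlier dialogs} for realms whose
    fraction of outlier dialogs is at least min_fraction."""
    trip_limit = robust_limit([d[1] for d in dialogs], k)
    byte_limit = robust_limit([d[2] for d in dialogs], k)
    total, outliers = defaultdict(int), defaultdict(int)
    for realm, trips, size in dialogs:
        total[realm] += 1
        if trips > trip_limit or size > byte_limit:
            outliers[realm] += 1
    return {r: outliers[r] / total[r] for r in total
            if outliers[r] / total[r] >= min_fraction}

if __name__ == "__main__":
    for realm, frac in suspicious_realms(DIALOGS).items():
        print(f"{realm}: {frac:.0%} of EAP dialogs exceed the baseline")
```

The baseline is pooled over all realms, so it only holds while the realms being compared are mostly well behaved; in practice a limit per EAP method, learned from trusted partners, would replace it.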
18. Questions & Comments
20. References
- [Lampson73] B. W. Lampson, "A Note on the Confinement Problem," Communications of the ACM, 16:10, pp. 613-615, October 1973.
- [RFC 3748] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, Extensible Authentication Protocol (EAP), RFC 3748, June 2004.