bersani.ppt

Published in: Technology, Business

  1. Network Access Control Schemes Vulnerable to Covert Channels. 11/03/2004. Florent Bersani & Anne-Sophie Duserre
  2. Agenda
       • Context
           • Network Access Control?
           • Covert channels?
       • Examples
           • In mobile phone networks: DECT, GSM
           • In IEEE 802.11 WLANs
       • Discussion
           • Impact
           • Solutions
  4. NAC: the first line of defense
       • Network access control is about:
           • Securely verifying the identity of a device/user that wants to connect to a network
           • Checking if this device/user is indeed authorized to do so
       • Robust network access control is the key:
           • To properly defined security zones
           • To financial valuation of network access
  5. NAC in a roaming situation
  6. Covert channels: abusing protocols
       • A communication channel is covert if it is neither designed nor intended to transfer information at all. [Lampson73]
       • For network protocols, a covert channel is rather a communication channel that is abused to unnoticeably transfer unexpected data.
           • These channels provide avenues to circumvent the policy
  8. DECT
       [Figure: DECT architecture. Labels: DECT Portable Part, DECT Fixed Part, Inter-Working Unit, Local and/or Public Phone Network, DECT Common Interface]
  9. DECT NAC in roaming scenarios
       K_S = PRF(K, R_S) and RES1 = PRF'(K_S, RAND_F)
  10. GSM
       [Figure: GSM architecture. Labels: MS, BTS, BSC, MSC, Transport Network, VLR, HLR, AuC]
  11. GSM NAC in roaming situations
       K_C = PRF(K_I, RAND) and SRES1 = PRF'(K_I, RAND)
  12. WLAN
       [Figure: WLAN architecture. Labels: Peer, Pass-through Authenticator, Authentication Server, Home RADIUS Server, Wireless Access Point, EAP Peer, Proxy RADIUS Server]
  13. WLAN NAC in roaming situations (1/2)
  14. WLAN NAC in roaming situations (2/2)
       • EAP [RFC 3748] may transport EAP methods that are opaque to the Visited AS, e.g. PEAP or EAP-PSK
       • A rogue Home AS may use this communication channel that it is granted with its user for other purposes than authentication!
  16. Impact
       • What is the impact of the covert channel?
           • Feasibility
           • Attraction
           • Detectability
       • The covert channel we present should be taken into account
           • When signing roaming agreements
               • pricing of the authentication traffic
               • choice of appropriate EAP methods
           • When designing a threat model for WLANs
  17. Solutions
       • Revert to other NAC schemes
           • Cryptography has long recognized that multi-party protocols warrant specific research
           • A thorough threat model should be determined
           • A relevant protocol should then be selected
           • Tweak the standards (design EAP methods that may be split between the visited AS and the home AS)
       • Decrease the potential attraction of this channel
           • Make the channel uninteresting for non-authentication traffic
       • Monitor for this channel
           • Monitor the statistics of EAP dialogs
  18. Questions & Comments
  20. References
       • [Lampson73] B. W. Lampson, "A Note on the Confinement Problem," Communications of the ACM, 16:10, pp. 613-615, October 1973.
       • [RFC 3748] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, "Extensible Authentication Protocol (EAP)," RFC 3748, June 2004.
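
The last item on the Solutions slide, monitoring the statistics of EAP dialogs, can be sketched from the visited network's side as below. This is an added example, not part of the original slides: the record layout, realm names, sample values and threshold are constructed assumptions, and the visited AS is assumed to see only the outer EAP method, the number of round trips and the bytes relayed.

```python
from collections import defaultdict
from statistics import median

# Constructed sample: one record per EAP dialog as a visited AS could log it:
# (home realm, outer EAP method, round trips, EAP bytes relayed).
DIALOGS = [
    ("home-a.example", "PEAP", 9, 4100),
    ("home-a.example", "PEAP", 10, 4350),
    ("home-b.example", "PEAP", 9, 4200),
    ("home-b.example", "PEAP", 11, 4600),
    ("home-a.example", "PEAP", 10, 4280),
    ("home-c.example", "PEAP", 64, 61000),   # far longer than its peers
    ("home-a.example", "EAP-PSK", 2, 260),
    ("home-b.example", "EAP-PSK", 2, 255),
    ("home-c.example", "EAP-PSK", 2, 262),
    ("home-c.example", "EAP-PSK", 2, 1900),  # usual length, oversized payload
]

def robust_z(value, sample):
    """Distance from the median in MAD units (1.4826 scales MAD to sigma)."""
    med = median(sample)
    mad = median(abs(x - med) for x in sample)
    # The floor keeps near-identical peers from producing a zero divisor.
    return abs(value - med) / max(1.4826 * mad, 0.05 * med, 1.0)

def flag_dialogs(dialogs, threshold=5.0):
    """Return (realm, method, reasons) for dialogs whose round trips or byte
    volume are outliers among dialogs using the same outer EAP method."""
    by_method = defaultdict(list)
    for d in dialogs:
        by_method[d[1]].append(d)
    flagged = []
    for method, group in by_method.items():
        trips = [d[2] for d in group]
        sizes = [d[3] for d in group]
        for realm, _, n_trips, n_bytes in group:
            scores = {"round_trips": robust_z(n_trips, trips),
                      "bytes": robust_z(n_bytes, sizes)}
            reasons = sorted(k for k, s in scores.items() if s > threshold)
            if reasons:
                flagged.append((realm, method, reasons))
    return flagged

def flagged_per_realm(dialogs, threshold=5.0):
    """Count flagged dialogs per home realm, e.g. to review a roaming partner."""
    counts = defaultdict(int)
    for realm, _, _ in flag_dialogs(dialogs, threshold):
        counts[realm] += 1
    return dict(counts)
```

Comparing each dialog only against others of the same method matters because a normal PEAP exchange is far longer than a normal EAP-PSK one; a single global baseline would hide the oversized EAP-PSK dialog.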
