AuthenticationScheme_en

Application of Network Smart Cards to authentication on critical environments Joaquin Torres, M. Carbonell, J. Tellez and J.M. Sierra Carlos III University of Madrid, Spain Computer Science Department

Outline Our “Network Smart Card” Integration of Smart Cards in Networks?

Complete Architecture for authentication Application to the authentication on critical environments

2

Our Goals •

ID-card should participates as stand-alone supplicant (claimant) – isolating the protocol of the implementation in the Terminal and – minimizing other resources requirements of the Terminal.  Authentication protocol will be implemented as an integral part of the ID-card

•

A lightweight networking protocol stack would be more easily supported by the smart card – IETF Layer 2 authentication protocol • we propose the ID-card integration in a layer 2 authentication scheme • based on our network smart card concept, ID-NSCard

•

End-to-end mutual authentication scheme – Remote Device Authentication: this work assumes an a pr i or i untrustworthy environment

3

On our Network Smart Cards, IDNSCards • Based on Extensible Authentication Protocol, EAP [RFC 3748 ]

EAP-MD5,EAP-TLS, EAP-SIM/AKA,…, EAP-?

EAP-Methods

• EAP-Methods: EAP authentication method,  with individuals identification purposes

EAP Peer/Auth EAP Layer

EAP

PPP

ISO 7816

ID-NSCard

Access Control E.

Pass-through Authenticator

Stand-alone supplicant

4

Authentication & Autorization protocol architecture

EAP-ID

EAP

PPP

ISO7816 ID-NSCard

EAP

EAP RADIUS Client

RADIUS Proxies

RADIUS Server

UDP/IP

L2/L1

PPP

ISO7816 ACE

Network AAA Proxies

Authentication & Authorization Server

Note that we can re-use the same architecture for: EAP-MD5, EAP-TLS, EAP-SIM/AKA,…, EAP-? Aboba, B., Calhoum, P., RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP), IETF RFC 3579, September 2003.

5

… the Testbed for our Architecture •

back-end authentication server is implemented by freeRADIUS: supports both EAP/RADIUS and EAP methods development.

•

AP as a RADIUS proxy

•

Laptop as RADIUS Client (NAS): JRadius-Client

•

ID-NSCard protocol stack -according to the standardized state machines- has been implemented in programmable JavaCard smart card.

RADIUS Proxy

Auth&Autho. RADIUS Server

ACE

ID-NSCard

6

EAP-MD5 Prototipe ID-NSCard Shared secrets K s ecret

ACE

Authentication and Authorization Server

PPP LCP Request –EAP Auth PPP LCP ACK –EAP Auth

Shared secrets K s ec ret

1. PPP EAP-Req[Identity] 2. PPP EAP-Response [Identity]

5. PPP EAP-Req[MD5Challenge]

3. RADIUS AccessReq[EAP_Response[Identity]] 4. RADIUS Access-Challenge [EAP-Req[MD5Challenge]]

•Generates challenge

Computes response to challenge 6. PPP EAP-Resp [MD5Challenge] 7. RADIUS Access-Req[EAP_Response[MD5Challenge]] •Verifies challenge

9. PPP EAP-SUCCESS

8. RADIUS Access-Accept[EAP_SUCCESS]

•Authenticates Citizen

7

ID-NSCard as Spanish electronic IDCard: authentication flow and…

Shared secrets K ENC y K MAC

IDNSCard

ACE

Authentication and Authorization Server Shared secrets K ENC y K MAC

PPP LCP Request –EAP Auth PPP LCP ACK –EAP Auth 1. PPP EAP-Req[StartID] 2. PPP EAP-Response [M1]

•Ve ri f i e s ACG 1 an d au t he nt i cat es Se rv er

3. RADIUS Access-Req[EAP_Response[M1]] 5. PPP EAP-Req[ACG1]

•G e ner at es r C , an d SS C C

4. RADIUS Access- Chal lenge [EAPReq[ACG1]]

•Computes ACG1

•Deri v es K SK

Computes ACG2

•Generates rS

6. PPP EAP-Resp [ACGA2] 7. RADIUS Access-Req[EAP_Response[ACG2]]

9. PPP EAP-Resp [M2]

8. RADIUS AccessChallenge[EAP_Response[M2]]

•Ve ri f i e s ACG 2 an d Aut e nt i ca t es I D- NS Car d •Der i v es K SK •G e ne rat es S SC S

•Generates challenge T

•Signs T with K uI 10. PPP EAP-Request [M3]

11. RADIUS Access- Req[EAP_Req[M3]] 12. RADIUS Access-Accept[EAP_SUCCESS]

•Authenti cat es Citizen

13. PPP EAP- SUCCESS

8

I D -NSCar d Shar ed secr ets K EN C y K M AC

ACE

Authenticati on and Author ization Ser ver Shar ed secr ets K EN C y K M AC

PPP L CP Request –EAP Auth PPP L CP ACK –EAP Auth

1. PPP EAP-Req[Star t- I D] 2. PPP EAP-Response [M 1] •Ver ifies ACG1 and authenticates Ser ver

3. RAD I U S Access-Req[EAP_Response[M 1]] 5. PPP EAP-Req[ACG1]

4. RAD I U S Access-Challenge [EAP-Req[ACG1]]

•Gener ates r S •Computes ACG1

•Gener ates r C ,and SSC C •D er i ves K SK Computes ACG2

6. PPP EAP-Resp [ACGA2] 7. RADI U S Access-Req[EAP_Response[ACG2]]

9. PPP EAP-Resp [M 2]

8. RAD I U S AccessChallenge[EAP_Response[M 2]]

•Ver ifies ACG2 and Autenticates I DN SCar d •Der i ves K SK •Gener ates SSC S

•Gener ates challenge T

•Si gns T w ith K uI 10. PPP EAP-Request [M 3] 11. RAD I US Access-Req[EAP_Req[M 3]] 12. RAD I U S Access-Accept[EAP_SU CCESS]

•Authenticate s Citizen

13. PPP EAP-SU CCESS

9

Security and Trust Model issues

• we are not proposing a completely new authentication protocol – in the context of identification systems • our architecture is designed by well-known protocols • some of them are implemented inside the card with a novel approach – a new way to transport authentication messages • between the NSCard and AAA server – the ID-NSCard takes the contr ol in the user side • Security weaknesses and threats are derived by the actual nature of such standardized protocols – and the correctness of their implementation © 2009 evalues

10

Conclusions • a new approach based on network smart cards with specific identification purposes, ID-NSCards. • allows us to transport securely authentication messages between such a device and the remote authoritative server. • smart card behaves as an autonomous authentication supplicant, independently on the access terminal and on the characteristics of the scenario (flexibility and robustness) • this solution transparently reuses the standardized authentication mechanisms for European electronic ID-Cards. • Smart Card as networked host! © 2009 evalues

11

Turn static files into dynamic content formats.

Create a flipbook