
Authentication in WLANs: An Overview

2.7.6 Further Afield: 802.1X and Trusted Computing

In response to the need for a standardized solution to the rogue AP problem and related problems, and the need to provide a better security solution for the LAN and WLAN infrastructure, a number of network hardware and software manufacturers have recently joined the Trusted Computing Group (TCG) in order to take advantage of hardware-based security solutions.

The TCG, which prior to March 2003 was known as the Trusted Computing Platform Alliance (TCPA), has the general aim of developing trusted platforms (TP) based on the use of the trusted platform module (TPM) chip and a new hardware architecture for platforms in general. The TPM chip is a piece of silicon hardware that is bound to the motherboard and controls a number of core security functions relating to other hardware components, the BIOS, and the operating system. The TPM (version 1.2) contains a cryptographic engine, a random number generator, a number of keys and credentials, and some limited non-volatile (NV) storage.

Broadly speaking, the design philosophy underlying trusted computing is the combined use of trusted hardware, measurements and attestations in order to establish a system with hardware-rooted trust. The TPM hardware is an embodiment of the core of this design philosophy. The TPM has a number of functions, including integrity measurement, integrity storage, and integrity reporting of the events occurring in the platform. Thus, for example, processes that are to run within the system must be integrity-verified by an agent that itself has been measured and is trusted to always behave in the same manner. The various platform state information is recorded within a number of registers (the platform configuration registers, PCRs) during platform boot: each component in the boot chain is hashed and the hash is folded into a register before that component is given control, so the final register value depends on every component and on the order in which they ran. The reported register values can then be compared against the known-good state, ensuring that illegal modifications (e.g., an inserted Trojan) are detected. Note that the TPM itself only records and reports the measurements; the comparison against the expected state is carried out by a verifier, either locally or remotely through attestation. Other uses of the TPM include secure storage of cryptographic keys and certificates.

In the context of LAN and WLAN infrastructure, the TPM provides a promising avenue towards the notion of the authenticated network (AN), in which every piece of hardware that participates in and composes a LAN/WLAN contains a TPM and is authenticated before it is allowed to gain access to the rest of the network infrastructure. In this way, rogue devices and rogue software (e.g., viruses, Trojans) can be prevented from entering the network, and the network truly becomes self-protecting.
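The measurement and reporting scheme described above, as an added example that is not code from the book or from the TCG: a measured boot chain is folded into a simulated TPM 1.2 PCR (20-byte SHA-1 register, extend = SHA1(old || measurement)), and a verifier compares the result with a known-good value. The component names, their contents and the "golden" value are constructed for illustration; a real platform obtains the golden value from the platform vendor or from a reference boot, and receives the reported PCR inside a quote signed by the TPM.

```python
"""
Simulation of TPM 1.2 style integrity measurement, storage and reporting.

Added example (not from the book or the TCG). Component names, their
contents and the golden value below are constructed for illustration.
TPM 1.2 PCRs are 20-byte SHA-1 registers; the only way to change one is
the extend operation PCR_new = SHA1(PCR_old || measurement).
"""
import hashlib

PCR_SIZE = 20  # TPM 1.2: SHA-1, 160-bit registers


def measure(component: bytes) -> bytes:
    """Integrity measurement of a component: the hash of its code/data."""
    return hashlib.sha1(component).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """Integrity storage: the register cannot be written directly, only folded
    forward, so the final value depends on every measurement and its order."""
    assert len(pcr) == PCR_SIZE and len(measurement) == PCR_SIZE
    return hashlib.sha1(pcr + measurement).digest()


def replay_log(event_log) -> bytes:
    """Recompute the PCR from an event log of (name, component_bytes) pairs,
    exactly as the platform did at boot. PCRs start at zero on reset."""
    pcr = b"\x00" * PCR_SIZE
    for _name, component in event_log:
        pcr = pcr_extend(pcr, measure(component))
    return pcr


def verify_platform(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Integrity reporting ends at a verifier: the TPM records and reports,
    but the comparison against the known-good state is done here."""
    return reported_pcr == golden_pcr


# Constructed boot chain; a real log would hold BIOS, option ROMs, loader, OS.
GOOD_BOOT = [
    ("BIOS", b"bios-image v1.0"),
    ("bootloader", b"bootloader v2.1"),
    ("kernel", b"kernel 2.6"),
]
GOLDEN_PCR = replay_log(GOOD_BOOT)  # known-good value held by the verifier


def boot_with_trojan():
    """Same chain, but the bootloader has been modified (a Trojan inserted)."""
    return [
        ("BIOS", b"bios-image v1.0"),
        ("bootloader", b"bootloader v2.1" + b"<trojan>"),
        ("kernel", b"kernel 2.6"),
    ]


def boot_reordered():
    """Same components, different order: also detected, because extend is a
    hash chain rather than a set of independent hashes."""
    return [GOOD_BOOT[1], GOOD_BOOT[0], GOOD_BOOT[2]]


if __name__ == "__main__":
    print("golden PCR :", GOLDEN_PCR.hex())
    print("good boot  :", verify_platform(replay_log(GOOD_BOOT), GOLDEN_PCR))
    print("trojan boot:", verify_platform(replay_log(boot_with_trojan()), GOLDEN_PCR))
    print("reordered  :", verify_platform(replay_log(boot_reordered()), GOLDEN_PCR))
```

The point worth noticing is that the register carries no policy of its own: it faithfully records whatever ran, Trojan included, and detection happens only when a verifier that knows the expected value inspects the report.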

The TCG in May 2004 established a Trusted Network Connect (TNC) subgroup in order to study further the architectures, designs, and deployment cases for the use of TCG technology to secure the network infrastructure. The reader is encouraged to see [17] for more information on the TCG, the TPM, and more specifically the TNC.

2.8 SUMMARY

This chapter has discussed the issues of authentication and authorization in WLANs, both in the case of on-campus enterprise authentication and in the case of off-campus WiFi roaming. Four models for authentication were described, followed by a further in-depth discussion on two models, namely the UAM authentication and 802.1X authentication.

The Web-based UAM method uses the standard HTTP over SSL connection to deliver the user’s password from the client to a PAC Gateway, which then provides or denies further access to the user. Although simple (and it has been deployed by many WISPs), the UAM approach does not integrate the key derivation process needed for the layer-2 frame/packet encryption for the wireless segment of the communication between the client and the AP. As such, for public WiFi hotspots additional security measures — such as running an IPsec VPN — are advised, though VPNs are typically available only for corporate users.

Authentication based on the 802.1X framework standard requires an authentication “method” be used within the framework. The 802.1X framework works on the notion of ports and port-based access control. It promises to be the de facto industry standard for on-campus enterprise authentication of both users and network devices.

Finally, many vendors are beginning to use the 802.1X authentication framework for network element (device) authentication. This interest has been partly driven by the need to solve the rogue AP problem, and the broader rogue device problem. Although 802.1X, some existing EAP authentication methods, and device certificates provide a starting point for solving the rogue AP and rogue device problems, further development and standardization need to be done.

References

[1] R. Yavatkar, D. Pendarakis, and R. Guerin, “A Framework for Policy-Based Admission Control.” RFC 2753 (Informational), Jan. 2000.

[2] J. Vollbrecht, “AAA Authorization Framework.” RFC 2904 (Informational), Aug. 2000.

[3] C. Rigney, S. Willens, A. Rubens, and W. Simpson, “Remote Authentication Dial In User Service (RADIUS).”

[4] P. Calhoun, J. Loughney, E. Guttman, G. Zorn, and J. Arkko, “Diameter Base Protocol.” RFC 3588 (Proposed Standard), Sept. 2003.

[5] IEEE, “Port-Based Network Access Control,” IEEE Standards IEEE Std 802.1X-2001, Institute of Electrical and Electronics Engineers, June 2001.

[6] B. Anton, B. Bullock, and J. Short, “Best Current Practices for Wireless Internet Service Provider (WISP) Roaming,” Best Practices Document, Wireless Ethernet Compatibility Alliance (WECA), Wireless ISP Roaming (WISPr) Initiative, Mar. 2002.

[7] C. Rigney, “RADIUS Accounting.” RFC 2866 (Informational), June 2000.

[8] B. Aboba and P. Calhoun, “RADIUS Support for Extensible Authentication Protocol (EAP).” RFC 3579 (Informational), Sept. 2003.

[9] IEEE, “Port-Based Network Access Control (revision),” IEEE Standards IEEE P802.1X- REV/D7.1, Institute of Electrical and Electronics Engineers, Oct. 2003.

[10] B. Aboba, “Extensible Authentication Protocol (EAP).” RFC 3748 (Standards Track), June 2004.

[11] C. Rigney, A. Rubens, W. Simpson, and S. Willens, “Remote Authentication Dial In User Service (RADIUS).” RFC 2058 (Standards Track), Jan. 1997.

[12] W. Simpson, “The Point-to-Point Protocol (PPP).” RFC 1661 (Standards Track), July 1994.

[13] J. Hassell, RADIUS, Sebastopol, CA: O’Reilly, 2002.

[14] B. Lloyd and W. Simpson, “PPP Authentication Protocols.” RFC 1334 (Standards Track), Oct. 1992.

[15] W. Simpson, “PPP Challenge Handshake Authentication Protocol (CHAP).” RFC 1994 (Standards Track), Aug. 1996.

[16] W. Barkley, T. Moore, and B. Aboba, “IEEE 802.1X and RADIUS Security.” IEEE 802.11 contribution, Nov. 2001.