A cross-layer SSO solution for federating access to kerberized services in the eduroam/DAMe network

Regular Contribution, International Journal of Information Security

Abstract

Eduroam has become one of the main examples of network federations around the world, where hundreds of institutions allow roaming end users to access the local network if they belong to any other eduroam member institution. In this context, this paper proposes how, once the end user has been authenticated by the network, she can access additional federated application services (beyond the web) by means of Kerberos, without deploying additional cross-realm infrastructures. With the support of the existing eduroam architecture, this proposal avoids having the end user fully authenticated by her home institution again in order to access the application services, which do not need to be modified. Finally, optional advanced authorization can be used to provide added-value services to end users.


Notes

  1. http://www.terena.org/activities/tf-emc2/.

  2. Note that if any other institution acts as a home or visited institution for other users, it will also require such updates, as it will be playing an active role in this architecture.

  3. http://www.avispa-project.org/library/EAP_TTLS_CHAP.html.

  4. http://www.avispa-project.org/library/Kerb-preauth.html.


Acknowledgments

This work is supported by the project MULTIGIGABIT EUROPEAN ACADEMIC NETWORK (FP7-INFRASTRUCTURES-2009-1). The authors also thank the Funding Program for Research Groups of Excellence (code 04552/GERM/06) granted by the Fundación Séneca.

Author information


Corresponding author

Correspondence to Alejandro Pérez-Méndez.

Appendix

This appendix provides a detailed description of the message exchanges carried out in the different phases of this proposal, as well as of the processing that is performed by the participating entities. The notation is the same as described in Sect. 5.1.

1.1 Functions

Table 6 provides a brief description of the functions used in the description of the processing that is performed in the entities after the reception of a message.

Table 6 Description of functions

1.2 Exchanges’ detailed description

This subsection describes the message exchanges of the proposal. Specifically, the following exchanges are detailed:

  • Network authentication, distribution of the eduToken and keying material (Fig. 9)

  • Kerberos pre-authentication and TGT acquisition (Fig. 10)

  • Authorization and ST acquisition (Fig. 11)

Fig. 9 Detailed description of network authentication

Fig. 10 Detailed description of Kerberos pre-authentication and TGT acquisition

Fig. 11 Detailed description of authorization and ST acquisition


Pérez-Méndez, A., Pereñíguez-García, F., Marín-López, R. et al. A cross-layer SSO solution for federating access to kerberized services in the eduroam/DAMe network. Int. J. Inf. Secur. 11, 365–388 (2012). https://doi.org/10.1007/s10207-012-0174-5
