Abstract
Eduroam has become one of the main examples of network federations around the world, where hundreds of institutions allow roaming end users to access the local network if they belong to any other eduroam member institution. In this context, this paper proposes how, once the end user is authenticated by the network, she can access additional federated application services (beyond the web) by means of Kerberos, without deploying additional cross-realm infrastructures. With the support of the existing eduroam architecture, this proposal prevents the end user from having to be fully authenticated by her home institution again in order to access the application services, which do not need to be modified. Finally, optional advanced authorization can be used to provide added-value services to end users.
Notes
Note that if any other institution acts as a home or visited institution for other users, it will also require such updates, as it will be playing an active role in this architecture.
Acknowledgments
This work is supported by the project MULTIGIGABIT EUROPEAN ACADEMIC NETWORK (FP7-INFRASTRUCTURES-2009-1). The authors also thank the Funding Program for Research Groups of Excellence with code 04552/GERM/06 granted by the Fundación Séneca.
Appendix
This appendix provides a detailed description of the message exchanges carried out in the different phases of this proposal, as well as of the processing that is performed by the participating entities. The notation is the same as described in Sect. 5.1.
1.1 Functions
Table 6 provides a brief description of the functions used in the description of the processing that is performed in the entities after the reception of a message.
1.2 Exchanges’ detailed description
This subsection describes the message exchanges of the proposal. Specifically, the following exchanges are detailed:
Cite this article
Pérez-Méndez, A., Pereñíguez-García, F., Marín-López, R. et al. A cross-layer SSO solution for federating access to kerberized services in the eduroam/DAMe network. Int. J. Inf. Secur. 11, 365–388 (2012). https://doi.org/10.1007/s10207-012-0174-5