Next Generation Hotspot - ANTlabs
3 Ways to Roll Out Your Next Generation Hotspot – Faster!
Next Generation Hotspot (NGH) is the future of WiFi connectivity. Using NGH, Carriers would be able to offer their customers an experience similar to that of mobile. Mobile Data demand is on the rise, with several forecasts suggesting that it will grow drastically, and Carriers worldwide are using cost-effective WiFi access to meet this demand.
For further information visit: www.antlabs.com

Mobile and offload from mobile devices together will account for 47% of total IP traffic by 2020.

WiFi traffic from both mobile devices and WiFi-only devices together will account for 49% of total IP traffic by 2020.

[Chart: Exabytes per Month, 2016 to 2021; bar values 7, 11, 17, 24, 35, 49]

* Source: Cisco VNI: Global Mobile Data Traffic Forecast Update, 2016 – 2021
Seamless device authentication is one of the basic requirements for adopting NGH. The NGH framework identifies EAP (Extensible Authentication Protocol) as the de facto Layer-3 (L3) authentication method for user devices, in variants such as EAP-SIM/AKA, EAP-TLS and EAP-TTLS.
EAP-based authentication mechanisms have resulted in other operational and security issues that hinder Carriers from adopting NGH completely. Three main issues are highlighted in this whitepaper, and we explain how ANTlabs’ unique methods help Carriers overcome these operational and security issues and roll out NGH hotspots faster than before.
The three main issues:

Overload of Mobile Authentication Centers (HLR/HSS/AuC) with authentication requests
Unlike a Mobile network, a WiFi Access network has a comparatively narrow coverage area and requires many WiFi access points to cover a large area. Depending on the Wireless Access network and, to an extent, the UE’s capabilities, roaming from one AP to another may trigger frequent authentication requests. During peak periods, the HLR/HSS may receive an enormous number of requests to authenticate the UEs based on EAP-SIM.

WiFi-based IMSI Catchers
IMSI (International Mobile Subscriber Identity) is the unique 15-digit identity that allows for the mutual authentication of a device based on the SIM card. This number is stored in the read-only section of a SIM card and with the mobile operator. Any WiFi capable computer can act as an IMSI catcher that can track the location of the device.

“We demonstrate how users may be tracked on a range of smartphones and tablets including those running iOS, Android and other mobile OSs. This tracking can be performed silently and automatically without any interaction from the tracked user. We have developed a proof of concept system that demonstrates our IMSI catcher employing passive and active techniques.”
- Piers O’Hanlon & Ravishankar Borgaonkar, BlackHat, London, 3rd Nov 2016

Re-using Certificates among different devices
For devices that use authentication based on EAP-TLS/TTLS, one user’s certificate can be re-used by another user just by installing the certificate on their device, thus defeating the security it is meant to provide.
3 Unique Ways to Solve Device Authentication Problems

The following are the three unique ways that ANTlabs solutions overcome the above critical issues in device authentication:

1 Smart EAP-SIM Re-authentication to reduce load towards HLR/HSS
ANTlabs Smart EAP-SIM re-authentication mechanism limits the number of transactions that the HLR/HSS receives while still maintaining complete Full EAP-SIM authentication from the UE’s perspective. This drastically reduces the number of authentication transactions that reach the HLR/HSS.
Upon a fresh successful authentication of a UE device with the HLR/HSS, ANTlabs Tru’Auth retains the GSM triplets in a secured manner for a configurable period, termed the TTL. ANTlabs Tru’Auth AAA can retain as many triplets as its subscriber account capacity allows. By default, the retention period is set to 24 hours. The TTL value has three other configurable parameters that define how long the GSM triplets are retained at the ANTlabs Tru’Auth.
With this mechanism, in one hour, the ANTlabs Tru’Auth can handle 1.8 Million Unique UE logins, with 500 TPS of ANTlabs Tru’Auth MAP Gateway.
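The retention idea described above, sketched as an added example (this is not ANTlabs code; the class, function names, fake HLR and test IMSI are assumptions made for illustration). It counts how many requests reach the HLR/HSS when one UE re-authenticates repeatedly inside and outside the TTL window.

```python
import time
from dataclasses import dataclass

DEFAULT_TTL = 24 * 3600  # the page's stated default retention: 24 hours

@dataclass(frozen=True)
class Triplet:
    rand: bytes  # 16-byte challenge
    sres: bytes  # 4-byte expected response
    kc: bytes    # 8-byte key: sensitive, a real store must protect it at rest

class TripletCache:
    """Hypothetical AAA-side cache: at most one HLR/HSS fetch per IMSI per TTL."""

    def __init__(self, fetch_from_hlr, ttl=DEFAULT_TTL, clock=time.monotonic):
        self._fetch = fetch_from_hlr  # callable(imsi) -> list of Triplet
        self._ttl = ttl
        self._clock = clock
        self._entries = {}            # imsi -> (expires_at, triplets)
        self.hlr_requests = 0

    def triplets_for(self, imsi):
        now = self._clock()
        entry = self._entries.get(imsi)
        if entry is not None and now < entry[0]:
            return entry[1]           # served locally, HLR/HSS not contacted
        self.hlr_requests += 1        # missing or expired: go to the HLR/HSS
        triplets = self._fetch(imsi)
        self._entries[imsi] = (now + self._ttl, triplets)
        return triplets

    def purge_expired(self):
        """Drop expired key material instead of leaving it in memory."""
        now = self._clock()
        stale = [i for i, (exp, _) in self._entries.items() if now >= exp]
        for imsi in stale:
            del self._entries[imsi]
        return len(stale)

def simulate_roaming(reauths, hours_between, ttl=DEFAULT_TTL):
    """HLR/HSS requests caused by one UE re-authenticating between APs."""
    t = [0.0]                         # fake clock, in seconds
    fake_hlr = lambda imsi: [Triplet(bytes(16), bytes(4), bytes(8))] * 3  # constructed
    cache = TripletCache(fake_hlr, ttl=ttl, clock=lambda: t[0])
    for _ in range(reauths):
        cache.triplets_for("001010123456789")  # constructed test IMSI
        t[0] += hours_between * 3600
    return cache.hlr_requests
```

With the 24-hour default, 48 re-authentications spaced 30 minutes apart produce a single HLR/HSS request; with retention disabled (TTL of 0) every re-authentication reaches the HLR/HSS.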
2 Thwart WiFi-based IMSI snooping and increase security

There are two peer policies that affect the behavior of EAP-SIM/AKA authentication mechanisms:
• Liberal Peer – Responds to any request for the permanent identity (IMSI)
• Conservative Peer – Only responds to requests for the permanent identity when no Pseudonym identity (TIMSI) is available.

ANTlabs Tru’Auth AAA is deployed using the “Conservative” Peer mechanism, wherein the translation from the Permanent Identity to the Pseudonym Identity is handled dynamically and in real time, thereby thwarting WiFi-based IMSI snooping.

[Figure: EAP-SIM Authentication Flow between UE, AP/WLC, ANTlabs Tru’Auth AAA and HLR/HSS (AuC). Messages shown: EAPoL; EAP-Request/Identity; EAP-Response/Acc-Req; EAP-Response/Acc-Chal; MAP Request Triplets and MAP Response Triplets (Smart re-auth mechanism); UE runs GSM algorithm & verification; EAP-Response/Acc-Acpt]
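The two peer policies described above, as an added example (not code from the whitepaper or from ANTlabs). The three identity-request attribute names are those defined for EAP-SIM in RFC 4186; the function names, the IMSI and the pseudonym value are constructed for illustration.

```python
from enum import Enum


class IdRequest(Enum):
    # Identity-request attributes defined for EAP-SIM in RFC 4186
    ANY = "AT_ANY_ID_REQ"
    FULLAUTH = "AT_FULLAUTH_ID_REQ"
    PERMANENT = "AT_PERMANENT_ID_REQ"


class Policy(Enum):
    LIBERAL = "liberal"
    CONSERVATIVE = "conservative"


def identity_response(policy, request, imsi, pseudonym=None):
    """Return (kind, value): the identity the peer sends, or a refusal.

    Fast re-authentication identities are left out to keep the focus on
    the permanent-versus-pseudonym decision.
    """
    if request is IdRequest.PERMANENT:
        if policy is Policy.CONSERVATIVE and pseudonym is not None:
            # A pseudonym is held, so the permanent identity stays private.
            return ("refused", None)
        return ("permanent", imsi)
    # ANY / FULLAUTH: prefer the pseudonym whenever one is available.
    if pseudonym is not None:
        return ("pseudonym", pseudonym)
    return ("permanent", imsi)


def imsi_disclosures(policy, requests, imsi, pseudonym=None):
    """Count the requests in a sequence that cause the IMSI to be sent."""
    return sum(
        1 for r in requests
        if identity_response(policy, r, imsi, pseudonym)[0] == "permanent"
    )


# Constructed sample values, not taken from any real subscriber.
SAMPLE_IMSI = "001010123456789"
SAMPLE_PSEUDONYM = "pseudonym-7f3a"
SAMPLE_REQUESTS = [IdRequest.ANY, IdRequest.FULLAUTH,
                   IdRequest.PERMANENT, IdRequest.PERMANENT]
```

A conservative peer with no pseudonym yet still sends its IMSI on every request in the sample, so the protection only holds once a pseudonym has been issued and stored.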
3 Control authorization based on device after authentication by certificates

For devices without SIM Cards, Certificates are the alternative for providing seamless authentication. EAP-TLS/EAP-TTLS uses certificate-based authentication to authenticate the user. However, unlike SIM Cards, the certificates can be shared among different users, thereby compromising unique user identification.

ANTlabs Tru’Auth AAA employs an additional security mechanism to authorize based on the user’s device in addition to the certificate-based authentication. In this way, carriers can uniquely identify each user, as with SIM-based authentication.

With ANTlabs Carrier-Grade products, seamless authentication enhances the user experience without requiring much user interaction, while at the same time providing advanced security at lower TCO for Carriers.

Abbreviations
The following table lists the terminology used in this document:
• AAA Protocol - Authentication, Authorization, and Accounting Protocol
• AuC - Authentication Centre. The GSM network element that provides the authentication triplets for authenticating the subscriber.
• EAP - Extensible Authentication Protocol
• HLR - Home Location Register
• HSS - Home Subscriber Server
• IMSI - International Mobile Subscriber Identifier, used in GSM to identify subscribers.
• SIM - Subscriber Identity Module. The SIM is traditionally a smart card distributed by a GSM operator.
• TLS - Transport Layer Security
• TTLS - Tunneled Transport Layer Security
Facts:
• More than 600,000 SIM Credentials cache in a single site
• 1 Million EAP-SIM Conservative Peer records in a single site
• 500 per sec EAP-TLS Certificates with OCSP/CRL References
O’Hanlon, Piers, and Ravishankar Borgaonkar. “WiFi-Based IMSI Catcher.” (2016): 1-22. www.blackhat.com. PDF.
Coming Next...
User Privacy vs User Information,
Know How to Meet Both