以凭证中心机制强化跨校无线漫游认证环境安全

kevin@nchc.org.tw;a00whl00@nchc.org.twztsai@cc.ee.ntu.edu.tw76SSL(certificates)802.1xPKIAbstractThewebportalsarethemostwidelydeployedWLANauthenticationmethodincampusesandorganizations.UserauthenticationprocessisprotectedbyHTTPoverTLS,andthesecuritymechanismisrelyingontheSSLcertificateinstalledonthewebserver.Unfortunately,mostofusersarenoteasytojudgethewedcertificateisofficialornotandmayfacetheM-I-T-Mattacks.ByintroducingtheWLANRoamingCAinfrastructurewillprovideaneasywaytorecognizetheSSLcertificateforroamingusersandtakethemfarawayfrommaliciouswebportals.Currently,theCAcertificatesareusedforwebportals.Inaddition,theinfrastructureisalsousefulfor802.1xPEAP/TTLSenvironments.KeywordsPKI,CA,Certificate,WLAN,Roaming.1.[1][3]931195**NSC-95-2219-E-492-00195295122.IEEE802.1x[6]802.11i[5][7]Web-basedPAP()802.1xEAP-MD5†EAP-PEAP[10]2.1SSIDSSIDSSIDVPNSSL(Man-In-The-Middle)[2]2.2SSID†EAP-MD5EAP802.1xEAP-MD52.3223A3SSL()RADIUSMD5VPN(PublicKey)(fingerprints)(RootCertificate)3.3.1PKI[11](PublicKeyInfrastructurePKI)PKI(DigitalCertificate)(CertificateAuthorityCA)(RegisterAuthorityRA)PKISSLITU-X.509v3X.509v31.v32.CA3.CA4.CA5.6.7.8.CA9.PKI(PrivateKey)(PublicKey)3.2SSL(SecureSocketLayer)(RootCertificate)(IntermediateCertificate)44SSL1.2.SSL3.355RootCA(RootCertificateAuthority)RootCARootCA(IntermediateCA)RootCASSL(CertificateRevocationListCRL)CRLX.509CRL3.4RADIUS(CertificateSigningRequestCSR)1.CSRCSR2.CSRCSRCSR3.CSRCSR4.4.1(PrivateKey)(CSR)RARACACAX.509664.2OpenSSLOpenSSL[8]SSLv2/v3TLSv1(OpenSources)UNIXUNIX-LikeOpenSSLOpenSSLOpenSSLWin32OpenSSL[12]WindowsOpenSSL4.3OpenSSLopensslOpenSSLopensslgenrsa4096my_cert.key.pemRSA4096bitsOpenSSL512bitsPEM[9]my_cert.key.pemPEMUN*Xchmod400my_cert.key.pem4.4CSRopensslreq-new-keymy_cert.key.pemcsr.pemmy_cert.key.pemcsr.pemOpenSSLXCountryNameProvinceNameTWTaiwanOrganizationNameUnitNameNCHCComputerCenterOrganizationUnitUTF-8UTF-8CommonNameDomainDomainIPCommonNameIPIPDomainChallengepasswordEntercsr.pemPEM4.55.eduroam[4]eduroam-NG(eduroam-NextGeneration)eduroam-NGRADIUSPKIRADIUSeduroam-NG(eduroam-NG)6.802.1x802.1x1.2.1.2.(Phishing)VPN802.1x802.1x802.11i802.1x7.[1],Jul.2006,[2],“()”,Mar.2003,=60[3],Jul.2006,[4]Eduroam-EducationalRoamingInfrastructure,Jul.2006,[5]IEEE802.11iWLANSecurityEnhancements,Jul.2004,[6]IEEE802.1xPort-BasedNetworkAccessControl,Dec.2004,[7]NIST,“Guideto802.11i:EstablishingRobustSecurityNetworks(Draft)”,Jul.2006,[8]OpenSSL:TheOpenSourcetoolkitforSSL/TLS,May.2006,[9]PrivacyEnhancementforInternetElectronicMail,Feb.1993,[10]ProtectedEAPProtocol(PEAP)Version2,Oct.2004,[11]PublicKeyInfrastructure(X.509)(pkix),Mar.2006,[12]Win32OpenSSLInstallationProject,Jul.2006,