Authentication Concept
In network security and other operations, authentication is the process of
determining the identity and legitimacy of a user, node, or process. Various
authentication strategies have been developed. Among the simplest are the use
of user IDs and passwords. (ENCYCLOPEDIA OF NETWORKING)
-
Usability
A user who wants to gain access to the World Wide Web has to acquire a
scratch card or voucher card which contains a code to unlock his
connection. The code consists of 4 human-readable words or names which
are randomly taken out of the internal dictionary. This kind of
syntax has the great advantage that each part of the code is a word out
of everyday life and therefore easy to recall, even after a short
glimpse at the card. This is a huge benefit for the user, as he does
not have to memorize dozens of alphanumeric characters, which are very hard
to type in as they are usually spread rather randomly across the keyboard.

image#2: voucher
-
Security
The security of such a code is also sufficient. As a word is internally an
index pointing to a record in our dictionary, the index allows up to 32 bits
worth of possible words to choose from. As an attacker cannot just run through
all numerical representations of a code, he would have to try every
alphanumeric combination per word or use his own dictionary to brute
force. So given a 4 word code with a dictionary of 32000 words there are
32000^4 numerical combinations; without the word list the attacker faces 26
possible letters per character at an average word length of 6 characters.
32000^4 = 1048e+15 (about 1.05 x 10^18)
Combinations for a known word list attack
26^(4*6) = 9106e+30 (about 9.1 x 10^33)
Combinations for a brute force alpha combination attack
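The arithmetic above, plus a clerk-side code generator and login-side lookup, as an added Python example that is not part of the original design document; the demo dictionary and the function names are assumed, and the functions take the dictionary size and word count as parameters so the page's 4-word, 32000-word case is just one input. The known word list bound is the one to design for, since the dictionary cannot be assumed secret.

```python
import math
import secrets

# Constructed demo dictionary; the hotspot's real word list has up to 32000 entries.
WORDS = ["apple", "river", "stone", "cloud", "piano", "tiger", "lemon", "candle"]

def keyspace_bits(dictionary_size, words_per_code=4):
    """Entropy in bits of a code whose words are drawn uniformly from the dictionary."""
    return words_per_code * math.log2(dictionary_size)

def bruteforce_bits(alphabet_size=26, chars_per_word=6, words_per_code=4):
    """Search space for an attacker without the word list, trying raw letter strings."""
    return words_per_code * chars_per_word * math.log2(alphabet_size)

def generate_code(words, words_per_code=4):
    """Clerk side: pick word indices with a CSPRNG (never random.choice for secrets).
    Returns the indices stored in the database and the printable card text."""
    idx = [secrets.randbelow(len(words)) for _ in range(words_per_code)]
    return idx, " ".join(words[i] for i in idx)

def words_to_indices(words, submitted):
    """Login side: map the typed words back to dictionary indices, or None if any
    word is not in the dictionary (the lookup stays on the 32000^4 index space)."""
    lookup = {w: i for i, w in enumerate(words)}
    parts = submitted.lower().split()
    if len(parts) != 4 or any(p not in lookup for p in parts):
        return None
    return [lookup[p] for p in parts]

def code_matches(expected_idx, submitted_idx):
    """Compare index lists in constant time so response timing leaks nothing."""
    if submitted_idx is None:
        return False
    a = ",".join(map(str, expected_idx)).encode()
    b = ",".join(map(str, submitted_idx)).encode()
    return secrets.compare_digest(a, b)
```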

image#3: login form
-
Encryption
Authentication data is submitted via an SSL-encrypted HTTP connection (HTTPS).
Therefore a certificate has to be generated and signed by an authority that
is to be trusted. As we have a local IP in this network, no authority will sign this
certificate, so it has to be self-signed.

image#4: certificate
Accounting Concept
A process by which network usage can be determined and charges assessed for use
of network resources, such as storage, access, and services. Accounting
measures include blocks read, blocks written, connect time, disk storage, and
service requests. (ENCYCLOPEDIA OF NETWORKING)
-
Payment
A voucher is generated and printed on demand. So if a customer would like to get access to the network, he has to acquire a certain amount of time at the clerk's desk. There the system creates a code related to that amount of time, which is reduced with every network session of the user. The minimum time unit is 30 minutes.
-
Credits
When the user authenticates he will be prompted to choose the amount of time he would like to spend on the network. If his code words were entered correctly, the system will verify his account status in the database for sufficient credits. On success his account will be reduced; otherwise he will be denied.
-
Session
Once the credit has been verified, a session with a pre-calculated expiry time is created and the connection is authorized.
Database
For our hotspot system we only need three simple tables which relate to each other.
- word: holds all available code words
- code: builds the auth code out of 4 relations to word
  and holds expire time and status
- session: relates to a code
  and holds information on authenticated clients

image#5: entity relationship model
Authorization Process

image#6: authentication diagram
-
Customer David relaxes in the park with his notebook and notices that there is a wireless service available. He connects to the access point using his network setup utility and opens his browser for surfing.
- Notebook connects to AP (unencrypted)

image#7: connecting to wlan

image#8: connected to wlan
- DHCP daemon assigns IP configuration to the notebook

image#9: DHCP assignment
-
As he submits the URL of his favourite news site to the browser he is presented with an authentication page asking him to enter an access code.
- Notebook resolves the IP of the domain for the website request
- Firewall rule translates the destination IP into the local IP
- Local Apache instance receives the website request
- Rewrite rule rebuilds the URL request to fit the authentication script

image#10: mod_rewrite diagram
- PHP authentication script is executed via Apache with the original URL as HTTP GET variable

image#11: rewritten url

image#12: authentication script
-
He reads the information on the page and acquires a voucher card from a little shop nearby. Written on the card is his code along with his initial credit of 90 minutes of online time.
- The clerk opens his administration panel and prints a new card.

image#13: voucher creation
-
Having entered the code and selected his preferred online time, he is prompted to accept a certificate for a secure connection. This encrypted connection is necessary to prevent anyone from eavesdropping on the transmitted access codes. Having entered the correct data, the browser presents him his remaining time and gives the option to visit the original URL, which was stored when he first submitted it to his browser.
- Access data is submitted to Apache via HTTPS
- Certificate validation is prompted as it is not signed by a trusted organisation

image#14: certificate
- PHP script verifies the received code and remaining credits
- PHP script analyses and filters dhcp.leases to find the client's MAC
- PHP script executes a shell script to enable the firewall for the client's IP and MAC
- PHP script creates a session with expiry time in the database

image#15: authentication script
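The dhcp.leases step and the hand-over to the firewall script, as an added Python example (not the project's PHP script); the lease file sample is constructed and the function names are assumed. Binding the rule to the MAC that the DHCP server recorded, rather than anything the client submits, is what ties the session to the notebook, and validating both values before they reach the shell keeps request data out of the command line.

```python
import ipaddress
import re

# Constructed ISC dhcpd.leases sample (not a real capture); the file is append-only,
# so a later block for the same IP supersedes the earlier one.
SAMPLE_LEASES = """\
lease 10.0.0.23 {
  ends 3 2011/10/12 15:00:00;
  binding state active;
  hardware ethernet 00:11:22:33:44:55;
}
lease 10.0.0.23 {
  ends 3 2011/10/12 17:10:00;
  binding state active;
  hardware ethernet aa:bb:cc:dd:ee:ff;
}
lease 10.0.0.42 {
  ends 3 2011/10/12 17:00:00;
  binding state free;
  hardware ethernet 11:22:33:44:55:66;
}
"""

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.DOTALL)
MAC_RE = re.compile(r"hardware\s+ethernet\s+([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5});")
STATE_RE = re.compile(r"binding\s+state\s+(\w+);")

def parse_leases(text):
    """Map IP -> MAC for leases that are currently active; a free/released lease
    removes the binding. The MAC comes from the DHCP server, not from the client."""
    active = {}
    for ip, body in LEASE_RE.findall(text):
        state = STATE_RE.search(body)
        if state and state.group(1) != "active":
            active.pop(ip, None)
            continue
        mac = MAC_RE.search(body)
        if mac:
            active[ip] = mac.group(1).lower()
    return active

def firewall_args(text, client_ip):
    """Validated (ip, mac) for the firewall shell script, or None if the client has
    no active lease or sent a malformed address; the shell never sees raw request data."""
    try:
        ip = str(ipaddress.ip_address(client_ip))
    except ValueError:
        return None
    mac = parse_leases(text).get(ip)
    return None if mac is None else (ip, mac)
```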
-
David is now free to surf his favourite news site and the whole web. After 30 minutes of information gathering he is suddenly presented with the login screen when he clicks on a link.
- A cron job which is executed every minute runs an expire script
- Expire PHP script fetches all expired datasets from the database
- Expire PHP script executes the firewall script to disable the current rule
- Expire PHP script updates the dataset to expired status
- Request is again redirected to the authentication script

image#16: login form
-
David decides to save his remaining credits for his next trip to the park, as his girlfriend Sandra just arrived.

image#17: bye bye