DOI QR코드

DOI QR Code

eduroam 사용자 대리인증 시스템의 설계 및 구현

Design and Implementation of eduroam Authentication-Delegation System

  • Lee, KyoungMin (Korea Institute of Science and Technology Information, KISTI) ;
  • Jo, Jinyong (Korea Institute of Science and Technology Information, KISTI) ;
  • Kong, JongUk (Korea Institute of Science and Technology Information, KISTI)
  • 투고 : 2016.07.15
  • 심사 : 2016.09.05
  • 발행 : 2016.09.30

초록

본 논문은 eduroam의 사용자 대리인증 시스템인 eduroam AND를 소개한다. eduroam은 전 세계 연구기관과 교육기관을 대상으로 서비스 중인 글로벌 무선인터넷 접속 서비스이다. eduroam AND(AutheNtication Delegation)는 eduroam 서비스에 가입되지 않은 국내 연구기관과 교육기관의 구성원들이 eduroam의 사용자 계정을 자가 생성하고 eduroam 서비스에 접속할 수 있게 할 목적으로 개발된 시스템이다. eduroam AND는 국제 표준에 따르는 연합 인증기술을 구현해 적용함으로써 서비스 접근 편의성 향상, 사용자 신원확인과 검증의 용이, 사용자 식별정보의 효율적 관리, 사용자 인증정보의 관리부담 완화 등의 기대효과를 갖는다. 또한 계층적 라우팅 구조를 갖는 eduroam의 노드상태 및 메시지 라우팅 상태 등을 상시 모니터링 함으로써 운영 관리의 효율성을 높일 수 있다. eduroam AND는 오픈소스 소프트웨어를 이용해 구현되었으며 국가과학기술연구망에 구축되어 운영 중이다. 마지막으로 구현결과를 중심으로 eduroam AND를 정성적으로 평가한다.

This paper introduces a guest identity provider system for eduroam which is a global Wi-Fi service targeting users enrolled in higher education and research institutions. Developed eduroam AND (AutheNtication Delegation) system enables users to create their eduroam user accounts and to access eduroam regardless of their locations. Users with no organizational eduroam account therefore can freely access eduroam using the system. A federated authentication model is implemented in the system, and thus the system has merits of having high accessibility, indirectly verifying users and organizations possible, saving management overhead. Status monitoring is essential because authentication request and response messages are routed by eduroam network. eduroam AND performs active monitoring to check service availability and visualizes the results, which increases operational and management efficiency. We leveraged open-source libraries to implement eduroam AND and run the system on KREONET (Korea REsearch Open NETwork). Lastly, we present implementation details and qualitively evaluate the system.

키워드

참고문헌

  1. D. W. Chadwick, "Federated Identity Management," in Foundations of security analysis and design V, New York, NY: Springer pub., part. 2, pp. 96-120, 2009.
  2. F. Licia and K. Wierenga, "Eduroam, providing mobility for roaming users," in Proceedings of the EUNIS 2005 Conference, Manchester, UK, 2005.
  3. IETF RFC 2865, Remote authentication dial in user service (RADIUS), IETF, Fremont, C.A., 2000.
  4. W. A. Arbaugh, N. Shankar, and Y. J. Wan, "Your 802.11 Wireless Network has No Clothes," IEEE Wireless Communications, vol. 9, pp. 44-51, Dec. 2002. https://doi.org/10.1109/MWC.2002.1160080
  5. G. Wang, J. Cho, and G. Cho, "Global Wireless LAN Roaming Status in Korea and Its Development Methods," Journal of the Institute of Electronics and Information Engineers, Vol. 25, No. 7, pp. 1239-1245, July 2015.
  6. T. Niizuma and H. Goto, "Centralized Online Sign-up and Client Certificate Issuing System for eduroam," in Proceedings of IEEE 38th Annual International Computers Software and Applications Conference Workshops, Vasteras, Sweden, pp.174-179, July 2014.
  7. EduShib VA (Virtual Appliance) [Internet]. Available: http://infohub.sifulan.my/display/EV/EduShib+VA+Home
  8. The Shibboleth Project [Internet]. Available: http://shibboleth.internet2.edu/
  9. SimpleSAMLphp official homepage [Internet]. Available: https://simplesamlphp.org
  10. OASIS Std. sstc-saml-tech-overview-2.0-draft-08, Security assertion markup language (saml) v2.0 technical overview, OASIS, Burlington, M.A., 2005.
  11. IETF RFC 6749, The OAuth 2.0 Authorization Framework, IETF, Fremont, C.A., 2012.
  12. David Recordon and Drummond Reed, "OpenID 2.0: a platform for user-centric identity management," in Proceedings of the second ACM workshop on Digital identity management, New York: NY, pp. 11-16, 2006.
  13. IETF RFC 6338, Definition of a Uniform Resource Name (URN) Namespace for the Schema for Academia (SCHAC), IETF, 2011.
  14. IETF RFC 2798, Definition of inetOrgPerson LDAP Object Class, IETF, 2000.
  15. T. Chad and R. Svetlana, "The security of cryptographic hashes," in Proceedings of the 49th Annual Southeast Regional Conference, Kennesaw: GA, pp. 103-108, 2011.
  16. FreeRADIUS official homepage [Internet]. Available: http://freeradius.org/
  17. IETF RFC 3748, Extensible authentication protocol (EAP), IETF, Fremont, C.A., 2004.
  18. Linux WPA/WPA2/IEEE 802.1X Supplicant [Internet]. Available: http://w1.fi/wpa_supplicant/
  19. pChart-a PHP class to build charts [Internet]. Available: http://pchart.sourceforge.net
  20. KAFE [Internet]. Available: https://coreen.kreonet.net