How can we securely close access to a WLAN, while also permitting authorized guests to have the same internal access that insiders do? Furthermore:
We solve this problem by using EAP-TLS authentication, based on X.509 certificates, but then using lightweight SDSI-SPKI PKI to allow insiders to delegate authorization to visitors. We have built and tested tools to allow delegation to happen over the Web (with browsers and tools already present on standard laptops), to allow guests to carry their SDSI-SPKI chains in cookies, and to allow FreeRADIUS to grant access to both insiders and guests authorized by insiders.
This technology also works with VPNs.
In ongoing work, we are extending this hybrid/decentralized approach to other families of applications and devices.
Greenpass seeks to enable decentralized, delegation-based access control on a wireless network by issuing SPKI/SDSI authorization certificates to users.
The project goals are described in detail in the paper "Greenpass: Decentralized, PKI-based Authorization for Wireless LANs".
Delegation of access rights allows the guest's host to make this decision in a decentralized fashion. X.509 public keys are used to uniquely identify the guests to which the privilege has been delegated. SPKI certificates are used to express the delegation and limit its duration.
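The decision described above, as an added example that is not Greenpass code: given the key a client presents in EAP-TLS and a delegation chain, check that the chain starts at an insider, links key to key, permits each further delegation, and is within its validity period. It assumes signatures were already verified, models insiders as a set of key hashes, and uses constructed keys, timestamps and a hypothetical `wlan-access` tag.

```python
from dataclasses import dataclass
from hashlib import sha256

def key_id(public_key: bytes) -> str:
    """Name a principal by the hash of its public key."""
    return sha256(public_key).hexdigest()

@dataclass(frozen=True)
class Delegation:
    """Simplified SPKI 5-tuple. Signature checks are assumed already done."""
    issuer: str       # key_id of the delegator
    subject: str      # key_id of the key receiving access
    propagate: bool   # may the subject delegate further?
    tag: str          # the right being granted (hypothetical name below)
    not_before: int   # validity window, Unix seconds
    not_after: int

def authorize(client, chain, insiders, tag, now):
    """Decide access for the key presented in EAP-TLS; returns (ok, reason)."""
    if client in insiders:
        return True, "insider"
    if not chain:
        return False, "no delegation chain"
    expected_issuer = None
    for i, cert in enumerate(chain):
        if i == 0 and cert.issuer not in insiders:
            return False, "chain not rooted at an insider"
        if i > 0 and cert.issuer != expected_issuer:
            return False, "broken chain"
        if i > 0 and not chain[i - 1].propagate:
            return False, "delegation not permitted"
        if cert.tag != tag:
            return False, "wrong authorization"
        if not cert.not_before <= now <= cert.not_after:
            return False, "outside validity period"
        expected_issuer = cert.subject
    if expected_issuer != client:
        return False, "chain does not name presented key"
    return True, "guest"

# Constructed sample data: key bytes, tag name and timestamps are made up.
ALICE, BOB, CAROL = (key_id(k) for k in (b"alice-pub", b"bob-pub", b"carol-pub"))
INSIDERS = {ALICE}
TO_BOB = Delegation(ALICE, BOB, False, "wlan-access", 1000, 2000)
BOB_TO_CAROL = Delegation(BOB, CAROL, False, "wlan-access", 1000, 2000)
```

Because `TO_BOB` has `propagate` set to false, Bob's attempt to pass access on to Carol is rejected even though each certificate is individually valid.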
Greenpass was designed to require only an 802.1X-capable wireless laptop and a standard web browser. Additional software does NOT need to be installed on client computers.
Greenpass was originally designed to be used in a wireless network, but it could be used in a secured wired network or with VPNs as well.
Greenpass was primarily designed by Nicholas C. Goffee and Sung Hoon Kim as their Master's degree thesis projects advised by Prof. Sean Smith. Other members of the thesis committees were Profs. Ed Feustel, David Kotz and Chris Hawblitzel. Other contributors to the Greenpass project are Kimberly Powell, Kwang-Hyun Baek, Meiyuan Zhao, John Marchesini, Chris Masone, Punch Taylor, Robert Brentrup and Nick Santos.