Extensible Authentication Protocol
Extensible Authentication Protocol, or EAP, is an authentication framework frequently used in wireless networks and Point-to-Point connections. It is defined in RFC 3748, which made RFC 2284 obsolete, and was updated by RFC 5247.
EAP is an authentication framework providing for the transport and usage of keying material and parameters generated by EAP methods. There are many methods defined by RFCs, and a number of vendor-specific methods and new proposals exist. EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.
EAP is in wide use. For example, in IEEE 802.11 (WiFi) the WPA and WPA2 standards have adopted IEEE 802.1X with five EAP types as the official authentication mechanisms.
Methods
EAP is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods, called EAP methods. There are currently about 40 different methods defined. Methods defined in IETF RFCs include EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIM, EAP-AKA and EAP-AKA', and in addition a number of vendor-specific methods and new proposals exist. Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, LEAP and EAP-TTLS. Requirements for EAP methods used in wireless LAN authentication are described in RFC 4017.
The standard also describes the conditions under which the AAA key management requirements described in RFC 4962 can be satisfied.
LEAP
The Lightweight Extensible Authentication Protocol (LEAP) is a proprietary EAP method developed by Cisco Systems prior to the IEEE ratification of the 802.11i security standard. Cisco distributed the protocol through the CCX (Cisco Certified Extensions) as part of getting 802.1X and dynamic WEP adoption into the industry in the absence of a standard. There is no native support for LEAP in any Windows operating system, but it is widely supported by third-party client software, most commonly included with WLAN (wireless LAN) devices. LEAP support for Microsoft Windows 7 and Microsoft Windows Vista can be added by downloading a client add-in from Cisco that adds support for both LEAP and EAP-FAST. Due to the wide adoption of LEAP in the networking industry, many other WLAN vendors claim support for LEAP.
LEAP uses a modified version of MS-CHAP, an authentication protocol in which user credentials are not strongly protected and are thus easily compromised. Along these lines, an exploit tool called ASLEAP was released in early 2004 by Joshua Wright. Cisco recommends that customers who absolutely must use LEAP do so only with sufficiently complex passwords, though complex passwords are difficult to administer and enforce. Cisco's current general recommendation is to use newer and stronger EAP protocols such as EAP-FAST, PEAP, or EAP-TLS.
EAP-TLS
EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standard, and is well supported among wireless vendors. The security of the TLS protocol is strong, provided the user understands potential warnings about false credentials. It uses PKI to secure communication to a RADIUS authentication server or another type of authentication server. Even though EAP-TLS provides excellent security, the overhead of client-side certificates may be its Achilles' heel.
EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely deployed, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software. The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. A compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side private key. The highest security available is when client-side keys are housed in smart cards. This is because there is no way to steal a certificate's corresponding private key from a smart card without stealing the card itself. It is significantly more likely that the physical theft of a smart card would be noticed (and the smart card immediately revoked) than a (typical) password theft would be noticed. Up until April 2005, EAP-TLS was the only EAP type vendors needed to certify for a WPA or WPA2 logo. There are client and server implementations of EAP-TLS in 3Com, Apple, Avaya, Brocade Communications, Cisco, Enterasys Networks, Foundry, Hirschmann, HP, Juniper, and Microsoft, and open source operating systems. EAP-TLS is natively supported in Mac OS X 10.3 and above, wpa_supplicant, Windows 2000 SP4, Windows XP and above, Windows Mobile 2003 and above, and Windows CE 4.2.
EAP-MD5
EAP-MD5, defined in RFC 3748, is the only IETF Standards Track based EAP method. It offers minimal security; the MD5 challenge/response is vulnerable to dictionary attacks, and the method does not support key generation, which makes it unsuitable for use with dynamic WEP or WPA/WPA2 Enterprise. EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server, not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5 support was first included in Windows 2000 and deprecated in Windows Vista.
EAP-PSK
EAP-PSK, defined in RFC 4764, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). It provides a protected communication channel, once mutual authentication has succeeded, for both parties to communicate over, and is designed for authentication over insecure networks such as IEEE 802.11. EAP-PSK is documented in an experimental RFC that provides a lightweight and extensible EAP method that does not require any public-key cryptography. The EAP method protocol exchange is done in a minimum of four messages.
EAP-TTLS
EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLS. It was co-developed by Funk Software and Certicom. It is widely supported across platforms, although there is no native OS support for it in Microsoft Windows; there it requires the installation of small extra programs such as SecureW2.
EAP-TTLS offers very good security. The client can, but does not have to, be authenticated to the server via a CA-signed PKI certificate. This greatly simplifies the setup procedure, as a certificate does not need to be installed on every client.
After the server is securely authenticated to the client via its CA certificate (and optionally the client to the server), the server can then use the established secure connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from eavesdropping and man-in-the-middle attacks. Note that the user's name is never transmitted in unencrypted cleartext, thus improving privacy.
Two distinct versions of EAP-TTLS exist: original EAP-TTLS (a.k.a. EAP-TTLSv0) and EAP-TTLSv1. EAP-TTLSv0 is described in RFC 5281; EAP-TTLSv1 is available as an Internet draft.
EAP-IKEv2
EAP-IKEv2 is an EAP method based on the Internet Key Exchange protocol version 2 (IKEv2). It provides mutual authentication and session key establishment between an EAP peer and an EAP server. It supports authentication techniques that are based on the following types of credentials:
- Asymmetric key pairs: public/private key pairs where the public key is embedded into a digital certificate, and the corresponding private key is known only to a single party.
- Passwords: low-entropy bit strings that are known to both the server and the peer.
- Symmetric keys: high-entropy bit strings that are known to both the server and the peer.
It is possible to use a different authentication credential (and thereby technique) in each direction. For example, the EAP server authenticates itself using a public/private key pair and the EAP peer using a symmetric key. In particular, the following combinations are expected to be used in practice:

| EAP server | EAP peer |
|---|---|
| Asymmetric key pair | Asymmetric key pair |
| Asymmetric key pair | Symmetric key |
| Asymmetric key pair | Password |
| Symmetric key | Symmetric key |

EAP-IKEv2 is described in RFC 5106. A prototype implementation can be found at http://eap-ikev2.sourceforge.net.
EAP-FAST
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while preserving the "lightweight" implementation. Use of server certificates is optional in EAP-FAST. EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified. EAP-FAST has three phases. Phase 0 is an optional phase in which the PAC can be provisioned manually or dynamically, but it is outside the scope of EAP-FAST as defined in RFC 4851. PAC provisioning is still officially work in progress, even though there are many implementations. PAC provisioning typically only needs to be done once for a given RADIUS server and client pair. In Phase 1, the client and the AAA server use the PAC to establish a TLS tunnel. In Phase 2, the client credentials are exchanged inside the encrypted tunnel.
When automatic PAC provisioning is enabled, EAP-FAST has a slight vulnerability: an attacker can intercept the PAC and subsequently use it to compromise user credentials. This vulnerability is mitigated by manual PAC provisioning or by using server certificates for the PAC provisioning phase.
There is also a vulnerability where an attacker's AP can use the same SSID, reject the user's PAC and supply a new one. Most supplicants can be set to prompt the user for credentials, which are then sent using the inner method to the attacker, who obtains either a cleartext password (EAP-FAST with GTC) or an MSCHAPv2 hash that is vulnerable to dictionary attack.
It is worth noting that the PAC file is issued on a per-user basis. This is a requirement in RFC 4851 sec 7.4.4, so if a new user logs on to the network from a device, a new PAC file needs to be provisioned first. This is one reason why it is difficult not to run EAP-FAST in insecure anonymous provisioning mode. The alternative is to use device passwords instead, but then it is not the user that is validated on the network.
EAP-FAST can be used without PAC files, falling back to normal TLS.
EAP-FAST is natively supported in Apple OS X 10.4.8 and newer. Cisco supplies an EAP-FAST module for Windows Vista and later operating systems, which have an extensible EAPHost architecture for new authentication methods and supplicants.
EAP-FAST is defined in RFC 4851.
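The tunnelled methods above (EAP-TTLS, PEAP, EAP-FAST) are only as safe as the client's verification of the server, and the EAP-FAST text adds the PAC provisioning mode as a second knob. As an added example, not code from the page or from wpa_supplicant, here is a small audit of wpa_supplicant.conf network blocks that flags exactly those settings: a tunnelled method or EAP-TLS without `ca_cert` or a server-name match, a real user name sent as the outer identity, LEAP or EAP-MD5 still in use, and EAP-FAST with unauthenticated PAC provisioning. The option names are wpa_supplicant's own; the configuration text and SSIDs are constructed.

```python
"""Audit wpa_supplicant.conf network blocks for the settings that decide whether a
tunnelled EAP method actually authenticates the server. Added example, not code
from the page or from wpa_supplicant; SAMPLE_CONF is constructed."""
import re
from typing import Dict, List

SAMPLE_CONF = """
network={
    ssid="corp-weak"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice@example.com"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-good"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.com"
    identity="alice@example.com"
    password="hunter2"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="legacy"
    key_mgmt=WPA-EAP
    eap=LEAP
    identity="alice"
    password="hunter2"
}
network={
    ssid="fast-anon"
    key_mgmt=WPA-EAP
    eap=FAST
    identity="alice@example.com"
    password="hunter2"
    phase1="fast_provisioning=1"
    ca_cert="/etc/ssl/certs/corp-ca.pem"
    domain_suffix_match="radius.example.com"
}
"""

TUNNELLED = {"TTLS", "PEAP", "FAST"}   # methods that carry the real credentials inside TLS


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Minimal reader for network={ key=value ... } blocks; surrounding quotes are dropped."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", text, re.S):
        net: Dict[str, str] = {}
        for line in block.splitlines():
            line = line.split("#", 1)[0].strip()
            if "=" in line:
                key, val = line.split("=", 1)
                net[key.strip()] = val.strip().strip('"')
        nets.append(net)
    return nets


def audit_network(net: Dict[str, str]) -> List[str]:
    """Findings for one network block; an empty list means nothing to report."""
    findings: List[str] = []
    key_mgmt = net.get("key_mgmt", "")
    if "EAP" not in key_mgmt and "IEEE8021X" not in key_mgmt:
        return findings                                  # not an 802.1X/EAP network
    eap = net.get("eap", "").upper()
    if eap == "LEAP":
        findings.append("LEAP: MS-CHAP based, credentials exposed to dictionary attack; "
                        "replace with EAP-FAST, PEAP or EAP-TLS")
    if eap == "MD5":
        findings.append("EAP-MD5: no server authentication and no key generation, "
                        "so it cannot key WPA/WPA2 Enterprise")
    if eap in TUNNELLED or eap == "TLS":
        if not (net.get("ca_cert") or net.get("ca_path")):
            findings.append("no ca_cert/ca_path: any server certificate is accepted, so a "
                            "rogue AP can terminate the tunnel and receive the inner credentials")
        if not (net.get("domain_suffix_match") or net.get("altsubject_match")
                or net.get("subject_match")):
            findings.append("no domain_suffix_match: any certificate issued by the trusted CA "
                            "is accepted as the RADIUS server")
    if eap in TUNNELLED and not net.get("anonymous_identity"):
        findings.append("no anonymous_identity: the real user name goes out in the cleartext "
                        "outer EAP-Response/Identity")
    # phase1 fast_provisioning: 1 = unauthenticated, 2 = authenticated, 3 = both
    if eap == "FAST" and re.search(r"fast_provisioning=[13]", net.get("phase1", "")):
        findings.append("unauthenticated PAC provisioning enabled: an in-path attacker can "
                        "intercept the PAC; provision manually or require the server certificate")
    return findings


def audit_conf(text: str) -> Dict[str, List[str]]:
    """Map each SSID in the config to its list of findings."""
    return {net.get("ssid", "?"): audit_network(net) for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, found in audit_conf(SAMPLE_CONF).items():
        print(ssid, "OK" if not found else "")
        for item in found:
            print("   -", item)
```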
EAP-SIM
EAP-SIM is used for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM).
The A3/A8 algorithms are run several times, with different 128-bit challenges, so that several 64-bit Kc values result; these are combined and mixed to create stronger keys (the Kc values are not used directly). The lack of mutual authentication in GSM has also been overcome.
EAP-SIM is defined in RFC 4186.
EAP-AKA
EAP-AKA is used for authentication and session key distribution using the Universal Mobile Telecommunications System (UMTS) Universal Subscriber Identity Module (USIM). EAP-AKA is defined in RFC 4187.
EAP-AKA'
EAP-AKA' is defined in RFC 5448 and is used for non-3GPP access to a 3GPP core network, for example via EVDO, WiFi, or WiMax.
EAP-GTC
The PEAP-GTC authentication mechanism allows generic authentication to a number of databases such as Novell Directory Service (NDS) and Lightweight Directory Access Protocol (LDAP), as well as the use of a one-time password.
EAP-EKE
EAP Encrypted Key Exchange, or EAP-EKE, is one of the few EAP methods that provide secure mutual authentication using short passwords, with no need for public key certificates. This method is specified in RFC 6124. It is a 3-round exchange, based on the Diffie-Hellman variant of the well-known EKE protocol.
Encapsulation
EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.
The encapsulation of EAP over IEEE 802 LANs is defined in IEEE 802.1X and known as "EAP over LANs" or EAPOL. EAPOL was originally designed for IEEE 802.3 Ethernet in 802.1X-2001, but was clarified to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless and Fiber Distributed Data Interface (ISO 9314-2) in 802.1X-2004. The EAPOL protocol was also modified for use with IEEE 802.1AE (MACsec) and IEEE 802.1AR (Initial Device Identity, IDevID) in 802.1X-2010.
When EAP is invoked by an 802.1X-enabled Network Access Server (NAS) device such as an IEEE 802.11i-2004 Wireless Access Point (WAP), modern EAP methods can provide a secure authentication mechanism and negotiate a secure private key (Pairwise Master Key, PMK) between the client and NAS, which can then be used for a wireless encryption session using TKIP or CCMP (based on AES) encryption.
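The Methods paragraph says EAP negotiates the method rather than fixing one, and the section above says EAP defines only a message format that EAPOL carries over the LAN. The following added example (Python, not code from the page or from any EAP implementation) encodes and strictly parses RFC 3748 EAP packets, wraps them in 802.1X EAPOL frames, and simulates an authenticator proposing methods to a peer that answers an unwanted Type with a Nak listing what it will accept. The Code and Type numbers are the IANA-assigned ones; the identity string and the exchange itself are constructed.

```python
"""EAP packet format (RFC 3748), its EAPOL encapsulation (IEEE 802.1X) and the
Nak-based method negotiation. Added example; the exchange is simulated in-process."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4       # RFC 3748 s.4 Codes
# IANA-assigned Type numbers for the methods named on the page
TYPE_IDENTITY, TYPE_NAK, TYPE_MD5, TYPE_TLS, TYPE_TTLS, TYPE_PEAP = 1, 3, 4, 13, 21, 25
EAPOL_VERSION, EAPOL_EAP_PACKET = 2, 0      # 802.1X-2004 protocol version; packet type EAP-Packet


@dataclass
class EapPacket:
    code: int
    identifier: int
    type: Optional[int] = None          # Success and Failure carry neither Type nor data
    data: bytes = b""

    def encode(self) -> bytes:
        body = b"" if self.type is None else bytes([self.type]) + self.data
        # Code(1) Identifier(1) Length(2), with Length covering the whole packet
        return struct.pack("!BBH", self.code, self.identifier, 4 + len(body)) + body


def parse_eap(buf: bytes) -> EapPacket:
    """Strict RFC 3748 header checks: a malformed packet raises rather than being guessed at."""
    if len(buf) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", buf[:4])
    if length < 4 or length > len(buf):
        raise ValueError("EAP Length field inconsistent with the data received")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        if length != 4:
            raise ValueError("Success/Failure must carry no body")
        return EapPacket(code, ident)
    if code not in (EAP_REQUEST, EAP_RESPONSE) or length < 5:
        raise ValueError("unknown Code or missing Type octet")
    return EapPacket(code, ident, buf[4], bytes(buf[5:length]))   # octets past Length are padding


def eapol_wrap(eap: EapPacket) -> bytes:
    """IEEE 802.1X EAPOL frame: Version(1) Type(1) Length(2) followed by the EAP packet."""
    body = eap.encode()
    return struct.pack("!BBH", EAPOL_VERSION, EAPOL_EAP_PACKET, len(body)) + body


def eapol_unwrap(frame: bytes) -> EapPacket:
    if len(frame) < 4:
        raise ValueError("EAPOL header truncated")
    _version, ptype, length = struct.unpack("!BBH", frame[:4])
    if ptype != EAPOL_EAP_PACKET:
        raise ValueError("EAPOL frame is not an EAP-Packet (type %d)" % ptype)
    if length > len(frame) - 4:
        raise ValueError("EAPOL Length exceeds the frame")
    return parse_eap(frame[4:4 + length])


def negotiate(server_prefs: List[int], peer_allowed: List[int]
              ) -> Tuple[Optional[int], List[EapPacket]]:
    """Simulated authenticator/peer exchange. The authenticator proposes methods in
    preference order; the peer answers a Request for a Type it rejects with a Nak whose
    Type-Data lists the Types it will accept (RFC 3748 s.5.3.1), and the authenticator
    narrows its remaining proposals to those. Returns (agreed Type or None, transcript)."""
    transcript: List[EapPacket] = []

    def send(pkt: EapPacket) -> EapPacket:   # every message crosses the wire as EAPOL
        decoded = eapol_unwrap(eapol_wrap(pkt))
        transcript.append(decoded)
        return decoded

    ident = 0
    send(EapPacket(EAP_REQUEST, ident, TYPE_IDENTITY))
    send(EapPacket(EAP_RESPONSE, ident, TYPE_IDENTITY, b"anonymous@example.com"))  # constructed
    candidates = list(server_prefs)
    while candidates:
        ident = (ident + 1) & 0xFF                            # fresh Identifier per Request
        req = send(EapPacket(EAP_REQUEST, ident, candidates.pop(0)))
        if req.type in peer_allowed:
            resp = send(EapPacket(EAP_RESPONSE, ident, req.type))
            assert resp.identifier == req.identifier          # Response echoes the Identifier
            return req.type, transcript
        nak = send(EapPacket(EAP_RESPONSE, ident, TYPE_NAK, bytes(peer_allowed)))
        wanted = set(nak.data)
        candidates = [t for t in candidates if t in wanted]
    send(EapPacket(EAP_FAILURE, ident))                       # nothing acceptable to both sides
    return None, transcript


if __name__ == "__main__":
    # Peer policy refuses EAP-MD5 (no key material, no server authentication) and asks for
    # EAP-TLS or EAP-TTLS instead; the authenticator listed EAP-MD5 first.
    agreed, log = negotiate([TYPE_MD5, TYPE_PEAP, TYPE_TLS], [TYPE_TLS, TYPE_TTLS])
    for p in log:
        print(p.code, p.identifier, p.type, p.data)
    print("agreed type:", agreed)
```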
PEAP
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.
PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security. PEAPv0 was the version included with Microsoft Windows XP and was nominally defined in draft-kamath-pppext-peapv0-00. PEAPv1 and PEAPv2 were defined in different versions of draft-josefsson-pppext-eap-tls-eap. PEAPv1 was defined in draft-josefsson-pppext-eap-tls-eap-00 through draft-josefsson-pppext-eap-tls-eap-05, and PEAPv2 was defined in versions beginning with draft-josefsson-pppext-eap-tls-eap-06.
The protocol only specifies chaining multiple EAP mechanisms and not any specific method. However, the EAP-MSCHAPv2 and EAP-GTC methods are the most commonly supported.
PANA
The Protocol for Carrying Authentication for Network Access (PANA) is an IP-based protocol that allows a device to authenticate itself with a network in order to be granted access. PANA does not define any new authentication protocol, key distribution, key agreement or key derivation protocols. For these purposes EAP is used, and PANA carries the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent of the link layer mechanisms.
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
framework frequently used in wireless networks
Wireless LAN
A wireless local area network links two or more devices using some wireless distribution method , and usually providing a connection through an access point to the wider internet. This gives users the mobility to move around within a local coverage area and still be connected to the network...
and Point-to-Point connections
Point-to-Point Protocol
In networking, the Point-to-Point Protocol is a data link protocol commonly used in establishing a direct connection between two networking nodes...
. It is defined in RFC 3748, which made RFC 2284 obsolete, and was updated by RFC 5247.
EAP is an authentication framework providing for the transport and usage of keying material and parameters
Key (cryptography)
In cryptography, a key is a piece of information that determines the functional output of a cryptographic algorithm or cipher. Without a key, the algorithm would produce no useful result. In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa...
generated by EAP methods. There are many methods defined by RFCs and a number of vendor specific methods and new proposals exist. EAP is not a wire protocol
Wire protocol
In computer networking, a wire protocol refers to a way of getting data from point to point: A wire protocol is needed if more than one application has to interoperate. In contrast to transport protocols at the transport level , the term 'wire protocol' is used to describe a common way to represent...
; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate
Encapsulation (networking)
In computer networking, encapsulation is a method of designing modular communication protocols in which logically separate functions in the network are abstracted from their underlying structures by inclusion or information hiding within higher level objects....
EAP messages within that protocol's messages.
EAP is in wide use. For example, in IEEE 802.11
IEEE 802.11
IEEE 802.11 is a set of standards for implementing wireless local area network computer communication in the 2.4, 3.6 and 5 GHz frequency bands. They are created and maintained by the IEEE LAN/MAN Standards Committee . The base version of the standard IEEE 802.11-2007 has had subsequent...
(WiFi) the WPA
Wi-Fi Protected Access
Wi-Fi Protected Access and Wi-Fi Protected Access II are two security protocols and security certification programs developed by the Wi-Fi Alliance to secure wireless computer networks...
and WPA2 standards have adopted IEEE 802.1X
IEEE 802.1X
IEEE 802.1X is an IEEE Standard for port-based Network Access Control . It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN....
with five EAP types as the official authentication mechanisms.
Methods
EAP is an authentication framework, not a specific authentication mechanism. It provides some common functions and negotiation of authentication methods called EAP methods. There are currently about 40 different methods defined. Methods defined in IETF RFCs include EAP-MD5, EAP-OTP, EAP-GTC, EAP-TLS, EAP-IKEv2, EAP-SIMEAP-SIM
Extensible Authentication Protocol Method for GSM Subscriber Identity Module, or EAP-SIM,is an Extensible Authentication Protocol mechanism for authentication and...
, EAP-AKA
EAP-AKA
Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement, or EAP-AKA,is an Extensible Authentication Protocol mechanism for authentication and...
and EAP-AKA', and in addition a number of vendor specific methods and new proposals exist. Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM
EAP-SIM
Extensible Authentication Protocol Method for GSM Subscriber Identity Module, or EAP-SIM,is an Extensible Authentication Protocol mechanism for authentication and...
, EAP-AKA
EAP-AKA
Extensible Authentication Protocol Method for UMTS Authentication and Key Agreement, or EAP-AKA,is an Extensible Authentication Protocol mechanism for authentication and...
, LEAP
Lightweight Extensible Authentication Protocol
The Lightweight Extensible Authentication Protocol is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication...
and EAP-TTLS. Requirements for EAP methods used in wireless LAN authentication are described in RFC 4017.
The standard also describes the conditions under which the AAA key management requirements described in RFC 4962 can be satisfied.
LEAP
The Lightweight Extensible Authentication ProtocolLightweight Extensible Authentication Protocol
The Lightweight Extensible Authentication Protocol is a proprietary wireless LAN authentication method developed by Cisco Systems. Important features of LEAP are dynamic WEP keys and mutual authentication...
(LEAP) is a proprietary
Proprietary software
Proprietary software is computer software licensed under exclusive legal right of the copyright holder. The licensee is given the right to use the software under certain conditions, while restricted from other uses, such as modification, further distribution, or reverse engineering.Complementary...
EAP method developed by Cisco Systems
Cisco Systems
Cisco Systems, Inc. is an American multinational corporation headquartered in San Jose, California, United States, that designs and sells consumer electronics, networking, voice, and communications technology and services. Cisco has more than 70,000 employees and annual revenue of US$...
prior to the IEEE ratification of the 802.11i security standard. Cisco distributed the protocol through the CCX (Cisco Certified Extensions) as part of getting 802.1X and dynamic WEP
Wired Equivalent Privacy
Wired Equivalent Privacy is a weak security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in September 1999, its intention was to provide data confidentiality comparable to that of a traditional wired network...
adoption into the industry in the absence of a standard. There is no native support for LEAP in any Windows operating system, but it is widely supported by third party client software most commonly included with WLAN (wireless LAN) devices. LEAP support for Microsoft Windows 7 and Microsoft Windows Vista can be added by downloading a client add in from Cisco that adds support for both LEAP and EAP-FAST. Due to the wide adoption of LEAP in the networking industry, many other WLAN vendors claim support for LEAP.
LEAP uses a modified version of MS-CHAP
MS-CHAP
MS-CHAP is the Microsoft version of the Challenge-handshake authentication protocol, CHAP. The protocol exists in two versions, MS-CHAPv1 and MS-CHAPv2...
, an authentication
Authentication
Authentication is the act of confirming the truth of an attribute of a datum or entity...
protocol in which user credentials are not strongly protected and are thus easily compromised. Along these lines, an exploit tool called ASLEAP was released in early 2004 by Joshua Wright. Cisco recommends that customers that absolutely must use LEAP do so only with sufficiently complex passwords, though complex passwords are difficult to administer and enforce. Cisco's current general recommendation is to use newer and stronger EAP protocols such as EAP-FAST, PEAP
Protected Extensible Authentication Protocol
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol within an encrypted and authenticated Transport Layer Security tunnel...
, or EAP-TLS.
EAP-TLS
EAP-Transport Layer Security (EAP-TLS), defined in RFC 5216, is an IETF open standardOpen standard
An open standard is a standard that is publicly available and has various rights to use associated with it, and may also have various properties of how it was designed . There is no single definition and interpretations vary with usage....
, and is well-supported among wireless vendors. The security of the TLS
Transport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
protocol is strong, provided the user understands potential warnings about false credentials. It uses PKI
Public key infrastructure
Public Key Infrastructure is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate...
to secure communication to a RADIUS
RADIUS
Remote Authentication Dial In User Service is a networking protocol that provides centralized Authentication, Authorization, and Accounting management for computers to connect and use a network service...
authentication server or another type of authentication server. So even though EAP-TLS provides excellent security, the overhead of client-side certificates may be its Achilles' heel
Achilles' heel
An Achilles’ heel is a deadly weakness in spite of overall strength, that can actually or potentially lead to downfall. While the mythological origin refers to a physical vulnerability, metaphorical references to other attributes or qualities that can lead to downfall are common.- Origin :In Greek...
.
EAP-TLS is the original, standard wireless LAN EAP authentication protocol. Although it is rarely deployed, it is still considered one of the most secure EAP standards available and is universally supported by all manufacturers of wireless LAN hardware and software. The requirement for a client-side certificate, however unpopular it may be, is what gives EAP-TLS its authentication strength and illustrates the classic convenience vs. security trade-off. A compromised password is not enough to break into EAP-TLS enabled systems because the intruder still needs to have the client-side private key. The highest security available is when client-side keys are housed in smart card
Smart card
A smart card, chip card, or integrated circuit card , is any pocket-sized card with embedded integrated circuits. A smart card or microprocessor cards contain volatile memory and microprocessor components. The card is made of plastic, generally polyvinyl chloride, but sometimes acrylonitrile...
s. This is because there is no way to steal a certificate's corresponding private key from a smart card without stealing the card itself. It is significantly more likely that the physical theft of a smart card would be noticed (and the smart card immediately revoked) than a (typical) password theft would be noticed. Up until April 2005, EAP-TLS was the only EAP type vendors needed to certify for a WPA or WPA2 logo. There are client and server implementations of EAP-TLS in 3Com, Apple, Avaya, Brocade Communications, Cisco, Enterasys Networks, Foundry, Hirschmann, HP, Juniper, and Microsoft, and open source operating systems. EAP-TLS is natively supported in Mac OS X 10.3 and above, wpa supplicant
Wpa supplicant
wpa_supplicant is a free software implementation of an IEEE 802.11i supplicant for Linux, FreeBSD, NetBSD and Microsoft Windows. In addition to being a full-featured WPA2 supplicant, it also implements WPA and older wireless LAN security protocols...
, Windows 2000 SP4, Windows XP and above, Windows Mobile 2003 and above, and Windows CE 4.2.
EAP-MD5
EAP-MD5, defined in RFC 3748, is the only IETF Standards Track based EAP method. It offers minimal security; the MD5MD5
The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that produces a 128-bit hash value. Specified in RFC 1321, MD5 has been employed in a wide variety of security applications, and is also commonly used to check data integrity...
hash function
Hash function
A hash function is any algorithm or subroutine that maps large data sets to smaller data sets, called keys. For example, a single integer can serve as an index to an array...
is vulnerable to dictionary attack
Dictionary attack
In cryptanalysis and computer security, a dictionary attack is a technique for defeating a cipher or authentication mechanism by trying to determine its decryption key or passphrase by searching likely possibilities.-Technique:...
s, and does not support key generation, which makes it unsuitable for use with dynamic WEP, or WPA/WPA2 enterprise. EAP-MD5 differs from other EAP methods in that it only provides authentication of the EAP peer to the EAP server but not mutual authentication. By not providing EAP server authentication, this EAP method is vulnerable to man-in-the-middle attacks. EAP-MD5 support was first included in Windows 2000
Windows 2000
Windows 2000 is a line of operating systems produced by Microsoft for use on personal computers, business desktops, laptops, and servers. Windows 2000 was released to manufacturing on 15 December 1999 and launched to retail on 17 February 2000. It is the successor to Windows NT 4.0, and is the...
and deprecated in Windows Vista
Windows Vista
Windows Vista is an operating system released in several variations developed by Microsoft for use on personal computers, including home and business desktops, laptops, tablet PCs, and media center PCs...
.
EAP-PSK
EAP-PSK, defined in RFC 4764, is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). It provides a protected communication channel when mutual authentication is successful for both parties to communicate over and is designed for authentication over insecure networks such as IEEE 802.11.EAP-PSK is documented in an experimental RFC that provides a lightweight and extensible EAP method that does not require any public-key cryptography. The EAP method protocol exchange is done in a minimum of four messages.
EAP-TTLS
EAP-Tunneled Transport Layer Security (EAP-TTLS) is an EAP protocol that extends TLSTransport Layer Security
Transport Layer Security and its predecessor, Secure Sockets Layer , are cryptographic protocols that provide communication security over the Internet...
. It was co-developed by Funk Software
Funk Software
Funk Software was a US-based company that was acquired by Juniper Networks in 2005 for US$ 122 million....
and Certicom. It is widely supported across platforms, although there is no native OS support for this EAP protocol in Microsoft Windows
Microsoft Windows
Microsoft Windows is a series of operating systems produced by Microsoft.Microsoft introduced an operating environment named Windows on November 20, 1985 as an add-on to MS-DOS in response to the growing interest in graphical user interfaces . Microsoft Windows came to dominate the world's personal...
, it requires the installation of small extra programs such as SecureW2.
EAP-TTLS offers very good security . The client can but does not have to be authenticated via a CA
Certificate authority
In cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...
-signed PKI
Public key infrastructure
Public Key Infrastructure is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate...
certificate to the server. This greatly simplifies the setup procedure as a certificate does not need to be installed on every client.
After the server is securely authenticated to the client via its CA certificate and optionally the client to the server, the server can then use the established secure connection ("tunnel") to authenticate the client. It can use an existing and widely deployed authentication protocol and infrastructure, incorporating legacy password mechanisms and authentication databases, while the secure tunnel provides protection from eavesdropping
Eavesdropping
Eavesdropping is the act of secretly listening to the private conversation of others without their consent, as defined by Black's Law Dictionary...
and man-in-the-middle attack
Man-in-the-middle attack
In cryptography, the man-in-the-middle attack , bucket-brigade attack, or sometimes Janus attack, is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other...
. Note that the user's name is never transmitted in unencrypted cleartext, thus improving privacy.
Two distinct versions of EAP-TTLS exist: original EAP-TTLS (a.k.a. EAP-TTLSv0) and EAP-TTLSv1. EAP-TTLSv0 is described in RFC 5281, EAP-TTLSv1 is available as an Internet draft.
EAP-IKEv2
EAP-IKEv2 is an EAP method based on the Internet Key ExchangeInternet key exchange
Internet Key Exchange is the protocol used to set up a security association in the IPsec protocol suite. IKE builds upon the Oakley protocol and ISAKMP...
protocol version 2 (IKEv2). It provides mutual authentication and session key establishment between an EAP peer and an EAP server. It supports authentication techniques that are based on the following types of credentials:
- Asymmetric key pairs - public/private key pairs where the public key is embedded into a digital certificate, and the corresponding private key is known only to a single party.
- Passwords - low-entropyInformation entropyIn information theory, entropy is a measure of the uncertainty associated with a random variable. In this context, the term usually refers to the Shannon entropy, which quantifies the expected value of the information contained in a message, usually in units such as bits...
bit strings that are known to both the server and the peer. - Symmetric keys - high-entropy bit strings that are known to both the server and the peer.
It is possible to use a different authentication credential
Credential
A credential is an attestation of qualification, competence, or authority issued to an individual by a third party with a relevant or de facto authority or assumed competence to do so....
(and thereby technique) in each direction. For example, the EAP server authenticates itself using public/private key pair and the EAP peer using symmetric key. In particular, the following combinations are expected to be used in practice:
EAP server | EAP peer |
---|---|
Asymmetric key pair | Asymmetric key pair |
Asymmetric key pair | Symmetric key |
Asymmetric key pair | Password |
Symmetric key | Symmetric key |
EAP-IKEv2 is described in RFC 5106. A prototype implementation can be found at http://eap-ikev2.sourceforge.net.
EAP-FAST
EAP-FAST (Flexible Authentication via Secure Tunneling) is a protocol proposal by Cisco Systems as a replacement for LEAP. The protocol was designed to address the weaknesses of LEAP while preserving the "lightweight" implementation. Use of server certificates is optional in EAP-FAST. EAP-FAST uses a Protected Access Credential (PAC) to establish a TLS tunnel in which client credentials are verified. EAP-FAST has three phases. Phase 0 is an optional phase in which the PAC can be provisioned manually or dynamically, but it is outside the scope of EAP-FAST as defined in RFC 4851. PAC provisioning is still officially work in progress, even though there are many implementations. PAC provisioning typically only needs to be done once for a given RADIUS server and client pair. In Phase 1, the client and the AAA server use the PAC to establish a TLS tunnel. In Phase 2, the client credentials are exchanged inside the encrypted tunnel.
When automatic PAC provisioning is enabled, EAP-FAST has a slight vulnerability: an attacker can intercept the PAC and subsequently use it to compromise user credentials. This vulnerability is mitigated by manual PAC provisioning or by using server certificates for the PAC provisioning phase.
There is also a vulnerability where an attacker's access point (AP) can use the same SSID, reject the user's PAC and supply a new one. Most supplicants can be set to prompt the user for credentials, which are then sent via the inner method to the attacker, who obtains either a cleartext password (EAP-FAST with GTC) or an MSCHAPv2 hash that is vulnerable to dictionary attack.
It is worth noting that the PAC file is issued on a per-user basis. This is a requirement in RFC 4851 section 7.4.4, so if a new user logs on to the network from a device, that user needs a new PAC file provisioned first. This is one reason why it is difficult not to run EAP-FAST in insecure anonymous provisioning mode. The alternative is to use device passwords instead, but then it is not the user that is validated on the network.
EAP-FAST can be used without PAC files, falling back to normal TLS.
EAP-FAST is natively supported in Apple OS X 10.4.8 and newer. Cisco supplies an EAP-FAST module for Windows Vista and later operating systems, which have an extensible EAPHost architecture for new authentication methods and supplicants.
EAP-FAST is defined in RFC 4851.
EAP-SIM
EAP for GSM Subscriber Identity (EAP-SIM) is used for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM).
The A3/A8 algorithms are run several times, each with a different 128-bit challenge, so that several 64-bit Kc values are produced; these are combined and mixed to derive stronger keys (the Kc values are not used directly). The lack of mutual authentication in GSM has also been overcome.
EAP-SIM is defined in RFC 4186.
EAP-AKA
EAP for UMTS Authentication and Key Agreement (EAP-AKA) is used for authentication and session key distribution using the Universal Mobile Telecommunications System (UMTS) Universal Subscriber Identity Module (USIM). EAP-AKA is defined in RFC 4187.
EAP-AKA'
The EAP-AKA' (AKA Prime) variant of EAP-AKA is defined in RFC 5448 and is used for non-3GPP access to a 3GPP core network, for example via EVDO, WiFi, or WiMax.
EAP-GTC
EAP Generic Token Card, or EAP-GTC, is an EAP method created by Cisco as an alternative to PEAPv0/EAP-MSCHAPv2 and defined in RFC 2284 and RFC 3748. EAP-GTC carries a text challenge from the authentication server, and a reply generated by a security token. The PEAP-GTC authentication mechanism allows generic authentication to a number of databases such as Novell Directory Service (NDS) and Lightweight Directory Access Protocol (LDAP), as well as the use of a one-time password.
EAP-EKE
EAP with the Encrypted Key Exchange, or EAP-EKE, is one of the few EAP methods that provide secure mutual authentication using short passwords, with no need for public key certificates. This method is specified in RFC 6124. It is a 3-round exchange, based on the Diffie-Hellman variant of the well-known EKE protocol.
Encapsulation
EAP is not a wire protocol; instead it only defines message formats. Each protocol that uses EAP defines a way to encapsulate EAP messages within that protocol's messages.
IEEE 802.1X
The encapsulation of EAP over IEEE 802 is defined in IEEE 802.1X and known as "EAP over LANs" or EAPOL. EAPOL was originally designed for IEEE 802.3 Ethernet in 802.1X-2001, but was clarified to suit other IEEE 802 LAN technologies such as IEEE 802.11 wireless and Fiber Distributed Data Interface (ISO 9314-2) in 802.1X-2004. The EAPOL protocol was also modified for use with IEEE 802.1AE (MACsec) and IEEE 802.1AR (Initial Device Identity, IDevID) in 802.1X-2010.
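As an added example (not code from this page or from any of the standards it names), the following Python parser unwraps an 802.1X EAPOL frame to the EAP packet inside and identifies the method type while enforcing the RFC 3748 length rules; the EAP type numbers are the IANA-registered values for the methods discussed here, and the sample frames are constructed rather than captured.

```python
import struct

EAPOL_EAP_PACKET = 0  # EAPOL type that carries an EAP packet; Start=1, Logoff=2, Key=3
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}  # RFC 3748 sec. 4
# IANA-registered EAP method type numbers for the methods discussed on this page.
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             6: "GTC", 13: "TLS", 17: "LEAP", 18: "SIM", 21: "TTLS", 23: "AKA",
             25: "PEAP", 26: "MSCHAPv2", 43: "FAST", 49: "IKEv2", 50: "AKA'", 53: "EKE"}


def parse_eap(packet: bytes) -> dict:
    """Split an EAP packet (RFC 3748) into code, identifier, type and type-data."""
    if len(packet) < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    # Length counts the whole EAP packet: trailing bytes beyond it (e.g. Ethernet
    # padding) are ignored, but a packet shorter than Length is malformed.
    if length < 4 or length > len(packet):
        raise ValueError(f"EAP Length {length} does not fit {len(packet)} bytes")
    body = packet[4:length]
    if code in (3, 4):  # Success/Failure carry no Type byte and no data
        if length != 4:
            raise ValueError("Success/Failure must be exactly 4 bytes")
        return {"code": code, "id": ident, "type": None, "data": b""}
    if code not in (1, 2):
        raise ValueError(f"unknown EAP code {code}")
    if not body:
        raise ValueError("Request/Response needs a Type byte")
    return {"code": code, "id": ident, "type": body[0], "data": body[1:]}


def parse_eapol(frame: bytes) -> dict:
    """Unwrap the 802.1X EAPOL header and parse the EAP packet inside, if any."""
    if len(frame) < 4:
        raise ValueError("EAPOL header needs 4 bytes")
    version, ptype, blen = struct.unpack("!BBH", frame[:4])
    if version not in (1, 2, 3):  # 802.1X-2001, -2004 and -2010 respectively
        raise ValueError(f"unexpected EAPOL version {version}")
    if blen > len(frame) - 4:
        raise ValueError("EAPOL body length exceeds the frame")
    eap = parse_eap(frame[4:4 + blen]) if ptype == EAPOL_EAP_PACKET else None
    return {"version": version, "eapol_type": ptype, "eap": eap}


def describe(frame: bytes) -> str:
    """One-line summary of a frame, as a capture-review script might print."""
    p = parse_eapol(frame)
    e = p["eap"]
    if e is None:
        return f"EAPOL v{p['version']} type {p['eapol_type']} (no EAP payload)"
    head = f"EAP {EAP_CODES[e['code']]} id={e['id']}"
    if e["type"] is None:
        return head
    if e["type"] == 3:  # a Nak lists the method types the peer is willing to use
        return head + " Nak, peer proposes: " + ", ".join(EAP_TYPES.get(t, str(t)) for t in e["data"])
    return f"{head} {EAP_TYPES.get(e['type'], 'type ' + str(e['type']))} ({len(e['data'])} bytes)"


if __name__ == "__main__":
    # Constructed frames: Request/Identity, a Nak proposing PEAP, and EAP-Success, in EAPOL v2.
    for hx in ("020000050100000501", "02000006020100060319", "0200000403050004"):
        print(describe(bytes.fromhex(hx)))
```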
When EAP is invoked by an 802.1X-enabled Network Access Server (NAS) device such as an IEEE 802.11i-2004 Wireless Access Point (WAP), modern EAP methods can provide a secure authentication mechanism and negotiate a secure private key (Pair-wise Master Key, PMK) between the client and NAS, which can then be used for a wireless encryption session using TKIP or CCMP (based on AES) encryption.
PEAP
The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates EAP within a potentially encrypted and authenticated Transport Layer Security (TLS) tunnel. The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.
PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security. PEAPv0 was the version included with Microsoft Windows XP and was nominally defined in draft-kamath-pppext-peapv0-00. PEAPv1 and PEAPv2 were defined in different versions of draft-josefsson-pppext-eap-tls-eap. PEAPv1 was defined in draft-josefsson-pppext-eap-tls-eap-00 through draft-josefsson-pppext-eap-tls-eap-05, and PEAPv2 was defined in versions beginning with draft-josefsson-pppext-eap-tls-eap-06.
The protocol only specifies chaining multiple EAP mechanisms and not any specific method. However, the EAP-MSCHAPv2 and EAP-GTC methods are the most commonly supported.
PANA
The Protocol for Carrying Authentication for Network Access (PANA) is an IP-based protocol that allows a device to authenticate itself with a network to be granted access. PANA will not define any new authentication protocol, key distribution, key agreement or key derivation protocols. For these purposes, EAP will be used, and PANA will carry the EAP payload. PANA allows dynamic service provider selection, supports various authentication methods, is suitable for roaming users, and is independent from the link layer mechanisms.
See also
- List of authentication protocols
- Diameter
- Handover Keying
- PPP (Point-to-Point Protocol)
- RADIUS
- ITU-T X.1035
External links
- RFC 3748: Extensible Authentication Protocol (EAP) (June 2004)
- RFC 5247: Extensible Authentication Protocol (EAP) Key Management Framework (August 2008)
- Configure RADIUS for secure 802.1x wireless LAN
- How to self-sign a RADIUS server for secure PEAP or EAP-TTLS authentication
- Wifiradis, a free online RADIUS server for secure PEAP MSCHAPv2 authentication
- Extensible Authentication Protocol on Microsoft TechNet
- EAPHost in Windows Vista and Windows Server 2008
- WIRE1x
- "IETF EAP Method Update (emu) Working Group"