EAP Overview
(Extensible Authentication Protocol)
Team Golmaal: Vaibhav Sharma Vineet Banga Manender Verma Lovejit Sandhu Abizar Attar
�Contents:
Introduction Architecture Features
Implementations
Cisco LEAP EAP-TLS EAP-MD5 PEAP Other Subtypes
Comparison Chart
CmpE 209 Team Golmaal 2
�Introduction
What is EAP?
Defined by RFC 2284 and 3748 Universal Authentication Framework Mainly used in Wireless Networks and Point to point connections
A flexible protocol used to carry arbitrary authentication information. Typically rides on top of another protocol such as 802.1x or RADIUS
CmpE 209 Team Golmaal 3
�EAP Architecture
CmpE 209
Team Golmaal
�EAP Features
Provides some common functions and a negotiation of the desired authentication mechanism called methods. Currently there are about 40 different methods Methods defined in IETF RFCs include
EAP-MD5 EAP-OTP EAP-GTC EAP-TLS EAP-IKEv2 and in addition a number of vendor specific methods and new proposals exist
Commonly used modern methods capable of operating in wireless networks include EAP-TLS, EAP-SIM, EAP-AKA, PEAP, LEAP and EAP-TTLS
CmpE 209
Team Golmaal
�Cisco LEAP
Lightweight Extensible Authentication Protocol also known as Cisco-Wireless EAP Proprietary wireless LAN authentication method developed by Cisco Systems. Provides username/password-based authentication between a wireless client and a RADIUS server like Cisco ACS or Interlink AAA Among a few protocols used with the IEEE 802.1X standard for LAN port access control.
CmpE 209 Team Golmaal 6
�Architecture of LEAP
Client
ACS Server
Access Point
CmpE 209
Team Golmaal
�LEAP Process
CmpE 209
Team Golmaal
�Limitations of LEAP
Uses a modified authentication protocol version of MS-CHAP in which user credentials are not strongly protected. Can be susceptible to eavesdropping. For more robust implementations use of cryptography is necessary for securing user credentials
CmpE 209
Team Golmaal
�ASLEAP
CmpE 209
Team Golmaal
10
�Ciscos Response to Limitation of LEAP
Suggests that network administrators to have either of the two reactive techniques:
Force users to have stronger, more complicated passwords Switch to alternative protocol developed by Cisco (EAP-FAST) for more security.
CmpE 209
Team Golmaal
11
�EAP TLS
An Internet Engineering Task Force (IETF) standard (RFC 2716) that is based on the TLS protocol (RFC 2246) Considered extension to SSL Uses digital certificates for both user and server authentication It uses PKI to secure communication to the RADIUS authentication server EAP-TLS is the original standard wireless LAN EAP authentication protocol Supported my all operating systems and network appliances.
CmpE 209
Team Golmaal
12
�EAP Authentication Process in wireless network
�EAP-TTLS (Extension of EAP-TLS)
Extends EAP-TLS Securely tunnels Client authentication within TLS records TTLS requires only server-side certificates but in EAP TLS more certificates are used These certificates are used for one-way TLS authentication (network to user), and once you have a nice, safe, encrypted and integrity-checked channel, you can use EAP inside of the TLS tunnel for any other authentication
CmpE 209
Team Golmaal
14
�PEAP
PEAP is an IETF draft RFC authored by Cisco Systems, Microsoft, and RSA Security A method to securely transmit authentication information, including passwords, over wired or wireless networks Uses a digital certificate only for server authentication Very similar to TTLS! A TLS tunnel is established, and another EAP session takes place inside For user authentication, PEAP supports various EAP-encapsulated methods within a protected TLS tunnel PEAP sub-types - PEAPv0/EAP-MSCHAPv2 - PEAPv1/EAP-GTC
CmpE 209
Team Golmaal
15
�PEAP authentication process
CmpE 209 Team Golmaal 16
�EAP MD5
One of the most simple EAP types that can be used. Uses MD5 hashing. EAP-MD5 offers no key management or dynamic key generation, requiring the use of static WEP keys Okay for wired LANs, offers minimal security in wireless
Vulnerable to dictionary attacks, and does not support mutual authentication or key generation Unsuitable with dynamic WEP, or WPA/WPA2 enterprise
CmpE 209
Team Golmaal
17
�Other EAP Subtypes
EAP-PSK: pure symmetric-key EAP EAP-IKEv2: EAP authentication method based on the Internet Key Exchange Protocol version 2 (IKEv2) EAP-FAST: Flexible Authentication via Secure Tunneling (it is a proposal by Cisco Systems to fix the weaknesses of LEAP) EAP-SIM: Used for authentication and session key distribution using the Global System for Mobile Communications (GSM) Subscriber Identity Module (SIM) EAP-AKA: It is for UMTS Authentication and Key Agreement is used for authentication and session key distribution using the Universal Mobile Telecommunications System (UMTS)
CmpE 209
Team Golmaal
18
�Comparison Chart
EAP-MD5 LEAP EAP-TLS EAP-TTLS PEAP
Server Authentication
None
Password Hash
Public Key (Certificat e) Public Key (Certificate or Smart Card) Yes
Public Key (Certificat e) CHAP, PAP, MSCHAP(v2), EAP Yes
Public Key (Certificat e) Any EAP, like EAP-MSCHAPv2 or Public Key Yes
Supplicant Authentication
Password Hash
Password Hash
Dynamic Key Delivery
No
Yes
Security Risks
Identity exposed, Dictionary attack, Man-inthe-Middle (MitM) attack, Session hijacking
Identity exposed, Dictionary attack
Identity exposed
MitM attack
MitM attack; Identity hidden in Phase 2 but potential exposure in Phase 1
CmpE 209
Team Golmaal
19
�References
http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol http://www.wifiplanet.com/tutorials/article.php/3075481 http://wireless.utk.edu/documentation/papers/802.1x-chris.pdf http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/ne tworking_solutions_white_paper09186a008009c8b3.shtml http://searchnetworking.techtarget.com/originalContent/0,289142, sid7_gci843996,00.html http://asleap.sourceforge.net
CmpE 209 Team Golmaal 20
