What is EAP EAP stands for Extensible Authentication Protocol. It is a framework for authentication rather than an authentication method itself: many different authentication methods can be carried over it, and new methods can be added without changing EAP.

EAP Background Originally developed for use with PPP. Generalises the PPP CHAP authentication method. Designed to work as a link-layer authentication protocol.

PPP Overview PPP is the Point-to-Point Protocol, a link-layer protocol used on point-to-point lines, for example dial-up lines. It has built-in authentication.

PPP Overview (2) PPP's data-link configuration is done by LCP (the Link Control Protocol). LCP also negotiates the optional authentication mechanism. After LCP has configured the line, authentication takes place, and then the network protocols are configured by the NCPs (Network Control Protocols).

PPP Authentication PPP's authentication settings are negotiated by LCP before authentication begins, so the authentication protocol to be used must be fixed at that stage. The NAS must therefore know every authentication protocol that may be used.

Motivation for EAP We want to learn more about the user (for example, the identity) before choosing the authentication protocol. We want to be able to use an unlimited number of protocols to authenticate each side. We want to allow the NAS (Network Access Server) to hand the authentication off to a back-end authentication server.

EAP's basic assumptions EAP works over a secure line. A client may not support all authentication methods, so EAP must support negotiation of the authentication method. To allow extensibility, a NAS should be able to function without understanding all of the EAP authentication methods. The lower layer under EAP may not be reliable, so EAP cannot assume that every message is delivered.

What is a "Secure Line" In this case, "secure line" is not a strictly technical term. A "secure line" is a line where the probability of a third party listening to the line, or injecting or modifying traffic, is "low enough". What exactly is low enough depends on what the link is used for.

The EAP Protocol EAP is a one-sided authentication protocol: the peer must identify itself to the authenticator. Mutual authentication is obtained by running the protocol in both directions.

The EAP Protocol (2) A request-response protocol. Uses four different kinds of messages: 1. EAP Request 2. EAP Response 3. EAP Success 4. EAP Failure

EAP messages All EAP messages share a common format: Code | Identifier | Length | Data. Code: 1 byte, the kind of EAP message. Identifier: 1 byte, used to match responses to requests. Length: 2 bytes, the total message length including the header. Data: variable size, the message's payload.

EAP messages 2 EAP Request and Response messages have the same format, with Code=1 for requests and Code=2 for responses: Code | Identifier | Length | Type | Type-Data. Type: 1 byte, the authentication method (or special type such as Identity or Nak) the message belongs to. Type-Data: variable size, data used by that method.

EAP messages 3 EAP Success messages are EAP messages with Code 3 and no data; a Success message means that the authentication concluded successfully. EAP Failure messages are EAP messages with Code 4 and no data; a Failure message means that the authentication has failed.
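The message layout of the last three slides, as an added example that is not part of the original presentation: an encoder and a strict decoder for the common EAP header and the Request/Response Type byte, plus the Identifier check an authenticator applies before accepting a Response. The code numbers, type numbers and field widths are those of the EAP specification; the sample packets in the usage lines are constructed for illustration.

```python
"""Encode and decode EAP packets (added example, not from the slides).

Header: Code (1 byte) | Identifier (1 byte) | Length (2 bytes, big-endian,
covering the whole packet) | Data.  Request/Response Data starts with a
1-byte Type followed by Type-Data; Success/Failure carry no Data at all.
"""
import struct
from dataclasses import dataclass
from typing import Optional

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_NOTIFICATION, TYPE_NAK, TYPE_MD5_CHALLENGE = 1, 2, 3, 4

HEADER = struct.Struct(">BBH")   # Code, Identifier, Length


@dataclass
class EapPacket:
    code: int
    identifier: int
    eap_type: Optional[int] = None   # only present for Request/Response
    type_data: bytes = b""

    def encode(self) -> bytes:
        if self.code in (CODE_REQUEST, CODE_RESPONSE):
            if self.eap_type is None:
                raise ValueError("Request/Response need a Type")
            body = bytes([self.eap_type]) + self.type_data
        else:
            body = b""                   # Success/Failure never carry data
        length = HEADER.size + len(body)
        if length > 0xFFFF:
            raise ValueError("packet too large for the 16-bit Length field")
        return HEADER.pack(self.code, self.identifier, length) + body


def decode(buf: bytes) -> EapPacket:
    """Parse one EAP packet, rejecting malformed input instead of guessing."""
    if len(buf) < HEADER.size:
        raise ValueError("truncated EAP header")
    code, ident, length = HEADER.unpack_from(buf)
    if length < HEADER.size or length > len(buf):
        raise ValueError(f"bad Length {length} for {len(buf)} received bytes")
    body = buf[HEADER.size:length]       # bytes beyond Length are padding, ignored
    if code in (CODE_SUCCESS, CODE_FAILURE):
        if body:
            raise ValueError("Success/Failure must carry no data")
        return EapPacket(code, ident)
    if code in (CODE_REQUEST, CODE_RESPONSE):
        if not body:
            raise ValueError("Request/Response is missing the Type byte")
        return EapPacket(code, ident, body[0], bytes(body[1:]))
    raise ValueError(f"unknown EAP code {code}")


def is_valid(buf: bytes) -> bool:
    """Convenience wrapper: True if decode() accepts the bytes."""
    try:
        decode(buf)
        return True
    except ValueError:
        return False


def response_matches(request: EapPacket, response: EapPacket) -> bool:
    """Accept a Response only if it answers the outstanding Request: same
    Identifier, and either the same Type or a Nak.  Anything else is a
    duplicate or stray packet and is discarded."""
    return (response.code == CODE_RESPONSE
            and response.identifier == request.identifier
            and response.eap_type in (request.eap_type, TYPE_NAK))


if __name__ == "__main__":
    # Constructed sample: Identity Request (Identifier 1) and the peer's answer.
    req = EapPacket(CODE_REQUEST, 1, TYPE_IDENTITY)
    resp = decode(b"\x02\x01\x00\x0a\x01alice")
    print(req.encode().hex(), resp, response_matches(req, resp))
```

Because Length is validated against the bytes actually received, a packet whose header claims more data than arrived is rejected rather than read past the buffer, which is the check a NAS or back-end parser must make before touching Type-Data.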

The authentication sequence The Authenticator sends the peer an Identity Request (optional). The Peer sends an Identity Response identifying itself (optional). The Authenticator sends a Request whose Type indicates the authentication method it wants to use, together with the data needed for that method. The Peer sends back a Response of the same Type, or a Response of type Nak signifying that it refuses to use the requested authentication method.

The authentication sequence (2) The Authenticator may at this point send another Request (repeating the process) or a Success/Failure message. If the authentication was successful and mutual authentication is required, the sides exchange roles and the authentication is repeated in the other direction.

Notes All messages pass over the communication line in the clear (unless the link layer below provides its own protection). The messages are not signed or authenticated at the EAP level, although individual EAP methods may MAC, sign or encrypt their Type-Data.

Generic EAP Example (message sequence diagram) Authenticator -> Peer: Identity Request. Peer -> Authenticator: Identity Response. Then, repeated as many times as needed: Authenticator -> Peer: EAP Request; Peer -> Authenticator: EAP Response with the same Type, or a Nak. Finally Authenticator -> Peer: EAP Success or EAP Failure. If mutual authentication is required, the same sequence is repeated with the roles swapped.

Error/duplicate handling To cope with a possibly unreliable lower layer, EAP has built-in duplicate handling and retransmission. The authenticator is responsible for all retransmissions: if a Response is lost, the Request times out and is resent. Duplicate handling is done by discarding any unexpected message, for example a Response whose Identifier does not match the outstanding Request.

Using a Back-End Server The NAS forwards all the EAP messages it receives from the peer to the back-end server, and the back-end server sends all outgoing EAP messages to the peer through the NAS. If the back-end server sends a Failure message, the NAS sees it and closes the connection; if a Success message is sent, the NAS knows that the peer passed the authentication.

Basic EAP Methods The initial definition of EAP included several built-in types: Identity (type 1) - asks the other side to identify itself. Notification (type 2) - sends a displayable notification to the other side. Nak (type 3) - the peer refuses the proposed authentication method. MD5-Challenge (type 4) - CHAP carried over EAP. One-Time Password (type 5) - used for one-time passwords. Generic Token Card (type 6) - used for generic token cards. Vendor-specific - reserved for vendor-defined methods.

Authentication example using MD5 (message sequence diagram) 1. Authenticator -> Peer: Identity Request, Code=1, Identifier=I, Length=the total length, Type=1. 2. Peer -> Authenticator: Identity Response, Code=2, Identifier=I, Length=the total length, Type=1, Data=the peer identity. 3. Authenticator -> Peer: EAP-MD5 Request, Code=1, Identifier=I, Length=the total length, Type=4, Data=the MD5 challenge string. 4. Peer -> Authenticator: EAP-MD5 Response, Code=2, Identifier=I, Length=the total length, Type=4, Data=MD5(I || Secret || challenge). 5. Authenticator -> Peer: EAP Success (Code=3) or EAP Failure (Code=4), Identifier=I, Length=the total length.

MD5 Security properties Ordinary user names and passwords may be used. The password is not transmitted in the clear; only an MD5 hash computed over it is sent. Replay protection comes from the challenge field, which the authenticator must make fresh for every request.

Security weaknesses MD5-Challenge has serious security problems. An offline dictionary attack on the user's password is possible, because the challenge and the response hash are both visible on the line, so every guess can be checked without contacting the authenticator. The protocol is completely exposed to man-in-the-middle and session-hijacking attacks. Mounting a DoS attack is also very simple, for example by forging an EAP Failure.
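The MD5 exchange of the diagram above and the offline dictionary attack just described, as one added example that is not part of the original presentation: both sides of an EAP-MD5 run (Identity round, challenge, CHAP-style proof, Success/Failure), followed by an eavesdropper who recovers the password from the captured packets alone. The user name "alice", the secret, the NAS name, the Identifier values and the wordlist are constructed for illustration; the MD5-Challenge Type-Data layout (Value-Size, Value, Name) is the CHAP layout the slides refer to.

```python
"""EAP MD5-Challenge, both sides, then the offline dictionary attack.
Added example; identities, secrets and packets are constructed here."""
import hashlib
import hmac
import os
import struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_MD5_CHALLENGE = 1, 4


def eap(code: int, ident: int, data: bytes = b"") -> bytes:
    """Minimal EAP framing: Code | Identifier | Length | Data."""
    return struct.pack(">BBH", code, ident, 4 + len(data)) + data


def md5_challenge_data(value: bytes, name: bytes = b"") -> bytes:
    """Data field of an MD5-Challenge Request/Response (CHAP layout):
    Type=4 | Value-Size | Value | Name."""
    return bytes([TYPE_MD5_CHALLENGE, len(value)]) + value + name


def chap_hash(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP / EAP-MD5 proof: MD5(Identifier || Secret || Challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def run_exchange(secret_db, peer_identity, peer_secret, challenge, ident=0x2A):
    """Run one EAP-MD5 authentication.  Returns (success, wire), where wire
    is the list of packets exactly as an eavesdropper on the line sees them."""
    wire = []
    # 1/2. Identity round (optional in EAP, shown for completeness).
    wire.append(eap(CODE_REQUEST, ident, bytes([TYPE_IDENTITY])))
    wire.append(eap(CODE_RESPONSE, ident, bytes([TYPE_IDENTITY]) + peer_identity))
    # 3. Authenticator: new Identifier, fresh random challenge, its own name.
    ident += 1
    wire.append(eap(CODE_REQUEST, ident, md5_challenge_data(challenge, b"nas")))
    # 4. Peer: proof over the Identifier, its secret and the received challenge.
    proof = chap_hash(ident, peer_secret, challenge)
    wire.append(eap(CODE_RESPONSE, ident, md5_challenge_data(proof, peer_identity)))
    # 5. Authenticator: recompute with the secret on file for that identity.
    expected = chap_hash(ident, secret_db.get(peer_identity, b""), challenge)
    ok = hmac.compare_digest(proof, expected)
    wire.append(eap(CODE_SUCCESS if ok else CODE_FAILURE, ident))
    return ok, wire


def offline_dictionary_attack(wire, wordlist):
    """Eavesdropper: Identifier, challenge and proof are all in the clear in
    packets 3 and 4, so each guess is tested locally with no network traffic."""
    request, response = wire[2], wire[3]
    ident = request[1]
    req_data, resp_data = request[4:], response[4:]      # skip the 4-byte header
    challenge = req_data[2:2 + req_data[1]]              # Value after Value-Size
    proof = resp_data[2:2 + resp_data[1]]
    for guess in wordlist:
        if chap_hash(ident, guess, challenge) == proof:
            return guess
    return None


if __name__ == "__main__":
    db = {b"alice": b"hunter2"}                         # constructed user database
    ok, wire = run_exchange(db, b"alice", b"hunter2", os.urandom(16))
    print("authenticated:", ok)
    for pkt in wire:
        print(pkt.hex())
    print("cracked:", offline_dictionary_attack(wire, [b"password", b"hunter2"]))
```

The attacker never has to talk to the authenticator, so rate limiting on the NAS does not help; only the strength of the secret and the protection of the line limit the attack, which is the point of the next two slides.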

Are these attacks really a problem? Not really, because we are supposed to be working on a SECURE line: man-in-the-middle, session-hijacking and DoS attacks all need access to the physical communication line. The offline dictionary attack may still be a problem, but it can be addressed by using strong secrets or a stronger EAP method.

Conclusion It is reasonable to use the MD5-Challenge authentication method over a secure line for non-critical data. It is, however, completely irresponsible to use EAP-MD5 for authentication over insecure lines. We will see how this limitation was overcome in the next lecture.