Protected Extensible Authentication Protocol


Protected Extensible Authentication Protocol (PEAP)

What is PEAP?

- PEAP is an EAP method, specified in the IETF draft draft-josefsson-pppext-eap-tls-eap (see References), designed for authenticating users on wireless LANs through 802.1X.
- PEAP makes use of two well-known and well-studied protocols:
  - EAP, the Extensible Authentication Protocol (RFC 2284)
  - TLS, Transport Layer Security (RFC 2246)
- The idea: first build a TLS tunnel in which only the server is authenticated (by certificate), then run an ordinary EAP method inside that tunnel so the user's identity and credentials never cross the air in the clear.

EAP, the Extensible Authentication Protocol (RFC 2284)

- EAP is an authentication framework rather than a single method. It typically rides on top of another protocol: 802.1X (EAPOL) on the LAN, RADIUS between the access point and the authentication server, or PPP.
- EAP lets the authenticator (here the access point) act as a pass-through carrier of authentication traffic between the client and the authentication server; the authenticator relays EAP packets without understanding the method being run.
- EAP's limitations are well known: the identity exchange and the method negotiation are sent in the clear, and password-based methods run without any confidentiality of their own, so an eavesdropper sees the user name and the challenge/response material. PEAP resolves these by running the method inside a TLS tunnel.

TLS, Transport Layer Security (RFC 2246)

- TLS provides the encryption, compression and data integrity for the tunnel. (TLS-level compression has since been deprecated and is absent from TLS 1.3; PEAP does not depend on it.)
- TLS 1.0 is based on the SSL 3.0 Protocol Specification and is often described as an improved version of SSL.
- TLS is well documented and, at the time of this presentation, had been extensively analysed with no significant weaknesses found. Later attacks on SSL 3.0 and TLS 1.0 mean that a PEAP deployment should use a current TLS version on the EAP server.

Why do we need PEAP?

- A wireless access point (WAP) broadcasts all of its traffic, so anyone within radio range can passively collect the data. (Ethereal, AirSnort)
- The built-in wireless encryption, WEP, is weak and can be broken in a short period of time once enough traffic has been captured. (AirSnort, WEPCrack)
- Physical access to the network is not necessary to connect to it. Knowledge of the SSID and possibly a valid MAC address is all that is required, and both are observable on the air. (NetStumbler)
- Users have no way of knowing whether they are connecting to a rogue access point set up as part of a man-in-the-middle attack.

How does PEAP fix these problems?

- The user-sensitive authentication data (identity, credentials) is transmitted inside a TLS tunnel, so an eavesdropper sees only TLS records.
- Data within the TLS tunnel cannot be decrypted without the TLS master secret, which is derived during the handshake between the client and the EAP server only.
- If a client does not authenticate successfully, the access point drops its connection: the 802.1X controlled port stays closed and no data frames are forwarded.
- The TLS master secret is never shared with the access point, so rogue access points cannot decrypt messages protected by PEAP. The access point only receives the derived session keys for the link, after a successful authentication and only from the authentication server.
- EAP servers are authenticated with server-side PKI-based digital certificates. This protection only holds if the client actually verifies the certificate (trusted issuing CA, expected server name); a client that accepts any certificate can still be lured into a tunnel with a rogue server.

How does PEAP work? Part 1: establish the TLS tunnel

Parties: Client, WAP (access point, the 802.1X authenticator), EAP Server, Authentication Server. From step 3 on, every message is an EAP packet of type PEAP relayed by the WAP, which sees only the EAP header and opaque TLS bytes; large TLS messages are fragmented across several EAP packets.

  1. Client -> WAP:          Request connection (802.1X start)
  2. WAP -> EAP Server:      Request connection; the WAP becomes a pass-through
  3. EAP Server -> Client:   "Do you support PEAP?" (EAP-Request/PEAP with the Start flag)
  4. Client -> EAP Server:   Yes: ClientHello carrying the client's TLS preferences (version, cipher suites)
  5. EAP Server -> Client:   Server PKI certificate and the server's chosen TLS parameters (ServerHello, Certificate)
  6. Client -> EAP Server:   Certificate verified; client key exchange and Finished
  7. EAP Server -> Client:   TLS settings accepted; server Finished
  8.                         TLS tunnel established

(The original slide showed the server certificate before the client's TLS preferences; in TLS the ClientHello comes first, as listed here.)

How does PEAP work? Part 2: EAP authentication within the TLS tunnel

All client/server messages below travel inside the tunnel built in Part 1; the WAP still relays them but cannot read them.

  1. Client -> EAP Server:        Response: TLS tunnel established
  2. EAP Server -> Client:        Request client's identity (inner EAP-Request/Identity)
  3. Client -> EAP Server:        Client's identity (tells the server which domain / authentication server to contact)
  4. EAP Server -> Client:        Server's requested inner EAP authentication type
  5. Client -> EAP Server:        Client's requested EAP authentication type, or OK
  6. EAP Server -> Client:        EAP method accepted; request authentication
  7. Client -> EAP Server:        Client's UserID and password (for example via EAP-MSCHAPv2), encrypted by the tunnel
  8. EAP Server -> Auth Server:   UserID and password checked against the user database
  9. Auth Server -> EAP Server:   EAP authentication success
 10. EAP Server -> Client:        Success inside the tunnel, then the outer EAP-Success via the WAP
 11.                              TLS tunnel torn down; the WAP receives the session keys and opens the port
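The outer framing that carries Part 1 (the PEAP Start request, the TLS handshake bytes fragmented across EAP packets, the per-fragment acknowledgements) is the part the access point actually sees. The following is an added example, not code from the original slides: it encodes and parses those packets and shows the checks a receiver must make before trusting a peer's announced length. It assumes the EAP header layout of RFC 2284 and the PEAP Flags octet of draft-josefsson-pppext-eap-tls-eap (L = length included, M = more fragments, S = start, low three bits = version); the TLS payload it fragments is constructed filler, not a real ClientHello.

```python
"""Added example, not part of the original slides: the outer EAP/PEAP framing
that carries Part 1, with the checks a receiver must apply.

Assumed formats: EAP header per RFC 2284 (Code, Identifier, Length, Type);
PEAP Type 25 whose data begins with a Flags octet per
draft-josefsson-pppext-eap-tls-eap (L=0x80 length included, M=0x40 more
fragments, S=0x20 PEAP start, low three bits = PEAP version), followed by an
optional 4-octet TLS message length and the TLS bytes.  The TLS payload used
below is constructed filler, not a real ClientHello."""
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_PEAP = 25
FLAG_L, FLAG_M, FLAG_S, VERSION_MASK = 0x80, 0x40, 0x20, 0x07
MAX_TLS_MESSAGE = 64 * 1024       # assumed cap on the announced total length


def eap_packet(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet; Success and Failure carry no Type octet."""
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body


def parse_eap(raw):
    """Return (code, identifier, type_or_None, type_data), rejecting bad lengths."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):        # never trust Length over the real frame size
        raise ValueError("EAP Length field does not match packet size")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without a Type octet")
    return code, ident, raw[4], raw[5:]


def peap_start(identifier, version=0):
    """EAP-Request/PEAP with only S set: the server's 'do you support PEAP?'."""
    return eap_packet(EAP_REQUEST, identifier, EAP_TYPE_PEAP, bytes([FLAG_S | version]))


def peap_ack(identifier, version=0):
    """Empty PEAP packet: acknowledges one fragment so the peer may send the next."""
    return eap_packet(EAP_RESPONSE, identifier, EAP_TYPE_PEAP, bytes([version]))


def peap_fragments(code, identifier, tls_bytes, mtu, version=0):
    """Split one TLS message into EAP/PEAP packets of at most mtu octets.
    Only the first fragment carries the total length (L); all but the last set M;
    each fragment is a new Request/Response pair with its own Identifier."""
    overhead = 4 + 1 + 1                       # EAP header + Type + Flags
    packets, offset, first = [], 0, True
    while first or offset < len(tls_bytes):
        room = mtu - overhead - (4 if first else 0)
        if room <= 0:
            raise ValueError("MTU too small for a PEAP fragment")
        chunk = tls_bytes[offset:offset + room]
        offset += len(chunk)
        flags = version | (FLAG_L if first else 0) | (FLAG_M if offset < len(tls_bytes) else 0)
        data = bytes([flags]) + (struct.pack("!I", len(tls_bytes)) if first else b"")
        packets.append(eap_packet(code, identifier, EAP_TYPE_PEAP, data + chunk))
        identifier, first = (identifier + 1) & 0xFF, False
    return packets


class PeapReassembler:
    """Receiver side: rebuild one TLS message, enforcing the announced length."""

    def __init__(self):
        self.expected, self.buf = None, b""

    def feed(self, raw):
        """Return "start", "ack", "more", or the complete TLS message bytes."""
        _code, _ident, eap_type, data = parse_eap(raw)
        if eap_type != EAP_TYPE_PEAP or not data:
            raise ValueError("not a PEAP packet")
        flags, rest = data[0], data[1:]
        if flags & FLAG_S:
            return "start"
        if flags & FLAG_L:
            if self.expected is not None or len(rest) < 4:
                raise ValueError("unexpected or truncated TLS length field")
            (self.expected,) = struct.unpack("!I", rest[:4])
            rest = rest[4:]
            if self.expected > MAX_TLS_MESSAGE:   # refuse to buffer without bound
                raise ValueError("announced TLS message length too large")
        elif self.expected is None and not rest:
            return "ack"
        self.buf += rest
        if self.expected is not None and len(self.buf) > self.expected:
            raise ValueError("received more data than announced")
        if flags & FLAG_M:
            return "more"
        if self.expected is not None and len(self.buf) != self.expected:
            raise ValueError("last fragment but total length does not match")
        message, self.buf, self.expected = self.buf, b"", None
        return message


if __name__ == "__main__":
    client_hello = b"\x16\x03\x01" + b"\x00" * 180         # constructed filler
    peer = PeapReassembler()
    print(peer.feed(peap_start(1)))                          # start
    for pkt in peap_fragments(EAP_RESPONSE, 2, client_hello, mtu=64):
        result = peer.feed(pkt)
        print(len(pkt), hex(parse_eap(pkt)[3][0]), result if isinstance(result, str) else "complete")
```

The two length checks are the ones that matter on a real implementation: the EAP Length field is compared against the frame actually received, and the 4-octet TLS length a peer announces is capped and then enforced on the last fragment, so a malicious supplicant cannot make the server allocate or buffer arbitrarily.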

PEAP fast reconnect

- Allows wireless clients to move between access points on the same network without repeating the full authentication.
- Requires that the access points forward authentication requests to the same EAP server. If the original EAP server is not available, a full authentication must occur.
- Uses TLS session resumption: TLS session IDs are cached by both the client and the server.
- The server caches a session ID only after the inner authentication in Part 2 has succeeded. Re-establishing the TLS session from the cache is therefore proof of an earlier successful login, and the client does not need to be re-authenticated against the authentication server.
- Cache entries should have a limited lifetime, after which a full authentication is required again.
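The caching rule above is the security property of fast reconnect: a session becomes resumable only because an inner authentication succeeded behind it. The following is an added example, not code from the original slides, that models that rule in plain Python so the cases can be exercised: the same server twice, a second EAP server that does not share the cache, an attacker who completes the TLS handshake but fails the password check, and cache expiry. Server names, the user record and the lifetime are constructed assumptions; real TLS resumption also requires the cached master secret on both sides, which the model leaves out.

```python
"""Added example, not part of the original slides: the caching rule behind
PEAP fast reconnect, modelled in plain Python.  A TLS session ID is issued
when the tunnel comes up, but the server records it only once the inner EAP
authentication (Part 2) succeeds, and honours it only while unexpired.
Server names, user records and SESSION_LIFETIME are constructed assumptions."""
import hmac
import os
import time

SESSION_LIFETIME = 8 * 3600          # assumed cache lifetime in seconds


class EapServer:
    def __init__(self, name, users, clock=time.time):
        self.name, self.users, self.clock = name, users, clock
        self.cache = {}              # session_id -> (identity, expiry)

    def new_tunnel(self):
        """Part 1 done: a session ID exists but is deliberately NOT cached yet."""
        return os.urandom(32)

    def inner_auth(self, session_id, identity, password):
        """Part 2: only a successful credential check makes the session cacheable."""
        expected = self.users.get(identity)
        ok = expected is not None and hmac.compare_digest(expected, password)
        if ok:
            self.cache[session_id] = (identity, self.clock() + SESSION_LIFETIME)
        return ok

    def resume(self, session_id):
        """Fast reconnect: return the identity if the session is known and fresh."""
        entry = self.cache.get(session_id)
        if entry is None:
            return None
        identity, expiry = entry
        if self.clock() >= expiry:
            del self.cache[session_id]
            return None
        return identity


class Client:
    def __init__(self, identity, password):
        self.identity, self.password = identity, password
        self.session_id = None       # remembered only after a successful full login

    def connect(self, server):
        """Return "fast-reconnect", "full-auth" or "rejected"."""
        if self.session_id is not None and server.resume(self.session_id) == self.identity:
            return "fast-reconnect"
        sid = server.new_tunnel()
        if server.inner_auth(sid, self.identity, self.password):
            self.session_id = sid
            return "full-auth"
        self.session_id = None
        return "rejected"


def roaming_scenario():
    """Constructed walk-through returning the outcome of each connection."""
    now = [1_000_000.0]
    clock = lambda: now[0]
    users = {"alice": "correct horse"}
    srv_a = EapServer("eap-a", users, clock)
    srv_b = EapServer("eap-b", users, clock)   # does not share srv_a's cache
    alice = Client("alice", "correct horse")
    mallory = Client("alice", "guess")         # knows the identity, not the password
    results = {
        "first": alice.connect(srv_a),
        "roam_same_server": alice.connect(srv_a),
        "roam_other_server": alice.connect(srv_b),
        "attacker": mallory.connect(srv_a),
        "entries_on_a": len(srv_a.cache),      # mallory's tunnel left nothing behind
    }
    now[0] += SESSION_LIFETIME + 1
    results["after_expiry"] = alice.connect(srv_b)
    return results


if __name__ == "__main__":
    for step, outcome in roaming_scenario().items():
        print(f"{step:20} {outcome}")
```

If the server cached the session ID at the end of Part 1 instead of after Part 2, the attacker case above would turn into "fast-reconnect" on the second attempt with no password ever checked; that ordering is the whole point of the rule.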

Security concerns

- Authentication data transmitted between the NAS (the access point) and the authentication server is not encrypted by the TLS tunnel. That RADIUS channel, which also carries the session keys handed to the access point after a success, is protected only by the RADIUS shared secret, so it must itself be protected from man-in-the-middle attacks (a strong shared secret, a separate management network or an IPsec tunnel between NAS and server).
- Data transmitted after PEAP authentication is not encrypted by PEAP. The TLS tunnel is only used for authentication; the link itself relies on the wireless encryption, keyed from the session keys that PEAP produces.
- The PEAP implementation must be set up correctly. Poor configuration, above all clients that accept any server certificate instead of checking the issuing CA and the server name, can allow several severe vulnerabilities, including a rogue access point terminating the tunnel and collecting the inner credentials.
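The first concern is easy to underestimate: the key that will protect the air link leaves the TLS tunnel at the EAP server and travels to the access point over plain RADIUS. The following is an added example, not code from the original slides, showing how that hop is protected. It implements the RFC 2548 MS-MPPE-Send-Key / MS-MPPE-Recv-Key hiding (an MD5 keystream keyed by the RADIUS shared secret and the Request Authenticator), the NAS-side unwrap with the well-formedness checks, and what an eavesdropper holding one captured Access-Accept can do offline with a list of shared-secret guesses. The secret, authenticator, salt and key values are constructed sample data.

```python
"""Added example, not part of the original slides: how the session key that
protects the air link leaves the TLS tunnel and reaches the access point.
After PEAP succeeds, the EAP server sends the key to the NAS in RADIUS
MS-MPPE-Send-Key / MS-MPPE-Recv-Key attributes (RFC 2548 section 2.4),
hidden with an MD5 keystream keyed by the RADIUS shared secret and the
Request Authenticator.  The TLS tunnel plays no part in this hop.
Secret, authenticator, salt and key values below are constructed sample data."""
import hashlib
import os


def mppe_wrap(secret, request_authenticator, salt, key):
    """Return the attribute value: Salt || encrypted(Key-Length || Key || zero pad).
    b(1) = MD5(S + R + A), c(1) = p(1) xor b(1); b(i) = MD5(S + c(i-1))."""
    if len(request_authenticator) != 16 or len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("need a 16-octet Request Authenticator and a 2-octet salt with high bit set")
    if len(key) > 255:
        raise ValueError("key too long for the one-octet length field")
    plaintext = bytes([len(key)]) + key
    plaintext += b"\x00" * (-len(plaintext) % 16)
    out, b = b"", hashlib.md5(secret + request_authenticator + salt).digest()
    for i in range(0, len(plaintext), 16):
        c = bytes(p ^ k for p, k in zip(plaintext[i:i + 16], b))
        out += c
        b = hashlib.md5(secret + c).digest()       # next keystream block chains on ciphertext
    return salt + out


def mppe_unwrap(secret, request_authenticator, attribute, expected_len=None):
    """Recover the key, or return None when the plaintext is malformed, which
    is what a wrong shared secret or a tampered attribute produces."""
    salt, ciphertext = attribute[:2], attribute[2:]
    if len(salt) != 2 or not ciphertext or len(ciphertext) % 16:
        return None
    plaintext, b = b"", hashlib.md5(secret + request_authenticator + salt).digest()
    for i in range(0, len(ciphertext), 16):
        c = ciphertext[i:i + 16]
        plaintext += bytes(x ^ k for x, k in zip(c, b))
        b = hashlib.md5(secret + c).digest()
    key_len = plaintext[0]
    if key_len > len(plaintext) - 1 or any(plaintext[1 + key_len:]):
        return None                                # length or padding inconsistent
    if expected_len is not None and key_len != expected_len:
        return None
    return plaintext[1:1 + key_len]


def offline_secret_guess(candidates, request_authenticator, attribute, expected_len):
    """What an eavesdropper on the NAS-to-server link can do with one captured
    Access-Request/Access-Accept pair: test shared-secret guesses offline until
    the unwrapped plaintext is well formed.  No interaction with either side."""
    for guess in candidates:
        if mppe_unwrap(guess, request_authenticator, attribute, expected_len) is not None:
            return guess
    return None


if __name__ == "__main__":
    secret = b"radius-shared-secret"              # constructed
    req_auth = os.urandom(16)                      # Request Authenticator of the Access-Request
    salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    pmk = os.urandom(32)                           # 32-octet session key derived by PEAP
    attr = mppe_wrap(secret, req_auth, salt, pmk)
    assert mppe_unwrap(secret, req_auth, attr) == pmk
    print("wrapped attribute:", attr.hex())
    print("guessed secret:", offline_secret_guess([b"password", b"radius", secret], req_auth, attr, 32))
```

The unwrap succeeds for exactly one secret and fails cleanly for the rest, which is what makes the guessing loop work: the only thing standing between a captured RADIUS exchange and the link key is the entropy of the shared secret, hence the advice to treat the NAS-to-server path as a protected channel rather than rely on the secret alone.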

References

- draft-josefsson-pppext-eap-tls-eap-02: http://www.globecom.net/ietf/draft/draft-josefsson-pppext-eap-tls-eap-02.html
- http://www.oreillynet.com/lpt/a/2827
- http://www.nwfusion.com/news/2002/0923peap.html
- RFC 2246, The TLS Protocol Version 1.0: http://www.ietf.org/rfc/rfc2246.txt
- Microsoft TechNet, Windows Server 2003 IAS protocols, PEAP: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/entserver/sag_ias_protocols_peap.asp
- RFC 2284, PPP Extensible Authentication Protocol (EAP): http://www.faqs.org/rfcs/rfc2284.html
- Cisco, PEAP Q&A: http://www.cisco.com/en/US/netsol/ns110/ns175/ns176/ns178/netqa09186a008010018c.html