Presentation is loading. Please wait.

Presentation is loading. Please wait.

Protected Extensible Authentication Protocol

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Protected Extensible Authentication Protocol"— Presentation transcript:

1 Protected Extensible Authentication Protocol
PEAP Protected Extensible Authentication Protocol

2 What is PEAP? PEAP is an authentication protocol designed for wireless LANs PEAP makes use of 2 well known and well studied protocols EAP - Extensible Authentication Protocol TLS - Transport Layer Security

3 EAP – Extensible Authentication Protocol
EAP is an authentication protocol that typically rides on top of another protocol such as 802.1x, RADIUS, PPP, etc. EAP allows the authenticator to serve as the user authentication carrier between the client and the authentication server. EAP limitations are well known and resolved by PEAP.

4 TLS – Transport Layer Security
TLS provides the encryption, compression and data integrity. TLS is based on the SSL 3.0 Protocol Specification and is often described as a improved version of SSL. TLS is well documented and has been extensively analyzed with no significant weaknesses found.

5 Why do we need PEAP? A wireless access point (WAP) broadcasts all of its traffic so that anyone within broadcast range can passively collect the data. (Ethereal, AirSnort) Wireless encryption is weak and can be decrypted in a short period of time. (AirSnort, WEPcrack) Physical access of the network is not necessary to connect to the network. Knowledge of the SSID and possibly a valid MAC address is all that is required. (NetStumbler) Users have no way of knowing if they are connecting to a rogue access point setup as part of a man-in-the-middle attack.

6 How does PEAP fix these problems?
The transmission of user-sensitive authentication data is encrypted within a TLS tunnel. Data within the TLS tunnel cannot be decrypted without the TLS master secret. If a client does not successfully authenticate, its connection is dropped by the access point. The TLS master secret is not shared with the access point, so rogue access points will be unable to decrypt messages protected by PEAP. Server-side Public-Key Infrastructure based digital certificates are used to authenticate EAP Servers.

7 How does PEAP work? Part 1 – Establish TLS tunnel
Client WAP EAP Server Authentication Server Request Connection Request Connection Do you support PEAP? Yes Server PKI certificate & server’s TLS preferences Certificate verified & client’s TLS preferences or OK TLS settings accepted & TLS finished TLS tunnel established

8 How does PEAP work? Part 2 – EAP authentication within the TLS tunnel
Client WAP EAP Server Authentication Server Response to TLS tunnel established Request client’s identity Client’s identity (tells server domain to contact) Server’s requested EAP authentication type Client’s requested EAP authentication type or OK EAP method accepted, request authentication Client’s UserID and Password UserID & password EAP authentication success Success TLS tunnel torn down

9 PEAP fast reconnect Allows wireless clients to move between access points on the same network without repeated requests for authentication. Requires that access points be configured to forward authentication requests to the same EAP server. If the original EAP server is not available, full authentication must occur. TLS session IDs are cached by the client and server. Because the server only caches TLS session IDs that successfully authenticate in part 2, if the client can reestablish the TLS session, it is not necessary to re-authenticate the client against the authentication server.

10 Security concerns Authentication data transmitted between the NAS and the authentication server is not encrypted by the TLS tunnel. This channel must be protected from man-in-the-middle attacks. Data transmitted after PEAP authentication is not encrypted. The TLS tunnel is only used for authentication. Implementation of PEAP must be setup correctly. Poor configuration can allow for several severe vulnerabilities.

11 References

Download ppt "Protected Extensible Authentication Protocol"

Similar presentations

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.

External User Security Model (EUSM) for SNMPv3 draft-kaushik-snmp-external-usm-00.txt November, 2004.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication E-Mail Security E-Mail Security Secure Sockets Layer Secure.

CHAPTER 8: SECURITY IN COMPUTER NETWORKS Encryption Encryption Authentication Authentication Security Security Secure Sockets Layer Secure.
無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – 802.11b  Security Mechanisms in 802.11b  Security Problems in 802.11b  Solutions for 802.11b.

無線區域網路安全 Wireless LAN Security. 2 Outline  Wireless LAN – b  Security Mechanisms in b  Security Problems in b  Solutions for b.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.

MITP | Master of Information Technology Program Securing Wireless LAN using Cisco-based technology Campus Crew Study Group Paul Matijevic Ed McCulloch.
Wireless Encryption By: Kara Dolansky Network Management Spring 2009.

Wireless Encryption By: Kara Dolansky Network Management Spring 2009.
802.1x EAP Authentication Protocols

802.1x EAP Authentication Protocols
11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.

11 WIRELESS SECURITY by Prof. Russell Jones. WIRELESS COMMUNICATION ISSUES  Wireless connections are becoming popular.  Network data is transmitted.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.

Chapter 5 Secure LAN Switching.  MAC Address Flooding Causing CAM Overflow and Subsequent DOS and Traffic Analysis Attacks.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

Similar presentations

Ads by Google