The EAP, a flexible protocol used to carry arbitrary authentication information, is defined in RFC 2284. (Incidentally, RFC 2284 is only 16 pages long!) A set of RFCs also defines the various authentication processes over EAP, including TLS, TTLS, SmartCard, and SIM. The IETF EAP workgroup is working on a revision of the EAP RFC and has submitted the new document as RFC 3579 (was RFC 2284bis).
EAP has two major features. First, it separates the message exchange from the process of authentication by providing an independent exchange layer. By doing so, it achieves the second characteristic: orthogonal extensibility, meaning that the authentication processes can extend the functionality by adopting a newer mechanism without necessarily effecting a corresponding change in the EAP layer.
The basic EAP consists of a set of simple constructs: four message types, two message frames, and an extensible choreography.
The four message types are request, response, success, and failure. Figure 7-2 shows the EAP frame format.
As shown in Figure 7-3, EAP also defines a packet to negotiate the EAP protocol configuration. The EAP protocol is identified by C227 (Hex). This packet will be included in the data field of the EAP frame in Figure 7-2.
The RFC assigns eight request/response types. The rest are assigned by the Internet Assigned Numbers Authority (IANA). The current assignments are shown in Table 7-2.
Assigned by RFC
Nak (response only)
One-Time Password (OTP)
Generic Token Card (GTC)
RSA Public Key Authentication
Defender Token (AXENT)
RSA Security SecurID EAP
Arcot Systems EAP
EAP-Cisco Wireless (LEAP)
Nokia IP SmartCard authentication
SRP-SHA1 Part 1
SRP-SHA1 Part 2
Remote Access Service
UMTS Authentication and Key Agreement
Mutual Authentication w/Key Exchange (MAKE)
Cogent Systems Biometrics Authentication EAP
Not assigned; can be assigned by IANA on the advice of a designated expert
Reserved; requires standards action
The expanded type (254) frame includes a vendor ID; therefore, it is not deemed interoperable.
Figure 7-5 shows the success/failure frame.
The EAP message exchange is basic, as shown in Figure 7-6. EAP starts after the supplicant has data and link layer connectivity (Step 0 in Figure 7-6). The communication between the authenticator and the supplicant is done as a request-response paradigm, meaning a message is sent and the sender waits for a response before sending another message.
Generally, either side should be able to start EAP, not just the authenticator. But in this case, notice that the authenticator starts the EAP message, not the supplicant/client. EAP does not assume a specific protocol such as IP, so the messages are "lock-step"?an ordered exchange of messages in which a reply is sent only after receiving the earlier message. Another important observation is that EAP is a point-to-point (peer-to-peer) exchange at the transport layer, not multicast or any other many-to-many mechanism. The choreography is just a minimal framework facilitating further RFCs to define the exact processes. That is what many of the RFCs do: define EAP over various authentication processes such as EAP-SIM, EAP-over-LDAP, EAP-over-GPRS, and of course, EAP-over-802, which is the 802.1x specification.
The first exchange (Step 1 in Figure 7-6) could be an identity exchange. Even though there is an identity message type, the RFC does not guarantee identity semantics and encourages that the authentication mechanisms not depend on this exchange for identity and have their own identity-recognition mechanisms. Moreover, the initial exchange would most likely be in cleartext; therefore, it is a security vulnerability.
In Step 2, all the exchanges between the supplicant, authenticator, and back-end authentication systems are defined by a wide variety of specific RFCs or drafts and authentication mechanisms.
Finally, at some point, the authenticator determines whether the authentication is a success or failure and sends an appropriate message to the supplicant (Step 3 in Figure 7-6).
This section examines in detail some of the most relevant EAP authentication frameworks. The typical mechanisms using EAP over LANS are EAP-MD5, EAP-One-Time Password (EAP-OTP), EAP-TLS, EAP-TTLS, EAP-Generic Token Card (EAP-GTC), Microsoft CHAP (EAP-MSCHAPv2), and EAP-FAST.
The EAP-MD5 is a Challenge Handshake Authentication Protocol (CHAP), as defined in RFC 1994. Figure 7-7 shows the choreography of the EAP-MD5 mechanism.
For EAP-MD5 to work, the client and the authentication server must have a shared secret, usually a password associated with an identity/username. This needs to be established out of band (Step 1 in Figure 7-7). The connectivity (Step 2 in Figure 7-7) and identity exchange (Step 3 in Figure 7-7) are required before the EAP-MD5 process. The EAP-MD5 method consists of a random challenge to the supplicant (Step 4-a in Figure 7-7) and a response from the supplicant (Step 4-c, Step 4-d in Figure 7-7), which contains the hash of the challenge created using the shared secret (Step 4-b in Figure 7-7). The authentication server verifies the hash (Step 4-e in Figure 7-7) and accepts or rejects the authentication. The authenticator allows or disallows access (Step 5 in Figure 7-7) based on this decision. If successful, the supplicant gains access (Step 6 in Figure 7-7).
EAP-MD5 is a pure authentication protocol; after the authentication, the messages are transmitted in cleartext. It is also a client authentication protocol?the server side (authenticator) is not authenticated; therefore, it cannot detect a rogue AP.
EAP-MD5 also contains a set of good features: It requires only lightweight processing (which translates to less hardware) and does not require a key/certificate infrastructure. Although pure EAP-MD5 has some value in the PPP world, it is of limited use in the wireless world. For example, Microsoft has dropped the support for EAP-MD5 for the wireless interface in Windows XP. Support was dropped because of security problems; EAP-MD5 is vulnerable to dictionary and brute-force attacks when used with Ethernet and wireless.
EAP-OTP is similar to MD5, except it uses the OTP as the response. The request contains a displayable message. The OTP method is defined in RFC 2289. The OTP mechanism is employed extensively in VPN and PPP scenarios but not in the wireless world.
The EAP-GTC (Generic Token Card) is similar to the EAP-OTP except with hardware token cards. The request contains a displayable message, and the response contains the string read from the hardware token card.
As you have seen, methods such as EAP-MD5 and EAP-GTC are specific to authentication and are confined to authenticating only the client. EAP-TLS adds more capabilities such as mutual authentication, which provides an encrypted transport layer and the capability to dynamically change the keys. On the other hand, EAP-TLS is based on digital certificates and thus requires an infrastructure to manage?issue, revoke, and verify?certificates and keys.
EAP-TLS is based on the TLS protocol that is defined in RFC 2246. The following section talks a little bit about TLS, and then you will look at which of its features carry over into EAP-TLS.
The origin of the transport level protocol was SSLv1, proposed and implemented by Netscape for securing browser traffic. SSL 1.0 was superseded by SSL 2.0, which was the original SSL. SSL 3.0, which, of course, superseded SSL 2.0, is the most common security protocol used today. IETF chartered a working group in 1996, accepted submissions from Netscape (SSL 3.0) and Microsoft (PCT), and delivered RFC 2246?TLS 1.0.
TLS has the concept of sessions and connection. A connection is a channel, whereas a session is governed by security context?session identifier, peer certificate, compression method, cipher spec for the session key, and MAC algorithm parameters and the shared master secret. TLS can and will securely negotiate different session parameters while maintaining the same connection?usually a TCP connection. The handshake phase establishes a session, and the session keys (symmetric) encrypt the transport during the data transfer phase. In addition to providing confidentiality, TLS provides integrity check. TLS, of course, is a point-to-point method.
TLS defines two layers: a record layer (which exchanges messages dealing with things such as fragmentation, MAC, and encryption) and a message layer (which defines different types of messages). The four message types are as follows:
Change cipher spec? Used to signify change in the session context to be used by the record layer. This is an independent content type that is used to avoid getting trapped in specific protocol messages, at which point the pipe could stall.
Alert? Could be warning or fatal. The alert message subtypes (approximately 26 subtypes) include close notify, decryption failed, certificate revoked, access denied, and so on.
Handshake protocol? You will see these messages in Figure 7-8. The subtypes include the following:
- Hello messages (hello_request, client_hello, and server_hello)
- Server authentication and key exchange messages (certificate, server_key_exchange, certificate_request, and server_hello_done)
- Client authentication and key exchange messages (certificate_verify and client_key_exchange)
- Handshake finalization message (finished)
Application data? The records themselves are transmitted over a reliable protocol such as TCP. TLS also defines a handshake protocol for authentication, exchanging cryptographic parameters and establishing session context.
Figure 7-8 shows the TLS choreography, through the lifetime of a connection, in some detail.
The handshake protocol (Steps 3, 4, 5, and 6 in Figure 7-8) accomplishes server authentication, algorithm negotiation, establishing session context, and (optional) client authentication. Of course, to successfully complete the handshake and arrive at the keys and secrets, the client and server should have digital certificates (Step 1 in Figure 7-8) and connectivity (Step 2 in Figure 7-8).
After the handshake is successfully completed, the client and server can exchange application data (Step 7 in Figure 7-8) using the established secure transport. Occasionally, renegotiation of session context might happen, usually for new session keys. Finally, the client or server with the close message closes the connection (Step 8 in Figure 7-8).
EAP-TLS employs selected parts of the TLS. For example, it uses the TLS handshake for mutual authentication, cipher suit negotiation, and to derive session keys; however, it does not use all parts of the TLS record protocol.
Figure 7-9 shows the frame format for EAP-TLS. The EAP type is 13 (see Table 7-2). The EAP data frame consists of TLS-specific fields. A similar approach is taken for the choreography, as shown in Figure 7-10. As expected, Figure 7-10 is a combination of Figures 7-6 and 7-8.
After the EAP identity request and response, a TLS-START request is sent (this is where Bit 2 of the TLS flag is used) to the supplicant (Step 3-a in Figure 7-10). This initiates the TLS handshake protocol (remember, TLS starts with a client-hello), which, in the end, results in authentication and establishing session keys for securing (confidentiality and integrity) the transport layer. As you saw in the TLS section, the session context contains all the relevant information. After the handshake is done, EAP-TLS does not use any of the TLS record protocols; that is, the application data is not exchanged using the TLS record protocol.
As you can see, this still does not satisfy all the requirements of the wireless world because EAP-TLS is written for PPP, where a key and authentication are sufficient for communication and the client authenticates the server. The wireless world also has the authenticator/AP, which has to be authenticated, and the server is a RADIUS server.
In the wireless world, EAP-TLS is used as a strong and secure means for authentication and key establishment. After that, the native WEP mechanisms are used to encrypt the data. In fact, the WEP encryption key is derived from the TLS session key.
EAP-TTLS is similar to EAP-TLS, but the client authentication is extended after the secure transport has been established. Then the client can be authenticated using any of the methods like username/PW, CHAP, and MSCHAPv2. This is called tunneled authentication. What this achieves is that the client does not require a digital certificate; only the authentication server needs one. This capability simplifies the client credential management. Organizations can also use currently available/legacy authentication methods (usually password-based schemes).