DESIGN OF A PASSWORD-BASED AUTHENTICATION METHOD FOR WIRELESS NETWORKS
Andrea Manganaro, Mingyur Koblensky and Michele Loreti Dipartimento di Sistemi e Informatica, Universita’ di Firenze, Viale Morgagni 65 - 50134 Firenze, Italy
Keywords: EAP methods, Password-based authentication, SRP-6.
Abstract: In recent years, amendments to IEEE standards for wireless networks added support for authentication al- gorithms based on the Extensible Authentication Protocol (EAP). Available solutions generally use digital certificates or pre-shared keys but the management of the resulting implementations is complex or unlikely to be scalable. In this paper we present EAP-SRP-256, an authentication method proposal that relies on the SRP-6 protocol and provides a strong password-based authentication mechanism. It is intended to meet the IETF security and key management requirements for wireless networks.
1 INTRODUCTION agement is unlikely to be simple. Tunneled methods provide an encrypted channel Securing communications over a wireless network re- inside which two parties can perform a protected au- quires protocols that provide both mutual authentica- thentication procedure. Digital certificates are still tion between the parties and correct integration with required, but this is mandatory only on Server-side. the available cryptographic algorithms. A common PEAP (Palekar et al., 2004) and EAP-TTLS (Funk, approach is that based on the Extensible Authentica- 2005) fit into this category. These methods have the tion Protocol (EAP) (Aboba et al., 2004), since it pro- advantage of simplifying digital certificates manage- vides a generalized framework for the execution of ment but they still depend on a PKI. arbitrary authentication mechanisms between two en- Pre-Shared-Key (PSK) methods perform au- tities, a client and an authentication Server. Protocols thentication using cryptographic algorithms that rely that rely on EAP are usually called methods. on one or more secret keys shared between the par- Amendments to IEEE standards 802.11 and ties without needing digital certificates. EAP-PSK 802.16 have defined the support for EAP in Wi-Fi (Bersani and Tschofenig, 2007) is believed to be the and WiMax systems respectively. In both these en- most representative for this category. PSK-based so- vironments the authentication methods are required lutions could simplify network security management to meet RFC 4017 (Stanley, 2005) that concerns se- in certain evironments, unfortunately they have also curity requirements, and the EAP Key Management some noticeable limitations: Framework (Bernard Aboba, 2006). • it is hard to implement key generation with an ad- EAP methods can be divided into four main cate- equate entropy level; gories, according to their authentication mechanism. PKI-based methods rely on a Public Key Infras- • key distribuition and management could become tructure (PKI) in order to manage the digital cer- complex and not scalable for large evironments; tificates exchanged between the parties. EAP-TLS • in general, such methods are not suitable to derive (Aboba and Simon, 1999) is a well-known and widely PSKs from users’ passwords. implemented example of this kind of approach. Nev- ertheless PKI dependency often results in a consider- As a consequence, PSK methods are commonly used able design complexity and digital certificates man- only in small environments.
9 Manganaro A., Koblensky M. and Loreti M. (2007). DESIGN OF A PASSWORD-BASED AUTHENTICATION METHOD FOR WIRELESS NETWORKS. In Proceedings of the Second International Conference on Wireless Information Networks and Systems, pages 9-16 DOI: 10.5220/0002147200090016 Copyright c SciTePress WINSYS 2007 - International Conference on Wireless Information Networks and Systems
Password-based methods typically are proto- 2.1 Foundation cols capable of performing authentication using only users’passwords as credentials. Such solutions are From the mathematical standpoint SRP-6 is a Diffie- attractive, since passwords are by far the most Hellman Key Exchange (Diffie and Hellman, 1976) widespread credential type. Nevertheless, to the best variant that relies on discrete logarithm properties and of our knowledge, no password-based method has uses the parameters shown in Table 1. been yet standardized or recognized as “secure”. Table 1: Mathematical notation for SRP. 1.1 Applicability I client’s identity In production wireless environments, the majority of n,g group parameters (prime and generator) the adopted EAP methods are PKI-dependent: PEAP k constant value derived from n and g and EAP-TLS are the most implemented methods to- s salt (random value) day. As mentioned above, such solutions tend to P client’s password be expensive since PKI design and management are x a private key derived from I, P and s pretty complex. It is not trivial to implement a X.509 v client’s password verifier infrastructure where certificates are generated, dis- A,a client’s public and private values tributed and revoked efficiently. Handling of certifi- B,b server’s public and private values cates lifecycle is a very delicate aspect for every PKI H a one-way hash function and any design error could result in a security weak- K the SRP session key ness. Moreover, clients should be able to check the authenticity of certificates. To do that in practice, clients use the CA public key with the proper verifica- tion algorithm (RSA or DSS). As noted in (Skoudis, 2.1.1 Modular Exponentiation 2002), this may lead to a weak trust-model, since it is strongly based on client’s system settings and user’s choices. All exponential computations are performed in a fi- There is a substantial lack of real alternatives to nite field GF(n). In other words, given a large prime PKI-dependent solutions, consequently the authors n, all operations are performed modulo n. Value g believe this is a relevant research topic to develop. is required to be a primitive root modulo n and it is Having a robust authentication method that does not called generator in a GF(n). For the generation of this use digital certificates would be desiderable, since it group parameters, existing implementations of SRP could offer a less expensive solution for wireless com- commonly use a predefined set of values that meets munication systems. the required constraints. See e.g. (Taylor et al., 2006). In this paper we present EAP-SRP-256, a new 2.1.2 Hash Functions EAP method proposal that allows password-based au- thentication. EAP-SRP-256 is based on the SRP-6 SRP-6 requires a one-way hash function H. In real protocol and it has been designed to be suitable for world implementations the SHA-1 or SHA-256 algo- both Wi-Fi and WiMax networks. rithms are commonly believed adequate, since into this context they are not susceptible to the currently known attacks to hash functions reported in (Hoffman 2 THE SRP-6 PROTOCOL and Schneier, 2005).
The Secure Remote Password (SRP) protocol 2.1.3 Parameters Initialization (Wu, 1997) is a password-based authenticated key- exchange protocol designed to resist both active and Each client must be prior accounted by an authenti- passive attacks. The SRP-6 protocol is an earlier im- cation Server using client’s identity (I) and password proved version of SRP that has been defined in (Wu, (P). Every account is created on server-side first gen- 2002) and included within the IEEE-P1363.2 stan- erating s, a pseudorandom value called salt, and then dardization process. In this section we give a brief computing the following parameters: overview on protocol properties and functionalities. x = H(s,I,P) (1)
v = gx mod n (2)
10 DESIGN OF A PASSWORD-BASED AUTHENTICATION METHOD FOR WIRELESS NETWORKS
2.3 Security k = H(n,g) (3) The security analysis of any authentication protocol Thereafter the authentication Server stores the could not easily performed with formal methods. For triplet (I,s,v) related to the accounted client with instance, the Dolev-Yao model (Dolev and Yao, 1981) identity I and n,g group parameters. Server does not is applicable with certain constraints but it is not ad- store the P value in any way. equate to deal with primitives such as Diffie-Hellman exponentiation (Millen and Shmatikov, 2003). More- over protocol security becomes undecidable with 2.2 Protocol Overview more general models (Heintze and Tygar, 1996), since the set of states to be considered is huge or infinite. The SRP-6 protocol performs mutual authentication In recent years, there has been interest in prov- between a client and an authentication Server, deriv- ing the security of password-based protocols using ing a different session key (K) at the end of each suc- the ideal-cipher model (Bellare et al., 2000) and there cessful authentication process. The length of K de- is evidence of its applicability (Bellare and Rog- pends on the chosen hash function properties. away, 2000) even for SRP. Unfortunately it has been Figure 2 shows the protocol flow that occurs be- also demonstrated (Zhao et al., 2006) that a prov- tween the parties. Note that messages are sent “in able security in ideal-cipher model does not necessar- clear” and exponential operations must be considered ily say that the instantiation of the protocol is secure. modulo n. Consequently, the applicability of a security analysis with formal methods to password-based authentica- tion protocols has not yet been proved. Table 2: The SRP-6 protocol. Despite this formal limitation, the SRP-6 proto- Client Server col could be considered inherently secure, since its mathematical structure can be reduced to the widely I −→ lookup (I,s,v) studied Diffie-Hellman problem (Diffie and Hellman, n,g,s 1976). Consequently it is possible to prove its effec- x = H(s,I,P) ←− tive security against active and passive known attacks. a A b A = g −→ B = kv + g See e.g. (Ferguson and Schneier, 2003). u = H(A,B) ←−B u = H(A,B) S = (B − kgx)a+ux S = (Avu)b M1 M1 = H(A,B,S) −→ verify M1 3 DESIGN OF EAP-SRP-256 M verify M ←−2 M = H(A,M ,S) 2 2 1 EAP-SRP-256 is a password-based authentication K = H(S) K = H(S) method that has been designed to operate in wire- less networks and relies on the SRP-6 protocol. This EAP method allows mutual authentication between SRP-6 also allows message reordering to perform a client and an authentication Server, deriving two the authentication in a more efficient way, reducing sets of symmetric keys during the protocol execution. the required protocol rounds. Optimized message or- Clients’ passwords are the only needed credentials. dering requires only two rounds and it is useful in The development of EAP-SRP-256 is part of an practice for limiting the channel overhead. Message academic research project1. The early design of reordering is shown in Table 3. the authentication method was given by (Manga- naro, 2005) that has developed protocol specifica- tions, design rationale and security analisys. A no- Table 3: SRP-6 with optimized message ordering. ticeable result was the open source implementation Client Server sent parameters for Wi-Fi networks that has been recently presented by (Koblensky, 2006). =⇒ I ⇐= n,g,s,B 3.1 Architecture =⇒ A,M1 ⇐= M2 The architecture of EAP-SRP-256 consists on seven building blocks that provide specific features and have 1http://rap.dsi.unifi.it/eap-srp-256/
11 WINSYS 2007 - International Conference on Wireless Information Networks and Systems
one or more functional dependencies with the other Table 4: The EAP-SRP-256 message flow. blocks. It is shown in Figure 1. Client Server The SRP-6 protocol gives the basic mechanisms for mutual authentication and primary session key EAP−Request Identity establishment. The EAP method provides message- ←− SRP−Anonymous integrity protection (using the HMAC-SHA-256 algo- −→ rithm) and data encryption for some data exchanged MS,ServerName between the parties. Moreover, it uses a key deriva- ←−
EAP−Request Identity ←− Every EAP method is required to start with this ex- plicit request. In IEEE 802.11 implementations this message is sent usually by the Access Point.
SRP−Anonymous −→ Figure 1: Architecture of EAP-SRP-256. This message is the conventional Response-Identity required by EAP. In this case it contains a default string (SRP-anonymous) that manifests the intention of the client to proceed with EAP-SRP-256 authenti- 3.2 Method Overview cation without identifying himself explicitly.
MS,ServerName EAP-SRP-256 is a 4 round authentication method that ←− encapsulates the optimized version of the SRP-6 pro- Server starts this specific EAP method, sending a tocol while adding some functionality, such as mes- nonce (MS) and optionally a string that represents sage integrity protection and a key derivation mecha- Server name. Server is requiring client’s identity. nism.
12 DESIGN OF A PASSWORD-BASED AUTHENTICATION METHOD FOR WIRELESS NETWORKS
and the considerations included in (Hoffman and A,M1,h Data ,h −→ 1 1 Schneier, 2005). This message provides the “Secure Client Authen- 3.3.2 Cryptographic Primitive tication” (SCA). Client sends its SRP-6 parameters, adding 64 bytes of encrypted data (h Data ) and h , 1 1 EAP-SRP-256 uses the AES-256 algorithm (Daemen a 32 byte Keyed-Hash Message Authentication Code, and Rijmen, 2002) as cryptographic primitive in order also know as HMAC. After receiving this message, to: Server performs SRP-6 computations and derives a set of ephemeral keys. • encrypt the h Data1,2,3 parameters exchanged be- tween the parties; M2,h Data ,h ←− 2 2 • run over the MCM-based key derivation mecha- This message provides the “Secure Server Authenti- nism; cation” (SSA). Server completes SRP-6 protocol and • be used (optionally) for the PRNG engine. sends 64 bytes of encrypted data (h Data ) and a 2 The recommended mode of operation for encryption 32byte HMAC (h ). After receiving this message, the 2 is the CTR mode as described in (Dworkin, 2001). client derives a set of session keys. AES is a de-facto world standard and, since its
h Data3,h3 introduction in 1999, there have been few cryptana- −→ lytic advances despite the efforts of many researchers This message provides “Secure Method Confirma- (Dobbertin et al., 2004). tion” (SMC). Client sends 64 bytes of encrypted data (h Data3) and a 32 byte HMAC (h3). With SMC, 3.3.3 Message Integrity Protection client confirms securely the correctness of encrypted data that parties have previously exchanged. After re- In order to avoid packet-modification attacks, EAP- ceiving this message, client derives a set of session SRP-256 uses authenticators (h1,2,3) for each message keys. that contains encrypted data. They are Keyed-Hash Message Authentication Codes (HMAC) (Krawczyk EAP−Success/Failure ←− et al., 1997) that use the SHA-256 function and a 256 bit symmetric ephemeral key. Every EAP method is required to end with a success Authenticators are computed following the Hor- or failure message related to the authentication pro- ton principle (Wagner and Schneier, 1996), using a cess. different key for each method execution. 3.2.2 Considerations 3.3.4 Key Derivation Initial messages merely start the authentication method while negotiating SRP-6 parameters. Note Key derivation is a crucial aspect for authentication that in this case the pseudonym is used instead of the and method security. EAP-SRP-256 derives two sets usual I value. of symmetric keys in order to perform data encryp- With the SCA, SSA and SMC messages, both par- tion, HMAC computation and the exportation of key- ties perform mutual authentication and derive two dif- ing material required by the EAP Key Management ferent sets of symmetric keys referred as ephemeral Framework. and session oriented. Key derivation details are dis- The entire mechanism is based on the Modified cussed in section 3.3.4. Counter Mode (MCM), a block cipher expansion function that transforms a single input block into t The h Data1,2,3 fields contain encrypted pseudo- random values, called seeds and challenges, that both blocks, where t ≥ 2 and each output block is of the the parties use for generating pseudonyms and session same length of the input. It has been demonstrated keys. in (Gilbert, 2003) that, under certain constraints, the MCM resulting output is secure according the Luby- 3.3 Implementation Details Rackoff paradigm (Luby and Rackoff, 1988), mean- ing that it will not be distinguishable from a perfect random function. In practice this results in two great 3.3.1 Hash Function properties: The authentication method uses SHA-256 as hash • produced output cannot be guessed, even knowing function. The choice follows current best practices the input;
13 WINSYS 2007 - International Conference on Wireless Information Networks and Systems
• when the input is kept secret, it cannot be guessed, representation can grow up to 8192 bits. Neverthe- even if output security is broken. less, protocol overhead determined by this feature is minimum. It has been estimated that the worst case EAP-SRP-256 applies AES-256 to the MCM, sat- scenario gives a maximum of 5 fragments. Figure 5 isfying the required constraints and inheriting the shows how the fragmentation level is related to n. properties above. Figure 2 shows the key derivation mechanism with all the involved components. As previously mentioned, method execution pro- Table 5: Worst case scenarios for fragmentation. duces two distinct sets ok keys. Ephemeral keys n Fragments Method Rounds (TEK1,2 and DK) have a lifetime limited to the method execution and they are mainly used for data 1024 bits 0 4 encryption and HMACs computation. 1536 bits 0 4 Session oriented keys (MSK and EMSK) are 2048 bits 0 4 those exported by the EAP method as keying mate- 4096 bits ≤ 2 ≤ 6 rial for the available crypto algorithms used at the 6144 bits ≤ 2 ≤ 6 OSI-layer 2. For implementations compliant with the 8192 bits ≤ 5 ≤ 9 IEEE 802.11i standard, this would correspond to the keying material used by RSN/WPA specifications for encryption. 3.3.6 Identity Protection
The SRP-6 protocol allows client’s identity (I) to be sent in clear over the communication channel, without compromising protocol security. Nevertheless, EAP- SRP-256 adds an identity-hiding mechanism in order to meet RFC 4017 requirements and increase the ef- fort for the attackers to obtain userIDs. To do so the EAP method uses pseudorandom values (id value) that are derived from the exchanged encrypted data and work as pseudonyms. They are different for each session.
3.3.7 Pseudorandom Numbers Generator
The generation of pseudorandom numbers is required during the entire authentication process. EAP-SRP- 256 supports a PRNG algorithm based on the ANSI- X9.31 (Keller, 2005) and FIPS-140-2 specifications. Figure 2: Key derivation for EAP-SRP-256: keys S and K The two major advantages are the adoption of a stan- are produced by the SRP-6 protocol execution. dard technique and the reuse of the available crypto- graphic primitive. The algorithm uses AES with ∗K, a secret key re- served for number generation, DT, a date-time vector, 3.3.5 Fragmentation and an arbitrary initialization seed V that must be kept secret. An iterative sequence could create pseudoran- Since the parties exchange variable length parame- dom values R computing: ters, a message fragmentation mechanism must be provided. To do so, EAP-SRP-256 supports fragmen- I = AES∗K(DT) (4) tation similarly to EAP-TLS, using a fragment ac- knowledgment scheme. Fragmentation level primarily depends on the R = AES∗K(I ⊕V) (5) value of n, since it influences the dimensions of the biggest SRP paramenters, A and B. The value of n is chosen from a standard predefined set and its binary V = AES∗K(R ⊕ I) (6)
14 DESIGN OF A PASSWORD-BASED AUTHENTICATION METHOD FOR WIRELESS NETWORKS
The support to this PRNG is optional but rec- ommended by method specifications. For other so- lutions, implementators should consider RFC 4086 (Eastlake et al., 2005) guidelines.
3.4 Security
The expected security level of EAP-SRP-265 has been evaluated by considering the building blocks of its architecture and known attacks on similar proto- cols. Security considerations have covered: • the SRP-6 protocol; • key generation and management; • mathematical properties of the parameters; • Man-in-The-Middle attacks; • Replay attacks; • Dictionary attacks; • Packet modification attacks; • compliance with RFC 4017 security require- ments. Figure 3: Comparison with other methods. According to the provided analysis, the proposed EAP method owns formal and cryptographic proper- ties that enable it to work correctly. If compared to to gain much better performance than with the stan- other popular solutions (Figure 3), it is believed to of- dard C implementation. fer an adequate security level for wireless networks giving some advantage such as PKI independence and a provable robustness for key derivation. 4 CONCLUSIONS AND FUTURE WORKS 3.5 Prototype In this paper we presented EAP-SRP-256, a new au- A working C/C++ implementation2 of EAP-SRP- thentication method proposal designed for wireless 256 has been developed for Wi-Fi networks in order networks that support the Extensible Authentication to study protocol applicability to real environments. Protocol (EAP). The proposed method mainly relies This prototype provides the integration with freeRA- on the SRP-6 protocol and it provides mutual authen- DIUS, a popular RADIUS authentication Server, and tication using a strong password-based scheme. The Xsupplicant, a client-side IEEE-802.11i implementa- given definition wants primarily to be compliant with tion. IETF security and key management requirements for FreeRADIUS rappresents today a widespread so- the EAP methods. lution in many environments. The development on At present, work is being done to develop a formal server side is conceived just like an EAP module, analyis for the proposed EAP method. The main pur- while the client side has been directly integrated in pose is to apply a model theoretic definition that can the application. demonstrate protocol correctness also from the math- The programming library Libgcrypt has been used ematical standpoint. In addition, the available Wi-Fi to perform the cryptographic operations such as AES- implementation is being deployed in real world en- 256, SHA-256, HMAC and all the modular calculus. vironments in order to analyze protocol behavior and It is in part derived from the GNU Multi-Precision Li- performance related to the current specifications. brary (GMP) and used primarily by the GNU Privacy Future work involves investigating the possibility Guard (GPG) software. This library uses many as- of further protocol enhancements. Features like the sembler implementations of very low level functions Fast-reconnect option are already under evaluation. 2Publicly available under GPL license at This would permit clients to re-authenticate using http://sourceforge.net/projects/eap-srp-256/ an alternate protocol exchange with a reduced round
15 WINSYS 2007 - International Conference on Wireless Information Networks and Systems
number and a lower computation overhead. Another Heintze, N. and Tygar, J. D. (1996). A model for secure pro- research area is the extendibility to a general proto- tocols and their compositions. Software Engineering, col model that provides a negotiation mechanism for 22(1):16–30. crypto primitives and hash functions. Hoffman, P. and Schneier, B. (2005). Attacks on crypto- Finally there is a need do develop an implementa- graphic hashes in internet protocols. RFC 4270. tion for WiMax networks in order to demonstrate the Keller, S. S. (2005). NIST-Recommended random number applicability of EAP-SRP-256 to different communi- generator based on ANSI X9.31 Appendix A.2.4 us- cation systems. ing the 3-key triple DES and AES algorithms. NIST Information Technology Laboratory - Computer Se- curity Division, National Institute of Standards and Technology. REFERENCES Koblensky, M. (2006). Implementazione del protocollo di autenticazione EAP-SRP-256. Master Thesis at the Aboba, B., Blunk, L., Vollbrecht, J., and Carlson, J. (2004). Dipartimento di Sistemi e Informatica, Universita’ di Extensible authentication protocol (EAP). RFC 3748. Firenze, Italy. (Obsoletes RFC 2284). Krawczyk, H., Bellare, M., and Canetti, R. (1997). HMAC: Aboba, B. and Simon, D. (1999). PPP EAP TLS authenti- Keyed-hashing for message authentication. RFC cation protocol. RFC 2716. 2104. Luby, M. and Rackoff, C. (1988). How to construct pseudo- Bellare, M., Pointcheval, D., and Rogaway, P. (2000). Au- random permutations from random functions. SIAM J. thenticated key exchange secure against dictionary at- Computing, Vol. 17 No. 2. tacks. Lecture Notes in Computer Science, 1807:139. Manganaro, A. (2005). Studio di un metodo di autenti- Bellare, M. and Rogaway, P. (2000). The AuthA proto- cazione per le reti wireless basato sul protocollo SRP- col for password-based authenticated key exchange. 6. Master Thesis at the Dipartimento di Sistemi e In- Technical report. Contribution to the IEEE P1363 formatica, Universita’ di Firenze, Italy. study group for Future PKC Standards. Millen, J. and Shmatikov, V. (2003). Symbolic protocol Bernard Aboba, e. a. (2006). Extensible authentication pro- analysis with products and diffie-hellman exponentia- tocol (EAP) key management framework. IETF Inter- tion. In Proceedings of the 16th IEEE Computer Se- net draft (Work in Progress). curity Foundations Workshop., Asilomar, USA. Bersani, F. and Tschofenig, H. (2007). The EAP-PSK pro- Palekar, A., Simon, D., Salowey, J., Zhou, H., Zorn, G., and tocol: A pre-shared key extensible authentication pro- Josefsson, S. (2004). Protected EAP protocol (PEAP) tocol (EAP) method. RFC 4764. version 2. IETF Internet draft (Work in Progress). Daemen, J. and Rijmen, V. (2002). The Design of Rijndael. Skoudis, E. (2002). Counter Hack - A step-by-step Guide Springer-Verlag New York, Inc., Secaucus, NJ, USA. to Computer Attacks and Effective Defenses. Prentice ISBN 3540425802. Hall PTR. ISBN 0-13-033273-9. Diffie, W. and Hellman, M. E. (1976). New directions in Stanley, e. a. (2005). EAP method requirements for WLAN. cryptography. IEEE Transactions on Information The- RFC 4017. ory, IT-22(6):644–654. Taylor, D., Wu, T., Mavrogiannopoulos, N., and Perrin, T. Dobbertin, H., Knudsen, L. R., and Robshaw, M. J. B. (2006). Using SRP for TLS authentication. IETF In- (2004). The cryptanalysis of the AES - a brief sur- ternet draft (Work in Progress). vey. In AES Conference, pages 1–10. Wagner, D. and Schneier, B. (1996). Analysis of the SSL Dolev, D. and Yao, A. C. (1981). On the security of public 3.0 protocol. In Proceedings of the Second USENIX key protocols. Technical report, Stanford, CA, USA. Workshop on Electronic Commerce, Oakland, Califor- Dworkin, M. (2001). Recommendation for block cipher nia. modes of operation - methods and techniques. NIST Wu, T. (1997). The secure remote password protocol. In Special Publication 800-38A, National Institute of Proceedings of the 1998 Internet Society Network and Standards and Technology. Distributed System Security Symposium, pages 97– Eastlake, D., Schiller, J. I., and Crocker, S. (2005). Ran- 111, San Diego, CA. domness requirements for security. RFC 4086. Wu, T. (October 2002). SRP-6: Improvements and refine- ments to the secure remore password protocol. Sub- Ferguson, N. and Schneier, B. (2003). Practical Cryptog- mission to the IEEE P1363 Working Group. raphy. Wiley Publishing Inc. ISBN 0-471-22894-X. Zhao, Z., Dong, Z., and Wang, Y. (2006). Security analysis Funk, P. (2005). EAP tunneled TLS authentication protocol of a password-based authentication protocol proposed version 0 (EAP-TTLSv0). IETF Internet draft (Work to IEEE 1363. Theor. Comput. Sci., 352(1):280–287. in Progress). Gilbert, H. (2003). The security of one-block-to-many modes of operation. Springer-Verlag LNCS, FSE 03(2287):376–395. ISBN 3-540-20449-0.
16