Quick viewing(Text Mode)

Extensible Authentication Protocol (EAP)

Extensible Authentication Protocol (EAP)

SotilloECU 1 ExtensibleAuthenticationProtocol(EAP) SecurityIssues

SamuelSotillo, Dept.ofTechnologySystems,EastCarolinaUniversity

and a negotiation of the desired authentication Abstract —This document describes the Extensible mechanism[2]. Authentication Protocol and several of its best-known security issues.ItintroducesthebasicfunctionalityofEAPaswellasof severalofitsimplementations.Itdiscussesseveralvulnerabilities Originally, EAP was created as an extension to thataffectEAPmethods. PPP that allows for the development of arbitrary Index Terms —EAP, Network, Security, Wireless, PPP, plug-in modules for current and future Authentication, WLAN, WPA, WPA2, TLS, TTLS, EAP-TLS, authenticationmethodsandtechnologies[3].Today, EAP-TTLS,LEAP,SEAPv0,SEAPv1,CHAP,EAP-FAST,EAP- PSK EAP is most often used in wireless LANs [2]. Particularly, two wireless standards, WPA and WPA2,whichhaveofficiallyadoptedseveralEAP I. INTRODUCTION methods as their main authentication mechanisms HIS document presents an overview on some [2]. Tsecurity issues that affect the Extensible Authentication Protocol as defined by the IETF B. EAPBasics RFC3748[1]. SinceEAPwasoriginallydevelopedforPPP,the This document introduces some basic concepts best way to explain its operation is using a PPP- aboutEAP,itsbasicarchitectureandfunctionality. based example. Figure 1 shows a typical stack for Also, it describes some of the many EAP authentication of PPP-based communication. implementationsofEAP.Finally,itdiscussessome AsshowninFigure1,withEAP,PPPpeersdonot security issues associated to diverse EAP chooseaspecificauthenticationmechanismduring implementations. thelinkestablishmentphaseofthePPPconnection; instead, they negotiate to perform EAP during the connection authentication phase. Once the II. EXTENSIBLE AUTHENTICATION PROTOCOL connection authentication phase is completed, the OVERVIEW peers negotiate the use of a specific EAP authentication method. At this point, the A. Origen conversation between the peers consists mostly of TheExtensibleAuthenticationProtocol(EAP)is requests and responses for authentication an Internet standard that provides an infrastructure information(inFigure1,theconversationisshown for network access clients and authentication asasolidlineconnectingtheEAPboxesoneach servers.ItisdescribedintheRFC3748[1]. correspondingstack).Afterthat,EAPallowsforan EAP is not and does not specify any specific open-ended exchange of information between the authenticationmechanism.Instead,EAPprocuresa access client and the authenticating server that framework that provides some common functions varies depending on the connection parameters involved(inFigure1,theauthenticatingserveruses ManuscriptcompletedNovember29,2007.Thisworkwascompletedasa projectrequirementforthecourseICTN4010,section601. theRADIUSprotocol).Inessence,theEAPmethod Samuel Sotillo is a senior student at East Carolina University, Dept. of determines the length and details of the Technology,CollegeofTechnologyandComputerScience. SotilloECU 2 conversationbetweenauthenticatingpeers[1][3]. TABLE I EAP VARIANTS

PROTOCOL DESCRIPTION LightweightEAP Ciscoproprietary—itisamodified (LEAP) versionofMS-CHAP EAP-TLS BasedonTransportLayer Security—whichisbasedonthe PublicKeyInfrastructure(PKI) EAP-MD5 BasedonMD5hash EAP-PSK Basedonpre-sharedkeys(PSK) EAP-TTLS BasedonTunneledTransport LayerSecurity(TTLS)—most widelyused EAP-IKE2 BasedonInternetKeyExchange Protocolversion2(IKEv2)—it Fig. 1. Typical stack for EAP authentication of PPP-based usesasymmetric/symmetrickey communication. PPP peers do not choose a specific pairsandpasswords authenticationmechanismduringthelinkestablishmentphase PEAPv0/EAP- SimilarindesigntoEAP-TTLS— of the PPP connection; instead, they negotiate to perform MSCHAPv2 however,itonlyrequiresaserver- EAPduringtheconnectionauthenticationphase. sidePKIcertificate—secondmost used PEAPv1/EAP-GTC Ciscovariant—basedonGeneric TokenCard(GTC)authentication EAP-FAST Ciscoproprietaryreplacementfor LEAP—basedonFlexible ThemaincomponentsofEAP,asshowninFigure AuthenticationviaSecure Tunneling(FAST) 1,arethefollowing: EAP-SIM ForGlobalSystemforMobile Communications(GSM)—based -- EAP peer /Access Clients :Computersattempting onSubscriberIdentityModule toaccessnetworkresources. (SIM),avariantofPEAPforGSM EAP-AKA BasedonUniversalMobile TelecommunicationsSystem -- EAP authenticator : An access point (AP) or (UMTS)SubscriberIdentity network access server (NAS) requiring EAP Module(USIM)Authentication authentication before granting access to a network andKeyAgreement(AKA) EAP-GSS BasedonGenericSecurityService resource. (GSS)—itusesKerberos See[2]formoredetails. -- Authentication server : A server computer that negotiatestheuseofaspecificEAPmethodwithan EAP Access Client. It also validates EAP peers’ AsupplicantisasoftwarecomponentthatusesEAP credentials and authorizes access to network toauthenticatenetworkaccessbutthathandlesthe resources.InFigure1,theauthenticationserverisa actualdataexchange[3].Intheexampleshownin Remote Authentication Dial-In User Service Figure 1, both the EAP authenticator and the (RADIUS)server.[3] authentication server send EAP messages using RADIUS. As a result, EAP messages are actually Notice from Figure 1 that the EAP peer and, in exchanged between the EAP components on the the case of wireless LANs, the EAP authenticator EAPclientandtheauthenticationserver. bothsendEAPmessagesusinga supplicant and a datalinklayertransportprotocolsuchasPPP—or, In a word, EAP provides the highest flexibility forwirelessLANs,theIEEE802.1Xinfrastructure. because it allows vendors to create more secure SotilloECU 3 authenticationschemesthatcanbepluggedinlater In contrast, each EAP implementation stipulates on,asrequired[1][2]. TABLE 2 EAP METHODSFOR DIFFERENT TYPESOF NETWORK ACCESS TYPEOF NETWORK C. EAPImplementations AVAILABLE EAP METHODS ACCESS There are quite a few implementations available Dial-upremote EAP-MD5CHAP,EAP-TLS of EAP. Table 1 summarizes some of the most accessorsite-to-site important. connections Virtualprivate EAP-MD5CHAP,EAP-TLS network(VPN) In wireless LANs, ononehand,Wi-FiProtected remoteaccessor Access (WPA) originally recommended EAP- site-to-site PSK—mainly, because home/small office connections applications were not required to support IEEE 802.1X EAP-MD5CHAP,PEAP-MS- authenticationtoan CHAPv2,EAP-TLS,PEAP-TLS, 802.1x authentication [4]. EAP-PSK is based on authenticating EAP-FAST pre-shared keys—where a shared secret key is switch(wired) shared in advance between the two parties, using 802.1X PEAP-MS-CHAPv2,EAP-TLS, some secure channel [5]. EAP-PSK is a very authenticationtoa PEAP-TLS,EAP-TTLS wirelessaccesspoint lightweight protocol—it only requires four (AP) messages to complete the authentication stage[4]. See[2]formoredetails. Regardless of EAP-PSK simplicity and economy, WPAlaterrecommendedusingEAP-TLSandEAP- TTLSforincreasedsecurity[4]. some specific valid authentication methods. Consequently, EAP implementations may furnish Ontheotherhand,IEEE802.11i(alsoknownas with security vulnerabilities. The following WPA2) requires enterprise-level security. paragraphs summarize some of the most common Therefore, in addition to EAP-TLS/TTLS, WPA2 security issues associated to the different EAP devices also support PEAPv0, PEAPv1 and other implementations. openstandards[4][6]. A. DictionaryAttacks Currently, the two most used EAP Adictionaryattackisatechniquefordefeatinga implementationsareEAP-TTLSandPEAPv0.Both code or authentication mechanism by trying each areextensivelysupportedbymostcommonlyused wordfromadictionary—alistofcommonwords— operatingsystems(Microsoft,MacOS,andLinux) and encoding it the same way the original aswellasbymostnetworkappliancevendors[4]. passphrasewasencoded[6][7].Dictionaryattacks Table 2 summarizes the most common EAP differ from brute-force attack on the fact that only methods used by the different types of network themostlikelywordsaretried[7]. access. Several EAP implementations are vulnerable to dictionary attacks. For instance, Cisco’s III. SECURITY ISSUES Lightweight EAP (LEAP) relies on a shared As mentioned before, EAP is a standard that secret—theuser’slogonpassword.Systemslacking providesaninfrastructurefornetworkaccessclients strongpasswordpoliciescaneasilybecompromised andauthenticationservers.EAPdoesnotspecifythe withdictionaryattacks[8].Asaconsequenceofthis authentication mechanism itself but the way it is vulnerability, Cisco developed EAP-FAST to negotiated by the communicating parties. providebetterprotectionagainstdictionaryattacks. Consequently,EAPhasnosecurityissuesinitself. However,EAP-FASTisvulnerabletoMitMattacks SotilloECU 4 asexplainedbelow[2]. instance,plainEAP)vulnerabletoMitMwithinthe securedtunnel.Also,iftheclientdoesnotsupport EAP-GSS is another example of an EAP mutualauthenticationorsomeformofsessionkey implementation vulnerable to dictionary attacks. agreement, then the backend server cannot be sure GSSreliesontheKerberosprotocol,whichisitself that the identity of the client using the legacy vulnerabletodictionaryattacks[9]. authenticationprotocolandtheidentityoftheclient endpointarethesame[12]. B. PlaintextAttacks ThesameMitMvulnerabilityhasalsobeenfound onthefirstPEAPv0implementationforMicrosoft EAP implementations that rely on clear-text Windows XP (SP1). The problem was later authentication using RADIUS (even within a correctedforSP2[11]. protectedtunnel)arevulnerabletoknown-plaintext attacks[2].Inaknown-plaintextattack(KPA),the AnotherEAPimplementationvulnerabletoMitM attackerusessamplesofboththeplaintextandits attacksisEAP-FAST,theprotocolCiscodeveloped encrypted version to reveal further secret asreplacementforLEAP.EAP-FASTwasdesigned informationsuchasthesecretencryptionkey[10]. toaddressthevulnerabilitiesofLEAP(seeprevious EAP-IKE2andEAP-TTLSareexamplesofEAP discussion on dictionary attacks) while keepingits implementations that may use password-based simplicity and economy. However, the (automatic) authentication(PAP)andthereforearevulnerableto private key provisioning mechanism reuse legacy this type of attacks [11]. In PAP-based authentication methods that makes the authentication, passwords are transmitted authenticationmodelvulnerabletothesameMitM unencrypted. attacks all other tunneled implementations are exposedto[2]. C. Man-in-the-middleAttacks(MitM) TunnelingprotocolssuchasTLSandTTLSoffer Fortunately, several solutions to the problem of a server-authenticated tunnel that secures both the MitMattackshavebeensuggestedsincetheoriginal authenticationmethodandtheuser’sidentity[12]. research on this issue was first published in 2003 Unfortunately, original implementations of EAP [11]. that are based on these protocols may also be vulnerabletoman-in-the-middle(MitM)attacks.In D. Ciphertextattacks aMitMattack,arogueclientassumestheidentities Theoretically, EAP-SIM improves the original ofboththeclientandtheserverinordertointercept GSM security model—based on a pre-shared key communicationfromonedeviceandsendatainted and challenge-response mechanism. The original onetotheotherdevice[6]. GSMstandardusesA5/1andA5/2streamciphers with key length of 64 bits [13] [15]. EAP-SIM Themainreasonsforthesevulnerabilitiesare: improves the original GSM standard by increasing the key length to128bits.Unfortunately,theway --Re-using of legacy client authentication thenew128-bitkeyisgeneratedhasbeenshownto protocolsthatruninsidetheauthenticatedtunnel. be defective [14]. Rather than being 128-bit long, --Clients cannot or do not properly authenticate the resulting key has an effective key lengthof64 the server—even when the authentication protocol bitsonly. is used within a supposedly server-authenticated tunnel.[12] Theprobabilityofdecryptinga64-bitlongkeyis approx.: Inanutshell,theproblemariseswhentheclient re-use a legacy authentication mechanism (for SotilloECU 5

1 − many flavors and colors, based on well known = .5 4210 ×10 20 ,whichisconsiderablylarger 264 authentication schemes, some of them with thantheprobabilityfora128-bitlongkey: importantsecurityweaknesses.

1 − = 2.9387 ×10 39 . 2128 REFERENCES Itiswellknownthatthelargertheprobability,the [1] B.Aboda,L.Blunk,J.Vollbrecht,J.Carlson,andH. lower the time complexity of the attack; which Levkowetz.(2004,June). ExtensibleAuthentication meansthatasmalleramountoftimeisneededfor Protocol(EAP) .[Online]Available: the attacker being able to expose significant information[15]. http://www.ietf.org/rfc/rfc3748.txt .IETFRFC3748. [2] “ExtensibleAuthenticationProtocol.”(2007,November In a known-plaintext attack, the attacker uses 18).In Wikipedia,TheFreeEncyclopedia .[Online] samples of both the plaintext and its ciphertext Available: (encrypted version) to disclose further secret http://en.wikipedia.org/w/index.php?title=Extensible_Aut informationsuchasasecretkey[13].Aweakkey makes the disclosing process a lot easier to hentication_Protocol&oldid=174317627 . accomplish. Today, attackers have access to [3] “ExtensibleAuthenticationProtocolOverview.”(n.d).In increasing computing power. Consequently, the MicrosoftTechNet .[Online]Available: pressure on weak cryptosystems such as GSM http://www.microsoft.com/technet/network/eap/eap.mspx . increasesaswell.64-bitlongsystemsaredifficultto [4] “Wi-Fi Protected Access.” (2007, November 19). In justify today, the same way 128-bit long systems Wikipedia, The Free Encyclopedia . [Online] Available: mightbelikelydifficulttojustifyinthenearfuture. http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access. [5] “Pre-sharedkey.”(2007,August29).In Wikipedia,The IV. CONCLUSION FreeEncyclopedia .[Online]Available: TheExtensibleAuthenticationProtocol(EAP)is http://en.wikipedia.org/wiki/Pre-shared_key . an Internet standard that provides an infrastructure [6] M.Ciampa.(2006).CWNAGuidetoWirelessLANs . fornetworkclientsandauthenticationservers.Ina nutshell, EAP provides a flexible mechanism for Boston:Thomson. hosting authenticating plug-in modules for current [7] “Dictionaryattack.”(2007,September27).In Wikipedia, andfutureauthenticationmethods. The Free Encyclopedia . [Online] Available:

http://en.wikipedia.org/wiki/Dictionary_attack . EAP has been implemented based on several [8] “CiscoSecurityNotice:DictionaryAttackonCiscoLEAP well-known authentication technologies. For Vulnerability.”(2004,July19).In CiscoSecurityNotice . instance,thereareversionsofEAPbuiltontopof PSK,TLS,TTLS,GSM,AKA,amongmanyothers. [Online] Available: http://www.cisco.com/warp/public/707/cisco- Unfortunately, some of these implementations sn-20030802-leap.pdf . present significant security vulnerabilities such as [9] T. Wu. (1999). A Real-World Analysis of Kerberos exposure to dictionary attacks, plaintext attacks, Password Security. In Symposium on Network and known-ciphertext attacks, and man-in-the-middle DistributedSystemsSecurity(NDSS'99),SanDiego,CA . attacks. [Online] Available: To conclude, EAP is a highly flexible http://www.isoc.org/isoc/conferences/ndss/99/proceedings/papers/wu.pd infrastructure for secure network access f. authentication.Thusfar,ithasbeenimplementedin SotilloECU 6 [10] “Known-plaintextattack.”(2007,November1).In Wikipedia,TheFreeEncyclopedia .[Online]Available: http://en.wikipedia.org/wiki/Known-plaintext_attack. [11] B.Aboda.(2006,June13). TheUnofficial802.11 SecurityWebPage .[Online]Available: http://www.drizzle.com/~aboba/IEEE/ . [12] N.Asokan,V.Niemi,andK.Nyberg.(2003,June). “Man-in-the-MiddleinTunneledAuthentication,”In11th SecurityProtocolsWorkshop,Cambridge,United Kingdom .[Online]Available: http://www.saunalahti.fi/~asokan/research/tunnel_extab_fi nal.pdf . [13] “GSM.”(2007,November10).In Wikipedia,TheFree Encyclopedia .[Online]Available: http://en.wikipedia.org/wiki/GSM . [14] S.Patel.(2003,May29).“AnalysisofEAP-SIMSession Keyagreement.”Inwww.Drizzle.com.[Online] Available: http://www.drizzle.com/~aboba/EAP/AnalyisOfEAP.pdf . [15] E.Barkan,E.Biham,N.Keller.(2003).“Instant Ciphertext-onlyCryptanalysisofGSMEncrypted Communication.”In Crypto2003 .[Online]Available: http://www.springerlink.com/index/ythkwv4gfq0fr5j4.pdf . ©2007SamuelSotillo (Samuel.sotilloatgmaildotcom )