Académique Documents
Professionnel Documents
Culture Documents
EAP stands for Extensible Authentication Protocol. Offers a basic framework for authentication. Many different authentication protocols can be used over it. New authentication protocols can be easily added.
EAP Background
Originally developed for use with ppp. Extends the ppp-chap authentication method. Designed to work as a link layer authentication protocol.
PPP Overview
PPP point to point protocol. A link layer protocol. Used for point to point lines, for example: dial-up lines. Has a built in authentication protocol.
PPP Authentication
PPPs authentication settings are set by the LCP before authentication begins. All of the authentication protocols used must be determined at this stage. NAS must know the protocols used for the authentication process.
EAP messages
All EAP messages have a common format:
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Identifier
Length
EAP messages 2
EAP request and response messages have the same format , with code=1 for requests and code=2 for responses
0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Code Type
Length
EAP messages 3
EAP Success messages are EAP messages with code 3 and no data. A success message means that the authentication concluded successfully. EAP failure messages are EAP messages with code 4 and no data. A Failure message means that the authentication has failed.
Notes
All the messages pass on the communication line in plain-text (unless there is a protection mechanism in the link layer below) The messages are not signed/authenticated at the EAP level although individual EAP methods may MAC/sign/encrypt their data.
Authenticator
EAP Request
EAP Response with the same type or a Nak
EAP Success or EAP Failure message Identity Request If mutual Auth Is required Repeated
as needed Identity Response
EAP Request
EAP Response with the same type or a Nak
Error/duplicate handling
To overcome a possibly unreliable linklayer below, EAP has built in duplicate handling and retransmission facilities. The authenticator is responsible for all retransmissions , if a response is lost the request will time-out and be resent. Duplicate handling is done by discarding any unexpected messages.
Peer
Type=1 Type Data= peer identity Code=1 Identifier=I Length=the total length Type=4 Code=2 Type=4 EAP Data= Response Type MD5 the md5 challenge string. Identifier=I Length=the total length Type Data=hash(I&Secret&md5-challange)
EAP-MD5 Request
Security weaknesses
The MD5 challenge has serious security problems. An offline dictionary attack on the users password is possible, because the challenge is known. The protocol is completely exposed to man in the middle and session hijacking attacks. Mounting a DOS attack is also very simple.
Are these attacks really a problem? Not really, because we are supposed to be working on a SECURE line. A man in the middle, session hijacking and DOS attacks need access to the physical communication line. The offline dictionary attack may still be a problem. However, this can be solved.
Conclusion
It is reasonable to use the MD5-challenge authentication method over a secure line for non-critical data. It is however completely irresponsible to use EAP for authentication over insecure lines. We will see how this limitation was overcome in the next lecture.