The Extensible Authentication Protocol (EAP) is widely used as an authentication framework to control the access to wireless networks, e.g. in IEEE 802.11 and IEEE 802.16 networks. In this paper, we discuss limitations of EAP security and demonstrate how these limitations can be exploited to launch attacks on existing EAP methods. In particular, we present a series of attacks which cause some standard security claims, namely channel binding, protected ciphersuite negotiation and cryptobinding, to fail and compromise the key exchange, authentication and privacy of EAP communications. Next, we identify the special security challenges of EAP systems that may cause the considered security claims to fail. EAP differs from other authentication frameworks as a two party protocol, like IKE and TLS, because it is conducted with three parties involved across two communication links with different media. Another security challenge of EAP is the negotiability of EAP methods, ciphersuites, and protocol versions. These challenges make it difficult to derive a trust model for EAP and to securely adopt existing protocols. Finally, we conclude with recommendations for more secure EAP implementations. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. not provide any physical protection. Without implementing any layer of security, adversaries can eavesdrop on wireless communications and unauthorized users can easily access the network. To prevent these and other attacks, wireless networks need to provide an access control mechanism that enables authentication of all wireless users who wish to access the network. The authentication needs to be mutual to prevent an adversary from masquerading as a wireless access point. Furthermore, a key management scheme is needed to establish keys that can be used to secure all communications over the wireless channel.
Categories and Subject DescriptorsCurrently, the Extensible Authentication Protocol (EAP), defined in IETF RFC 3748 [13], has been adopted by a few wireless standards as an access authentication and key establishment protocol. For example, IEEE 802.11i [6] makes use of IEEE 802.1X [8], which relies on EAP for authentication. EAP is also an authentication option in IEEE 802.16e [9]. EAP is an authentication framework that defines message formats and flows to support different authentication methods, referred to as EAP methods in the remainder of this paper. There are currently more than 40 EAP methods, e.g.
EAP-TLS [16], EAP-TTLS [4], and EAP-GPSK [3]. EAP was originally designed for the use with the Point-to-Point Protocol (PPP). However, today EAP is widely used to control access to wireless networks and we limit our d...
