Professional Documents
Culture Documents
EAP Intro
EAP Intro
EAP Background
Originally developed for use with ppp.
Extends the ppp-chap authentication
method.
Designed to work as a link layer
authentication protocol.
PPP Overview
PPP point to point protocol.
A link layer protocol.
Used for point to point lines, for example:
dial-up lines.
Has a built in authentication protocol.
PPP Authentication
PPPs authentication settings are set by
the LCP before authentication begins.
All of the authentication protocols used
must be determined at this stage.
NAS must know the protocols used for the
authentication process.
EAP messages
All EAP messages have a common
format:
0
1
2
3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Code: 1 byte,
representing the
type of EAP
message
Code
Identifier
...Data
ID: 1 byte,
Length
Length: 2 byte,
The total message
length
EAP messages 2
EAP request and response messages
have the same format , with code=1 for
requests and code=2 for responses
0
1
2
3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
Code
Identifier
Type
.Type Data
Length
Type: 1 byte,
The type of
authentication protocol
used
EAP messages 3
EAP Success messages are EAP
messages with code 3 and no data.
A success message means that the
authentication concluded successfully.
EAP failure messages are EAP
messages with code 4 and no data.
A Failure message means that the
authentication has failed.
Notes
All the messages pass on the
communication line in plain-text (unless
there is a protection mechanism in the link
layer below)
The messages are not
signed/authenticated at the EAP level
although individual EAP methods may
MAC/sign/encrypt their data.
Identity Request
Authenticator
Identity Response
Repeated as many
times as needed
EAP Request
EAP Response with the same type or a Nak
Identity Response
EAP Request
EAP Response with the same type or a Nak
Error/duplicate handling
To overcome a possibly unreliable linklayer below, EAP has built in duplicate
handling and retransmission facilities.
The authenticator is responsible for all
retransmissions , if a response is lost the
request will time-out and be resent.
Duplicate handling is done by discarding
any unexpected messages.
Authentication example
using MD5
Authenticator
Peer
Identity Request
Code=1
Type=1
Response
= Identity
Type Data
Code=2
Type=1
Code=1
Type=4
EAP-MD5 Request
Code=2
Type=4
Type Data=hash(I&Secret&md5-challange)
Security weaknesses
The MD5 challenge has serious security
problems.
An offline dictionary attack on the users
password is possible, because the challenge is
known.
The protocol is completely exposed to man in
the middle and session hijacking attacks.
Mounting a DOS attack is also very simple.
Conclusion
It is reasonable to use the MD5-challenge
authentication method over a secure line
for non-critical data.
It is however completely irresponsible to
use EAP for authentication over insecure
lines.
We will see how this limitation was
overcome in the next lecture.