Most of the more recent EAP types are made up of two components: an outer and an inner authentication type, separated by a forward slash—such as PEAPv0/EAP-MSCHAPv2. The outer type defines the method used to establish an encrypted channel between the client (peer) and the Authentication Server.
| Note |
The primary goal of the Transport Level Security (TLS) Protocol is to provide privacy and data integrity between two communicating applications. TLS is based on the Netscape SSL 3.0 Protocol Specification, although they are not interoperable. The protocol is composed of two layers: the TLS Record Protocol and the TLS Handshake Protocol, and is situated between ISO layers 3 and 4. Symmetric cryptography is used for data encryption (e.g., DES, RC4, AES, etc). The keys for this symmetric encryption are generated uniquely for each connection. Message transport includes a message integrity check using a keyed MAC (SHA, MD5). These two elements ensure data confidentiality and integrity for each connection.
|
In Figure 1 an outer authentication method, PEAP, is negotiated between a client such as an IP phone or a workstation and a RADIUS authentication server. The intermediate NAS proxies the first several exchanges and then serves to passively mediate traffic in both directions. The NAS does not have knowledge of the keys used to instantiate the TLS tunnel, and thus, cannot be used to snoop on the encrypted traffic passing through it.
This outer tunnel verifies the server to the client using digital certificates.
Once the outer channel is established, the inner authentication type passes the user’s credentials to the Authentication Server over this TLS encrypted tunnel for additional authentication of, typically, user credentials. Passing user credentials through the TLS encrypted tunnel protects them from exposure (see Figure 2).
One of EAP’s potential security vulnerabilities is that data exchanged as part of some of the outer authentication types, such as identity data, and the results of parameter negotiations are sent in the clear. This can result in a Denial-of-Service (DoS) condition since an attacker, for example, can flood the connection with different types of EAP notification messages.
In Table 1some of the characteristics for the different types are summarized. In the last two fields more plus signs (&) equals greater difficulty and more strength, respectively.
Most of the newer EAP types defined by the Wi-Fi Alliance (those with the forward slash and EAP-SIM) are derived from this EAP type. EAP-PEAP and PEAPv0/EAP-MSCHAPv2 are the same thing. PEAPv1/EAP-GTC is a Cisco invention.
EAP-TLS
EAP-TLS (Extensible Authentication Protocol—Transport Layer Security) provides for certificate-based and mutual authentication of the client and the network. EAP-TLS is the most secure of the common EAP types, but requires a PKI (public key infrastructure) to manage and distribute client certificates. The TLS protocol has its roots in the Netscape SSL protocol, which was originally intended to secure HTTP. It provides either one-way or mutual authentication of client and server based on certificates. In its most typical use in HTTP, the client authenticates the server based on the server’s certificate and establishes a tunnel through which HTTP traffic is passed. Username and password management in this scheme is irrelevant as identity is based upon possession of the appropriate private key. The obligatory overhead of a certificate management infrastructure normally precludes use of this EAP type.
Table 1: EAP Types Summary
EAP Type
|
Server Authentication
|
Client Authentication
|
Native Windows 2003 Support
|
Confidentiality
|
Integrity
|
Deployment Difficulty
|
Security Strength
|
EAP-TLS
|
Certificate
|
Certificate
|
Yes
|
TLS
|
+
|
+++++
|
+++++
|
EAP-PEAP
|
Certificate
|
Certificate, Smartcard, MS-CHAP-V2
|
Yes
|
TLS
|
+
|
++
|
++++
|
PEAPv0/ EAP-MS CHAPv2
|
Certificate
|
Certificate, Smartcard, MS-CHAP-V2
|
Yes
|
TLS
|
+
|
++
|
++++
|
EAP-TTLS
|
Certificate
|
PAP, CHAP, EAP, MS-CHAP-V2, Certificate
|
No
|
TLS
|
+
|
+++
|
++++
|
PEAPv1/ EAP-GTC
|
Password hash
|
Password hash (Token)
|
No
|
No
|
+
|
???
|
+++
|
EAP-SIM
|
128-bit secret
|
SIM secret
|
No
|
+/−
|
+/−
|
+++
|
++
|
EAP-FAST
|
Optional (PAC) password
|
Password (PAC)
|
No
|
+
|
+
|
+++
|
+++
|
LEAP
|
Password
|
Password
|
No
|
+
|
+
|
+++
|
+
|
MD5
|
None
|
None
|
Yes
|
−
|
−
|
+
|
+
|
EAP-PEAP
EAP-PEAP (Extensible Authentication Protocol-Protected Extensible Authentication Protocol) provides a method to transport secure authentication data, including legacy pass-word-based protocols. PEAP accomplishes this by tunneling user credentials over a TLS tunnel between PEAP clients and an authentication server. EAP-PEAP is the best combination of security and ease of deployment in Windows environments today. EAP-PEAP requires only a server certificate (which is simple enough to create for testing using the native MS Certification Authority) and client side username/password combinations. EAP-PEAP is natively supported on Windows XP and Windows 2000 SP4 and above client platforms and IAS (Internet Authentication server). PEAPvO/EAP-MSCHAPv2 is the same thing as EAP-PEAP.
EAP-TTLS
EAP-TTLS (Extensible Authentication Protocol-Tunneled Transport Layer Security) is supported primarily by the Funk RADIUS people. EAP-TTLS, like PEAP, is also relatively easy to deploy (it requires only a server-side certificate) and quite secure since it tunnels user credentials inside of a TLS tunnel; however, this Funk Software invention has not been supported by Microsoft on clients or IAS server. Thus, EAP-TTLS requires the use of an additional software. TTLS and PEAP are similar in other ways, but there are differences: TTLS supports other EAP authentication methods and also supports inner authentication methods, PAP, CHAP, MS-CHAP, and MS-CHAPv2; whereas PEAP can tunnel only EAP-type protocols such as EAP-TLS, EAP-MS-CHAPv2, and EAP-SIM.
PEAPv1/EAP-GTC
PEAPv1/EAP-GTC (Extensible Authentication Protocol-Generic Token Card) was defined in RFC2284 along with one-time passwords, and MD5 was one of the initial set of EAP Types used in Request/Response exchanges. Cisco supports this type of PEAP (v1 vs. v0) and Microsoft supports only PEAPv0.
EAP-FAST
EAP-FAST (Extensible Authentication Protocol-Flexible Authentication via Secure Tunneling) was developed by Cisco. EAP-FAST authenticates both the client and the authentication server using a preshared secret known as the Protected Access Credential (PAC). EAP-FAST is a certificate-free replacement for LEAP EAP-FAST is easy to implement in Windows/Cisco mixed environments, but this method is vulnerable to MITM (man in the middle) attacks in which an attacker can acquire the MS-CHAPv2 hash of the user’s passwords, which can then be subjected to off-line dictionary attacks.
LEAP
LEAP (Lightweight Extensible Authentication Protocol) is an EAP authentication type used primarily in Cisco Aironet WLANs. LEAP supports strong mutual authentication, based upon a modified MS-CHAPv2 challenge/response, between the client and a RADIUS server using a logon password as the shared secret. It provides dynamic per-user, per-session WEP encryption keys. LEAP has been superseded by EAP-FAST due to the public availability of LEAP hash cracking tools such as ASLEAP. There is some disagreement regarding the value of complex password enforcement when using LEAP. When in doubt, use the longest, most complicated passwords that your userbase will agree to.
EAP-MD-5
EAP-MD-5 (Extensible Authentication Protocol-Message Digest) is an EAP authentication type that provides base-level EAP support. EAP-MD5-Tunneled is an EAP protocol designed for use as an inner authentication protocol within a tunneling protocol such as EAP- TTLS or EAP-PEAP. This has additional security features, but has not been widely deployed.
Notes from the Underground
—RainbowCrack
Passwords are the most common form of computer authentication today. Password encryption is done using a one-way hashing algorithm such as MD5 or SHA-1. A one-way hash function, also known as a message digest, is a mathematical function that takes a variable-length input string and converts it into a f ixed-length binary sequence that is computationally difficult to invert—that is, generate the original string from the hash. Conventional password crackers grab a word or string of wordlike tokens and run it though the hash algorithm. It then compares its generated hash with the target password hash. If they match, then the password has been discovered. The computationally expensive part of this process is the hash generation preceding the hash comparison, not the actual comparison process itself.
RainbowCrack is a general-purpose implementation of Philippe Oechslin’s faster time-memory trade-off technique. In short, the RainbowCrack tool is an extremely fast and effective hash cracker The simple but brilliant idea of time-memory trade-off is to do all the hash generation computation in advance and store the result in chains of files called “rainbow tables.” It does take a long time to precompute the tables (it takes 2–3 days to generate the rainbow tables necessary to crack a lowercase-letters-only Windows (LM hash) password that’s between 1 and 7 characters in length), but after this one-time computation is finished, a time-memory trade off crarker can crack passwords hundreds or thousands of times faster than a brute force cracker.
Inner Authentication Types
A number of inner authentication methods exist. The most commonly used is MS-CHAP-V2 because it is relatively secure and it is supported natively on all recent Microsoft clients. Additionally, PAP, CHAP, MD5, GTC, and other inner authentication methods exist but are not nearly as commonly used. Interestingly, even EAP itself can be tunneled within EAP.