The Unofficial EAP Security Web Page

Last update: June 22, 2009

Related Sites

The Unofficial 802.11 Security Web Page
The Unofficial RADIUS Security Web Page
The Unofficial 802.11 Performance Web Page
The Unofficial Handoff and Roaming Web Page
The Unofficial Geographic Location Web Page

Extensible Authentication Protocol (EAP)

EAP is the IETF standard for extensible authentication in network access. It is standardized for use within PPP (RFC 2284), wired IEEE 802 networks (IEEE 802.1X), and VPNs (L2TP/IPsec and PIC). Here are pointers to information on the EAP protocol:

EAP (Proposed Standard, RFC 3748)
EAP Issues List
EAP state machine (Informational, RFC 4137)
EAP WG mailing list archives
How to develop an EAP method for Windows

EAP Key Management

EAP methods provide keying material. Here are the documents describing EAP key management.

EAP Key Management Framework (Proposed Standard, RFC 5247)
MPPE Key Derivation (Informational, RFC 3079)

EAP methods

Security requirements

Since EAP is extensible, there are many proposals for authentication methods that work with it. Only some of these methods meet the requirements for use in wireless authentication; others have known security vulnerabilities. Here are the security requirements for EAP methods as laid out by IEEE 802.11i:

EAP method requirements (Informational, RFC 4017)

Here are some of the proposed EAP methods:

Certificate authentication

EAP-TLS (Proposed Standard, RFC 5216)

Token card/smartcard authentication

RSA SecurID Token Card (Internet Draft, work in progress)
EAP POTP (Informational, RFC 4793)
Smartcard EAP Method (Internet Draft, work in progress)

Password authentication

PEAPv2 (Internet Draft, work in progress); used with: EAP MS-CHAP-v2 (Internet Draft, work in progress)
EAP-FAST (Informational, RFC 4851)
TLS Session Resumption for EAP-FAST (Proposed Standard, RFC 4507)
EAP-SRP (Internet Draft, work in progress)
Presentation on EAP SRP

Pre-shared keys

EAP Archie (Internet Draft, work in progress)
Presentation on EAP Archie
EAP-PSK (Proposed Standard, RFC 4764)
EAP-PAX (Informational, RFC 4746)

Security vulnerabilities in EAP methods

Here is a summary of the known security vulnerabilities of implemented or proposed EAP methods.

Kerberos vulnerability

Kerberos is vulnerable to dictionary attacks. Here are the details on the vulnerability:

EAP-GSS (Internet Draft, work in progress)
IAKERB (Internet Draft, work in progress)
Thomas Wu's security analysis of Kerberos (why using Kerberos for wireless authentication isn't a good idea)

LEAP vulnerability

Cisco's LEAP protocol is also vulnerable to dictionary attacks, and several LEAP cracking tools are now available. Here are the details on the vulnerability and cracking tools:

ASLEAP cracking tool
THC LEAP cracking tool
ANWRAP LEAP cracking tool
Cisco Security Advisory on default username/password vulnerability
Cisco LEAP specification
Cisco Tech Note on LEAP Dictionary Attack Vulnerabilities
Computerworld story
Defcon 11 Presentation on LEAP cracking
Light-Reading Presentation on LEAP cracking
Security analysis of MS-CHAPv1
Security analysis of MS-CHAPv2

EAP-SIM vulnerability

The security weaknesses in GSM/GPRS are well known. Recently there have been proposals for reuse of GSM (SIM) and 3G (AKA) security mechanisms in WLAN. Here are pointers to the specifications and papers describing how GSM/GPRS security can be cracked in real time. The attacks can be used against EAP-SIM where a single SIM is used for both WLAN and WWAN authentication:

EAP-SIM Specification (Informational, RFC 4186)
Security Analysis of EAP SIM
Instant Ciphertext-only Cryptanalysis of GSM Encrypted Communication
Other GSM security analyses
EAP AKA (Informational, RFC 4187)
EAP AKA' (Informational, RFC 5448)
3GPP security (AKA)

PAP vulnerability

Authentication protocols supporting cleartext authentication using RADIUS (even within a protected tunnel) are vulnerable to known plaintext attacks. IETF protocols vulnerable to this attack include:

IKEv2 (Proposed Standard, RFC 4306)
EAP TTLSv0 (Informational, RFC 5281)

Here are the details of the vulnerability:

PAP security vulnerability

Man-in-the-Middle Attacks on Tunneled Authentication Protocols

It has recently been discovered that a number of protocols proposed within the IETF are vulnerable to man-in-the-middle attacks. IETF protocols vulnerable to the attack include:

HTTP digest over TLS
XAUTH within IKE
PIC
PANA over TLS
EAP TTLSv0 (Informational, RFC 5281)
Microsoft Windows XP SP1 PEAPv0 Implementation
Cisco PEAPv1 Implementation (Internet Draft, work in progress)

Details of the attacks are described in these papers:

The Compound Authentication Binding Problem (Internet Draft, work in progress)
Man-in-the-Middle Attacks in Tunneled Authentication Protocols (Nokia Research Center)
What's Wrong with PIC? (Presentation to IETF 55 Credentials Workshop)