Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

PEAP-TTLS

advertisement 
PEAP & EAP-TTLS
1.
2.
3.
4.
5.
6.
7.
8.
EAP-TLS Drawbacks
PEAP
EAP-TTLS
EAP-TTLS – Full Example
Security Issues
PEAP vs. EAP-TTLS
Other EAP methods
Summary
So far…
• EAP was introduced, it doesn’t provide enough
security for wireless environments.
• EAP-TLS provides protection from most attacks
2
EAP-TLS Drawbacks
• Lack of user identity protection
– Passed in the EAP/Identity and in the certificate
• Needs client certificate in order to authenticate
client
–
–
–
–
Generate and distribute the certificates
Revoke keys
Users login from different computers (Coffe shop…)
Users are more familiar with the idea of passwords.
Certificates may require some training.
3
EAP-TLS Extensions
• Two quite similar protocols are developed
in order to improve the weaker points of
EAP-TLS.
• In both, the main idea is to establish a TLS
channel and then using the TLS tunnel in
order to pass the identity of the user and
perform the authentication protocol.
4
PEAP – Protected EAP
• Developed by Microsoft, Cisco and RSA
Security
• Current status: Internet draft (draftjosefsson-pppext-eap-tls-eap-06.txt at
ieft.org)
• Provides: Mutual authentication, client
identity protection and key generation.
5
PEAP – The Participants
Perform PEAP (NAS uses as pass-through)
Trust
Some Link
Layer
Secured Link
Client
NAS
Backend Server
Can be the same machine or separated
The NAS doesn’t have to know PEAP
6
PEAP – The Protocol
Two phases:
1. Perform TLS handshake in which the server is
being authenticated to the client by using a
certificate. Optionally, the user can be
authenticated as well with a certificate.
2. If the user was not authenticated with a
certificate, perform EAP in the generated TLS
channel in order to authenticate the client.
7
PEAP Packet Format
Code
Identifier
Type
Flags
Ver
…TLS Message Length
Length
TLS Message Length…
TLS Data…. (EAP packets)
• Code: 1- Request 2- Response
• Identifier – Used to match response to request
• Type- 25 (PEAP)
• Flags: Length included, More fragments, Start flag
8
PEAP – Phase 1
EAP-Request / Identity
EAP- Response / Identity [My Domain]
EAP-Request (Type = PEAP, start)
TLS Handshake
Client
PEAP
Server
EAP- Response (empty)
9
PEAP – Phase 2
EAP-Request / Identity
EAP-Response / Identity [My ID]
EAP-Request / Type = X (MD5, OTP, etc)
Establish EAP method and
Perform authentication
Client
EAP-Success / EAP-Failure
PEAP
Server
Transfer of the generated key from the PEAP server to the
10
NAS if on different machines
EAP-TTLS
• Developed by Funk Software.
• Internet draft: draft-ieft-pppext-eap-ttls02.txt on ietf.org
• Provides: mutual authentication, key
generation , client identity privacy and data
cipher suite negotiation
11
EAP-TTLS – The Protocol
Again, two phases:
1. Establish TLS Channel, authenticate
server (Optionally authenticate user too)
2. If the user wasn’t authenticated, use the
TLS channel to authenticate user using an
authentication protocol (not only EAP)
12
EAP-TTLS – The Participants
Some Link Layer
(PPP, 802.11)
Authentication Protocol
(Radius)
Authentication, Authorizing
and/or Accounting protocol
(such as Radius)
Client NAS (EAP,AAA) TTLS Server (TLS,AAA) AAA
Server
EAP-TTLS conversation, TLS Channel
Authenticate (EAP, PAP, CHAP, etc)
13
EAP-TTLS Layers
User Authentication- PAP/CHAP/EAP etc
TLS
EAP-TTLS
EAP
Link Layer/AAA layer – PPP, Radius, etc
14
EAP-TTLS Packet Format
Code
Identifier
Type
Flags
Ver
…TLS Message Length
Contains AVPs, which encapsulates
Length information
authentication
(PAP/CHAP/...)
TLS Message Length…
TLS Data….
• Code: 1- Request 2- Response
• Identifier – Used to match response to request
• Type- 21 (EAP-TTLS)
• Flags: Length included, More fragments, Start flag
15
AVPs
• In PEAP the data exchanged between the client
and the server over the TLS channel is EAP
packets.
• In EAP-TTLS, AVPs – attribute-values pairs are
exchanged. Encrypted by TLS and encapsulated in
EAP-TTLS packets.
• The AVPs format of EAP-TTLS is compatible
with the Diameter & Radius AVP format.
• This allows easy translation of AVP packets by the
EAP-TTLS server between the client and the AAA
server (using Radius for example).
16
EAP-TTLS AVP Format
AVP Code
VMrrrrrr
AVP Length
Vendor-ID (optional)
Data…
AVP Code + Vendor ID : Used to identify attributes
V: Does Vendor-ID appear
M: 0- This AVP can be ignored if not supported
1- If this AVP isnt supported, fail the negotation
17
EAP-TTLS - Phase 1
EAP-Request / Identity
EAP- Response / Identity [My Domain]
EAP-Request (Type= EAP-TTLS, start)
TLS Handshake
Client
TTLS
Server
EAP- Response (empty)
18
EAP-TTLS – Phase 2
Exchange AVPs over the
TLS Channel,
encapsulated in EAPTTLS
AVPs (extracted from the
TTLS records)
EAP-Success/
EAP-Failure
Client
Success/Failure
TTLS
Server
TTLS Message Exchange
NAS as a pass-through
AAA
Server
Radius Message Exchange
19
EAP-TTLS – Key
Distribution
• EAP-TTLS Enables key distribution to the client
and to the access point.
• The key is used for the communication between
the AP and the client.
• Supports exchange of:
– Data cipher suite (cryptographic algorithm, key length)
not the same as the suite used in the TLS phase
– Keying Material (from which the used keys will be
generated) Supported by PEAP as well.
20
EAP-TTLS – Key
Distribution (2)
• The client and the AP send their data cipher suite
preferences to the TTLS server which select a
cipher suite supported by both and sends it to both.
(we’ll see when exactly in the following example)
• If the client and/or the AP do not send their
preferences, other means of negotiation should be
used. (link layer…)
• The client and TTLS server generate their keying
material (as in EAP-TLS) and the TTLS sends the
keying material to the AP
21
EAP-TTLS – Full Example
LAN
Radius
Access Point
Radius
TTLS Server
AAA
Client
• Usage of CHAP in order to authenticate the client
• Establishment of data cipher suite and keying material
22
EAP-TTLS – Full Example (1)
Radius
Access Point
Client
Radius
TTLS Server
AAA
EAP-Request/Identity
EAP-Response/Identity
Radius Access Request: Data-Cipher-Suite+ EAP-Response/Identity
Radius Access Challenge: EAP-Request/TTLS-Start
EAP-Request/TTLS-Start
EAP-Response/TTLS: client_hello
RAR: EAP-Response/TTLS: client_hello
RAC: EAP-Request/TTLS (server_hello,certificate,
server_key_exchange,server_hello_done)
23
EAP-TTLS – Full Example (2)
Radius
Client
Access Point
Radius
TTLS Server
AAA
EAP-Request/TTLS (server_hello,certificate,server_key_exchange,srv_hello_done)
EAP-Response/TTLS (client_key_exchange,CCS,client_finish)
RAR: EAP-Response/TTLS (client_key_exchange,CCS,client_finish)
RAC: EAP-Request/TTLS (CCS, server_finish)
EAP-Request/TTLS (CCS, server_finish)
EAP-Response/TTLS (user_name, CHAP-Challenge&Password) Data-CipherSuite+
RAR: EAP-Response/TTLS (user_name, CHAP-Challenge, CHAP-Password)
+Data-CipherSuite
RAR: User_name, CHAP-Challenge, Chap-Password
24
EAP-TTLS – Full Example (3)
Radius
Access Point
Client
Radius
TTLS Server
AAA
Radius Access-Accept [RAA]
RAC: EAP-Request/TTLS (Data-Cipher-Suite)
EAP-Request/TTLS (Data-Cipher-Suite)
EAP-Response (No data)
RAR: EAP-Response (No data)
RAA: Data-Cipher-Suite, Data-Keying-Material, EAP-Success
EAP-Success
Mutual Authentication done
Data cipher suite and key established
25
PEAP & EAP-TTLS
Security Issues
• Based on TLS which is well tested. Using TLS
grants protection from:
– Man in the middle attacks
– Snooping user ID & password
– Session hijacking
• Usage of tunneling:
– Enables using existing protocols over a protected layer
– Provides client identity protection:
• Identity passed over the TLS channel
• If the client is to be authenticated using a certificate, can be
done after the TLS channel was established
26
Open Security Problems
• Relies on the security between the AAA,
TTLS/PEAP server and AP.
• Injection of EAP-Success / EAP-Failure
packets
– Possible solution: Other EAP message? inside
the channel?
27
Compare PEAP, EAP-TTLS,
EAP-TLS
PEAP
EAP-TTLS
EAP-TLS
Server
Authentication
certificate
certificate
certificate
Client
Authentication
Any EAP
method
Any
Authentication
method
certificate
User identity
protection
Yes, TLS
Yes, TLS
No
Cipher-Session
Negotiation
No
Yes
No
EAP Attacks:
Session hijacking,
Man-in the
middle,
Dictionary attack
Protected
(TLS)
Protected
(TLS)
Protected
(TLS)
28
Additional Issues
In addition to the security issues we introduced about PEAP &
EAP-TTLS , they have some additional features:
• Same as in EAP-TLS:
•Support for fragmentation of long messages
•Support for fast re-connection to the network (using TLS
resumption abilities)
• Exchange of information between the client and the
authentication server. (EAP-TTLS: AVPs, PEAP: Latest draft
defines something similar – TLVs)
Example for such information: language settings for notifications
29
Other EAP Methods
• EAP-MD5
– Only user authentication
– Uses user id and password
– Vulnerable to Dictionary attack, man in the middle,
session hijack
– Easy implementation
• EAP-SRP (Secure Remote Password)
– Usage of DH in order to authenticate both sides.
(The DH exchange is protected via usage of hash and
salt)
– Does not use certificates at all
– Mutual authentication
– Uses user id and password
30
EAP Methods (2)
• EAP-LEAP (Light Extensible Authentication Protocol)
– Developed by Cisco as a proprietary protocol, can only
be supported by Cisco NASes
– Usage of challenge and response
– Mutual authentication
– Uses user id and password (no certificates)
– Vulnerable to dictionary attack
• EAP-SIM
– Used for cellular communication, based on challengeresponse which is done according to a key stored in the
SIM card of a GSM cell phone.
– Mutual Authentication
– Vulnerable to spoofing
31
EAP Methods (3)
• EAP-SecurID
– Usage of one time password in order to
authenticated client.
– No authentication of the server (solution: use
tunneling)
– Vulnerable to Man in the middle attack, session
hijack
32
Summary (1)
• EAP enables usage of diverse methods in order to
perform authentication. It defines the exchange of
message until authentication process is done.
• EAP-TLS makes use of the existing TLS protocol
in order to provide safe mutual authentication.
• PEAP and EAP-TTLS use TLS to authenticate
server and offer tunneling of other methods in
order to authenticate the client.
33
Summary (2)
EAP Architecture
P
A
P
MD5
TLS
C
H
A
P
E
A
P
TTLS
E
A
P
PEAP
MS-CHAPv2
EAP
802.1X
PPP
802.11
34
Summary (3)
What to use? A few examples:
• On a wired network EAP-MD5 is probably enough for
most uses. Can be tunneled through PEAP/EAP-TTLS for
extended security and server authentication
• If a certificate system is existing EAP-TLS can be used to
provide a high level of security.
• If an existing non-EAP authentication system exists- EAPTTLS is the only option to enable its usage in a secure
way.
• EAP-SecurID can be used tunneled if OTPs are to be used.
LEAP can be used if the NAS is from cisco.
• Many more methods are being developed.
35
Related documents
EAP Protocols Supported - Cisco Support Community
EAP Protocols Supported - Cisco Support Community
Created
Created
Introduction
Introduction
here. - Training for Learning and Serving
here. - Training for Learning and Serving
Employing Web Authentication and Encryption Technologies
Employing Web Authentication and Encryption Technologies
EDUCAUSE/Internet2 Computer and Network Security Task Force
EDUCAUSE/Internet2 Computer and Network Security Task Force
802.1x What it Really Means to Wireless Security
802.1x What it Really Means to Wireless Security
Master Thesis Proposal
Master Thesis Proposal
Theoretical Basis for this Curriculum
Theoretical Basis for this Curriculum
Download
advertisement