

• Number of slides: 35

Slide 1: PEAP & EAP-TTLS
1. EAP-TLS Drawbacks
2. PEAP
3. EAP-TTLS
4. Full Example
5. Security Issues
6. PEAP vs. EAP-TTLS
7. Other EAP methods
8. Summary

Slide 2: So far…
• EAP was introduced; it doesn't provide enough security for wireless environments.
• EAP-TLS provides protection from most attacks.

Slide 3: EAP-TLS Drawbacks
• Lack of user identity protection: the identity is passed in the EAP/Identity exchange and in the certificate.
• Needs a client certificate in order to authenticate the client:
  – Generate and distribute the certificates
  – Revoke keys
  – Users log in from different computers (coffee shop…)
  – Users are more familiar with the idea of passwords; certificates may require some training.

Slide 4: EAP-TLS Extensions
• Two quite similar protocols were developed in order to improve the weaker points of EAP-TLS.
• In both, the main idea is to establish a TLS channel and then use the TLS tunnel to pass the identity of the user and perform the authentication protocol.

Slide 5: PEAP – Protected EAP
• Developed by Microsoft, Cisco and RSA Security
• Current status: Internet draft (draft-josefsson-pppext-eap-tls-eap-06.txt at ietf.org)
• Provides: mutual authentication, client identity protection and key generation

Slide 6: PEAP – The Participants
Client ---(Some Link Layer)--- NAS ---(Secured Link, Trust)--- Backend Server
• The NAS is used as a pass-through; the NAS doesn't have to know PEAP.
• The backend server performs PEAP.
• The NAS and the backend server can be the same machine or separated.

Slide 7: PEAP – The Protocol
Two phases:
1. Perform a TLS handshake in which the server is authenticated to the client by using a certificate. Optionally, the user can be authenticated as well with a certificate.
2. If the user was not authenticated with a certificate, perform EAP inside the generated TLS channel in order to authenticate the client.

Slide 8: PEAP Packet Format
Code | Identifier | Length | Type | Flags | Ver | …TLS Message Length… | TLS Data… (EAP packets)
• Code: 1 - Request, 2 - Response
• Identifier: used to match a response to its request
• Type: 25 (PEAP)
• Flags: Length included, More fragments, Start flag

Slide 9: PEAP – Phase 1
PEAP Server -> Client: EAP-Request / Identity
Client -> PEAP Server: EAP-Response / Identity [My Domain]
PEAP Server -> Client: EAP-Request (Type = PEAP, start)
Client <-> PEAP Server: TLS Handshake
Client -> PEAP Server: EAP-Response (empty)

Slide 10: PEAP – Phase 2 (inside the TLS channel)
PEAP Server -> Client: EAP-Request / Identity
Client -> PEAP Server: EAP-Response / Identity [My ID]
PEAP Server -> Client: EAP-Request / Type = X (MD5, OTP, etc.)
Client <-> PEAP Server: establish the EAP method and perform authentication
PEAP Server -> Client: EAP-Success / EAP-Failure
Finally, the generated key is transferred from the PEAP server to the NAS if they are on different machines.

Slide 11: EAP-TTLS
• Developed by Funk Software.
• Internet draft: draft-ietf-pppext-eap-ttls-02.txt on ietf.org
• Provides: mutual authentication, key generation, client identity privacy and data cipher suite negotiation

Slide 12: EAP-TTLS – The Protocol
Again, two phases:
1. Establish a TLS channel and authenticate the server (optionally authenticate the user too).
2. If the user wasn't authenticated, use the TLS channel to authenticate the user using an authentication protocol (not only EAP).

Slide 13: EAP-TTLS – The Participants
Client ---(Some Link Layer: PPP, 802.11)--- NAS (EAP, AAA) ---(Authentication Protocol: Radius)--- TTLS Server (TLS, AAA) ---(Authentication, Authorizing and/or Accounting protocol, such as Radius)--- AAA Server
• EAP-TTLS conversation / TLS channel: between the Client and the TTLS Server
• Authentication (EAP, PAP, CHAP, etc.): carried through the tunnel

Slide 14: EAP-TTLS Layers (top to bottom)
User Authentication: PAP/CHAP/EAP etc.
TLS
EAP-TTLS
EAP
Link Layer / AAA layer: PPP, Radius, etc.

Slide 15: EAP-TTLS Packet Format
Code | Identifier | Length | Type | Flags | Ver | …TLS Message Length… | TLS Data…
The TLS Data contains AVPs, which encapsulate the authentication information (PAP/CHAP/...).
• Code: 1 - Request, 2 - Response
• Identifier: used to match a response to its request
• Type: 21 (EAP-TTLS)
• Flags: Length included, More fragments, Start flag
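Added example (not from the slides): a Python encoder/decoder for the packet header that slides 8 and 15 share, with the standard EAP Length field, the L/M/S flag bits and Ver bits, the optional 4-byte TLS Message Length, and the consistency checks a receiver should make before trusting the lengths. The sample packets are constructed.

```python
import struct
from dataclasses import dataclass
from typing import Optional

TYPE_EAP_TTLS, TYPE_PEAP = 21, 25                          # EAP Type values from the slides
FLAG_L, FLAG_M, FLAG_S, VER_MASK = 0x80, 0x40, 0x20, 0x07  # Flags byte: L M S r r Ver(3 bits)

@dataclass
class TunnelEapPacket:
    code: int                          # 1 = Request, 2 = Response
    identifier: int                    # matches a Response to its Request
    eap_type: int                      # 21 = EAP-TTLS, 25 = PEAP
    more_fragments: bool               # M flag
    start: bool                        # S flag
    version: int                       # Ver bits
    tls_message_length: Optional[int]  # present only when L is set (first fragment of a long message)
    tls_data: bytes

def build_tunnel_eap(code, identifier, eap_type, flags, tls_data=b"", total_len=None) -> bytes:
    """Encode one EAP-TTLS/PEAP packet; the 4-byte TLS Message Length appears only when L is set."""
    body = struct.pack("!BB", eap_type, flags)
    if flags & FLAG_L:
        body += struct.pack("!I", len(tls_data) if total_len is None else total_len)
    body += tls_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body  # EAP Length covers the whole packet

def parse_tunnel_eap(packet: bytes) -> TunnelEapPacket:
    """Decode a packet, rejecting the length inconsistencies a receiver must not trust."""
    if len(packet) < 6:
        raise ValueError("truncated EAP header")
    code, identifier, length, eap_type, flags = struct.unpack("!BBHBB", packet[:6])
    if length != len(packet):
        raise ValueError("EAP Length does not match packet size")
    if eap_type not in (TYPE_EAP_TTLS, TYPE_PEAP):
        raise ValueError(f"EAP Type {eap_type} is neither EAP-TTLS nor PEAP")
    pos, tls_len = 6, None
    if flags & FLAG_L:
        if len(packet) < 10:
            raise ValueError("L flag set but TLS Message Length missing")
        tls_len, pos = struct.unpack("!I", packet[6:10])[0], 10
    data = packet[pos:]
    if flags & FLAG_S and data:
        raise ValueError("Start packet must carry no TLS data")
    if tls_len is not None and tls_len < len(data):
        raise ValueError("TLS Message Length smaller than the data carried")
    return TunnelEapPacket(code, identifier, eap_type, bool(flags & FLAG_M),
                           bool(flags & FLAG_S), flags & VER_MASK, tls_len, data)
# Constructed samples: an EAP-TTLS Start request and the first fragment of a PEAP server message
TTLS_START = build_tunnel_eap(1, 7, TYPE_EAP_TTLS, FLAG_S)
PEAP_FRAG1 = build_tunnel_eap(1, 8, TYPE_PEAP, FLAG_L | FLAG_M, b"\x16\x03\x01\x00\x2a", total_len=1460)
```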

Slide 16: AVPs
• In PEAP, the data exchanged between the client and the server over the TLS channel is EAP packets.
• In EAP-TTLS, AVPs (attribute-value pairs) are exchanged, encrypted by TLS and encapsulated in EAP-TTLS packets.
• The AVP format of EAP-TTLS is compatible with the Diameter & Radius AVP format.
• This allows easy translation of AVP packets by the EAP-TTLS server between the client and the AAA server (using Radius, for example).

Slide 17: EAP-TTLS AVP Format
AVP Code | Flags (V M r r r r r r) | AVP Length | Vendor-ID (optional) | Data…
• AVP Code + Vendor-ID: used to identify attributes
• V: whether the Vendor-ID appears
• M: 0 - this AVP can be ignored if not supported; 1 - if this AVP isn't supported, fail the negotiation
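Added example (not from the slides): a Python encoder/decoder for the AVP format above, with the 3-byte AVP Length, the V and M flag bits, 4-byte padding, and the M-bit rule that an unsupported mandatory AVP fails the negotiation. The RADIUS attribute codes for User-Name, CHAP-Challenge and CHAP-Password are the standard RFC 2865 numbers; the sample message bytes are constructed.

```python
import struct

AVP_V, AVP_M = 0x80, 0x40    # AVP flags byte: V M r r r r r r
# RADIUS attribute codes (RFC 2865 numbering) carried as AVPs inside the tunnel
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60

def encode_avp(code: int, data: bytes, mandatory: bool = True, vendor_id=None) -> bytes:
    """Encode one AVP: Code, Flags, 3-byte Length (header + data, no padding), optional Vendor-ID, Data."""
    flags = (AVP_M if mandatory else 0) | (AVP_V if vendor_id is not None else 0)
    length = (12 if vendor_id is not None else 8) + len(data)
    out = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    if vendor_id is not None:
        out += struct.pack("!I", vendor_id)
    return out + data + b"\x00" * (-len(data) % 4)  # each AVP is padded to a 4-byte boundary

def decode_avps(buf: bytes, supported: set) -> list:
    """Walk the AVPs of one TTLS record. Unknown AVPs with M=0 are skipped; M=1 fails the negotiation."""
    avps, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", buf[pos:pos + 5])
        length = int.from_bytes(buf[pos + 5:pos + 8], "big")
        hdr = 12 if flags & AVP_V else 8
        if length < hdr or pos + length > len(buf):
            raise ValueError("AVP Length out of range")
        vendor = struct.unpack("!I", buf[pos + 8:pos + 12])[0] if flags & AVP_V else None
        if (vendor, code) in supported:
            avps.append((vendor, code, buf[pos + hdr:pos + length]))
        elif flags & AVP_M:
            raise ValueError(f"mandatory AVP {code} (vendor {vendor}) not supported: fail negotiation")
        pos += length + (-length % 4)  # step over the padding as well
    return avps

# Constructed phase-2 message (sample values, not a real session): User-Name, CHAP-Challenge, CHAP-Password
CHAP_MSG = (encode_avp(USER_NAME, b"alice")
            + encode_avp(CHAP_CHALLENGE, bytes(range(16)))
            + encode_avp(CHAP_PASSWORD, b"\x01" + bytes(16)))
SUPPORTED = {(None, USER_NAME), (None, CHAP_CHALLENGE), (None, CHAP_PASSWORD)}
```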

Slide 18: EAP-TTLS – Phase 1
TTLS Server -> Client: EAP-Request / Identity
Client -> TTLS Server: EAP-Response / Identity [My Domain]
TTLS Server -> Client: EAP-Request (Type = EAP-TTLS, start)
Client <-> TTLS Server: TLS Handshake
Client -> TTLS Server: EAP-Response (empty)

Slide 19: EAP-TTLS – Phase 2
Exchange AVPs over the TLS channel, encapsulated in EAP-TTLS packets.
Client <-> TTLS Server: TTLS message exchange (NAS as a pass-through)
TTLS Server <-> AAA Server: Radius message exchange (AVPs extracted from the TTLS records)
AAA Server -> TTLS Server: Success/Failure
TTLS Server -> Client: EAP-Success / EAP-Failure

Slide 20: EAP-TTLS – Key Distribution
• EAP-TTLS enables key distribution to the client and to the access point.
• The key is used for the communication between the AP and the client.
• Supports exchange of:
  – Data cipher suite (cryptographic algorithm, key length); not the same as the suite used in the TLS phase
  – Keying material (from which the used keys will be generated)
• Supported by PEAP as well.

Slide 21: EAP-TTLS – Key Distribution (2)
• The client and the AP send their data cipher suite preferences to the TTLS server, which selects a cipher suite supported by both and sends it to both. (We'll see when exactly in the following example.)
• If the client and/or the AP do not send their preferences, other means of negotiation should be used (link layer…).
• The client and the TTLS server generate their keying material (as in EAP-TLS) and the TTLS server sends the keying material to the AP.

Slide 22: EAP-TTLS – Full Example
Client ---(LAN)--- Access Point ---(Radius)--- TTLS Server ---(Radius)--- AAA Server
• Usage of CHAP in order to authenticate the client
• Establishment of the data cipher suite and keying material

Slide 23: EAP-TTLS – Full Example (1)
Access Point -> Client: EAP-Request/Identity
Client -> Access Point: EAP-Response/Identity
Access Point -> TTLS Server: Radius Access Request (RAR): Data-Cipher-Suite + EAP-Response/Identity
TTLS Server -> Access Point: Radius Access Challenge (RAC): EAP-Request/TTLS-Start
Client -> Access Point: EAP-Response/TTLS: client_hello
Access Point -> TTLS Server: RAR: EAP-Response/TTLS: client_hello
TTLS Server -> Access Point: RAC: EAP-Request/TTLS (server_hello, certificate, server_key_exchange, server_hello_done)

Slide 24: EAP-TTLS – Full Example (2)
Access Point -> Client: EAP-Request/TTLS (server_hello, certificate, server_key_exchange, server_hello_done)
Client -> Access Point: EAP-Response/TTLS (client_key_exchange, CCS, client_finished)
Access Point -> TTLS Server: RAR: EAP-Response/TTLS (client_key_exchange, CCS, client_finished)
TTLS Server -> Access Point: RAC: EAP-Request/TTLS (CCS, server_finished)
Client -> Access Point: EAP-Response/TTLS (User_name, CHAP-Challenge & CHAP-Password) + Data-Cipher-Suite
Access Point -> TTLS Server: RAR: EAP-Response/TTLS (User_name, CHAP-Challenge, CHAP-Password) + Data-Cipher-Suite
TTLS Server -> AAA Server: RAR: User_name, CHAP-Challenge, CHAP-Password

Slide 25: EAP-TTLS – Full Example (3)
AAA Server -> TTLS Server: Radius Access-Accept (RAA)
TTLS Server -> Access Point: RAC: EAP-Request/TTLS (Data-Cipher-Suite)
Client -> Access Point: EAP-Response (no data)
Access Point -> TTLS Server: RAR: EAP-Response (no data)
TTLS Server -> Access Point: RAA: Data-Cipher-Suite, Data-Keying-Material, EAP-Success
Mutual authentication done; data cipher suite and key established.

Slide 26: PEAP & EAP-TTLS Security Issues
• Based on TLS, which is well tested. Using TLS grants protection from:
  – Man-in-the-middle attacks
  – Snooping the user ID & password
  – Session hijacking
• Usage of tunneling:
  – Enables using existing protocols over a protected layer
  – Provides client identity protection:
    • The identity is passed over the TLS channel
    • If the client is to be authenticated using a certificate, this can be done after the TLS channel has been established

Slide 27: Open Security Problems
• Relies on the security between the AAA server, the TTLS/PEAP server and the AP.
• Injection of EAP-Success / EAP-Failure packets. Possible solution: another EAP message, inside the channel?

Slide 28: Compare PEAP, EAP-TTLS, EAP-TLS
                                    PEAP              EAP-TTLS                    EAP-TLS
Server authentication               certificate       certificate                 certificate
Client authentication               any EAP method    any authentication method   certificate
User identity protection            yes (TLS)         yes (TLS)                   no
Cipher-session negotiation          no                yes                         no
EAP attacks (session hijacking,     protected (TLS)   protected (TLS)             protected (TLS)
man-in-the-middle, dictionary attack)

Slide 29: Additional Issues
In addition to the security properties we introduced for PEAP & EAP-TTLS, they have some additional features:
• Same as in EAP-TLS:
  – Support for fragmentation of long messages
  – Support for fast re-connection to the network (using the TLS resumption abilities)
• Exchange of information between the client and the authentication server (EAP-TTLS: AVPs; PEAP: the latest draft defines something similar, TLVs). An example of such information: language settings for notifications.

Slide 30: Other EAP Methods
• EAP-MD5
  – Only user authentication
  – Uses user ID and password
  – Vulnerable to dictionary attack, man in the middle, session hijack
  – Easy implementation
• EAP-SRP (Secure Remote Password)
  – Usage of DH in order to authenticate both sides (the DH exchange is protected via usage of hash and salt)
  – Does not use certificates at all
  – Mutual authentication
  – Uses user ID and password

Slide 31: Other EAP Methods (2)
• EAP-LEAP (Light Extensible Authentication Protocol)
  – Developed by Cisco as a proprietary protocol; can only be supported by Cisco NASes
  – Usage of challenge and response
  – Mutual authentication
  – Uses user ID and password (no certificates)
  – Vulnerable to dictionary attack
• EAP-SIM
  – Used for cellular communication; based on challenge-response, which is done according to a key stored in the SIM card of a GSM cell phone
  – Mutual authentication
  – Vulnerable to spoofing

Slide 32: Other EAP Methods (3)
• EAP-SecurID
  – Usage of a one-time password in order to authenticate the client
  – No authentication of the server (solution: use tunneling)
  – Vulnerable to man-in-the-middle attack, session hijack

Slide 33: Summary (1)
• EAP enables usage of diverse methods in order to perform authentication. It defines the exchange of messages until the authentication process is done.
• EAP-TLS makes use of the existing TLS protocol in order to provide safe mutual authentication.
• PEAP and EAP-TTLS use TLS to authenticate the server and offer tunneling of other methods in order to authenticate the client.

Slide 34: Summary (2) – EAP Architecture (layers, top to bottom)
Authentication methods: PAP, CHAP, MD5, TLS, MS-CHAPv2, and EAP methods tunneled inside TTLS and PEAP
Tunnels: TTLS, PEAP
EAP
Carriers: 802.1X, PPP
Link: 802.11

Slide 35: Summary (3) – What to use? A few examples:
• On a wired network, EAP-MD5 is probably enough for most uses. It can be tunneled through PEAP/EAP-TTLS for extended security and server authentication.
• If a certificate system already exists, EAP-TLS can be used to provide a high level of security.
• If an existing non-EAP authentication system exists, EAP-TTLS is the only option to enable its usage in a secure way.
• EAP-SecurID can be used tunneled if OTPs are to be used. LEAP can be used if the NAS is from Cisco.
• Many more methods are being developed.