Evaluation of EAP Authentication Methods in Wired and Wireless Networks


Master Thesis
Electrical Engineering
October 2012

Evaluation of EAP Authentication Methods in Wired and Wireless Networks

Tirumala Rao Kothaluru
Mohamed Youshah Shameel Mecca

School of Computing, Blekinge Institute of Technology, Karlskrona, Sweden

This thesis is submitted to the School of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering. The thesis is equivalent to twenty weeks of full time studies.

Contact Information:

Author # 1: Tirumala Rao Kothaluru, M.Sc. Electrical Engineering (Telecommunication Systems), k.tirumalarao@gmail.com
Author # 2: Mohamed Youshah Shameel Mecca, M.Sc. Electrical Engineering (Telecommunication Systems), youshah2005@gmail.com
Supervised by: Charlott Lorentzen, Section/Unit: School of Computing, Blekinge Institute of Technology, SE Karlskrona, charlott.lorentzen@bth.se
Examined by: Patrik Arlos, Section/Unit: School of Computing, Blekinge Institute of Technology, SE Karlskrona, patrik.arlos@bth.se

ABSTRACT

In any networking environment, security, connection time and scalability of the network are the major concerns in keeping the network safe, fast and stable. Administrators working within the networking environment need to have a complete account of the manageability, scalability and security of the network, so that organizational data can be kept confidential and its integrity maintained. Network administrators use different authentication methods for network access in wired and wireless environments. As network usage and attacks on networks increase, a secure, scalable and standard network protocol is needed for accessing the network and keeping data safe in both wired and wireless networks. IEEE 802.1x is an IEEE standard used to provide authentication and authorization to devices over LAN/WLAN. The IEEE 802.1x framework uses EAP for authentication and authorization with a RADIUS server. In this report, an experimental analysis of different EAP authentication methods in both wired and wireless networks, in terms of authentication time and total processing time, is presented. Wireshark is used to capture the network traffic at the server and client ends. After analyzing the timestamps of each packet captured using Wireshark, it is seen that EAP-MD5 takes less time in both wired and wireless networks; if the number of users increases, there is not much difference in the network connection time. Concerning the security of the network, EAP-MD5 is vulnerable to many attacks, so it is not used by many companies. The alternative methods, with their strengths and weaknesses, are discussed.

Keywords: Authentication, EAP Methods, IEEE 802.1x, RADIUS.


ACKNOWLEDGEMENT

We would like to express sincere gratitude to Charlott Lorentzen, our supervisor, for her great and intense support. Without her esteemed guidance and consistent support it would not have been easy to accomplish this research. We would like to convey our gratitude towards Dr. Patrik Arlos, our examiner. Finally, we would like to thank our parents and friends for continuous motivation and co-operation.

Tirumala Rao
Mohamed Youshah


TABLE OF CONTENTS

LIST OF FIGURES
LIST OF TABLES
ABBREVIATIONS
INTRODUCTION
MOTIVATION AND CONTRIBUTION
AIM AND OBJECTIVES
RESEARCH QUESTIONS
RESEARCH METHODOLOGY
THESIS OUTLINE
BACKGROUND
IEEE 802.1X
RADIUS
EXTENSIBLE AUTHENTICATION PROTOCOL (EAP)
EAP-METHODS
IMPLEMENTATION AND EXPERIMENT
EXPERIMENTAL SETUP
EXPERIMENTAL SETUP FOR WIRED NETWORK
EXPERIMENTAL SETUP FOR WIRELESS NETWORK
EXPERIMENTAL RESULTS
RESULTS FOR WIRED NETWORK
RESULTS FOR WIRELESS NETWORK
COMPARISON OF AUTHENTICATION TIME
COMPARISON OF TOTAL PROCESSING TIME
SCALABILITY EXPERIMENT
CALCULATION OF AUTHENTICATION TIME AND PROCESSING TIME
SURVEY
SURVEY RESULTS
DISCUSSION
ASSESSMENT
CONCLUSION AND FUTURE WORK
REFERENCES
APPENDIX A
APPENDIX B


LIST OF FIGURES

Figure 2.1: Authentication Process
Figure 2.2: RADIUS packet format [12]
Figure 2.3: RADIUS frame format [12]
Figure 2.4: RADIUS attribute format [12]
Figure 3.1: Experimental Setup for Wired Network
Figure 3.2: The flow diagram of EAP TLS messages [33]
Figure 3.3: Experimental Setup for Wireless Network
Figure 4.1: Comparison of Authentication Time
Figure 4.2: Comparison of Total Processing Time
Figure 5.1: Scalability Experiment
Figure 7.1: Authentication Time in comparison to work done by [8]
Figure 7.2: Total Processing Time in comparison to work done by [8]


LIST OF TABLES

Table 2.1: RADIUS codes and its operations [12]
Table 2.2: Comparison of EAP-methods
Table 4.1: Authentication Time for wired network
Table 4.2: Total Processing Time for Wired Network
Table 4.3: Authentication Time for Wireless Network
Table 4.4: Processing Time for Wireless Network
Table 5.1: Authentication Time & Total Processing Time for Scalability Experiment
Table 6.1: Participants Knowledge on Network Security
Table 6.2: Participants knowledge on importance of Network Security
Table 6.3: Participants preference on network connection time
Table 6.4: Network connection time where participants do not have any knowledge on security of connection
Table 6.5: Connection time where participants are ready to wait if higher security is provided
Table 6.6: BTH Campus network connection usage by participants
Table 6.7: Participants opinion about security of BTH network
Table 6.8: Participants preference if network upgraded to higher security


ABBREVIATIONS

AAA: Authentication, Authorization, Accounting
AP: Access Point
CA: Certificate Authority
CHAP: Challenge Handshake Authentication Protocol
EAP: Extensible Authentication Protocol
EAPOL: EAP over LAN
GTC: Generic Token Card
IEEE: Institute of Electrical and Electronics Engineers
IP: Internet Protocol
LAN: Local Area Network
MD5: Message Digest 5
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol
NAK: Negative Acknowledgement
OS: Operating System
PAP: Password Authentication Protocol
PC: Personal Computer
PEAP: Protected Extensible Authentication Protocol
PKI: Public Key Infrastructure
PPP: Point-to-Point Protocol
PNAC: Port based Network Access Control
RADIUS: Remote Authentication Dial in User Service
RFC: Request for Comments
RJ45: Registered Jack 45
TCP: Transmission Control Protocol
TLS: Transport Layer Security
TTLS: Tunneled Transport Layer Security
UDP: User Datagram Protocol
VPN: Virtual Private Network
WLAN: Wireless LAN


1 INTRODUCTION

In any networking environment, security is one of the major concerns in keeping organizational data safe. Administrators working within the networking environment need to have a complete account of the manageability, scalability and security of the network, so that organizational data can be kept confidential and its integrity maintained. Generally, to access a network, users need to provide a username and a password to get authorized. The main motive for using such a method is to make devices agree that only authorized users are accessing the information. To keep the network secure from illegal activities, delay and network overload, three main aspects need to be considered: Authentication, Authorization, and Accounting (AAA) [1, 32].

Network connection time is one of the major aspects that need to be taken into consideration, as users generally do not tend to wait for a long time until they get authenticated. Users feel that if the connection time is longer, then the performance of the network is lower [31]. Hence, connection time should be as low as possible. Authentication time depends on various factors like network load, delay etc. If the load on the network is higher, authentication takes more time. So a suitable authentication protocol, which can provide better security and performance under any critical condition on the network, needs to be selected.

The Institute of Electrical and Electronics Engineers (IEEE) 802.1x is a standard used to provide authentication and authorization to devices that have been connected via Local Area Network (LAN) ports to establish point-to-point connections. The IEEE 802.1x framework alone cannot be used for authentication and authorization, but requires an additional authentication/authorization protocol on top of the framework to do so. IEEE 802.1x provides a lot of functionality which is relatively easy to implement and allows users to access the network after checking the users' credentials.
There has been a lot of work done regarding the different authentication and encryption methods that are used in IEEE 802.1x [3, 4, 5, 6]. In [1], Extensible Authentication Protocol-Message Digest 5 (EAP-MD5), EAP Transport Layer Security (EAP-TLS) and Protected EAP (PEAP) have been compared by measuring four performance parameters, namely authentication time, reauthentication time, packet loss during reauthentication, and throughput. The authors found a significant change in authentication and reauthentication times. EAP-MD5 had a smaller authentication time compared to the other methods in this study. The properties and security attributes of upper layer EAP authentication methods in wireless networks have been compared theoretically [7]. The main work performed by the authors was to provide a suitable authentication method for any organization or any field which uses a networking environment. In [8], the authors performed an experiment to evaluate the performance of six EAP authentication methods like EAP Tunneled Transport Layer Security (EAP-TTLS), EAP-PEAP-MSCHAPv2 and EAP-MD5. They calculated the authentication time and processing time for EAP over LAN (EAPOL).

Very few papers have been published regarding the performance of the authentication methods that are available. The number of papers published in this domain is low compared to the research done in other domains; this is the reason that motivated us to do this thesis. In this study, the work focuses on both theoretical and practical aspects of a few of the widely used EAP authentication methods. We mainly focused on technical aspects and the aspects regarding the performance of different EAP methods.

1.1 Motivation and Contribution

The work done previously [1, 7, 13, 14] focuses mainly on theoretical aspects, and less experimental work has been done regarding EAP methods. Theoretical information like implementation complexity, kinds of network attacks, Wireless Local Area Network (WLAN) security, advantages and disadvantages is not enough to choose a particular authentication method. Hence, an experimental analysis is required to choose an EAP method for authentication which gives better performance in terms of authentication time and total processing time. This motivated us to evaluate the performance of widely used EAP methods for both wired and wireless networks. The two parameters calculated are total processing time and authentication time.

In practice it is necessary to compare the scalability of both wired and wireless networks. This information tells us whether the same protocol can be used for both wired and wireless networks, or whether different protocols need to be used for wired and wireless networks.

To get the opinion of students about the security provided by the BTH campus, a user survey was chosen. The main motive behind the survey was to know if the students are ready to wait for a few more seconds in order to get better security with regard to authentication. It is also interesting to know the opinion of the students regarding the security they have been using at the BTH campus, as they are the end users.

1.2 Aim and Objectives

The aim of this work is to evaluate and analyze the performance of different EAP authentication methods.

- Literature review of EAP methods.
- Study of the authentication time and processing time that are related to the performance of EAP methods.
- Search for software that provides different authentication methods, like X-Supplicant, WPA-Supplicant etc., and that is compatible with RADIUS/DIAMETER servers.
- Experimental setup for evaluating and analyzing different EAP methods for both wired and wireless networks.

Objectives

- Calculation of authentication time and processing time for widely used EAP methods on both wired and wireless networks.
- Analyzing and comparing the results for both wired and wireless networks.
- Analyzing the survey responses.

1.3 Research Questions

RQ1. How do EAP methods affect the authentication performance in wired and wireless networks?
  1.1. Which EAP methods provide better authentication time and processing time in wired networks?
  1.2. Which EAP methods provide better authentication time and processing time in wireless networks?

RQ2. Comparing the performance of EAP authentication methods in wired and wireless networks in terms of authentication time and total processing time.
  2.1. Which network provides better performance in terms of authentication time and processing time, wired or wireless?
  2.2. Which EAP methods can be used for both wired and wireless networks?
  2.3. Are the EAP methods scalable in a wireless network with regard to the number of users?

RQ3. From the user's perspective, which is more important, authentication security or connection time?
  3.1. Are users ready to wait for some additional time to get better security in terms of authentication?
  3.2. Will the survey results help the network administrator to choose a relevant protocol according to user preference?

1.4 Research Methodology

This thesis consists of a literature review, a user survey and an experimental analysis of EAP methods; hence a qualitative and quantitative study was chosen. The qualitative study contains a detailed literature review and a user survey. The quantitative study is an empirical study with an experimental setup. The following steps explain the methodology adopted to answer the research questions at various steps, fulfilling the aim and objectives.

1. In the initial stage of the research, a literature study was conducted to gather theoretical knowledge about different EAP methods, to know their advantages, disadvantages, possible network attacks etc.

2. A detailed study of the equipment used in the experiment.

3. As many EAP methods are available, we contacted several companies to choose the widely used EAP methods. Two companies responded. The responses obtained from the two companies are shown below. The companies' names have been kept confidential as the information concerns security.

   Company 1: One of the leading ISPs in Pakistan.
   Server: Cisco ACS
   Protocol: PEAP-MSCHAPv2

   Company 2: One of the leading multinational companies around the world, present in 23 countries. This company has collaborated with a few companies in Sweden.
   Server: Cisco ACS
   Protocol: PEAP-MSCHAPv2
   OS: Windows server 2003 and 2008

   Based on the responses from the companies, previous work [8] and the protocol used by the BTH campus, widely used EAP methods were selected. The protocols selected for the evaluation of performance in this paper were EAP-MD5, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAP, EAP-TTLS-MSCHAPv2, EAP-TTLS-CHAP, EAP-PEAP-MSCHAPv2, and EAP-PEAP-MD5.

4. After the literature review and the selection of EAP methods and parameters to be calculated, the experimental setup follows.

5. In the next stage, the experiment was carried out with different EAP methods in both wired and wireless networks. The timestamps of each incoming and outgoing packet were captured for each EAP method, and the parameters (authentication time and total processing time) were calculated.

6. To verify and validate the results, the standard deviation was taken.

7. The result for the wired network was compared with the result of [8] to analyze the variation that occurs.

   By following the above steps, the first research question, about the performance of EAP methods in both wired and wireless networks, can be answered.

8. In stage three, the experimental results obtained in wired and wireless networks are compared.

9. In the next stage, to answer research question 2.3, a scalability experiment was conducted for different EAP methods on the wireless network. The experimental result of the wireless network scenario was compared with the scalability experiment to see if the EAP methods are scalable.

   From the stage three comparison results, it will be known which network provides better performance and whether one protocol can be used for both wired and wireless networks. With the stage three and stage four comparison results, research question two can be answered.

10. In stage five, a user survey was conducted among students of the BTH campus, using a web based online Google survey form, to know their opinion regarding the security provided on the BTH campus.

    With the responses obtained in stage five and the experimental results, the final research question can be answered.

1.5 Thesis Outline

In chapter 2, brief introductions to IEEE 802.1x, EAP and RADIUS are presented, followed by the Experimental Setup and Implementation in chapter 3. In chapter 4 the experimental results are examined, followed by the scalability experiment in chapter 5. The survey results are discussed in chapter 5. Finally, the report is concluded in chapter 6.


2 BACKGROUND

This section presents how IEEE 802.1x and the different EAP methods work. A brief description of the RADIUS server and its operating procedure is provided. Furthermore, the main methods used in EAP are explained.

2.1 IEEE 802.1x

IEEE 802.1x is a Port-based Network Access Control (PNAC) standard that uses the Extensible Authentication Protocol (EAP) in the transport layer [9]. It was originally designed for wired networks; the standard has since improved and is now used in wireless networks as well. The standard defines encapsulation methodologies for the transport of EAP over LAN (EAPOL) and provides a powerful authentication framework in which any authentication protocol can be used to provide a high level of security [10]. IEEE 802.1x has three main components, namely the supplicant, the authenticator and the authentication server.

Supplicant

Any device that is capable of supporting the IEEE 802.1x protocol (for example mobile phones, PCs etc.) can be used to obtain authentication rights to gain access over the network. The supplicant sends the necessary credentials to the authenticator, for the authentication server, to gain access over the network. The communication between the supplicant and the authenticator is established using EAPOL and operates in layer 2. Since the operation takes place in layer 2, there is no need for an IP address to start the authentication process.

Authenticator

The authenticator is a device such as a switch, router or wireless access point. It acts as an intermediary between a supplicant and the authentication server to control the access between them. The credentials that are authenticated or rejected by the authentication server are passed through the authenticator. Generally, the authenticator sets its ports either open or closed according to the response received from the authentication server to the request made by the supplicant. Depending upon the response provided by the authentication server, the authenticator decides whether the supplicant must be authorized or not.

Authentication server

The authentication server is important, as it needs to process and validate the credentials provided by the supplicant. Through this process, it becomes known whether or not the supplicant is authorized to access the information on the server. The authentication server is the one which provides the authentication service. The main role of the authentication server is to check, against the database, whether the credentials provided by the supplicant are correct or not.

Figure 2.1: Authentication Process

Figure 2.1 shows the operation that takes place between the three different components of IEEE 802.1x. The supplicant is connected to the authentication server via the authenticator. The credentials provided by the supplicant to the authentication server are passed through the authenticator. The authentication server checks the credentials provided by the supplicant against the database and decides if the supplicant must be authorized or not. The authentication server provides the necessary information to the authenticator to authorize or unauthorize the supplicant.

2.2 RADIUS

RADIUS (Remote Authentication Dial in User Service) is a widely implemented protocol used for carrying authentication, authorization and configuration information between the network accessing servers. The RADIUS server was originally designed for supporting dial-up services, but now it also supports authentication through switches, Virtual Private Networks (VPNs), wireless access points etc. [11]. It is defined in RFC 2865 and RFC 2866; these RFC documents provide detailed information regarding operation, configuration and accounting.

Key features of a RADIUS server are:

- It is responsible for passing the user information.
- It waits until a response is returned.
- It is responsible for the user connection request, authenticating the user and providing all the necessary configuration information that will be required to deliver the information from the server to the user.

RADIUS uses UDP instead of TCP as its transport protocol. The main reason for using UDP is strictly technical. A few of the characteristics are:

1. It uses a secondary authentication server if the request from the user to the primary authentication server fails.
2. The timing requirements for this protocol are different from what standard TCP/IP provides.
3. UDP simplifies the implementation, i.e. implementation is easy compared to TCP/IP.
4. The stateless nature is one of the main characteristics that simplify the use of UDP.

Packet format

Every RADIUS packet is encapsulated in the UDP data field [12]. The destination port of UDP indicates the port number of RADIUS. The port assigned for RADIUS is 1812 and for accounting is

Figure 2.2: RADIUS packet format [12]

The frame format of RADIUS is as follows.

Figure 2.3: RADIUS frame format [12]

Code

The code field is one byte. It identifies the type of RADIUS packet. When a packet is received, RADIUS checks its code field, and if the code received is invalid then it silently discards the packet.

The RADIUS codes (decimal) assigned are as follows:

| Operation | Code |
|---|---|
| Access-Request | 1 |
| Access-Accept | 2 |
| Access-Reject | 3 |
| Accounting-Request | 4 |
| Accounting-Response | 5 |
| Access-Challenge | 11 |
| Status-Server (experimental) | 12 |
| Status-Client (experimental) | 13 |
| Reserved | 255 |

Table 2.1: RADIUS codes and its operations [12]

Identifier

The length of the identifier is one byte. It matches the requests and replies between the two communicating parties, i.e. client and server. It identifies whether any duplicate request is sent by the user within a short span of time. This is done by checking if the client is from the same source and IP address.

Length

The length field gives the total number of bytes sent in a packet; this includes the code, identifier, length, authenticator and attributes. If the packet contains additional bytes, then the additional bytes are considered as padding and the data is ignored.

Authenticator

The Authenticator is 16 bytes. It is used for password hiding. The most significant octet is transmitted first.

Attributes

RADIUS attributes are used to carry authentication, authorization, information and configuration details between the request sent and the response received. The end of the attributes is determined by the length of the RADIUS packet.

Figure 2.4: RADIUS attribute format [12]

The value field may be zero or may contain octets. It contains information about the attribute.
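The field layout and discard rules described in this section can be exercised with a small parser. This is an added example, not code from the thesis or from FreeRADIUS; the two-byte length field, the 4096-byte maximum and attribute type 79 (EAP-Message) are taken from RFC 2865 and RFC 3579, and the sample datagram is constructed.

```python
import struct

# Code values from Table 2.1.
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response",
    11: "Access-Challenge", 12: "Status-Server", 13: "Status-Client",
    255: "Reserved",
}
HEADER_LEN = 20   # code(1) + identifier(1) + length(2) + authenticator(16)
MAX_LEN = 4096    # upper bound on the length field (RFC 2865)


class RadiusParseError(ValueError):
    """Raised where a real server would silently discard the packet."""


def parse_radius(datagram):
    """Parse one UDP payload into header fields and (type, value) attributes."""
    if len(datagram) < HEADER_LEN:
        raise RadiusParseError("shorter than the fixed header")
    code, identifier, length = struct.unpack("!BBH", datagram[:4])
    if code not in RADIUS_CODES:
        raise RadiusParseError("invalid code %d" % code)
    if not HEADER_LEN <= length <= MAX_LEN:
        raise RadiusParseError("length field %d out of range" % length)
    if len(datagram) < length:
        raise RadiusParseError("datagram shorter than its length field")

    # Attributes are type(1), length(1), value; the length counts all three.
    attributes = []
    pos = HEADER_LEN
    while pos < length:
        if length - pos < 2:
            raise RadiusParseError("truncated attribute header")
        attr_type, attr_len = datagram[pos], datagram[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise RadiusParseError("attribute %d overruns the packet" % attr_type)
        attributes.append((attr_type, datagram[pos + 2:pos + attr_len]))
        pos += attr_len

    return {
        "code": code,
        "code_name": RADIUS_CODES[code],
        "identifier": identifier,
        "length": length,
        "authenticator": datagram[4:HEADER_LEN],
        "attributes": attributes,
        # Bytes beyond the length field are padding and are ignored.
        "padding": len(datagram) - length,
    }


def build_radius(code, identifier, authenticator, attributes):
    """Helper used only to construct the sample packet below."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


# Constructed sample: an Access-Request carrying User-Name (type 1) and an
# EAP-Response/Identity inside EAP-Message (type 79). Not a real capture.
EAP_IDENTITY = bytes([2, 1, 0, 10, 1]) + b"alice"
SAMPLE = build_radius(1, 7, bytes(16), [(1, b"alice"), (79, EAP_IDENTITY)])

if __name__ == "__main__":
    parsed = parse_radius(SAMPLE + b"\x00\x00\x00")   # three padding bytes
    print(parsed["code_name"], parsed["identifier"], parsed["padding"])
    for attr_type, value in parsed["attributes"]:
        print(attr_type, value.hex())
```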

2.3 Extensible Authentication Protocol (EAP)

EAP is an authentication protocol which is defined in RFC It provides a framework which supports multiple authentication methods. It is necessary to point out that EAP is not a protocol, but only defines the framework of the message formats. In EAP enabled networks, the state of the port used for authentication (port 1812) depends on the successful authorization provided by the authentication server. Once the authentication server authorizes the supplicant to use the resources, the authenticator opens the port so that traffic can flow freely. If the authentication server rejects the request, then the port is closed and no connection is established between them.

Authentication Process

The authentication process can be initiated by either the supplicant or the authenticator. When the supplicant starts the authentication process, it sends an EAPOL-Start message and the authenticator then responds to the supplicant with an EAP-Request/Identity message. The supplicant replies with an identity in the form of an EAP-Response/Identity. If the authentication process is started by the authenticator, then the EAPOL-Start message step is skipped. The authentication server replies with a challenge message to the authenticator. The challenge message is used to check whether the EAP method that has been used is compatible or not. If it is compatible then an EAP-Success message is sent. If the EAP method that is being used is not compatible then a NAK message is sent, and the supplicant needs to choose a different method. The important thing to notice is that the packet received by the authenticator is encapsulated in such a way that the packet is understood by the authentication server (RADIUS). Once the EAP method is selected, an EAP-Response is sent to the authentication server via the authenticator.

The authentication server checks the credentials provided by the supplicant and verifies whether the supplicant should be authorized or not. If the credentials provided by the supplicant are correct, then an EAP-Success message is sent and the supplicant is authorized to use the port. If the credentials are incorrect, then an EAP-Failure message is sent and the supplicant is not authorized to use the port. The important point to notice is that the communication between the supplicant and the authenticator employs a LAN connection (EAPOL), and the connection between the authenticator and the authentication server is typically established using a RADIUS/DIAMETER server. Then, RADIUS re-encapsulates the packet so that the content of the packet is understood by the supplicant.

2.4 EAP-METHODS

MD5

EAP-MD5 is described in RFC It is analogous to the PPP-CHAP protocol. It is a challenge-response handshake protocol [16]. It uses an id and a password for the user to get authenticated. The authentication database stores all the user ids and passwords. As MD5 is a challenge protocol, the RADIUS server sends a random challenge to the client. The supplicant/client creates an MD5 hash of the user's password and the challenge message and sends the hash back to the server; the server checks the hash against the database.

It is important to see that the supplicant never sends a password to the authentication server for verification. The password stored in the database is in clear plain text.

Advantages:
- Easy to implement
- Supported by many RADIUS servers

Disadvantages:
- Highly insecure, as the user passwords are stored in plain text in the authentication server, allowing hackers to gain access over the network to perform illegal activities.
- EAP-MD5 does not support mutual authentication.
- Dynamic rekeying is not possible [17].

TLS

EAP-TLS is described in RFC 2716 [18]. It uses public key infrastructure (PKI) digital certificates for the supplicant and the authentication server to provide mutual authentication between them. A PKI certificate contains information about the name of the server or the user's information. It is one of the secure methods in use, because a TLS tunnel is created during the exchange of certificates between the supplicant and the authentication server. Another point to note here is that even though a tunnel is created to protect the EAP messages, the user's identity is sent in clear plain text before the certificate exchange process starts.

Advantages:
- Dynamic rekeying is possible
- Mutual authentication
- Secure tunnel is created for certificate exchange

Disadvantages:
- Maintenance cost is higher
- Even though it is secure, it is unpopular among network administrators, as mutual certificates need to be exchanged between the supplicant and the authentication server, which makes implementation difficult

TTLS

EAP-TTLS is described in RFC 5281 [19]. EAP-TTLS is an extension of EAP-TLS; it was created to reduce the implementation complexity faced while implementing TLS, i.e. to eliminate the PKI digital certificate. With TTLS, the authentication server alone needs to authenticate itself to the supplicant. The client can optionally authenticate itself to the server. Hence it is a one or two way authentication method. EAP-TTLS supports many inner protocols like PAP, CHAP, MSCHAP and MSCHAPv2 for client authentication. The authentication process takes place inside the secure tunnel. There are two versions of TTLS, namely TTLSv1 and TTLSv2.

Advantages:
- Creates secure SSL tunnel
- Supports legacy authentication methods
- Dynamic rekeying is possible
- User identity is protected

Disadvantages:
- Poor distribution of WLAN devices

PEAP

EAP-PEAP works in a similar manner to TLS. It uses public key infrastructure (PKI) digital certificates to authenticate. Unlike TLS, EAP-PEAP requires only one certificate, i.e. only the server needs to authenticate itself to the client. Hence, it is a one way authentication method, unlike TTLS, which gives the client the option to authenticate itself to the authentication server. EAP-PEAP creates a secure tunnel between the supplicant and the authentication server to pass EAP messages between them. In PEAP, only variant methods like EAP-MD5, EAP-MSCHAPv2 etc. can be used inside the inner secure tunnel. As PEAP uses variant legacy protocols, the authenticator is used only to transfer the packets between the supplicant and the authentication server.

Advantages:
- Dynamic rekeying is possible
- Creates secure SSL tunnel
- User identity is protected
- Supports fast reconnections
- Message authentication and encryption

Disadvantages:
- Requires more overhead due to the number of message exchanges
- Requires a certificate authority (CA) for authenticating the server

2.4.5 Comparison of various EAP-methods

Table 2.2 provides theoretical knowledge regarding the complexities, requirements, security etc. for four major EAP-methods [17, 22, 23, 24, 25].

| Attribute | TLS | TTLS | PEAP | MD5 |
|---|---|---|---|---|
| Supplicant software (Windows) | Xsupplicant | Xsupplicant | Xsupplicant | Xsupplicant |
| Supplicant software (Linux) | WPA_Supplicant | WPA_Supplicant | WPA_Supplicant | WPA_Supplicant |
| Deployment | Hard | Moderate | Moderate | Easy |
| User identity hiding | No | Yes | Yes | No |
| EAP attacks: session hijacking, man-in-the-middle, dictionary attack | Protected | Protected | Protected | Not Protected |
| Security | Strongest | Strong | Strong | Poor |
| Tunnel | No | Yes | Yes | No |
| Server certificate | Yes | Yes | Yes | No |
| Client certificate | Yes | Optional | No | No |
| Legacy protocols | - | MD5, PAP, CHAP, MSCHAP, MSCHAPv2 | MD5, MSCHAPv2, GTC | - |
| Encryption technology | Digital certificates | Digital certificates or Diffie-Hellman algorithm to generate keying material, symmetric key for data encryption | Digital certificates or Diffie-Hellman algorithm to generate keying material, symmetric key for data encryption | One way message digest |
| Protected cipher suite negotiation | Not Required | Yes | Yes | No |
| Cipher-session negotiation | No | Yes | No | No |
| Fast reconnect | Yes | Yes | Yes | No |

Table 2.2: Comparison of EAP-methods
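The EAP-MD5 exchange from section 2.4, and the reasons behind the MD5 column of Table 2.2, can be seen by running both sides of the handshake. This is an added Python example, not code from the thesis: the response is computed as in CHAP (MD5 over identifier, password and challenge), and the class names, function names, user store and passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5 = 4   # EAP type number of MD5-Challenge


def eap_md5_packet(code, identifier, value, name=b""):
    """EAP header (code, id, length) + type 4 + value-size + value + name."""
    data = bytes([EAP_TYPE_MD5, len(value)]) + value + name
    return struct.pack("!BBH", code, identifier, 4 + len(data)) + data


def parse_eap_md5(packet):
    """Return (code, identifier, value, name) or raise ValueError."""
    if len(packet) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or packet[4] != EAP_TYPE_MD5:
        raise ValueError("not a well-formed EAP MD5-Challenge packet")
    size = packet[5]
    if 6 + size > length:
        raise ValueError("value-size overruns the packet")
    return code, identifier, packet[6:6 + size], packet[6 + size:]


def md5_response(identifier, password, challenge):
    """CHAP-style response: MD5(identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


class Server:
    """Authentication-server side of the exchange (illustrative only)."""

    def __init__(self, users):
        # The server must hold the password itself, not a salted hash of it:
        # it needs the cleartext to recompute the expected response.
        self.users = users      # username -> cleartext password (bytes)
        self.pending = {}       # identifier -> outstanding challenge

    def challenge(self, identifier):
        value = os.urandom(16)  # fresh random challenge per attempt
        self.pending[identifier] = value
        return eap_md5_packet(EAP_REQUEST, identifier, value)

    def verify(self, username, packet):
        code, identifier, value, _name = parse_eap_md5(packet)
        # A challenge is accepted once; a replayed response finds none.
        challenge = self.pending.pop(identifier, None)
        password = self.users.get(username)
        if code != EAP_RESPONSE or challenge is None or password is None:
            return EAP_FAILURE
        expected = md5_response(identifier, password, challenge)
        ok = hmac.compare_digest(expected, value)   # constant-time compare
        return EAP_SUCCESS if ok else EAP_FAILURE


def supplicant_reply(request, password):
    """Supplicant side: the password never leaves the client, only the hash.
    Nothing in the request proves who sent it (no mutual authentication)."""
    _code, identifier, challenge, _name = parse_eap_md5(request)
    response = md5_response(identifier, password, challenge)
    return eap_md5_packet(EAP_RESPONSE, identifier, response)


def run_exchange(server, username, password, identifier=1):
    request = server.challenge(identifier)
    return server.verify(username, supplicant_reply(request, password))


if __name__ == "__main__":
    srv = Server({"alice": b"correct horse"})   # constructed user store
    print(run_exchange(srv, "alice", b"correct horse") == EAP_SUCCESS)
    print(run_exchange(srv, "alice", b"wrong guess") == EAP_FAILURE)
```

Because the challenge and response both cross the link in the clear and the only secret input is the password, the strength of the method rests entirely on password quality, which is why the tunneled methods in Table 2.2 wrap this exchange in TLS.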

29 3 IMPLEMENTATION AND EXPERIMENT This chapter focuses on the implementation of experiments, performed within this study and it contains three sections. The first section contains the general description about devices, software tools, system configuration and operating system (OS) used in the experiments. The second section contains the experimental setup used in wired network. Section three contains the experimental setup for wireless network. 3.1 Experimental Setup The experimental setup consists of three entities; supplicant, authenticator and authentication server. The role of each entity used along with the system configuration and Operating System (OS) is described below, Client - The Supplicant A client is a device who connects to a network. In order to connect to the network, a client needs to authenticate by the authentication server to establish a secure connection to use the available resources. In this experiment, laptop running with Linux (Ubuntu) operating system is used as a client. The main motivation to use laptop instead of personal computers are, as we are performing the experiment in both wired and wireless networks, laptops can be used to connect in both the networks, but PCs cannot be used to connect a wireless network as WiFi interface cards are not available internally. Another reason PC s are not handy and cannot be carried all around the places, generally people carrying laptops only tend to connect to wireless network. The laptop specification is given below. System: DELL Studio Laptop Model: PP39I Processor: Intel core i3 CPU: 2GHz RAM: 3GB OS: Ubuntu 12.04LTS The reason to use Ubuntu as operating system is, it is open source and all EAP methods are available inbuilt and do not require any additional software but whereas in Windows operating system many EAP methods are not available internally hence require external software (Xsupplicant) to be installed. 
Ubuntu was used as the operating system.

Router/Access Point - The Authenticator

The router/access point is a device used for transferring the user credentials between the supplicant and the authentication server. The main role of the authenticator [26, 28] is to open or close the port for the supplicant, allowing or denying the use of the resources available on the server. In the wired network, the authenticator specifications are given below:

Name: Cisco 2800 series
Model: Cisco 2811
Version: 12.4

In the wireless network, the authenticator specifications are given below:

Name: Cisco Aironet 1230 AG series
Model: AIR-LAP1232AG-E-K9

These devices were configured to use IEEE 802.1x and were used to transfer EAP messages between the supplicant and the authentication server.

RADIUS Server - The Authentication Server

The authentication server is responsible for accepting or denying the supplicant's request to use the available resources on the server. The specification of the laptop on which the RADIUS server was installed is given below.

System: Toshiba Satellite A135-s4477
Processor: Intel core 2
CPU: 2GHz
RAM: 3GB
OS: Ubuntu 12.04LTS
Software: FreeRADIUS

There are many open source RADIUS servers available, but only a few support all widely used EAP methods. FreeRADIUS [30] is an open source server which supports most of the authentication protocols, which motivated us to use it. The configuration of the RADIUS server is presented in appendix A.

Tools

Wireshark

Wireshark is open source software which is available for both Windows and Linux operating systems [20]. It is a network packet analyzer used to capture network packets and display the packet data in a detailed manner. It is used to troubleshoot network problems, examine security problems, debug protocol implementations, and for education. Wireshark is used here to monitor the EAP messages flowing between the supplicant and the authentication server.

3.2 Experimental Setup for Wired Network

In this section, the experimental setup for the wired network is explained. The entities required for the setup are supplicant, authenticator and authentication server. The individual operations of these entities are explained in the section above.

Figure 3.1: Experimental Setup for Wired Network

The implementation consists of a supplicant, an authenticator and an authentication server. The supplicant is connected to the authenticator (router) using unshielded twisted pair cable (RJ45). The authenticator is connected to the authentication server using an RJ45 cable.

In this setup, the authentication time and processing time for widely used EAP-methods are calculated in the wired network. Wireshark is used to obtain the timestamps from which the authentication time and total processing time are calculated. The authentication time is the total time taken for the user to get authenticated in the network. The processing time shows the performance of each entity for the EAP method which network administrators intend to use.

Authentication Time

To calculate the authentication time, the EAP messages were monitored at the supplicant end using Wireshark. The EAP messages received in Wireshark were logged only for the timestamps of successful EAP messages. The formula used to calculate the authentication time is

$$A_{Total} = A_{End} - A_{Start}$$

Where,
$A_{Total}$ = Total authentication time
$A_{Start}$ = EAP message start time
$A_{End}$ = EAP message end time

The calculated authentication time contains the time taken for the user to authenticate in the network, as shown in the formula below,

$$\text{Authentication time } (A_{Total}) = P_{Total} + \text{Network time}$$

Where,
$P_{Total}$ = Total processing time

To validate the result, 30 samples were taken and their mean value is calculated using the formula,

$$\text{Authentication Time} = \frac{\text{Sum of Authentication Times}}{N}$$

Where, $N$ = Number of samples taken

To verify the results, the standard deviation is calculated for the 30 samples.

Processing Time

Processing time is the time taken to process a packet at each entity. The total processing time is the sum of the processing times at all entities. The supplicant processing time is the time taken to process the EAP messages at the supplicant end. The authenticator processing time is the time between an incoming EAP message and the corresponding outgoing EAP message in the authenticator. The processing time of the authentication server is the time taken to process the EAP message at the server end. The formula to calculate the total processing time is shown below.

$$P_{Total} = P_{Supplicant} + P_{Authenticator} + P_{Server}$$

Where,
$P_{Total}$ = Total processing time
$P_{Supplicant}$ = Processing time of supplicant
$P_{Authenticator}$ = Processing time of Authenticator
$P_{Server}$ = Processing time of Authentication Server

$P_{Supplicant}$ and $P_{Server}$ are calculated using Wireshark timestamps, as the time between a packet entering the supplicant/server and leaving it. The timestamps for $P_{Authenticator}$ are obtained in the router, and the results are exported and analyzed using Wireshark to calculate the $P_{Authenticator}$ processing time.

The mean processing time of each entity and the total processing time for 30 samples are calculated using the formula,

$$\text{Processing Time (for supplicant/authenticator/server)} = \frac{\text{Sum of Processing Times}}{N}$$

Where, $N$ = Number of samples taken.

Figure 3.2: The flow diagram of EAP TLS messages [33]

For example, Figure 3.2 shows the flow diagram of EAP TLS messages. Processing time is the time taken at each entity as mentioned above. The numbers in Figure 3.2 show the flow of packets, hence the processing times of the supplicant, authenticator and authentication server can be calculated as,

P Supplicant = time taken at (4-3) + (12-11) + (20-19)
P Authenticator = time taken at (2-1) + (6-5) + (10-9) + (14-13) + (18-17) + (22-21) + (26-25)
P Server = time taken at (8-7) + (16-15) + (24-23)
Authentication time = end time - start time

3.3 Experimental Setup for Wireless Network

To set up a wireless network, a communication device which does not require a physical medium for relaying information to other devices is required. For this purpose, a wireless access point is used as the authenticator. A wireless connection is established between the authenticator and the supplicant.

Figure 3.3: Experimental Setup for Wireless Network

Using the timestamps of each EAP method, the authentication time is calculated using the same formula as in the wired network. The processing times P Supplicant, P Authenticator and P Server are also calculated in the same way as in the wired network. To check the scalability of the wireless network, a scalability experiment is performed, which is discussed in chapter 5.
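The timing formulas of section 3.2 and the Figure 3.2 event pairing, as an added example (not the thesis authors' tooling): it computes A Total for each successful exchange in a supplicant-side capture, sums per-entity processing time from the (arrival, departure) pairs, and reports mean and standard deviation. The capture lines, dwell times and clock offsets are constructed; treating EAP-Request/Identity as the start of an exchange and using the sample standard deviation are assumptions.

```python
from statistics import mean, stdev

EAP_REQUEST, EAP_SUCCESS, EAP_FAILURE = 1, 3, 4   # EAP Code field values
EAP_TYPE_IDENTITY = 1                             # EAP Type field value

# Constructed supplicant-side capture (not thesis data), one EAP packet per line:
# epoch seconds <TAB> EAP code <TAB> EAP type (empty for Success/Failure), as from
#   tshark -r FILE -Y eap -T fields -e frame.time_epoch -e eap.code -e eap.type
SAMPLE_CAPTURE = (
    "100.000\t1\t1\n100.004\t2\t1\n100.020\t1\t4\n100.023\t2\t4\n100.050\t3\t\n"  # Success
    "200.000\t1\t1\n200.005\t2\t1\n200.022\t1\t4\n200.026\t2\t4\n200.040\t4\t\n"  # Failure
    "300.000\t1\t1\n300.003\t2\t1\n300.021\t1\t4\n300.025\t2\t4\n300.056\t3\t\n"  # Success
)

# (arrival event, departure event) per entity, as listed for Figure 3.2 (EAP-TLS).
FIG_3_2_PAIRS = {
    "supplicant": [(3, 4), (11, 12), (19, 20)],
    "authenticator": [(1, 2), (5, 6), (9, 10), (13, 14), (17, 18), (21, 22), (25, 26)],
    "server": [(7, 8), (15, 16), (23, 24)],
}


def parse_capture(text):
    """Return [(timestamp, eap_code, eap_type or None), ...] from tshark field output."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, code, eap_type = (line.split("\t") + [""])[:3]
        packets.append((float(ts), int(code), int(eap_type) if eap_type.strip() else None))
    return packets


def authentication_times(packets):
    """A_Total = A_End - A_Start for each exchange that ends in EAP-Success.

    Assumption: an exchange starts at EAP-Request/Identity. Exchanges that end in
    EAP-Failure, or that are restarted before completing, yield no sample.
    """
    samples, start = [], None
    for ts, code, eap_type in packets:
        if code == EAP_REQUEST and eap_type == EAP_TYPE_IDENTITY:
            start = ts
        elif code == EAP_FAILURE:
            start = None
        elif code == EAP_SUCCESS and start is not None:
            samples.append(ts - start)
            start = None
    return samples


def processing_times(stamps, pairs=FIG_3_2_PAIRS):
    """P_Total = P_Supplicant + P_Authenticator + P_Server.

    stamps maps entity -> {event number: timestamp on that entity's own clock}.
    Each difference uses two timestamps from the same capture point, so the three
    clocks do not need to be synchronised.
    """
    result = {}
    for entity, entity_pairs in pairs.items():
        total = 0.0
        for arrive, leave in entity_pairs:
            if arrive not in stamps[entity] or leave not in stamps[entity]:
                raise ValueError(f"{entity}: event {arrive} or {leave} missing from capture")
            delta = stamps[entity][leave] - stamps[entity][arrive]
            if delta < 0:
                raise ValueError(f"{entity}: event {leave} is stamped before event {arrive}")
            total += delta
        result[entity] = total
    result["total"] = sum(result.values())
    return result


def summarise(samples):
    """Mean and sample standard deviation (assumed estimator) over repeated runs."""
    if len(samples) < 2:
        raise ValueError("need at least two samples for a standard deviation")
    return mean(samples), stdev(samples)


def constructed_run(dwell, clock_offset, link_delay=0.0005):
    """Build constructed timestamps for events 1..26; odd events are arrivals."""
    owner = {ev: name for name, prs in FIG_3_2_PAIRS.items() for pr in prs for ev in pr}
    stamps, now = {name: {} for name in FIG_3_2_PAIRS}, 0.0
    for event in range(1, 27):
        name = owner[event]
        now += link_delay if event % 2 else dwell[name]
        stamps[name][event] = now + clock_offset[name]
    return stamps


if __name__ == "__main__":
    auth = authentication_times(parse_capture(SAMPLE_CAPTURE))
    print("A_Total samples:", [round(a, 3) for a in auth], "mean/stdev:", summarise(auth))
    run = constructed_run(
        dwell={"supplicant": 0.003, "authenticator": 0.001, "server": 0.005},
        clock_offset={"supplicant": 0.0, "authenticator": 17.25, "server": -3.5},
    )
    print({k: round(v, 4) for k, v in processing_times(run).items()})
```

The failed exchange in the constructed capture contributes no sample, matching the thesis practice of logging only successful exchanges.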


4 EXPERIMENTAL RESULTS

In this section, the data collected in the experiments for both wired and wireless networks is presented, and the authentication time and total processing time results are compared.

4.1 Results for Wired Network

Evaluation of Authentication Time

The authentication time for the wired network is shown below.

| EAP-Method | Authentication Time [sec] (Stdev) | Min [sec] | Max [sec] |
|---|---|---|---|
| EAP-MD5 | (0.0077) | | |
| EAP-TLS | (0.0041) | | |
| EAP-TTLS-PAP | (0.0051) | | |
| EAP-TTLS-CHAP | (0.0053) | | |
| EAP-TTLS-MSCHAP | (0.0036) | | |
| EAP-TTLS-MSCHAPv2 | (0.0040) | | |
| EAP-PEAP-MD5 | (0.0033) | | |
| EAP-PEAP-MSCHAPv2 | (0.0035) | | |

Table 4.1: Authentication Time for wired network

The results in Table 4.1 show that EAP MD5 has a smaller authentication time and EAP PEAP-MD5 has the least variation. The remaining protocols have a higher authentication time compared to EAP MD5 and EAP PEAP-MD5. EAP TTLS-MSCHAPv2 shows a higher authentication time compared to the other protocols. EAP PEAP-MSCHAPv2 shows a slightly lower authentication time compared to EAP TTLS-MSCHAPv2.

Evaluation of Processing Time

The processing time of each entity in the wired network, with the standard deviation of the samples, is shown below.

Processing Time [sec]

| EAP-Method | Supplicant (Stdev) | Authenticator (Stdev) | Authentication Server (Stdev) | Total (Stdev) |
|---|---|---|---|---|
| MD5 | (0.0014) | (0.0012) | (0.0020) | (0.0045) |
| TLS | (0.0015) | (0.0014) | (0.0023) | (0.0050) |
| TTLS-PAP | (0.0011) | (0.0015) | (0.0028) | (0.0051) |
| TTLS-CHAP | (0.0012) | (0.0013) | (0.0024) | (0.0049) |
| TTLS-MSCHAP | (0.0009) | (0.0015) | (0.0018) | (0.0042) |
| TTLS-MSCHAPv2 | (0.0014) | (0.0008) | (0.0016) | (0.0037) |
| PEAP-MD5 | (0.0010) | (0.0012) | (0.0013) | (0.0034) |
| PEAP-MSCHAPv2 | (0.0012) | (0.0016) | (0.0017) | (0.0043) |

Table 4.2: Total Processing Time for Wired Network

The results in Table 4.2 show that the processing time in the authenticator is higher compared to the authentication server and the supplicant. EAP MD5 has the least total processing time. EAP PEAP-MD5 has the least variation of processing time compared to EAP MD5. PEAP-MSCHAPv2 has the highest total processing time. Apart from that, it is difficult to find a pattern in the results of the other protocols.

The results obtained in this wired network experiment were compared with [8] and found to show little variation. This might have occurred due to the change in environment as compared to [8].

4.2 Results for Wireless Network

The results obtained for the wireless network for authentication time and processing time are shown below.

Evaluation of Authentication Time

The authentication time for the wireless network is shown below.

| EAP-Method | Authentication Time [sec] (Stdev) | Min [sec] | Max [sec] |
|---|---|---|---|
| EAP-MD5 | (0.0065) | | |
| EAP-TLS | (0.0052) | | |
| EAP-TTLS-PAP | (0.0036) | | |
| EAP-TTLS-CHAP | (0.0043) | | |
| EAP-TTLS-MSCHAP | (0.0038) | | |
| EAP-TTLS-MSCHAPv2 | (0.0056) | | |
| EAP-PEAP-MD5 | (0.0058) | | |
| EAP-PEAP-MSCHAPv2 | (0.0062) | | |

Table 4.3: Authentication Time for Wireless Network

The results in Table 4.3 show that EAP-MD5 has a smaller authentication time compared to the other EAP methods. EAP PEAP-MSCHAPv2 and EAP TTLS-MSCHAPv2 have a slight variation of authentication time between them. EAP-TLS has the largest authentication time. The remaining EAP methods do not follow any pattern in the samples obtained.

Evaluation of Processing Time

The processing time of each entity in the wireless network is shown below.

Processing Time [sec]

| EAP-Method | Supplicant (Stdev) | Authenticator (Stdev) | Authentication Server (Stdev) | Total (Stdev) |
|---|---|---|---|---|
| MD5 | (0.0015) | (0.0017) | (0.0020) | (0.0051) |
| TLS | (0.0011) | (0.0012) | (0.0013) | (0.0036) |
| TTLS-PAP | (0.0012) | (0.0010) | (0.0014) | (0.0034) |
| TTLS-CHAP | (0.0013) | (0.0015) | (0.0015) | (0.0043) |
| TTLS-MSCHAP | (0.0014) | (0.0017) | (0.0022) | (0.0051) |
| TTLS-MSCHAPv2 | (0.0012) | (0.0015) | (0.0016) | (0.0040) |
| PEAP-MD5 | (0.0014) | (0.0019) | (0.0020) | (0.0053) |
| PEAP-MSCHAPv2 | (0.0013) | (0.0016) | (0.0016) | (0.0044) |

Table 4.4: Processing Time for Wireless Network

From Table 4.4, it is seen that EAP MD5 has the smallest processing time. PEAP-MSCHAPv2 and TLS take a higher time for authentication compared to the remaining protocols. The authentication times of TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP and TTLS-MSCHAPv2 show slight variation between them. EAP PEAP-MSCHAPv2 takes the highest authentication time.

4.3 Comparison of Authentication time

The results obtained for the wired and wireless networks are compared to find which network provides better performance and whether a suitable EAP method for both wired and wireless networks can be chosen. Figure 4.1 displays the authentication time for each EAP-method for wired and wireless networks. The x-axis denotes EAP-methods and the y-axis denotes authentication time. The blue bars indicate wired network results and the red bars indicate wireless network results.

[Figure 4.1: Comparison of Authentication Time. Bar chart of authentication time (y-axis) per EAP-method (x-axis: MD5, TLS, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPv2, PEAP-MD5, PEAP-MSCHAPv2) for the wired and wireless networks.]

Figure 4.1 shows the authentication time for wired and wireless networks. Authentication in the wireless network takes additional time in comparison to the wired network. EAP-MD5 has a smaller time in both networks. EAP-TLS shows a delay of more than a second in the wireless network compared to the wired network, whereas EAP-TTLS and EAP-PEAP show a delay of approximately ms. On average, each protocol took 0.084 s additional time to get authenticated in the wireless network as compared to the wired network.

4.4 Comparison of Total Processing time

The results obtained for wired and wireless networks for total processing time are shown in Figure 4.2. Processing in the wireless network takes additional time in comparison to the wired network. Figure 4.2 displays the authentication time for each EAP-method for wired and wireless networks. The x-axis denotes EAP-methods and the y-axis denotes total processing time. The blue bars indicate wired network results and the red bars indicate wireless network results.

[Figure 4.2: Comparison of Total Processing Time. Bar chart of total processing time (y-axis) per EAP-method (x-axis: MD5, TLS, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPv2, PEAP-MD5, PEAP-MSCHAPv2) for the wired and wireless networks.]

The processing time of each protocol in the wired network is less than in the wireless network scenario. MD5 takes less processing time in both wired and wireless network scenarios compared to all other protocols; TLS and PEAP-MSCHAPv2 take a bit more time.


5 SCALABILITY EXPERIMENT

It is necessary to evaluate the scalability of the network to see whether the methods used have the ability to handle load, so a scalability experiment is carried out. The experimental setup remains the same as in the wireless network scenario. The only difference is that in the wireless network scenario only one client is connected at a time, whereas in the scalability experiment ten users with different PCs running the Ubuntu operating system were asked to connect to the network simultaneously, to check whether there is any change in authentication time and total processing time when a number of users try to log in simultaneously. All ten users used the built-in EAP-methods available in Ubuntu OS, and EAP messages were captured in the same way as in the wireless network. The reason for performing this experiment is to learn how the network scales as the number of users increases.

Figure 5.1: Scalability Experiment

5.1 Calculation of Authentication Time and Processing Time

The authentication time and processing time were calculated as in the wireless network scenario above. Table 5.1 presents the average of 10 samples, obtained while 10 users logged in to the network using valid credentials provided by us. The results show very little difference in the authentication time and total processing time compared to the wireless network.

| EAP-Method | Authentication Time [s] (Stdev) | Total Processing Time [s] (Stdev) |
|---|---|---|
| EAP-MD5 | (0.0076) | (0.0069) |
| EAP-TLS | (0.0085) | (0.0078) |
| EAP-TTLS-PAP | (0.0068) | (0.0073) |
| EAP-TTLS-CHAP | (0.0070) | (0.0064) |
| EAP-TTLS-MSCHAP | (0.0069) | (0.0076) |
| EAP-TTLS-MSCHAPv2 | (0.0074) | (0.0080) |
| EAP-PEAP-MD5 | (0.0079) | (0.0068) |
| EAP-PEAP-MSCHAPv2 | (0.0083) | (0.0071) |

Table 5.1: Authentication Time & Total Processing Time for Scalability Experiment

From Table 5.1, it is seen that EAP MD5 takes a smaller authentication time, EAP TTLS-MSCHAPv2 takes the highest authentication time, EAP MD5 shows the least total processing time and EAP PEAP-MSCHAPv2 shows a higher processing time. Comparing Table 5.1 with Table 4.3 and Table 4.4, we can observe that there is less than 1% difference in average authentication time and 7% difference in average total processing time, which is negligible. We can say that even if a number of users try to connect to the network simultaneously, there is not much difference in performance.


More information

Chapter 5. Data Communication And Internet Technology

Chapter 5. Data Communication And Internet Technology Chapter 5 Data Communication And Internet Technology Purpose Understand the fundamental networking concepts Agenda Network Concepts Communication Protocol TCP/IP-OSI Architecture Network Types LAN WAN

More information

Wireless Technology Seminar

Wireless Technology Seminar Wireless Technology Seminar Introduction Adam Worthington Network Consultant Adam.Worthington@euroele.com Wireless LAN Why? Flexible network access for your users? Guest internet access? VoWIP? RFID? Available

More information

Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database

Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database Step-by-step Guide for Configuring Cisco ACS server as the Radius with an External Windows Database Table of Contents: INTRODUCTION:... 2 GETTING STARTED:... 3 STEP-1: INTERFACE CONFIGURATION... 4 STEP-2:

More information

Symm ym e m t e r t ic i c cr c yptogr ypt aphy a Ex: RC4, AES 2

Symm ym e m t e r t ic i c cr c yptogr ypt aphy a Ex: RC4, AES 2 Wi-Fi Security FEUP>MIEIC>Mobile Communications Jaime Dias Symmetric cryptography Ex: RC4, AES 2 Digest (hash) Cryptography Input: variable length message Output: a fixed-length bit

More information

NETWORK USER S GUIDE. Multi-Protocol On-board Ethernet Multi-function Print Server and Wireless Ethernet Multi-function Print Server

NETWORK USER S GUIDE. Multi-Protocol On-board Ethernet Multi-function Print Server and Wireless Ethernet Multi-function Print Server Multi-Protocol On-board Ethernet Multi-function Print Server and Wireless Ethernet Multi-function Print Server NETWORK USER S GUIDE This Network User's Guide provides useful information of wired and wireless

More information

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere White Paper 7KH#&KDOOHQJH Virtual Private Networks (VPNs) provides a powerful means of protecting the privacy and integrity

More information

Network User s Guide

Network User s Guide Network User s Guide Multi-Protocol On-board Ethernet Print Server and Wireless Ethernet Print Server This Network User's Guide provides useful information on wired and wireless network settings and security

More information

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents:

Module 6. Configuring and Troubleshooting Routing and Remote Access. Contents: Configuring and Troubleshooting Routing and Remote Access 6-1 Module 6 Configuring and Troubleshooting Routing and Remote Access Contents: Lesson 1: Configuring Network Access 6-3 Lesson 2: Configuring

More information

Network Access Control and Cloud Security

Network Access Control and Cloud Security Network Access Control and Cloud Security Overview Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-14/

More information

The Importance of Wireless Security

The Importance of Wireless Security The Importance of Wireless Security Because of the increasing popularity of wireless networks, there is an increasing need for security. This is because unlike wired networks, wireless networks can be

More information

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer Other VPNs TLS/SSL, PPTP, L2TP Advanced Computer Networks SS2005 Jürgen Häuselhofer Overview Introduction to VPNs Why using VPNs What are VPNs VPN technologies... TLS/SSL Layer 2 VPNs (PPTP, L2TP, L2TP/IPSec)

More information

RAD-Series RADIUS Server Version 7.3

RAD-Series RADIUS Server Version 7.3 RAD-Series RADIUS Server Version 7.3 Highly Customizable RADIUS Server for Controlling Access & Security in Wireless & Wired Networks Interlink Networks RAD-Series Authentication, Authorization, and Accounting

More information

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region

VPN SECURITY. February 2008. The Government of the Hong Kong Special Administrative Region VPN SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without the

More information

RAD-Series RADIUS Server Version 7.1

RAD-Series RADIUS Server Version 7.1 RAD-Series RADIUS Server Version 7.1 Highly Customizable RADIUS Server for Controlling Access & Security in Wireless & Wired Networks Interlink Networks RAD-Series Authentication Authorization, and Accounting

More information

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw IP Security IPSec, PPTP, OpenVPN Pawel Cieplinski, AkademiaWIFI.pl MUM Wroclaw Introduction www.akademiawifi.pl WCNG - Wireless Network Consulting Group We are group of experienced professionals. Our company

More information

Joint Research Activity 5 Task Force Mobility

Joint Research Activity 5 Task Force Mobility Joint Research Activity 5 Task Force Mobility Network authentication with Network Roaming with eduroam Stefan Winter TREFpunkt 13, Örebro, Sweden 12 Oct 2005 1 Overview Differences

More information

How To Set Up An Ipa 1X For Aaa On A Ipa 2.1X On A Network With Aaa (Ipa) On A Computer Or Ipa (Ipo) On An Ipo 2.0.1

How To Set Up An Ipa 1X For Aaa On A Ipa 2.1X On A Network With Aaa (Ipa) On A Computer Or Ipa (Ipo) On An Ipo 2.0.1 Implementation of IEEE 802.1X in wired networks Best Practice Document Produced by UNINETT led working group on security (UFS 133) Authors: Øystein Gyland, Tom Myren, Rune Sydskjør, Gunnar Bøe March 2013

More information

CS 393/682 Network Security. Nasir Memon Polytechnic University Module 7 Virtual Private Networks

CS 393/682 Network Security. Nasir Memon Polytechnic University Module 7 Virtual Private Networks CS 393/682 Network Security Nasir Memon Polytechnic University Module 7 Virtual Private Networks Course Logistics Midterm next week. Old exams posted Brief review at end of this module HW 4 assigned, due

More information

The following chart provides the breakdown of exam as to the weight of each section of the exam.

The following chart provides the breakdown of exam as to the weight of each section of the exam. Introduction The CWSP-205 exam, covering the 2015 objectives, will certify that the successful candidate understands the security weaknesses inherent in WLANs, the solutions available to address those

More information

Network User s Guide

Network User s Guide Network User s Guide Multi-Protocol On-board Ethernet Multi-function Print Server and Wireless Ethernet Multi-function Print Server This Network User's Guide provides useful information on wired and wireless

More information

9243060 Issue 1 EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

9243060 Issue 1 EN. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation 9243060 Issue 1 EN Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation Nokia 9300i Configuring connection settings Nokia 9300i Configuring connection settings Legal Notice

More information

IEA Software, Inc. 802.1x/EAP Authentication Guide RadiusNT/X V5.1

IEA Software, Inc. 802.1x/EAP Authentication Guide RadiusNT/X V5.1 802.1x/EAP Authentication Guide RadiusNT/X V5.1 IEA Software, Inc. Administrative and Support Office PO BOX 1170 Veradale, Washington 99037 Phone: (509) 444-BILL Sales@iea-software.com Support@iea-software.com

More information

Understanding the Cisco VPN Client

Understanding the Cisco VPN Client Understanding the Cisco VPN Client The Cisco VPN Client for Windows (referred to in this user guide as VPN Client) is a software program that runs on a Microsoft Windows -based PC. The VPN Client on a

More information

Network Access Security It's Broke, Now What? June 15, 2010

Network Access Security It's Broke, Now What? June 15, 2010 Network Access Security It's Broke, Now What? June 15, 2010 Jeffrey L Carrell Network Security Consultant Network Conversions SHARKFEST 10 Stanford University June 14-17, 2010 Network Access Security It's

More information

Wireless Security. New Standards for 802.11 Encryption and Authentication. Ann Geyer 209-754-9130 ageyer@tunitas.com www.tunitas.

Wireless Security. New Standards for 802.11 Encryption and Authentication. Ann Geyer 209-754-9130 ageyer@tunitas.com www.tunitas. Wireless Security New Standards for 802.11 Encryption and Authentication Ann Geyer 209-754-9130 ageyer@tunitas.com www.tunitas.com National Conference on m-health and EOE Minneapolis, MN Sept 9, 2003 Key

More information

Using Windows NPS as RADIUS in eduroam

Using Windows NPS as RADIUS in eduroam Using Windows NPS as RADIUS in eduroam Best Practice Document Produced by the UNINETT-led working group on campus networking Authors: P. Dekkers (SURFnet), T. Myren (UNINETT) February 2015 GÉANT Association

More information

L2F Case Study Overview

L2F Case Study Overview LF Case Study Overview Introduction This case study describes how one Internet service provider (ISP) plans, designs, and implements an access virtual private network (VPN) by using Layer Forwarding (LF)

More information

IEEE 802.1X For Wireless LANs

IEEE 802.1X For Wireless LANs IEEE 802.1X For Wireless LANs John Roese, Ravi Nalmati, Cabletron Albert Young, 3Com Carl Temme, Bill McFarland, T-Span David Halasz, Aironet Paul Congdon, HP Andrew Smith, Extreme Networks Slide 1 Outline

More information

How To Create A Virtual Network With A Router And Network Operating System (Ip) For A Network (Ipv) (Ip V2) (Netv) And A Virtualization) (Network) (Wired) (Virtual) (Wire)

How To Create A Virtual Network With A Router And Network Operating System (Ip) For A Network (Ipv) (Ip V2) (Netv) And A Virtualization) (Network) (Wired) (Virtual) (Wire) Post-IP technologies virtualization and security Guy Pujolle 1 Virtualization for a post-ip network 2 Geni Intel would like to propose a generic router Intel proposes to have a generic hardware with virtual

More information

Security in IEEE 802.11 WLANs

Security in IEEE 802.11 WLANs Security in IEEE 802.11 WLANs 1 IEEE 802.11 Architecture Extended Service Set (ESS) Distribution System LAN Segment AP 3 AP 1 AP 2 MS MS Basic Service Set (BSS) Courtesy: Prashant Krishnamurthy, Univ Pittsburgh

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

VPN. VPN For BIPAC 741/743GE

VPN. VPN For BIPAC 741/743GE VPN For BIPAC 741/743GE August, 2003 1 The router supports VPN to establish secure, end-to-end private network connections over a public networking infrastructure. There are two types of VPN connections,

More information

WLAN - Good Security Principles. WLAN - Good Security Principles. Example of War Driving in Hong Kong* WLAN - Good Security Principles

WLAN - Good Security Principles. WLAN - Good Security Principles. Example of War Driving in Hong Kong* WLAN - Good Security Principles WLAN Security.. from this... Security Architectures and Protocols in Wireless LANs (Section 3) 1 2 WLAN Security.. to this... How Security Breaches Occur 3 War (wide area roaming) Driving/War Chalking

More information

Authentication and Security in IP based Multi Hop Networks

Authentication and Security in IP based Multi Hop Networks 7TH WWRF MEETING IN EINDHOVEN, THE NETHERLANDS 3RD - 4TH DECEMBER 2002 1 Authentication and Security in IP based Multi Hop Networks Frank Fitzek, Andreas Köpsel, Patrick Seeling Abstract Network security

More information

IEEE 802.1X Overview. Port Based Network Access Control

IEEE 802.1X Overview. Port Based Network Access Control IEEE 802.1X Overview Port Based Network Access Control 802.1X Motivation and History Increased use of 802 LANs in public and semi-public places Desire to provide a mechanism to associate end-user identity

More information

AAA & Captive Portal Cloud Service TM and Virtual Appliance

AAA & Captive Portal Cloud Service TM and Virtual Appliance AAA & Captive Portal Cloud Service TM and Virtual Appliance Administrator Manual Revision 28 August, 2013 Copyright, Cloudessa, Inc. All rights reserved To receive technical assistance with your Cloudessa

More information

Technical papers Virtual private networks

Technical papers Virtual private networks Technical papers Virtual private networks This document has now been archived Virtual private networks Contents Introduction What is a VPN? What does the term virtual private network really mean? What

More information

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches

Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches print email Article ID: 4941 Enabling Multiple Wireless Networks on RV320 VPN Router, WAP321 Wireless-N Access Point, and Sx300 Series Switches Objective In an ever-changing business environment, your

More information

EAP Authentication Protocols for WLANs

EAP Authentication Protocols for WLANs C H A P T E R 7 EAP Authentication Protocols for WLANs The second in the WLAN authentication trilogy of chapters, this chapter examines the various authentication protocols such as the Extensible Authentication

More information

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace

Lab Exercise SSL/TLS. Objective. Requirements. Step 1: Capture a Trace Lab Exercise SSL/TLS Objective To observe SSL/TLS (Secure Sockets Layer / Transport Layer Security) in action. SSL/TLS is used to secure TCP connections, and it is widely used as part of the secure web:

More information

RADIUS Authentication and Accounting

RADIUS Authentication and Accounting 5 RADIUS Authentication and Accounting Contents Overview...................................................... 5-2 Terminology................................................... 5-3 Switch Operating Rules

More information

Guideline for setting up a functional VPN

Guideline for setting up a functional VPN Guideline for setting up a functional VPN Why do I want a VPN? VPN by definition creates a private, trusted network across an untrusted medium. It allows you to connect offices and people from around the

More information

The 802.1x specification

The 802.1x specification The 802.1x specification Fulvio Risso Politecnico di Torino Based on an existing presentation of Piero Nicoletti 1 IEEE 802.1x Port-Based Network Access Control Use physical access characteristics of IEEE

More information

Chapter 5 Virtual Private Networking Using IPsec

Chapter 5 Virtual Private Networking Using IPsec Chapter 5 Virtual Private Networking Using IPsec This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to provide

More information

Windows Server 2003 Remote Access Overview

Windows Server 2003 Remote Access Overview Windows Server 2003 Remote Access Overview Microsoft Corporation Published: March 2003 Abstract Remote access allows users with remote computers to create a logical connection to an organization network

More information

WiFi Security: Deploying WPA/WPA2/802.1X and EAP in the Enterprise

WiFi Security: Deploying WPA/WPA2/802.1X and EAP in the Enterprise Michael Disabato Service Director Network & Telecom Strategies mdisabato@burtongroup.com Diana Kelley Senior Analyst Security & Risk Management Strategies dkelley@burtongroup.com www.burtongroup.com WiFi

More information

Building secure wireless access point based on certificate authentication and firewall captive portal

Building secure wireless access point based on certificate authentication and firewall captive portal EPJ Web of Conferences 68, 00029 (2014) DOI: 10.1051/ epjconf/ 20146800029 C Owned by the authors, published by EDP Sciences, 2014 Building secure wireless access point based on certificate authentication

More information

Wireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com

Wireless VPN White Paper. WIALAN Technologies, Inc. http://www.wialan.com Wireless VPN White Paper WIALAN Technologies, Inc. http://www.wialan.com 2014 WIALAN Technologies, Inc. all rights reserved. All company and product names are registered trademarks of their owners. Abstract

More information

Securing an IP SAN. Application Brief

Securing an IP SAN. Application Brief Securing an IP SAN Application Brief All trademark names are the property of their respective companies. This publication contains opinions of StoneFly, Inc., which are subject to change from time to time.

More information