Improving the security of EAP-EHash authentication method

Imoving th scity of EAP-EHash athntication mthod AIT HEMAD Milod 1 EL KIRAM Molay Ahmd 2 LAZREK Azzddin 3 Univsity Cadi Ayyad, Faclty of cincs EMLALIA - Datmnt of Comt cincs Bd. Pinc My Abdllah, B.P. 2390, 40000 Maakch, Moocco 1 m.aithmad@cam.ac.ma, 2 Kiam@cam.ac.ma, 3 lazk@cam.ac.ma Abstact., val EAP athntication mthods hav cntly bn oosd to ns athntication in 802.11 wilss ntwoks. Most of ths mthods qi high comtation cost fo th os of scity. Howv, thy a not sitabl fo s in a soc constaind ntwok nvionmnt. EAP-EHash is on of th vy fw intsting mthods, which w dsignd fo s in sch nvionmnt. EAP-EHash qis low comtation cost and combins simlicity and scity. In this a, w show that EAP-EHash sffs fom sios scity dfcts. Thn, w oos imovmnts to coct ths flaws. Résmé. Récmmnt, lsis méthods d'athntification EAP (Extnsibl Athntication Potocol) ont été oosés o ass l'athntification dans ls ésax sans fil 802.11. Pami cs intéssants oositions, fig EAP-EHash, qi a été conç o alli la simlicité t la sécité. Dans c ai, nos montons q EAP-EHash soff d défats imotants. Ensit, nos allons oos ds amélioations afin d combl cs lacns. Kywods: city, Athntication, Wilss ntwok, 802.1X, EAP. Mots clés : 802.1x, écité, Résa sans fil, 802.1X, WLAN, EAP. *Amélioation d la sécité d la méthod d athntification EAP-EHash 2010. Rv RIT, vol. 18, n 2,. 114-122

1. Intodction inc thi aaanc, th wilss local aa ntwoks (WLANs) (Gast, 2005) hav bn gadd as a siml xtnsion of wid LANs. Howv, th incasing nd to commnicat fly and wilssly mad ths ntwoks boom, and thy gadally incasd thi comtitivnss comad to wid ntwoks. Howv, thy a vy vlnabl to malicios avsdoing and thfo vy snsitiv to scity isss. Indd, to tansmit infomation ov adio wavs facilitats thi intction by intds. To fac th low lvl of wilss LANs scity and to mak it simila to that of wid LANs, th IEEE 802.11 woking go has dfind th WEP (Wid Eqivalnt Pivacy) mchanism (Blbl, Batmaz, Ozl, 2008). Unfotnatly, WEP sffs fom a nmb of waknsss (Mill, Hamilton, 2002; Blbl, Batmaz, Ozl, 2008). Th nw standads; scially 802.1X (IEEa, 2004a) and 802.11i (IEEa, 2004b) w t fowad to coct ths dfcts. Th 802.1X standad (ynd, 2002; IEE, 2004a) ovids athntication, accss contol and ky managmnt. Not that 802.1X is also sd in th 802.11i standad fo athntication. Th incil of 802.1X is as follows: if a clint, who is also known as slicant, wants to connct to th ntwok, th accss oint, that also calld athnticato, blocks all taffic xct th on latd to th athntication ocss ntil h is athnticatd to th athntication sv. Oftn, th athntication sv is RADIU sv (Rmot Athntication Dial-In Us vic) (Aboba, Calhon, 2003). 802.1X is basd on EAP (Extnsibl Athntication Potocol) (Aboba and al. 2004; Aboba, imon, Eonn, 2004), dfind by th IETF (Intnt Engining Task Foc) to ns athntication. This otocol scifis a gnic famwok fo mltil athntication mthods. Ths mthods dfin athntication schms and ky distibtion. Th athntication mthod sd is tansant to th accss oint; only th clint and athntication sv s it. Th accss oint simly lays EAP mssags btwn th clint and athntication sv, xct th last on which snts th slt of athntication (sccss o fail). Following this slt, th accss oint allows o blocks th clint to accss to th ntwok. Th EAP mssags xchangd btwn th mobil station and accss oint a caid in EAPOL (EAP ov LAN) fams. And th ons xchangd btwn th accss oint and athntication sv a caid in EAPOR (EAP ov RADIU) fams. EAP sots sval athntication mthods (Dant, Clothi, Ati, 2007), inclding: EAP-MD5 (Aboba and al. 2004), EAP-TL (Aboba, imon, 1999), EAP- 2010, vol.18, n 2 Rv RIT 115

TTL (Fnk, Blak-Wilson, 2004), EAP-LEAP and EAP-PEAP (Palka and al. 2003). 802.1X dos not imos any scific athntication mthod. This has tiggd many sachs and woks to dvlo a obst, sc and fast on. Among th intsting cnt mthods oosd is EAP-EHash (Chikhoho, Bn Jmaa, Lant-Maknavicis, 2006; Chikhoho and al. 2009), which combins sd, fficincy and mtal athntication. Th st of this a is oganizd as follows. A viw of EAP-Hash athntication mthod is dscibd in ction 2. In ction 3, w show th scity flaws of EAP-EHash w fond and w snt o oosd imovmnts. In ction 4, w shall analyz th oosd imovmnt schm. Finally, ction 5 snts th conclsion. 2. Rviw of EAP-EHash athntication mthod Th EAP-EHash mthod (Chikhoho and al. 2009) has bn oosd to b sd in a soc constaind ntwok nvionmnt. That's why EAP- EHash dcs th cytogahic load qid fo mtal athntication, by sing th symmtic cytogahy, challng-sons athntication mchanism and on-way hash fnction. In EAP-EHash, only on sct ky PK (P-had Ky) nd to b shad btwn th clint and athntication sv. This ky is sd to div two diffnt kys AK and EK. Th clint and th athntication sv mst hav ths two kys to ov thi idntitis. o, this mitigats dictionay and foc attacks, and thn nhancs scity. Indd, to imsonat a lgitimat ntity, th intd mst hav two kys and not jst on. EAP-EHash consists of th hass (Fig 1): ngotiation has, athntication has and ky divation has. 116 Rv RIT 2010, vol.18, n 2

Clint Accss Point Athntication v EAP Idntity Rqst l i c a n t EAP Idntity Rsons EAP Rqst (challng mssag, dfalt fnctions) EAP Rsons (sotd fnctions) EAP Rqst (challng mssag) EAP Rqst (sons to challng) EAP ccss mssag EAPOL-Ky mssag v Ngotiation has Athntication has Ky divation has Fig 1: EAP-EHash hass 2.1. Ngotiation has Th ngotiation has allows th clint and th athntication sv to ngotiat th cihsit which will b sd ding athntication has. Th cihsit consists of th hash fnction and th ncytion algoithm. As shown in Fig 1, aft th qst of th athnticato, th clint shows his idntity in an EAP mssag to accss oint which lays it to th athntication sv. Ding all xchangs EAP, th ol of accss oint is limitd to lay EAP mssags btwn th clint and athntication sv. Th Ngotiation has stats with th athntication sv snding its configd dfalt cihsit to clint. Ths data consist a fild, calld "Algo". Aft, th clint chcks th "Algo" fild. In cas of sccss, th clint sonds with EAP-Rsons mssag and th ngotiation has is don. Othwis, anoth cas is dscibd into dtails in (Chikhoho and al. 2009). 2.2. Athntication has Th athntication has (Fig 2) bgins with th athntication sv snding to clint a mssag that contains two andom nmbs Challng and Rand, sv's idntity vid, cihsit (Algo) and th slt of ncytion of MIC sing ky EK and th symmtic algoithm. Th MIC (Mssag Intgity Chck) is a hash val calclatd as follows: MIC1 = F (AK, Challng vid Rand Algo) sch: 2010, vol.18, n 2 Rv RIT 117

F dnots a on-way hash fnction (chni, 1996) (sch as HMAC-HA-1 o HMAC-MD5). AK (Athntication Ky) and EK (Encytion Ky) a two sssion kys divd fom PK as AK = F(PK, Rand) and EK = F(PK, Rand vid ClintID) wh dnots th concatnation and ClintID dnots th clint's idntity. Thn, th clint calclats th sam kys as th sv. Thn, h comts th MIC and comas it with th on civd. If thy match, th athntication sv is athnticatd to th clint. Thn, th clint snds th sv a andom nmb RandC combind with th cihsit (Algo) and th slt of ncytion of Hash sing ky EK and th symmtic algoithm. Th Hash is a hash val calclatd as follows: Hash = F(AK, Challng RandC Algo). In tn, th sv calclats th Hash and comas it with th on civd. In cas of sccss, th clint is athnticatd to th athntication sv. EAP ov LAN Accss Point EAP ov RADIU Athntication v l i c a n t Challng, vid, Rand, Algo, {MIC} EK RandC, Algo, {Hash} EK EAP ccss mssag v Fig 2: EAP-EHash athntication has 2.3. Ky divation has Th ky divation has (Chikhoho, 2009) allows th clint and th accss oint to ag on a sssion ky PTK. Th goal is to sc th taffic xchangd ov adio link. 118 Rv RIT 2010, vol.18, n 2

3. Vlnabilitis and oosd imovmnt of EAP-EHash Th athntication has of EAP-EHash snts two majo scity flaws: Vlnability to lay attack. Vlnability to known ky attack. 3.1. Vlnability to lay attack EAP-EHash is an EAP mthod that is basd on challng-sons athntication mchanism. In sch a mchanism, th vifi ntity snds a andom nmb, it is th challng. Using a shad sct, th ntity, who claims athntication, mst sond accoding to th challng. This mchanism is sd mainly to ns th fshnss of xchangd mssags and ths to cont th lay attack which consists of laying som old mssags intctd ding an ali commnication. EAP-EHash is vlnabl to lay attack. Indd, th clint athnticats th sv bfo it snds a challng. o, th challng-sons mchanism is not oly imlmntd in th clint sid. This mits any intd, who lads this ty of attack, to imsonat a lgitimat sv to th clint. To cay ot this attack, what th intd has to do is only intct th fist mssag ding an ali commnication btwn th clint and th athntication sv. Onc h has this mssag, th intd can asily imsonat th sv by snding this mssag to th clint. In EAP-EHash, bfo athnticating th sv, th clint mst vify th MIC, which contains th challng of sv bt not his. To athnticat th clint, th sv mst chck th Hash which contains th clint's challng. To cont lay attack, w oos vsing th ocss, that is to say, th MIC will b sd to athnticat th clint and th Hash to athnticat th athntication sv. O oosd imovmnt of EAP-EHash athntication has is shown in Fig 3. 2010, vol.18, n 2 Rv RIT 119

EAP ov LAN Accss Point EAP ov RADIU Athntication v l i c a n t Challng, vid, Rand RandC, Algo, {MIC} EK Algo, {Hash} EK No data EAP ccss mssag v Fig 3: O oosd imovmnt of EAP-EHash athntication has 3.2. Vlnability to known ky attack As sssion kys a stod in mmoy ding th sssion, thy a lativly asi to b comomisd than th P-shad kys. Th known ky attack consists of sing an old comomisd sssion ky fo imsonation in a nw sssion. Using only th challng gnatd by th athntication sv whn calclating two kys AK and EK, maks th EAP-EHash vlnabl to known ky attack. Indd, if an intd can sccssflly comomis th kys AK and EK in a givn sssion, h may s ths two kys as oftn as h wishs, in od to imsonat a lgitimat athntication sv to th clint, ovidd that h ss th sam challng Rand slctd ding th comomisd sssion. To coct this dfct, w oos to s also th clint's challng RandC whn calclating kys AK and EK. Ths, ths kys will b comtd as follows: AK = F(PK, Rand RandC) and EK = F(PK, Rand RandC vid ClintID). In ths two attacks, th intd dos not obtain ky PTK sd fo ncytion of mssags xchangd btwn th clint and accss oint. o, th goal of ths attacks is not to allow th intd to dcyt th xchangd mssags, bt to mislad th clint by making him think h is connctd to a lgitimat sv and so to a lgitimat ntwok whil it is not th cas. 120 Rv RIT 2010, vol.18, n 2

4. Th scity analysis of th oosd imovmnt W hav shown in th vios sction that EAP-EHash has two sios waknsss abot th athntication of athntication sv. Ths flaws a d ssntially to inaoiat s of th challng-sons mchanism. At fist, w admit that th challng-sons mchanism mits to ns th fshnss of xchangd mssags. Th coct s of clint's challng fo athntication of sv maks it infasibl fo an intd to lad th lay attack against EAP-EHash fo imsonating as valid athntication sv. am, th s of clint's challng whn comting sssion kys avoids known ky attack against EAP-EHash. O oosd imovmnts basd on th s of clint's challng whil th athntication of sv and th calclation of sssion kys. As a slt, o oosd imovmnts can ctainly ai th scity flaws of EAP-EHash. 5. Conclsion Th EAP-EHash is an intsting oosal, as it gatly dcs th cytogahic load qid by most EAP athntication mthods and it ovids mtal athntication. Dsit its mits, EAP-EHash, as oosd by its athos, has two sios scity waknsss abot th athntication of athntication sv. Th athos of EAP-EHash claim that thi mthod sists attacks. W hav shown that EAP-EHash is vlnabl to known ky attack. W hav also shown that any intd, who avsdos on th ntwok, can lay mssags intctd ding a io commnication and thfo imsonat a lgitimat sv. Fthmo, w hav oosd th imovmnts to cont sch attacks. Ths oosd imovmnts mak EAP-EHash mo sc and obst. 6. Réféncs Aboba, B. t al. 2004. Extnsibl Athntication Potocol (EAP). «IETF RFC 3748», Jn 2004 Aboba, B., Calhon, P. 2003. RADIU (Rmot Athntication Dial In Us vic) ot Fo Extnsibl Athntication Potocol (EAP). «IETF RFC 3579». tmb 2003 Aboba, B., imon, D. 1999. PPP EAP TL Athntication Potocol. «RFC 2716» Aboba, B., imon, D., Eonn, P. 2008. Extnsibl Athntication Potocol (EAP) Ky Managmnt Famwok. «IETF RFC 5247», Agst 2008 Blbl, H., Batmaz, I., Ozl, M. 2008. Wilss ntwok scity: comaison of WEP (Wid Eqivalnt Pivacy) mchanism, WPA (Wi-Fi Potctd Accss) and RN (Robst city Ntwok) scity otocols. Pocdings of th 1st intnational 2010, vol.18, n 2 Rv RIT 121

confnc on «Fonsic alications and tchniqs in tlcommnications, infomation, and mltimdia and woksho, Aticl 9», Janay 2008 Chikhoho, O. t al. 2009. An EAP-EHash Athntication Mthod Adatd to Rsoc Constaind Tminals. Annals ds Télécommnications. (Engining Collction) Chikhoho, O., Bn Jmaa, M., Lant-Maknavicis M. 2006. Novll méthod d'athntification EAP-EHash. «12èm Colloq Fancohon s l'ingénii ds Potocols - CFIP» Convy,., Mill, D., ndaalingam,. 2003. Cisco AFE: Wilss LAN scity in dth. Cisco ystms Dant, R., Clothi, G., Ati, A. 2007. EAP mthods fo wilss ntwoks. Comt tandads & Intfacs. Mach, 29(3).. 289-301 Fnk, P., Blak-Wilson,. 2004. EAP Tnnld TL Athntication Potocol (EAP- TTL). «daft-itf-xt-a-ttls-05.txt, intnt daft», Jly 2004 Gast, M.. 2005. 802.11 wilss ntwok. O'Rilly IEEE 802. 1X-2004. 2004. IEEE tandad fo Local and Mtoolitan Aa Ntwoks Pot-Basd Ntwok Accss Contol. «IEEE, Piscataway» IEEE 802.11i standad. 2004. LAN/MAN cific Rqimnts, Pat 11: Wilss LAN Mdim Accss Contol (MAC) and Physical Lay (PHY) scifications: cification fo Enhancd city Mill, B.R., Hamilton, B.A. 2002. Isss in Wilss city WEP, WPA& 802.11i. Pocdings of th «18th Annal Comt city Alications Confnc», Dcmb 2002 Palka, A. t al. 2003. Potctd EAP Potocol (PEAP) vsion 2. «daft-josfssonxt-a-tls-a-07.txt, intnt daft», Octob 2003 chni, B. 1996. Alid Cytogahy. cond dition, John Wily & ons. nyd, J. 2002. What is 802.1X?. Ntwok Wold Global Tst Allianc. [n lign]. May 2002. Disonibl à l adss : www.ntwokwold.com 122 Rv RIT 2010, vol.18, n 2