An EAP-EHash authentication method adapted to resource constrained terminals

  • Omar Cheikhrouhou
  • Maryline Laurent
  • Amin Ben Abdallah
  • Maher Ben Jemaa
Article

Abstract

In the era of mobile and wireless networks, the growing complexity of end devices and the accentuated tendency towards their miniaturization raise new security challenges. Authentication is a crucial concern in resource constrained environments, and despite the great number of existing EAP methods, as explained in the article, there is still a need for EAP methods tightly adapted to wireless environments and accommodating the heterogeneity of terminals and their resource limitations. After a first comparative analysis of existing EAP methods, this article presents a new EAP-EHash method (EHash for encrypted hash) that is adapted to the highly vulnerable wireless environment by supporting mutual authentication and session key derivation and by offering simplicity, rapidity, and easy-to-deploy features. EAP-EHash was formally proven to satisfy the claimed security properties using the AVISPA tool. Its implementation on an 802.11 testbed platform gave realistic authentication delays averaging 26 ms, showing that EAP-EHash is competitive with EAP-MD5, which is known to be the simplest of the EAP methods. Features of EAP-EHash include short execution delays and low bandwidth consumption, and as such it appears attractive for wireless environments.

Keywords

EAP, EAP methods, EAP-MD5, EAP-TLS, EAP-EHash, Authentication protocol, Validation, AVISPA

Abbreviations

3DES: Triple DES
AAA: Authentication, authorization, accounting
AK: Authentication key
AP: Access point
AS: Authentication server
AVISPA: Automated validation of internet security protocols and applications
CPU: Central processing unit
DES: Data encryption standard
DoS: Denial of service
EAP: Extensible authentication protocol
EHash: Encrypted hash
EK: Encryption key
EP: Enforcement point
IKEv2: Internet Key Exchange version 2
KDK: Key derivation key
MK: Master key
MD5: Message digest 5
MIC: Message integrity check
MITM: Man-in-the-middle
PKI: Public key infrastructure
PMK: Pairwise master key
PRF: Pseudo-random function
PSK: Pre-shared key
PTK: Pairwise transient key
SHA-1: Secure hash algorithm 1

Copyright information

© Institut TELECOM and Springer-Verlag 2009

Authors and Affiliations

  • Omar Cheikhrouhou (1)
  • Maryline Laurent (2)
  • Amin Ben Abdallah (2)
  • Maher Ben Jemaa (1)

  1. Ecole Nationale d'Ingénieurs de Sfax, Unité de recherche ReDCAD, Sfax, Tunisia
  2. Institut TELECOM, Evry, France