How to Bootstrap Trust among Devices in Wireless Environments via EAP-STLS

  • Massimiliano Pala
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7868)


Wireless networks are becoming the de facto standard for home communications. Computers, phones, and appliances access broadband internet connections via a common Access Point (AP) directly connected to the ISP network or via phone lines. As we introduce more and more smart devices into our homes, the security and authentication of our “personal devices” is paramount. Regrettably, because of the difficulties in managing user credentials, the vast majority of home environments are secured via Pre-Shared Keys (PSKs). This leads to the use of long-lived weak passwords for network authentication and data encryption. In this paper we analyze the different possibilities offered by current standards and describe a new authentication mechanism, Simple TLS (EAP-TTLS/EAP-STLS), that allows trust to be bootstrapped among devices via strong credentials (PK certificates). Our work specifically targets the security of home wireless environments, where security is often forfeited in favor of practicality.


Smart Card, Access Server, Mutual Authentication, Authentication Server, Authentication Mechanism
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.





Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Massimiliano Pala, PKI/Trust Labs — CSE Department, Polytechnic Institute of NYU, Brooklyn, USA
