A Modular Security Analysis of EAP and IEEE 802.11

  • Chris Brzuska
  • Håkon Jacobsen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10175)


We conduct a reduction-based security analysis of the Extensible Authentication Protocol (EAP), a widely used three-party authentication framework. We show that the main EAP construction, considered as a 3P-AKE protocol, achieves a security notion which we call AKE\(^w\) under the assumption that the EAP method employs channel binding. The AKE\(^w\) notion resembles a two-pass variant of the eCK model. Our analysis is modular and reflects the compositional nature of EAP. Furthermore, we show that the security of EAP can easily be upgraded by adding an additional key-confirmation step. This key-confirmation step is often carried out in practice in the form of a link-layer specific AKE protocol that uses EAP for bootstrapping its authentication. A concrete example of this is the extremely common IEEE 802.11 4-Way-Handshake protocol used in WLANs. Building on our modular results for EAP, we get as our second major result the first provable security result for IEEE 802.11 with upper-layer authentication.


Forward Secrecy, Extensible Authentication Protocol, Pseudorandom Function, Composition Theorem, Server Session
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We would like to thank Colin Boyd, Britta Hale and Cas Cremers for helpful comments and discussions. Chris Brzuska is grateful to NXP for supporting his chair for IT Security Analysis.



Copyright information

© International Association for Cryptologic Research 2017

Authors and Affiliations

  1. Hamburg University of Technology, Hamburg, Germany
  2. Norwegian University of Science and Technology, Trondheim, Norway
