initialization of the authentication procedure, in which the user communicates with the wireless AP via EAP over LAN (EAPOL). The user sends his identity in the format of the Network Access Identifier (NAI). This identity can be the International Mobile Subscriber Identity (IMSI) or his temporary identity (TMSI). The IMSI must be sent in plain text in the first connection setup, and the TMSI is used in the subsequent setups.

communication between the network components as EAPOL, RADIUS, Diameter, etc. The vulnerabilities mentioned for GSM/GPRS authentication were addressed in the structure of the UMTS-AKA protocol; this authentication protocol benefits from mutual authentication and new cryptography with a higher degree of security. Because EAP-AKA is an encapsulation of the AKA procedure in EAP, it does not inherit those GSM/GPRS vulnerabilities.
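As an added illustration (not code from the paper), the following Python shows how the NAI username encodes which identity the UE is sending in EAP-SIM/EAP-AKA (the leading-character convention of RFC 4186 and RFC 4187) and what a passive listener on the EAPOL link learns from a batch of EAP-Response/Identity messages: only the permanent identity carries the IMSI, while pseudonyms and fast re-authentication identities leak nothing. The operator realm layout and the sample identities are constructed for the example.

```python
"""EAP-SIM / EAP-AKA identities as carried in the NAI of EAP-Response/Identity."""
import re
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Leading character of the NAI username, per RFC 4186 (EAP-SIM) and
# RFC 4187 (EAP-AKA). Only the "permanent" forms contain the IMSI.
IDENTITY_PREFIXES = {
    "0": ("EAP-AKA", "permanent"), "1": ("EAP-SIM", "permanent"),
    "2": ("EAP-AKA", "pseudonym"), "3": ("EAP-SIM", "pseudonym"),
    "4": ("EAP-AKA", "fast-reauth"), "5": ("EAP-SIM", "fast-reauth"),
}
# Realm layout assumed for this example (3GPP-style operator realm).
REALM_RE = re.compile(r"^wlan\.mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")


@dataclass
class ParsedNAI:
    method: str
    kind: str
    imsi: Optional[str]          # set only for a permanent identity
    mcc: Optional[str]
    mnc: Optional[str]
    exposes_permanent_identity: bool


def parse_nai(nai: str) -> ParsedNAI:
    """Split 'username@realm' and classify the username by its leading character."""
    if "@" not in nai:
        raise ValueError("NAI must be of the form username@realm")
    username, realm = nai.split("@", 1)
    if not username or username[0] not in IDENTITY_PREFIXES:
        raise ValueError(f"unknown identity prefix in {username!r}")
    method, kind = IDENTITY_PREFIXES[username[0]]
    body = username[1:]
    m = REALM_RE.match(realm)
    mnc, mcc = (m.group(1), m.group(2)) if m else (None, None)
    imsi = None
    if kind == "permanent":
        # An IMSI is 6 to 15 digits: MCC (3) + MNC (2 or 3) + MSIN.
        if not (6 <= len(body) <= 15 and body.isdigit()):
            raise ValueError(f"malformed IMSI {body!r}")
        if m:
            # The realm is derived from the IMSI's own MCC/MNC; a 2-digit MNC
            # appears zero-padded to 3 digits in the realm.
            candidates = [mcc + mnc] + ([mcc + mnc[1:]] if mnc.startswith("0") else [])
            if not any(body.startswith(c) for c in candidates):
                raise ValueError("realm MCC/MNC does not match the IMSI")
        imsi = body
    return ParsedNAI(method, kind, imsi, mcc, mnc, kind == "permanent")


def eavesdropped_imsis(observed_nais: Iterable[str]) -> Set[str]:
    """What a passive listener on the EAPOL link learns from a batch of
    EAP-Response/Identity messages: the IMSI of every first attach that used
    a permanent identity. Pseudonym and fast re-auth identities reveal nothing."""
    leaked = set()
    for nai in observed_nais:
        try:
            parsed = parse_nai(nai)
        except ValueError:
            continue            # malformed or foreign identity: nothing usable
        if parsed.imsi is not None:
            leaked.add(parsed.imsi)
    return leaked


# Constructed sample capture (not real subscribers): two first attaches with
# permanent identities, one EAP-SIM pseudonym, one EAP-AKA fast re-auth identity.
SAMPLE_CAPTURE = [
    "0234150999999999@wlan.mnc015.mcc234.3gppnetwork.org",
    "3a4b9f01c2@wlan.mnc015.mcc234.3gppnetwork.org",
    "1262011234567890@wlan.mnc011.mcc262.3gppnetwork.org",
    "4f00d5e1@wlan.mnc011.mcc262.3gppnetwork.org",
]
```

Running `eavesdropped_imsis(SAMPLE_CAPTURE)` yields exactly the two IMSIs from the permanent identities; the realm/IMSI consistency check also catches an identity whose realm does not belong to the IMSI's home operator.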
2.3. EAP-TLS

Secure Socket Layer (SSL) is the most widely used security protocol on the wired Internet and employs a public key infrastructure [12]. As a result, many works have focused on applying SSL-based authentication protocols to wireless networks in order to integrate wireless and wired networks [13]-[16]. Performance considerations have discouraged the use of SSL-based protocols in resource-constrained environments such as the wireless environment. On the other hand, the relatively small sizes of wireless data transactions imply that public key operations dominate the security processing requirements in wireless networks.

Figure 3. EAP-TLS authentication protocol (message flow recovered from the figure). Entities: UE, AP, AAA Server, HSS/HLR; interfaces Ww (EAPOL), Wa (AAA: RADIUS or Diameter), Wx (SS7).
1. Connection establishment
2. EAP-Request/Identity
3. EAP-Response/Identity (NAI)
4. Access Request with UserID (EAP-Type=EAP-TLS, start bit set, no data)
5. EAP-TLS Start; EAP-Response [EAP-Type=EAP-TLS (TLS Client-Hello)]
6. EAP-Request [EAP-Type=EAP-TLS (TLS Server-Hello, TLS Certificate, TLS Key-Exchange, TLS Certificate-Request, TLS Server-Hello-Done)]; the UE performs a public key operation to verify the AAA server's certificate
7. EAP-Response [EAP-Type=EAP-TLS (TLS Certificate, TLS Client-Key-Exchange, TLS Certificate-Verify, TLS Change-Cipher-Spec, TLS Finished)]
8. EAP-Request [EAP-Type=EAP-TLS (TLS Change-Cipher-Spec, TLS Finished, New Encrypted Pseudonym)]; RADIUS Access Success; the session key is sent to the AP using the AAA protocol
9. EAP-Response [EAP-Type=EAP-TLS]; the UE decrypts the new pseudonym (P-TMSI)

EAP-TLS is an authentication and key agreement protocol which is mainly based on SSL v3. Like SSL, EAP-TLS uses public key cryptography to communicate securely with the AAA server. EAP-TLS is known as one of the most secure EAP methods on wireless LANs. The requirement for a client to possess a certificate as part of the authentication procedure cast doubt on the feasibility of implementing EAP-TLS on wireless networks. References [13], [14] present some practical aspects of the implementation of EAP-TLS on wireless networks.

Fig. 3 illustrates the structure of the EAP-TLS authentication protocol proposed in [13], [14]. The message flow in the figure includes the essential adaptations to EAP-TLS that make it "mobile-enabled" [14]. The initialization procedure is NAI based and similar to the protocols mentioned in the previous sections. The user sends his identity (IMSI or TMSI) along with the certificate in an EAP response message, and the EAP server verifies the user identity by this certificate. On the other side, the client checks the validity of the server certificate, which is signed by a trusted Certification Authority (CA).

In the EAP-TLS architecture proposed in [14], the use of PKI is mandatory, so a CA must be connected to the 3G core network to issue the certificates. Different structures are proposed in [14] to support the PKI in the UMTS architecture. A procedure for session resumption is also presented that improves the efficiency of repeated connection attempts. In this structure, the need for the generation of the AVs by the HSS/HLR is eliminated. Finally, EAP-TLS provides an end-to-end authentication procedure.

2.4. EAP-TTLS

EAP-TTLS is a revision of EAP-TLS motivated by the fact that the need for a PKI, in particular client certificates, was a deficiency in wireless networks [6]. EAP-TTLS utilizes the secure connection established by the TLS protocol. The TLS handshake used in TTLS may be either mutual or one-way (only the server is authenticated to the client). The client may be authenticated using an AAA protocol such as RADIUS. The authentication of the client may be EAP or another protocol such as CHAP (Challenge Handshake Authentication Protocol) [15], [16].

Figure 4. EAP-TTLS authentication protocol (message flow recovered from the figure). Entities: UE, AP, AAA Server, HSS/HLR; interfaces Ww (EAPOL), Wa (AAA: RADIUS or Diameter), Wx (SS7).
1. Connection establishment
2. EAP-Request/Identity
3. EAP-Response/Identity (NAI)
4. EAP-TLS Start
5. Client Hello
6. Server Hello, Server Certificate, Server Hello Done
7. Client Key Exchange, Change Cipher Spec (in SSL), Finished (encrypted)
8. Change Cipher Spec, Finished (encrypted)
9-11. Tunneled client authentication (CHAP), as described in the text below
12. Success, data cipher suite, session key
13. EAP Success

EAP-TTLS has the advantage of easy deployment on an existing wireless network structure. This protocol is in fact a combination of two protocols: an outer and an inner protocol. The inner protocol is the legacy authentication protocol, and the outer protocol protects the inner protocol messages. Moreover, the outer protocol provides a tunnel that enables the network to perform functions such as client authentication and key distribution. The outer protocol itself is a TLS handshake, which is used to authenticate the server to the client based on the server's public key certificate.

Fig. 4 shows the EAP-TTLS authentication procedure. In this figure, the TLS protocol is used to authenticate the server and the CHAP protocol performs the client authentication. The server must verify the response to the CHAP challenge to authenticate the user. Steps 1 through 3 in Fig. 4 are the initialization procedure, similar to the other protocols, and steps 4 through 8 show the creation of a TLS tunnel in which the server is authenticated. The remaining steps authenticate the client inside the established tunnel. In EAP-TTLS, if the client uses a certificate for authentication, the protocol follows the same procedure as EAP-TLS [15], [16].

(IJCNS) International Journal of Computer and Network Security, Vol. 2, No. 10, 2010

2.5. PEAP

PEAP provides a wrapping of the EAP protocol within TLS [7]. Similar to EAP-TTLS, PEAP implements a tunnel to transfer the authentication protocol messages. One of the protocols that can be encapsulated in the PEAP tunnel is EAP-AKA. As mentioned earlier, the tunnel derives the session keys.

The message flow in PEAP with EAP-AKA authentication is illustrated in Fig. 5. The UE and the HSS share a common secret key which is used during the authentication. In the initialization phase, the UE sends its identity (IMSI/TMSI) as part of EAP-AKA. A protocol such as MAP, Diameter or RADIUS carries the IMSI from the AAA server to the HSS/HLR. Then the HSS/HLR calculates the AVs (RAND, AUTN, XRES, IK and CK) and sends them to the AAA server. The chosen AV is sent to the UE for verification, so that the network is authenticated to the user. The RES is sent back to the AAA server and, if RES = XRES, the UE is authenticated. After the AKA procedure is completed, session keys are derived and shared between the UE and the AP. These session keys are not the same as those derived in 3G-AKA; they are derived from the TLS master secret.

Figure 5. PEAP authentication protocol

3. Deficiencies and Vulnerabilities

The five authentication protocol candidates for the integration of wireless networks were explained earlier. In this section, a critical evaluation is made that introduces the deficiencies and vulnerabilities of each protocol separately. Some of these vulnerabilities are revealed by attacks proposed in the literature, which are also addressed in this section. Additionally, deficiencies are unveiled by making critical comparisons between the protocols.

3.1 Vulnerabilities of the protocols

Generally, the authentication protocols presented in the previous section set up connections between the cellular networks and the WLAN. The security protocols included in WLANs are mainly based on the different versions of 802.11. The basic version of 802.11 is considered one of the most vulnerable security protocols. Currently, new versions of this security protocol are implemented in wireless networks. One of the new security architectures for 802.11 is called WiFi Protected Access (WPA). WPA2, which is widely used in wireless networks, suffers from a number of vulnerabilities such as denial of service attacks, session hijacking in the absence of encryption, and the lack of a trust relationship within the WPA architecture. On the other hand, the user equipment itself may become the weak point. This happens when, for instance, a Trojan in the terminal originates a challenge-response with the UICC and forwards the results to an active attacker. The attacker then analyzes the messages and sets up an attack. Another example is malicious software residing in a different host which can launch a Distributed Denial of Service (DDoS) attack. When a user intends to access a WLAN service via a cellular authentication procedure, the SIM/USIM must be used remotely from the WLAN client through a serial, infrared or Bluetooth connection. Sending credentials over these connections can endanger user confidentiality.

3.1.1 EAP-SIM

EAP-SIM establishes a secure connection between GSM and WLAN [1]-[3]. The GSM network suffers from many security weaknesses such as unidirectional authentication, a weak key agreement protocol, the possibility of replay attacks, and weak cryptographic primitives, which have resulted in many successful attacks on this architecture [9], [17]. EAP-SIM claims to have solved many of the security flaws in GSM. Some of the vulnerabilities of EAP-SIM can be summarized as follows.
• The mobile user is obliged to send his permanent identity (IMSI) in plain text during the first authentication attempt. Correspondingly, a passive eavesdropper may steal this identity and use it in a later active attack.
• The messages transmitted between the UE and the Radio Network Controller (RNC) are the only messages provided with integrity protection; hence, the protocol may be vulnerable to replay attacks.
• Many EAP-SIM messages (EAP-Request/Notification, EAP-Success, or EAP-Failure) are exchanged unprotected, enabling an attacker to send false notifications and mount denial of service attacks.
• Although EAP-SIM mandates the use of fresh authentication triplets, there is no mechanism that enables the user to check whether the authentication triplets received from the AAA server are fresh. Therefore, if an attacker has access to authentication triplets, he may use the compromised triplets as long as the master secret key remains unchanged for the target user.
• A possible way of implementing a Man-in-the-Middle (MitM) attack on EAP-SIM is when the same authentication triplets are used in both GSM and WLAN access. If the HSS is not used specifically for the interworking of GSM and WLAN, then the HLR will be used as the database that stores the authentication credentials. Accordingly, the authentication triplets stolen from a GSM connection
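The freshness gap noted for EAP-SIM above is what the UMTS AKA quintet of Section 2.5 closes: AUTN carries a MAC over the sequence number and RAND together with the concealed sequence number itself, so the USIM both authenticates the network and refuses a replayed vector, while a GSM triplet (RAND, SRES, Kc) gives the SIM nothing to check. The following Python is an added example, not from the paper; it replaces the MILENAGE functions f1 to f5 (and GSM A3) with HMAC-SHA256 stand-ins, an assumption marked in the code, and uses a constructed subscriber key.

```python
"""Simplified UMTS AKA run behind EAP-AKA: quintet generation at the HSS,
network authentication and SQN freshness check at the USIM, RES check at the AAA."""
import hashlib
import hmac
import os
from dataclasses import dataclass

AMF = b"\x80\x00"   # Authentication Management Field (fixed for the example)


def _f(k: bytes, tag: bytes, n: int, *parts: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for the MILENAGE functions f1..f5
    # (and GSM A3) that a real USIM/AuC implement; only the protocol logic is modelled.
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, sqn, rand, amf): return _f(k, b"f1", 8, sqn, rand, amf)   # MAC-A
def f2(k, rand):           return _f(k, b"f2", 8, rand)             # RES / XRES
def f3(k, rand):           return _f(k, b"f3", 16, rand)            # CK
def f4(k, rand):           return _f(k, b"f4", 16, rand)            # IK
def f5(k, rand):           return _f(k, b"f5", 6, rand)             # AK (conceals SQN)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass
class AuthVector:            # the AV (RAND, AUTN, XRES, IK, CK) of the text
    rand: bytes
    xres: bytes
    ck: bytes
    ik: bytes
    autn: bytes              # (SQN xor AK) || AMF || MAC-A


class HSS:
    """Holds the subscriber key K and the SQN counter; supplies AVs to the AAA server."""
    def __init__(self, k: bytes, sqn: int = 0):
        self.k, self.sqn = k, sqn

    def generate_av(self) -> AuthVector:
        self.sqn += 1                          # every AV carries a new, higher SQN
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        autn = xor(sqn, f5(self.k, rand)) + AMF + f1(self.k, sqn, rand, AMF)
        return AuthVector(rand, f2(self.k, rand), f3(self.k, rand), f4(self.k, rand), autn)


class USIM:
    """UE side: authenticates the network via AUTN and refuses a non-fresh SQN."""
    def __init__(self, k: bytes):
        self.k, self.sqn_highest = k, 0

    def respond(self, rand: bytes, autn: bytes):
        """Return (RES, CK, IK), or raise if AUTN fails or the AV is replayed."""
        conc_sqn, amf, mac = autn[:6], autn[6:8], autn[8:16]
        sqn = xor(conc_sqn, f5(self.k, rand))
        if not hmac.compare_digest(mac, f1(self.k, sqn, rand, amf)):
            raise ValueError("MAC failure: network not authenticated")
        sqn_int = int.from_bytes(sqn, "big")
        if sqn_int <= self.sqn_highest:
            raise ValueError("synchronisation failure: SQN not fresh (replayed AV)")
        self.sqn_highest = sqn_int
        return f2(self.k, rand), f3(self.k, rand), f4(self.k, rand)


def aaa_check(av: AuthVector, res: bytes) -> bool:
    """AAA server step: RES from the UE must equal XRES from the quintet."""
    return hmac.compare_digest(res, av.xres)


def run_aka(hss: HSS, usim: USIM) -> bool:
    """One honest run: HSS -> AAA (AV); AAA -> UE (RAND, AUTN); UE -> AAA (RES)."""
    av = hss.generate_av()
    res, ck, ik = usim.respond(av.rand, av.autn)
    return aaa_check(av, res) and (ck, ik) == (av.ck, av.ik)


def replay_is_rejected(hss: HSS, usim: USIM) -> bool:
    """An attacker replays a captured (RAND, AUTN) after the honest run used it.
    The MAC still verifies (it was genuine), but the SQN is no longer fresh."""
    av = hss.generate_av()
    usim.respond(av.rand, av.autn)
    try:
        usim.respond(av.rand, av.autn)
    except ValueError:
        return True
    return False


def gsm_sim_accepts_replay(ki: bytes) -> bool:
    """GSM contrast: a triplet (RAND, SRES, Kc) carries no AUTN, so the SIM answers
    any RAND, replayed or not, and never authenticates the network."""
    rand = os.urandom(16)
    first = _f(ki, b"a3", 4, rand)     # SRES for the genuine challenge
    second = _f(ki, b"a3", 4, rand)    # same RAND replayed: identical SRES, nothing to refuse
    return first == second
```

The replay test passes the MAC check, since the replayed AUTN is genuine, and is stopped only by the sequence number comparison; that comparison is exactly the check a GSM SIM has no data to perform.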
3.1.2 EAP-AKA

EAP-AKA is the authentication protocol used in the interworking of WLAN and UMTS cellular networks [1], [2], [4]. In this protocol, EAP encapsulates the AKA procedure, which is known for providing adequate security. Moreover, the authentication token (AUTN) and the sequence number in the message flow of the authentication procedure are used to defeat replay and impersonation attacks. In spite of all the attempts to make a secure protocol, it is blamed for the following vulnerabilities.
• EAP-AKA does not support cipher suite or protocol version negotiation, and the key sizes and algorithms are fixed, making it a less secure and inflexible protocol.
• Integrity protection is only guaranteed when communicating between the radio network controller and the user equipment; hence, the protocol may be vulnerable to replay attacks.
• The IMSI is sent in plain text on the first authentication attempt, so an adversary pretending to be a valid server may force the user to send his IMSI and thereby obtain his permanent identity.
• Many EAP-AKA messages (EAP-Request/Notification, EAP-Success, and EAP-Failure) are exchanged unprotected, enabling an attacker to mount denial of service attacks.
• Although the AKA procedure is strong enough to defeat the MitM attack, the integration of UMTS with GSM has resulted in the interception of all UE-initiated calls [18], an eavesdropping attack, and an impersonation attack [19]. If the HSS is not used specifically for the interworking of UMTS and WLAN, a MitM attack is likely to happen. The authentication credentials gained by mounting the previously mentioned attacks on the HLR assist the attacker in initiating a MitM attack on EAP-AKA.

3.1.3 EAP-TLS

EAP-TLS appeared to provide an acceptable level of security in wired networks. It has not yet shown any vulnerability to MitM attacks. Nevertheless, similar to the other interworking authentication protocols, the Network Access Identifier (NAI) can divulge the permanent user identity under certain circumstances, thus compromising user privacy.

3.1.4 EAP-TTLS

EAP-TTLS was proposed to eliminate the need for a client-side PKI in EAP-TLS and to provide more security by tunneling, which itself increased the possibility of a MitM attack [20]. The attack suggested in [20] is due to the fact that the legacy client authentication protocol is not aware of whether it is run in a protected or an unprotected mode. The main cause of the MitM attack in EAP-TTLS is the ability of the client authentication to proceed without tunneling. The message flow of the MitM attack on EAP-TTLS is depicted in Fig. 6.

Figure 6. MitM in the EAP-TTLS

As shown in Fig. 6, the MitM captures the initialization procedure of a legitimate user and sets up a tunneled authentication protocol with the AAA server using the UE identity. Afterwards, the MitM forwards the legitimate client's authentication protocol messages through the tunnel. The MitM unwraps the messages received from the AAA server and forwards them to the legitimate user. After the successful completion of the procedure, the MitM derives the session keys and starts an active or passive attack.

3.1.5 PEAP

PEAP is a tunneling protocol similar to EAP-TTLS which provides a wrapping for legacy protocols such as EAP-AKA. The most significant vulnerability of this protocol arises from the nature of including a tunneling procedure. The MitM attack on PEAP with EAP-AKA is displayed in Fig. 7.

Figure 7. MitM in the PEAP with EAP-AKA

According to Fig. 7, the MitM initiates a tunneled authentication protocol with the network while masquerading as the legitimate AP to the user. The MitM unwraps the tunneled messages received from the AAA server and forwards them to the victim. At the end of the procedure, the MitM owns the session keys.
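The attack in Figs. 6 and 7 works because the session key depends only on the outer tunnel, which the MitM negotiated, while the inner method ran end-to-end with the victim, who does not know it is being tunneled. The following Python is an added example, not code from the paper or from reference [20]; it replays the relay with and without a cryptographic binding of the inner method's key material to the tunnel key (the compound-MAC countermeasure later adopted in PEAPv2 and TEAP). Keys are modelled with HMAC-SHA256 in place of the TLS PRF, the inner method is an abstract challenge-response standing in for CHAP or EAP-AKA, and the shared inner secret is constructed.

```python
"""Tunneled-EAP MitM of Figs. 6 and 7, with and without cryptographic binding
of the inner method to the outer TLS tunnel."""
import hashlib
import hmac
import os
from typing import Optional


def kdf(key: bytes, label: bytes) -> bytes:
    # Assumption: HMAC-SHA256 as a one-step KDF in place of the TLS PRF.
    return hmac.new(key, label, hashlib.sha256).digest()


def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class AAAServer:
    """Terminates the TLS tunnel and runs a legacy challenge-response method
    (stand-in for CHAP or EAP-AKA) inside it; inner_secret is shared with the UE."""
    def __init__(self, inner_secret: bytes, require_binding: bool):
        self.inner_secret, self.require_binding = inner_secret, require_binding
        self.tunnel_key: Optional[bytes] = None
        self.inner_key: Optional[bytes] = None
        self.challenge = os.urandom(16)
        self.binding_nonce = os.urandom(16)

    def tls_handshake(self) -> bytes:
        # Whoever completes the outer handshake shares the tunnel key with the
        # server (server-only authentication, as in the one-way TTLS handshake).
        self.tunnel_key = os.urandom(32)
        return self.tunnel_key

    def inner_verify(self, response: bytes) -> bool:
        if not hmac.compare_digest(response, mac(self.inner_secret, self.challenge)):
            return False
        self.inner_key = kdf(self.inner_secret, b"inner-msk" + self.challenge)
        return True

    def compound_key(self) -> bytes:
        # Binds the inner method's key material to this particular tunnel.
        return kdf(self.tunnel_key + self.inner_key, b"compound")

    def binding_ok(self, client_mac: bytes) -> bool:
        return hmac.compare_digest(client_mac, mac(self.compound_key(), self.binding_nonce))

    def session_key(self) -> bytes:
        if not self.require_binding:
            return kdf(self.tunnel_key, b"session")   # TTLS behaviour from the text: TLS master secret only
        return kdf(self.compound_key(), b"session")


class LegitUE:
    """The victim: runs the inner method in unprotected mode (it believes it is
    talking to the network directly), so it holds the inner key but no tunnel key."""
    def __init__(self, inner_secret: bytes):
        self.inner_secret, self.inner_key = inner_secret, None

    def inner_respond(self, challenge: bytes) -> bytes:
        self.inner_key = kdf(self.inner_secret, b"inner-msk" + challenge)
        return mac(self.inner_secret, challenge)

    def binding_attempt(self, nonce: bytes) -> bytes:
        # Best it can do without a tunnel key; the server will not accept this.
        return mac(self.inner_key, nonce)


def mitm_attack(server: AAAServer, ue: LegitUE) -> dict:
    """Fake AP toward the UE, fake client toward the server, relaying the inner
    method through a tunnel that only the MitM negotiated."""
    tunnel_key = server.tls_handshake()
    if not server.inner_verify(ue.inner_respond(server.challenge)):
        return {"accepted": False, "mitm_has_session_key": False}
    if server.require_binding and not server.binding_ok(ue.binding_attempt(server.binding_nonce)):
        return {"accepted": False, "mitm_has_session_key": False}   # binding check fails
    known_to_mitm = kdf(tunnel_key, b"session")
    return {"accepted": True,
            "mitm_has_session_key": hmac.compare_digest(server.session_key(), known_to_mitm)}


def honest_tunneled_run(server: AAAServer, inner_secret: bytes) -> bool:
    """Same device does the handshake and the inner method, so it can form the compound MAC."""
    tunnel_key = server.tls_handshake()
    if not server.inner_verify(mac(inner_secret, server.challenge)):
        return False
    inner_key = kdf(inner_secret, b"inner-msk" + server.challenge)
    compound = kdf(tunnel_key + inner_key, b"compound")
    return (not server.require_binding) or server.binding_ok(mac(compound, server.binding_nonce))
```

Without binding the server accepts and the MitM holds the session key, exactly the outcome of Figs. 6 and 7; with binding the run is refused because neither the MitM (no inner key) nor the victim (no tunnel key) can produce the compound MAC, while an honest client that ran both phases itself still succeeds.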
3.2 Deficiencies of the protocols

Each candidate protocol has its advantages and disadvantages for employment in the interworking of WLAN with cellular networks. The most notable drawback of EAP-SIM and EAP-AKA is their dependency on the cellular network structure, so they cannot be dynamic. However, the advantage of EAP-TLS/TTLS or PEAP is that the user can be authenticated locally and does not need to first connect to the cellular access gateway. Another deficiency of the two cellular protocols is the latency of the authentication procedure, which is exacerbated by the frequent roaming of users among different WLANs; this frequency is caused by the comparatively small range of each WLAN AP. Another advantage of EAP-TLS/TTLS or PEAP in comparison with EAP-SIM/AKA is their applicability in beyond-3G heterogeneous networks, since they have been successfully deployed as protocols in the Internet, which is the backend of beyond-3G networks.

Much research has focused on comparing the energy consumption, latency, and total size of these authentication protocols in an interworking scenario [13]-[16]. All of it demonstrates that EAP-SIM and EAP-AKA suffer from considerable latency but benefit from a small total size on the UE.

The most significant problem in the implementation of the legacy wired Internet protocols in the interworking of WLAN with cellular networks is the infrastructure required for using public keys and a PKI. EAP-TLS/TTLS and PEAP use a public key infrastructure and a certificate authority which are not present in the existing 2G and 3G cellular networks. Another problem of using a certificate authority is that the USIM, which is a constrained resource, must be preloaded with all the CA public keys. Furthermore, most UEs are not equipped with a digital certificate.

Table 1 summarizes the main vulnerabilities and deficiencies mentioned earlier.

Table 1: Vulnerabilities and deficiencies comparison (yes: the property holds; no: it does not)

Property                      | EAP-SIM | EAP-AKA | EAP-TLS | EAP-TTLS | PEAP
User identity protection      | no      | no      | no      | yes      | yes
Secure against the MitM       | no      | no      | yes     | no       | no
Secure against replay attack  | no      | no      | no      | no       | no
Interworking with Internet    | no      | no      | yes     | yes      | yes
Short latency                 | no      | no      | yes     | yes      | yes
Low energy consumption        | yes     | yes     | no      | no       | no
Small total size              | yes     | yes     | no      | no       | no

4. Conclusion

The authentication and key agreement procedures of the interworking architecture between WLAN and cellular networks were discussed for different candidate protocols. The two protocols accepted by 3GPP are EAP-SIM and EAP-AKA, because of their easy compatibility with the existing cellular network infrastructures. On the other hand, EAP-TLS/TTLS and PEAP, which are used in the Internet, showed promising advantages for employment in the interworking structure. The security vulnerabilities and deficiencies of each authentication protocol were addressed and compared. Although 3GPP has accepted the interworking protocols for the WLAN-cellular network, more studies on the efficiency of the security protocols for beyond-3G networks are required.

References

[1] 3GPP, "3GPP system to Wireless Local Area Network (WLAN) interworking; System description," 3GPP TS 23.234 V9.0.0, Jan. 2010.
[2] 3GPP, "Wireless Local Area Network (WLAN) interworking security," 3GPP TS 23.234 V9.2.0, June 2010.
[3] H. Haverinen, J. Salowey, "Extensible Authentication Protocol Method for Global System for Mobile Communications (GSM) Subscriber Identity Modules (EAP-SIM)," IETF RFC 4186, Jan. 2006.
[4] J. Arkko, H. Haverinen, "Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA)," IETF RFC 4187, Jan. 2006.
[5] B. Aboba, D. Simon, "PPP EAP TLS Authentication Protocol," IETF RFC 2716, Oct. 1999.
[6] P. Funk, S. Blake-Wilson, "Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)," IETF RFC 5281, Aug. 2008.
[7] H. Anderson, S. Josefsson, "Protected Extensible Authentication Protocol (PEAP)," IETF RFC 2026, Aug. 2001.
[8] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, H. Levkowetz, "Extensible Authentication Protocol (EAP)," IETF RFC 3748, June 2004.
[9] E. Barkan, E. Biham, N. Keller, "Instant ciphertext-only cryptanalysis of GSM encrypted communication," Journal of Cryptology, vol. 21, no. 3, 2008.
[10] A. Bogdanov, T. Eisenbarth, A. Rupp, "A hardware-assisted realtime attack on A5/2 without precomputations," in Cryptographic Hardware and Embedded Systems (CHES 2007), LNCS vol. 4727, pp. 394-412, 2007.
[11] C. Xenakis, C. Ntantogian, "Security architectures for B3G mobile networks," Telecommunication Systems, vol. 35, pp. 123-139, Sept. 2007.
[12] V. Gupta, S. Gupta, "Experiments in wireless Internet security," Proc. IEEE Wireless Communications and Networking Conf. (WCNC), vol. 1, pp. 859-863, March 2002.
[13] G. Kambourakis, A. Rouskas, S. Gritzalis, "Using SSL in authentication and key agreement procedures of future mobile networks," Proc. 4th IEEE Int. Conf. on Mobile and Wireless Communication Networks (MWCN 2002), pp. 152-156, Sept. 2002.
[14] G. Kambourakis, A. Rouskas, G. Kormentzas, S. Gritzalis, "Advanced SSL/TLS-based authentication for secure WLAN-3G interworking," IEE Proceedings Communications, vol. 151, pp. 501-506, Oct. 2004.
[15] P. Prasithsangaree, P. Krishnamurthy, "A new authentication mechanism for loosely coupled 3G-WLAN integrated networks," Proc. IEEE Vehicular Technology Conference (VTC 2004), vol. 5, pp. 2284-3003, May 2004.