Where EAP security claims fail.

QSHINE '07: The Fourth International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness & Workshops (2007)

Cited by 25 | Views 0
Abstract
The Extensible Authentication Protocol (EAP) is widely used as an authentication framework to control access to wireless networks, e.g. in IEEE 802.11 and IEEE 802.16 networks. In this paper, we discuss limitations of EAP security and demonstrate how these limitations can be exploited to launch attacks on existing EAP methods. In particular, we present a series of attacks which cause some standard security claims, namely channel binding, protected ciphersuite negotiation and cryptobinding, to fail and compromise the key exchange, authentication and privacy of EAP communications. Next, we identify the special security challenges of EAP systems that may cause the considered security claims to fail. EAP differs from other authentication frameworks that are two-party protocols, like IKE and TLS, because it is conducted with three parties involved across two communication links with different media. Another security challenge of EAP is the negotiability of EAP methods, ciphersuites, and protocol versions. These challenges make it difficult to derive a trust model for EAP and to securely adopt existing protocols. Finally, we conclude with recommendations for more secure EAP implementations.
Keywords
standard security claim, secure eap implementation, security challenge, authentication framework, eap communication, eap method, special security challenge, eap security, considered security claim, eap security claim, eap system, key exchange, key management, wireless network, extensible authentication protocol, authentication, handover, msk