May 28, 2012

1.6.5 PEAP

Wireless security consists of three components:
  1. The authentication framework
  2. The authentication algorithm
  3. The data privacy or encryption algorithm
Extensible Authentication Protocol (EAP) is an authentication framework that supports multiple authentication methods. PEAP adds security services to the EAP methods that are carried inside it.

Protected Extensible Authentication Protocol, Protected EAP, or simply PEAP is a method to securely transmit authentication information, including passwords, over wireless networks. It was jointly developed by Microsoft, RSA Security and Cisco Systems. It is an IETF open standard. Note that PEAP is not an encryption protocol; as with other EAP types it only authenticates a client into a network.

While many consider PEAP and EAP-TTLS to be similar options, PEAP is more secure since it establishes an encrypted channel between the server and the client.

PEAP provides the security framework for mutual authentication between an EAP client and an EAP server. PEAP is not as secure as Transport Layer Security (TLS), but has the advantage of supporting username/password authentication instead of requiring client certificate authentication.

PEAP authentication occurs as a two-part conversation between the EAP client and the EAP server. In the first part of the conversation, TLS is used to establish a secure channel for use in the second part of the authentication. Once the client authenticates the server and the secure channel is established, the second part of the PEAP conversation begins. In this second part, a complete EAP conversation occurs within the secure channel. PEAP authentication succeeds if both parts of the authentication succeed.
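The two-part conversation described above, modelled as an added Python example (it is not code from the original post or from any PEAP implementation). The certificate record, trusted CA name, expected server name and user table are constructed sample data, and the inner method is a simplified challenge/response standing in for the real inner EAP method; what it shows is that phase 2 never starts unless the client has authenticated the server in phase 1, and that the overall result requires both phases to succeed.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample values (assumptions, not from the post): what the client
# trusts and which server name it expects. Real PEAP validates an X.509 chain.
TRUSTED_CA = "Example Corp Root CA"
EXPECTED_SERVER = "radius.example.com"


@dataclass
class Cert:
    subject: str   # server name presented in the certificate
    issuer: str    # CA that signed it


@dataclass
class Server:
    cert: Cert
    users: dict                                   # username -> password (constructed)
    seen_identities: list = field(default_factory=list)  # identities the server received


def phase1_validate_server(cert: Cert) -> bool:
    """Phase 1: the client authenticates the server via its certificate before
    anything else. Both checks matter: a trusted issuer AND the expected name."""
    return cert.issuer == TRUSTED_CA and cert.subject == EXPECTED_SERVER


def phase2_inner_eap(server: Server, username: str, password: str) -> bool:
    """Phase 2: the inner EAP exchange inside the TLS tunnel, modelled as a
    challenge/response so the password itself is never sent."""
    challenge = os.urandom(16)                    # server-chosen challenge
    response = hmac.new(password.encode(), challenge, hashlib.sha256).digest()
    server.seen_identities.append(username)       # server learns the identity here
    expected = server.users.get(username)
    if expected is None:
        return False
    good = hmac.new(expected.encode(), challenge, hashlib.sha256).digest()
    return hmac.compare_digest(response, good)


def peap_authenticate(server: Server, username: str, password: str) -> dict:
    """PEAP succeeds only if both parts succeed. If phase 1 fails, phase 2 is
    never run, so no identity or credential is offered to an unverified server."""
    if not phase1_validate_server(server.cert):
        return {"phase1": False, "phase2": None, "success": False}
    ok = phase2_inner_eap(server, username, password)
    return {"phase1": True, "phase2": ok, "success": ok}
```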

PEAP authenticates the server with a public key certificate and carries the authentication in a secure Transport Layer Security (TLS) session, over which the WLAN user, WLAN stations and the authentication server can authenticate themselves. Each station gets an individual encryption key.

PEAP makes it possible to authenticate wireless LAN clients without requiring them to have certificates, simplifying the architecture of secure wireless LANs.

PEAP is considered an enhancement to Lightweight EAP (LEAP), in part because it supports secure mutual authentication.
