Extensible Authentication Protocol Research Articles

Enhancing 802.1X authentication with identity providers using EAP-OAUTH and OAuth 2.0

EAP-OAUTH is a novel Extensible Authentication Protocol (EAP) method that integrates the OAuth 2.0 framework to provide a secure and flexible authentication mechanism for LANs and WLANs that implement the IEEE 802.1X framework. EAP-OAUTH leverages existing, OAuth 2.0-enabled Identity Providers (IdPs) and their single sign-on (SSO) capabilities, thus offering a streamlined authentication experience for both users and organizations. The advantages of EAP-OAUTH for users include an SSO experience and enhanced privacy, while organizations benefit from simplified identity management, reduced operational costs, consistent security policies, and easier compliance. Furthermore, EAP-OAUTH represents a promising solution for addressing the challenges of authentication in modern wireless networks, such as the deployment of various multi-factor or risk-based, adaptive authentication strategies. This article presents an in-depth analysis of the EAP-OAUTH method, its design, implementation, and use cases in enterprise networks and public hotspots. It explores the OAuth 2.0 Device Authorization Grant flow and allows network clients to perform fast re-authentications without resorting to sessions on IdPs or even their SSO features. The implementation of EAP-OAUTH is demonstrated in real-world scenarios, using two IdPs (Google and Auth0), confirming its effectiveness, suitable performance and compatibility with various components of typical Wi-Fi infrastructures.

5G-AKA-FS: A 5G Authentication and Key Agreement Protocol for Forward Secrecy.

5G acts as a highway enabling innovative digital transformation and the Fourth Industrial Revolution in our lives. It is undeniable that the success of such a paradigm shift hinges on robust security measures. Foremost among these is primary authentication, the initial step in securing access to 5G network environments. For the 5G primary authentication, two protocols, namely 5G Authentication and Key Agreement (5G-AKA) and Improved Extensible Authentication Protocol Method for 3rd Generation Authentication and Key Agreement (EAP-AKA'), were proposed and standardized, where the former is for 3GPP devices, and the latter is for non-3GPP devices. Recent scrutiny has unveiled vulnerabilities in the 5G-AKA protocol, exposing it to security breaches, including linkability attacks. Moreover, mobile communication technologies are dramatically evolving while 3GPP has standardized Authentication and Key Management for Applications (AKMA) to reuse the credentials, generated during primary authentication, for 5G network applications. That makes it so significant for 5G-AKA to be improved to support forward secrecy as well as address security attacks. In response, several protocols have been proposed to mitigate these security challenges. In particular, they tried to strengthen security by reusing secret keys negotiated through the Elliptic Curve Integrated Encryption Scheme (ECIES) and countering linkability attacks. However, they still have encountered limitations in completing forward secrecy. Motivated by this, we propose an augmentation to 5G-AKA to achieve forward security and thwart linkability attacks (called 5G-AKA-FS). In 5G-AKA-FS, the home network (HN), instead of using its static ECIES key pair, generates a new ephemeral key pair to facilitate robust session key negotiation, truly realizing forward security. In order to thoroughly and precisely prove that 5G-AKA-FS is secure, formal security verification is performed by applying both BAN Logic and ProVerif. As a result, it is demonstrated that 5G-AKA-FS is valid. Besides, our performance comparison highlights that the communication and computation overheads are intrinsic to 5G-AKA-FS. This comprehensive analysis showcases how the protocol effectively balances between security and efficiency.

A Seamless Integration Solution for LoRaWAN Into 5G System

The Internet of Things (IoT) has succeeded to be one of the important future communication technologies. The evolution of IoT has accelerated along with the emergence of 5G considered as a leading IoT service provider. In this context, the Low Power Wide Area Network (LPWAN) has recently attracted attention as it provides an impeccable infrastructure for massive Machine-Type Communications (mMTC). Long Range Wide Area Network (LoRaWAN) is one of the most adopted LPWAN technologies in the world. However, an efficient integration of LoRaWAN technology into the 5G System (5GS) is required. In this paper, we review briefly related work trying to integrate LoRaWAN into the 5GS. Then we present our solution for the integration and we detail the adopted network architecture. We propose new authentication methods based on the Extensible Authentication Protocol (EAP) providing secure access, and an adaptation function to attain seamless and efficient integration. In addition, we evaluate our solution in terms of performance and security. Moreover, a comparison of our solution with related work confirms the efficiency of our solution.

An EAP-Based Mutual Authentication Protocol for WLAN-Connected IoT Devices

Several symmetric and asymmetric encryption based authentication protocols have been developed for the wireless local area networks (WLANs). However, recent findings reveal that these protocols are either vulnerable to numerous attacks or computationally expensive. Considering the demerits of these protocols and the necessity to provide enhanced security, a lightweight extensible authentication protocol based authentication protocol for WLAN-connected Internet of Things devices is presented. We conduct an informal and formal security analysis to ensure robustness against the attacks. Furthermore, the empirical performance analysis and comparison show that the proposed protocol outperforms its counterparts, reducing computational, communication, storage costs, and energy consumption by up to 99%, 80%, 91.8%, and 98%, respectively. Simulation results of the protocol using the NS3 and its overhead under unknown attacks demonstrate that the proposed protocol performs better in all scenarios. A prototype implementation of the protocol has also been tested to evaluate its feasibility in real-time applications.

Lightweight authentication scheme based on modified EAP security for CoAP protocol-based IoMT applications

The medical data generated from the patients that are communicated and stored on servers are highly sensitive, and also the IoMT network creates open spaces for an adversary. The proposed work designs a lightweight authentication scheme to support the extensible authentication protocol (EAP) called lightweight EAP (L-EAP). The proposed L-EAP modifies the EAP model and dynamically changes the security service as per healthcare application requirements. The L-EAP selectively applies the data encryption and integrity without frequent re-handshaking with the server using one-bit epoch field in the EAP message header. The L-EAP performs such a key generation process as a part of the authentication phase and enlarges the lifetime of the IoMT network. The advanced encryption standard (AES) is improved for providing data confidentiality in L-EAP. The L-EAP improves the confusion property of cipher text in AES and applies shift row and XOR operations to all the words.

Formalization and evaluation of EAP-AKA’ protocol for 5G network access security

The end user’s Quality of Experience (QoE) will be improved while accessing services in Fifth Generation Mobile Network (5G), supported by enhanced security and privacy. The security guarantees offered by the Authentication and Key Agreement (AKA) protocols will be depended upon by end users and network operators. The AKA protocols have been standardized for 5G networks, and the Extensible Authentication Protocol (EAP)-AKA’ protocol is one of the main authentication mechanisms that has been specified for User Equipment (UE) and network mutual authentication. This article models the EAP-AKA’ protocol and conducts an extensive formal verification of the EAP-AKA’ protocol as defined in the 5G security standard to determine whether the protocol is verifiably secure for 5G. It provides a security evaluation of the EAP–AKA’ protocol based on the current 5G specifications using ProVerif, a security protocol proof verifier. It also presents security properties that support the security verification, as well as quantitative properties that are used to assess the protocol’s performance. Finally, it compares the EAP-AKA’ and 5G-AKA protocols’ security and performance results.

Early Generation and Detection of Efficient IoT Device Fingerprints Using Machine Learning

The proliferation of Internet of Things (IoT) markets in the last decade introduces new challenges for network traffic analysis, and processing packet flows to identify IoT devices. This type of device suffers from scarcity, making them vulnerable to spoofing operations. In such circumstances, the device can be recognized by identifying its fingerprint. In this paper, a novel idea to elicit Device FingerPrint (DFP) is presented by extracting 30 features from the collected traffic packets of 19 IoT devices during setup and startup operations. Raspberry Pi 3 Model B+ is configured as an access point to collect and analyze the traffic of seven networked IoT devices using Wireshark Network Protocol Analyzer. Moreover, the rest of IoT devices traffic is taken from the publicly available network traffic dataset. Each IoT device's feature extraction process starts from getting Extensible Authentication Protocol over LAN (EAPOL) protocol, continuing with the other flowed protocols until the first session of Transmission Control Protocol (TCP) related to that device is closed. Depending on some produced variation of device traffic features, 20 fingerprints for each device are created. The probability theorem of Gaussian Naive Bayes (GNB) supervised machine learning is utilized to identify fingerprints of individual known devices and isolate the unknown ones. The performance evaluation for the proposed technique was calculated based on two measures, F1-score and identification accuracy. The average F1 score was around 0.99, while the overall identification accuracy rate was 98.35%.

Secure Network Access Authentication for IoT Devices: EAP Framework vs. Individual Protocols

Secure bootstrapping of Internet of Things (IoT) devices is often a multi-step process that begins with enabling Internet access through a local wireless network. The process of enabling Internet access on IoT devices includes network discovery and selection, access authentication, and configuration of necessary credentials and parameters. On one hand, there are many standard protocols available for network access authentication of IoT devices. On the other hand, Extensible Authentication Protocol (EAP) is a standard framework with support for many authentication methods, and it is primarily used for network access authentication in enterprise networks. This article discusses whether the EAP framework is beneficial for network access authentication of IoT devices.

SECURITY ARCHITECTURE ON WIRELESS NETWORK TRAFFIC HANDOFF : A REVIEW

This paper provides an overview of the wireless handoff process on wireless networks by investigating Authentication Protocol using EAP -AKA (Extensible Authentication Protocol) - Authentication and Key Agreement The EAP-AKA protocol was developed for LAN networks or mobile network devices, the authors found ineffective network procedures guaranteed that made the attacks MITM and DoS attacks may occur. In addition, we find the storage procedures and resource submissions not safe enough to withstand DoS attacks. Focusing on Both types of attacks, the authors are interested in existing security protocol methods and written by researchers, then perform Systematic Literature Review (SLR) by using international journals database ie from the IEEE organization with the use of wireless handoff attack keyword in the middle of the world and obtained some related journals which need further research to deepen the Systematic Literature review, by offering a structured, methodical, and meticulous approach to understanding the research trends of handoff security issues on wireless networks and mobile networks. The purpose of this research is to provide credible intellectual guidance for future researchers to help them identify areas in the study. Most SLR is limited to conference papers and journal articles published by IEEE from 2015 to 2021. This study reveals that the protocol, privacy and security of the handoff process are the least studied, while the operating problems, architecture, methods in the handoff process get much attention in the literature.

A MODERATE WEIGHT EAP AUTHENTICATION METHOD (EAP-MEAP) FOR WIRELESS LOCAL AREA NETWORK

By Ahmed M. El-Nagar, Ahmed A. Abd El-hafez & 1 more. A new Extensible Authentication Protocol-Moderate Weight Extensible Authentication Protocol (EAP-MEAP) is proposed and properties were verified using the specialized model checker AVISPA.

A Composable Multifactor Identity Authentication and Authorization Scheme for 5G Services

The fifth-generation (5G) mobile communication technology has already deployed commercially and become a global research focus. The new features of 5G include unlimited information exchange, a large variety of connections with independent energy, and diversified high transmission rate services. Collective synergy of services is expected to change the way of life and future generations and introduce new converged services to the ICT industry. Different application services have to meet differentiated security demands. From the perspective of security, in order to support the multiservice of 5G services, it is necessary to consider the new security mechanism driven by the service. Based on 5G massive data stream, the 5G system can provide customized real-world services for potential users and reduce the user experience gap in different scenarios. However, 3GPP Extensible Authentication Protocol (EAP), which is the present entity authentication mechanism for the 5G service layer, is only an individual authentication architecture and unable to fulfill the flexible security objectives of differentiated services. In this paper, we present a new hierarchical identity management framework as well as an adaptable and composable three-factor authentication and session key agreement protocol for different applications in 5G multiservice systems. Finally, we propose an authorization process by combining with the proposed three-factor authentication mechanism and Service-Based Architecture (SBA) proposed by the 3GPP committee. The proposed mechanism can concurrently provide diverse identity authentication schemes corresponding to four different security levels by easily splitting or assembling three-factor authentication protocol blocks. The proposed scheme can be simultaneously applied to a variety of applications to improve the efficiency and quality of service and reduce the complexity of the whole 5G multiservice system, instead of designing or adopting several different authentication protocols. The performance evaluation results indicate that the proposed scheme can guarantee the multiple security of the system with ideal efficiency.

Empirical Evaluation of Attacks Against IEEE 802.11 Enterprise Networks: The AWID3 Dataset

This work serves two key objectives. First, it markedly supplements and extends the well-known AWID corpus by capturing and studying traces of a wide variety of attacks hurled in the IEEE 802.1X Extensible Authentication Protocol (EAP) environment. Second, given that all the 802.11-oriented attacks have been carried out when the defenses introduced by Protected Management Frames (PMF) were operative, it offers the first to our knowledge full-fledged empirical study regarding the robustness of the IEEE 802.11w amendment, which is mandatory for WPA3 certified devices. Under both the aforementioned settings, the dataset, and study at hand are novel and are anticipated to be of significant aid towards designing and evaluating intrusion detection systems. Moreover, in an effort to deliver a well-rounded dataset of greater lifespan, and under the prism of an attacker escalating their assault from the wireless MAC layer to higher ones, we have additionally included several assaults that are common to IEEE 802.3 networks. Since the corpus is publicly offered in the form of raw cleartext pcap files, future research can straightforwardly exploit any subset of features, depending on the particular application scenario.

Link Setup Time Reduction by FILS on IEEE 802.11-Based Inter-Vehicular Communications

This paper reports the performance of link setup time reduction outlined by IEEE 802.11ai, which is also known as Fast Initial Link Setup (FILS), in real intermittent inter-vehicular communications. Fast link establishment is a significant concern in communications between mobile devices with high mobility, such as passing vehicles on roads, because short link setup times enable vehicles to transfer larger amounts of application data. However, secure links are also important because they prevent both unauthorized access by unauthenticated users and misinformation circulation by malicious persons. Conventional security protocols such as IEEE 1609.2 and IEEE 802.11i/IEEE 802.1X, which is also known as theWi-Fi Protected Access 2 Extensible Authentication Protocol (WPA2-EAP), archive user authentication in vehicular networks but often take several seconds to establish a secure link due to numerous frame exchanges. In contrast, FILS is designed to establish a secure WPA2-EAP link in 100 ms using cached authentication information. However, since the effectiveness of FILS in real vehicular networks has not yet been reported, this paper describes experiments that clarify its setup time reduction abilities in 2.4 GHz IEEE 802.11n-based inter-vehicular communications by measuring the initial link setup times between two passing vehicles in a real environment. The results show that FILS significantly reduces the initial link setup times between the passing vehicles to around 150 ms and increases the size of application data transferred between vehicles. Additionally, it is demonstrated that FILS always establishes a secure link, while Protected EAP (PEAP) sometimes fails. Finally, in communications between vehicles passing each other at the relative speed of 80 km/h, we confirm that the FILS link setup time reduction effectively increases transferrable application data sizes by 10MB compared with WPA2-PEAP.

Formal verification of secondary authentication protocol for 5G secondary authentication

The Fifth-Generation mobile network (5G) will enable interconnectivity between the Home Network (HN) and Data Network (DN) whereby mobile users with their User Equipment (UE) will be able to access services provided by external Service Providers (SP) seamlessly. The mobile user and SP will rely on security assurances provided by authentication protocols used. For 5G, primary authentication between the UE and the HN has been defined and specified by the Third Generation Partnership Project (3GPP) while the secondary authentication has also been defined but not specified. 3GPP recommends the Extensible Authentication Protocol (EAP) framework for secondary authentication between the UE and the SP. However, the secondary authentication methods have not been formally verified, so this paper proposes a Secondary Authentication Protocol (SAP) for service authentication and provides a comprehensive formal analysis using ProVerif a security protocol verifier. Finally, it conducts a security analysis on the protocol's security properties.

Enterprise Security for the Internet of Things (IoT): Lightweight Bootstrapping with EAP-NOOB.

The emergence of radio technologies, such as Zigbee, Z-Wave, and Bluetooth Mesh, has transformed simple physical devices into smart objects that can understand and react to their environment. Devices, such as light bulbs, door locks, and window blinds, can now be connected to, and remotely controlled from, the Internet. Given the resource-constrained nature of many of these devices, they have typically relied on the use of universal global shared secrets for the initial bootstrapping and commissioning phase. Such a scheme has obvious security weaknesses and it also creates undesirable walled-gardens where devices of one ecosystem do not inter-operate with the other. In this paper, we investigate whether the standard Extensible Authentication Protocol (EAP) framework can be used for secure bootstrapping of resource-constrained devices. EAP naturally provides the benefits of per-device individual credentials, straightforward revocation, and isolation of devices. In particular, we look at the Nimble out-of-band authentication for EAP (EAP-NOOB) as a candidate EAP authentication method. EAP-NOOB greatly simplifies deployment of such devices as it does not require them to be pre-provisioned with credentials of any sort. Based on our implementation experience on off-the-shelf hardware, we demonstrate that lightweight EAP-NOOB is indeed a way forward to securely bootstrap such devices.

A secure n-secret based client authentication protocol for 802.11 WLANs

Authentication has strong impact on the overall security model of every information system. Various authentication techniques are available for restricting the access of unauthorized users to the enterprise scale networks. IEEE 802.1X defines a secure and reliable authentication framework for 802.11 WLANs, where Extensible Authentication Protocol (EAP) provides the base to this architecture. EAP is a generic architectural framework which supports extensibility by incorporating the new and improved authentication schemes, which are based on different types of credentials. Currently there exist a number of EAP and Non-EAP methods with varying level of security and complexity. In this work, we have designed a new n-secret based authentication scheme referred here as Personal Dialogue Based Authentication, for the client authentication to the network. It is a Transport Layer Security (TLS) protected authentication protocol, which will be executed inside the secure TLS tunnel for providing the privacy and credential security to the wireless client. The developed authentication protocol has a reasonable set of features like; strong security, user privacy, simplicity and extensibility. For the formal analysis of the protocol we have used SPAN–AVISAP model checker on Ubuntu platform for validating the realization of the specified security goals. The experimental results obtained by simulation performed with the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool shows that our protocol is efficient and secured.

Secure Authentication and Credential Establishment in Narrowband IoT and 5G.

Security is critical in the deployment and maintenance of novel IoT and 5G networks. The process of bootstrapping is required to establish a secure data exchange between IoT devices and data-driven platforms. It entails, among other steps, authentication, authorization, and credential management. Nevertheless, there are few efforts dedicated to providing service access authentication in the area of constrained IoT devices connected to recent wireless networks such as narrowband IoT (NB-IoT) and 5G. Therefore, this paper presents the adaptation of bootstrapping protocols to be compliant with the 3GPP specifications in order to enable the 5G feature of secondary authentication for constrained IoT devices. To allow the secondary authentication and key establishment in NB-IoT and 4G/5G environments, we have adapted two Extensible Authentication Protocol (EAP) lower layers, i.e., PANATIKI and LO-CoAP-EAP. In fact, this approach presents the evaluation of both aforementioned EAP lower layers, showing the contrast between a current EAP lower layer standard, i.e., PANA, and one specifically designed with the constraints of IoT, thus providing high flexibility and scalability in the bootstrapping process in 5G networks. The proposed solution is evaluated to prove its efficiency and feasibility, being one of the first efforts to support secure service authentication and key establishment for constrained IoT devices in 5G environments.

The implementation of radius server for wifi pass using the mechanism of access point controller in Department of Electrical Engineering building, Bali State Polytechnic

The problem in accessing the internet network in the Department of Electrical Engineering is that there is no security for WLAN, only normal login page to access to the network. In its application wifi pass requires Radius Server to authenticate against remote network access using Virtual Private Networking (VPN), wireless access points, ethernet switches. Radius Server can protect wireless networks from spoofing MAC Address and also WEP/WPA crack using free Radius authentication. Another problem is to monitoring access points in the area still manually done by IT administrators. With the application of the Radius Server which is a means of wifi pass application, and the access point controller application for monitoring all access points. It will facilitate IT administrators in the operation and maintenance of existing internet networks. Based on the measured QoS table, the hotspot network at the Department of Electrical Engineering for the largest parameter is AP Signal 53 dBm, Bandwidth 1036 bytes, throughput 198, 735 bytes, 14 ms delay, jitter 36, 777 ms and packet loss 3 percent. The technology used is 802.11 G Wi-Fi that uses DDWRT which has an Extensible Authentication Protocol (EAP) system that supports the implementation of facilities at Radius Server.

An Improved Mechanism for SDN Flow Space to Control Oriented Authentication NAA Network

The Open Daylight platform with its power by working with IEEE 802.1X port level authentication for wired and wireless networks has been very supportive because of the massive deployments at mean charge for main design considerations. Within the current marketplace, 802.1X has flourished the ground works for wireless, wire stability, LAN stability and authentication methods. EAP (Extensible Authentication Protocol) supports long time protection of the supplicant and the authentication software till the end condition of the RADIUS (Remote Authentication Dial-In User Service) server is met. This paper is focused on the RAR (RADIUS Access Request) unique identification about the users on the network with SAA (Supplicant, Authenticator and Authentication server) system which records on the attribute cost of RFC 2865 according to the forwarding server. NAA (Non-Adaptive Algorithm) using FlowVisor based virtualization packages drive inward the network timescales or statistics, dynamically controlling the flow space of switches to control the speed and results in scaling of networks. NAA is an application level protocol that contains authentication and configuration information between a Network Access Server and a shared authentication server. It avoids the attacker from listening for requests and responses from the server and calculates the improved MD5 client secret key of the response.

Testing the Conformance of Implementations of the EAP Protocol and Its Methods to Internet Specifications

Generation of tests for checking the conformance of implementations of the Extensible Authentication Protocol (EAP) and its methods to Internet specifications is described. The project is based on the UniTESK technology that allows one to automate the verification of network protocols using their formal models and the extension JavaTesK, which implements the UniTESK technology in Java. The additional use of mutation testing techniques makes it possible to test the stability of a protocol implementation to corrupt messages. This approach proved to be effective in finding a number of critical vulnerabilities and other deviations from the EAP in some implementations.