EAPOL-Start
AP Blocks all requests until authentication completes
EAPOL-Request-Identity
Response Response
Weaknesses
-Susceptible to dictionary attack
-Relies too much on strong, complex passwords for security.
-Number of publicly available exploit tools
Replaced by EAP-FAST
layer3.wordpress.com
EAP-FAST
Start
AP Blocks all requests until authentication completes
EAP Identity Request
TLS Finished
EAP Success
Weaknesses
-PAC can be intercepted and used to compromise credentials
-Rogue AP with same SSID could be used to inject a new PAC which could be used to obtain username and a cleartext password (EAP-FAST w/GTC) or launch a dictionary attack
EAP-TLS
EAPOL Start
AP Blocks all requests until authentication completes
Identity Request
ChangeCipherSpec
Derive
Complete Session Key
Data
PEAP
CA
EAPOL Start
AP Blocks all requests until authentication completes
Identity Request
Client Hello
Server Hello
Derive MSK
Certificate Server/Key Exchange Request
Server Hello Complete
Certificate Client/Key Exchange Certificate Verify
PEAP Phase 1
Complete
Change Cipher Spec
Derive MSK
EAP Success
EAP-Request /EAP-TLV/EAP-Payload-TLV (EAP Request Identity)
Tunneled Identity Response
EAP-Request /EAP-TLV/EAP-Payload-TLV (EAP Request Identity-Type X)
PEAP Phase 2
Tunneled Response for EAP Type X
EAP Type X Exchange
EAP-Request /EAP-TLV/Result-TLV (CryptoBinding)
Derive CSK
Result-TLV Response
Derive CSK
CSK
EAP Success EAP Success
PEAP Advantages
-Provides for a very strong and secure authentication mechanism.
-Wide range of OS support
-Client side certificates not required
-Support for Token-Based authentication or Windows based authentication via MSCHAPv2
Weaknesses
-Requires more overhead due to number of message exchanges
-Requires CA for the authenticating servers