
The 5th Student Conference on Research and Development (SCOReD 2007), 11-12 December 2007, Malaysia

EAP-based Authentication with EAP Method Selection Mechanism: Simulation Design


M. A. Catur Bhakti, A. Abdullah, Senior Lecturer, and L. T. Jung, Senior Lecturer

Abstract--Wireless networks have grown rapidly and are increasingly becoming part of our lives, owing to their advantages over wired networks, such as convenience, mobility, and flexibility. However, security concerns in wireless networks may have held back their even wider adoption. One solution to these concerns is the IEEE 802.1X specification, a mechanism for port-based network access control that is based on the Extensible Authentication Protocol (EAP), an authentication framework that can support multiple authentication methods. This paper proposes a design for an extension to the EAP framework that selects the EAP authentication method. The design can then be used to develop a simulation model of the EAP method selection mechanism.

Index Terms--authentication, design, extensible authentication protocol (EAP), modeling, simulation.

I. INTRODUCTION

In the last few years, wireless communication technologies have gained much popularity, mostly because of their convenience, flexibility, mobility, and rapid deployment. However, wireless network technologies also introduce new security issues, since network devices, including unauthorized (rogue) devices, are relatively easy to connect to the network: they do not need any physical access. A process that guarantees the identity of the communicating parties, i.e. authentication between wireless nodes, therefore becomes very important. The Extensible Authentication Protocol (EAP) [1] is an authentication framework that has been used in wireless network security mechanisms such as IEEE 802.1X [2], IEEE 802.11i [3] and IEEE 802.16e [4]. Typically, an EAP implementation in a network supports only one EAP method. A mechanism was proposed in [5] to select a suitable EAP method out of a set of EAP methods for the authentication process in heterogeneous wireless networks, where there are different types of nodes with different specifications and capabilities, and each node may support a different type of authentication method. This paper proposes a design of the EAP method selection mechanism that in turn can be used to develop the simulation model in an ad hoc wireless LAN environment using the EAP multiplexing model.

II. EXTENSIBLE AUTHENTICATION PROTOCOL

The Extensible Authentication Protocol (EAP) is an authentication framework that supports multiple authentication methods. EAP was initially used for Point-to-Point Protocol (PPP) authentication; however, it can also run over other data-link layers such as the IEEE 802 LAN family. EAP has been used with hosts, routers, switches, and access points on dedicated links, switched circuit links, and wired and wireless links. EAP also permits the use of a back-end authentication server, such as RADIUS, to implement some or all of the authentication methods.

A. EAP Model

Two EAP models are specified in [1]: the pass-through behaviour model and the multiplexing model. In the pass-through model, the three entities involved in EAP authentication, i.e. the supplicant, the authenticator, and the authentication server, reside in three separate devices. The supplicant resides in the wireless client station, the authenticator in the access point, and the authentication server in an AAA (Authentication, Authorization, and Accounting) server such as RADIUS or Diameter. The authenticator acts only as a pass-through device. This is the most common model in wireless LAN EAP deployments. In the multiplexing model, shown in Fig. 1, there are only two devices: the authenticator and authentication server entities reside in a single device, and the authenticator implements all authentication services itself. This model is therefore more suitable for an ad hoc network.

B. EAP Methods

Many EAP methods are currently available for wireless LANs, including the following. EAP with Transport Layer Security (EAP-TLS) [6] uses TLS, the successor of Secure Socket Layer version 3 (SSLv3), and requires both the client side and the server side to hold certificates in a Public Key Infrastructure (PKI) in order to provide mutual authentication. This method is currently considered the strongest method available (security-wise) [7], [8].

This work was supported in part by the University of Technology Petronas, Malaysia, under the Graduate Assistantship Scheme. Muhammad Agni Catur Bhakti is an MSc research student at the Department of Computer and Information Sciences, University of Technology Petronas, Tronoh 31750, Malaysia (e-mail: agni_catur_bhakti@utp.edu.my). Azween Abdullah is with the Department of Computer and Information Sciences, University of Technology Petronas, Tronoh 31750, Malaysia (e-mail: azweenabdullah@petronas.com.my). Low Tang Jung is with the Department of Computer and Information Sciences, University of Technology Petronas, Tronoh 31750, Malaysia (e-mail: lowtanjung@petronas.com.my).

1-4244-1470-9/07/$25.00 2007 IEEE.
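Before the individual methods are described, an added example of the machinery they all sit on. This is not code from the paper: it is a minimal codec for the RFC 3748 [1] packet format and the legacy Nak (Type 3) exchange by which a peer that does not support the Type an authenticator requests lists the Types it would accept. The Type numbers are the IANA EAP method type assignments; the peer identity string, the scenarios and the "allowed" policy lists are constructed. The point it illustrates for Section III is that the Nak is sent in the clear with no integrity protection, so the authenticator's own allowed list, not the peer's Nak, must decide which method is used.

```python
"""Minimal RFC 3748 EAP packet codec plus the legacy Nak (Type 3) exchange of
RFC 3748 section 5.3.1. Constructed example, not the paper's code."""
import struct

# EAP Codes (RFC 3748 section 4)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
# EAP Types (IANA EAP method type registry)
IDENTITY, NAK, MD5_CHALLENGE = 1, 3, 4
EAP_TLS, LEAP, EAP_TTLS, PEAP = 13, 17, 21, 25


def pack_eap(code, identifier, payload=b""):
    """Code(1) | Identifier(1) | Length(2, big-endian, counts the header) | Data."""
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def unpack_eap(data):
    """Parse one EAP packet; returns (code, identifier, type_or_None, type_data).
    The Length field is validated against the buffer before anything else is read."""
    if len(data) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("EAP Length field inconsistent with buffer")
    payload = data[4:length]            # bytes beyond Length are padding (RFC 3748 4.1)
    if code in (REQUEST, RESPONSE):
        if not payload:
            raise ValueError("Request/Response without Type")
        return code, identifier, payload[0], payload[1:]
    return code, identifier, None, payload


def peer_respond(request, supported):
    """EAP peer. Answers Identity, accepts a Request of a supported Type, and otherwise
    sends a Nak listing the Types it is willing to use (Nak is only valid in a Response)."""
    code, ident, eap_type, _ = unpack_eap(request)
    if code != REQUEST:
        raise ValueError("peer only answers Requests")
    if eap_type == IDENTITY:
        return pack_eap(RESPONSE, ident, bytes([IDENTITY]) + b"peer@example.org")  # constructed
    if eap_type in supported:
        return pack_eap(RESPONSE, ident, bytes([eap_type]))  # method conversation starts here
    return pack_eap(RESPONSE, ident, bytes([NAK]) + bytes(sorted(supported)))


def authenticator_negotiate(peer_supported, allowed, ident=1):
    """EAP authenticator in the multiplexing model (it holds the method policy itself).
    `allowed` is its ordered preference list. It proposes allowed[0]; if the peer Naks,
    it walks its *own* list and takes the first Type the Nak offered. The peer's order
    is never used for ranking, so a Nak cannot talk the authenticator into a method it
    does not allow. Returns (selected_type_or_None, transcript)."""
    transcript = []
    request = pack_eap(REQUEST, ident, bytes([allowed[0]]))
    transcript.append(("A->P", allowed[0]))
    code, rid, rtype, tdata = unpack_eap(peer_respond(request, peer_supported))
    if code != RESPONSE or rid != ident:          # Identifier must match the outstanding Request
        return None, transcript
    transcript.append(("P->A", rtype))
    if rtype == allowed[0]:
        return rtype, transcript
    if rtype != NAK:
        return None, transcript
    offered = set(tdata)
    for candidate in allowed:
        if candidate in offered:
            ident += 1                                # new conversation, new Identifier
            request = pack_eap(REQUEST, ident, bytes([candidate]))
            transcript.append(("A->P", candidate))
            _, rid, rtype, _ = unpack_eap(peer_respond(request, peer_supported))
            if rid == ident and rtype == candidate:
                transcript.append(("P->A", rtype))
                return candidate, transcript
    transcript.append(("A->P", FAILURE))
    return None, transcript


STRONG_ONLY = [EAP_TLS, EAP_TTLS, PEAP]           # the set Section III restricts selection to
WITH_MD5 = STRONG_ONLY + [MD5_CHALLENGE]           # constructed weaker policy, for contrast


def demo():
    """Four constructed scenarios; returns the selected Type for each."""
    return {
        "tls_both_sides": authenticator_negotiate({EAP_TLS, PEAP}, STRONG_ONLY)[0],
        "no_client_cert": authenticator_negotiate({LEAP, EAP_TTLS, PEAP}, STRONG_ONLY)[0],
        "md5_only_with_weak_policy": authenticator_negotiate({MD5_CHALLENGE}, WITH_MD5)[0],
        "md5_only_strong_policy": authenticator_negotiate({MD5_CHALLENGE}, STRONG_ONLY)[0],
    }


if __name__ == "__main__":
    for name, chosen in demo().items():
        print(f"{name}: {chosen}")
```

The last two scenarios are the contrast Section III relies on. A Nak that lists only Type 4 is exactly what an on-path attacker who strips the stronger Types from a peer's Nak would produce, since nothing in the Nak is authenticated; with EAP-MD5 left in the allowed list the authenticator negotiates down to it, whereas with the list limited to EAP-TLS, EAP-TTLS and PEAP the same Nak ends in EAP Failure.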

Fig. 1. EAP multiplexing model. [Figure not reproduced: a supplicant node and an authenticator node, each stacked as EAP Method, EAP Peer or EAP Authenticator, EAP Layer and Lower Layer, with the authenticator node also holding the authentication server.]

EAP with Tunneled TLS (EAP-TTLS) [9] requires only a server-side certificate, for server authentication, while the user side can use an extensible set of user authentication methods, including legacy ones such as an MS Windows login user ID and password. EAP-TTLS consists of two steps. In the first step, server authentication is performed on the basis of the server's certificate and a symmetrically encrypted tunnel is set up. In the second step, the tunnel protects the information exchanged between client and server during client authentication. It offers strong security while avoiding the complexity of deploying a PKI on the client side. EAP-TTLS was co-developed by Funk Software and Certicom.

Protected EAP (PEAP) [10] is almost identical to EAP-TTLS: it requires only a server-side certificate, protects the client's authentication credentials inside a TLS tunnel, and offers strong security. The difference lies in compatibility with legacy (older) methods and platforms, where PEAP is less compatible than EAP-TTLS. PEAP was jointly developed by Microsoft, Cisco, and RSA Security.

Lightweight EAP (LEAP) [11] is a proprietary EAP method developed by Cisco Systems for its wireless LAN devices. LEAP supports mutual authentication and changes the dynamic security keys at every (re)authentication, in the hope that a key will not live long enough to be exploited by an attacker. In practice, LEAP's password-based challenge/response has been shown to be vulnerable to offline dictionary attacks, so it is not among the strong methods considered in Section III.

EAP with MD5 hash (EAP-MD5), as specified in [1], uses the Message-Digest algorithm 5 (MD5) hash to authenticate the client. This method is considered weak and gives poor security because of its unilateral authentication (it only authenticates the client to the server) and its lack of session key derivation.

III. EAP METHOD SELECTION

An extension to the EAP framework was proposed in [5], which adds the EAP method selection mechanism prior to the EAP authentication process. The extended EAP framework is illustrated in Fig. 2 below.

Fig. 2. Diagram of EAP authentication with EAP method selection mechanism. [Figure not reproduced: parameters/criteria feed a Method Selection Algorithm; the selected method is handed to the EAP Methods for Authentication, which produces the authentication result.]

The function of the EAP method selection module is to select one EAP method suitable for the node. The selection is based on the following criteria:

- Previous communication records: information about earlier network communication, such as possible malicious (suspicious) packets received from other nodes. If this parameter is set to a high level, any history of suspicious packets within a certain time interval from the node trying to be authenticated terminates the authentication process. These records could be the output or log of a network communication analyzer that monitors and analyses network activity and records it in a log file.
- Previous authentication records: information about earlier authentications, such as the last successful authentication method and the most used authentication method. Every authentication result is recorded here.
- The node's resources: certificate availability and the node's specification, i.e. its operating system or platform.

The paper only considers the selection among three EAP methods, EAP-TLS, EAP-TTLS, and PEAP, since these give the strongest and strong security protection [7]; restricting the candidate set in this way avoids attacks that negotiate the less or least secure method out of a set. These methods have also been widely used in wireless LAN environments.

IV. SIMULATION DESIGN

The Objective Modular Network Testbed in C++ (OMNeT++) [12] is used as the network simulator for the simulation model design. OMNeT++ is a public-source, free (for academic and non-profit use), component-based, modular and open-architecture discrete event simulation environment with strong Graphical User Interface (GUI) support and an embeddable simulation kernel.
Its primary application area is the simulation of communication networks, and because of its generic and flexible architecture it has also been used successfully in other areas such as the simulation of IT systems, queuing networks, hardware architectures and business processes. OMNeT++ is rapidly becoming a popular simulation platform in the scientific community as well as in industrial settings. Several open source simulation models have been published, in the fields of Internet simulation (IP, IPv6, MPLS, etc.), mobility and ad hoc simulation, and other areas. The MobileHost compound module from the OMNeT++ INET Framework is used; it models a mobile host with an 802.11b wireless card in ad hoc mode. This model contains the IEEE 802.11 implementation and the IP, TCP, and UDP protocols. The module is illustrated in Fig. 3.

Fig. 3. MobileHost compound module [13]

The MobileHost compound module contains the following modules:

- BasicMobility: a prototype for mobility models.
- Ieee80211NicAdhoc: this NIC module implements an 802.11 network interface card in ad hoc mode.
- InterfaceTable: keeps the table of network interfaces.
- NetworkLayer: the network layer of an IP node.
- NotificationBoard: modules use the NotificationBoard to notify each other about "events" such as routing table changes, interface status changes (up/down), interface configuration changes, wireless handovers, changes in the state of the wireless channel, mobile node position changes, etc.
- PingApp: generates ping requests and calculates the packet loss and round-trip parameters of the replies.
- RoutingTable: stores the routing table (per-interface configuration is stored in InterfaceTable).
- TCP: TCP protocol implementation; supports RFC 793, RFC 1122 and RFC 2001, and is compatible with both IPv4 and IPv6.
- TCPApp: template for TCP applications.
- UDP: UDP protocol implementation for IPv4 and IPv6.
- UDPApp: template for UDP applications.

We modify the MobileHost module by adding the EAP module between the Ieee80211NicAdhoc module and the NetworkLayer module, as illustrated in Fig. 4.

Fig. 4. Modified MobileHost module

The EAP compound module contains the following modules, as illustrated in Fig. 5:

- eapLayer: implementation of the EAP layer.
- eapPeerAuth: implementation of the EAP peer and EAP authenticator layer.
- eapMethod: implementation of the EAP method layer.

The EAP method selection algorithm is then placed in the application layer of the simulation, i.e. in TCPApp, since the selection is executed at the application level.
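As an added example, not the paper's code, here is a sketch of the selection module of Section III written as the application-level function the paper places in TCPApp. The paper names the criteria but not the algorithm, so everything below beyond those criteria is an assumption of this example: the analyzer log line format and event names, the one-hour window, the assumed platform-support set, the strength order (EAP-TLS first, following [7]) and the ranking rule (last successful method, then most used, then strongest feasible). The log lines and authentication records are constructed. The property worth checking is that the history-based criteria only ever choose among methods that have already passed the resource filter and the three-method restriction, so no record can pull the selection outside the strong set.

```python
"""Constructed sketch of the EAP method selection module of Section III (the
function the paper places in TCPApp). Not the paper's code: the paper names the
criteria, not the algorithm, so the record formats, the one-hour window, the
method-strength order and the ranking rules below are this example's assumptions."""
from collections import Counter
from datetime import datetime, timedelta

EAP_TLS, EAP_TTLS, PEAP = "EAP-TLS", "EAP-TTLS", "PEAP"
# Candidate set restricted to the three methods Section III considers; the order is
# this example's reading of [7] (EAP-TLS strongest), used only as a last resort.
STRENGTH_ORDER = [EAP_TLS, EAP_TTLS, PEAP]
SUSPICIOUS_EVENTS = {"malformed_eap", "eap_flood"}   # assumed analyzer event names

# Constructed "previous communication records" (network analyzer log lines).
COMM_LOG = """\
2007-12-01T10:00:05 node=02:00:00:00:00:01 event=malformed_eap
2007-12-01T10:02:30 node=02:00:00:00:00:02 event=normal
2007-11-20T09:00:00 node=02:00:00:00:00:03 event=eap_flood
"""
# Constructed "previous authentication records": (node, method, result).
AUTH_LOG = [
    ("02:00:00:00:00:02", PEAP, "success"),
    ("02:00:00:00:00:02", EAP_TTLS, "success"),
    ("02:00:00:00:00:02", EAP_TTLS, "failure"),
    ("02:00:00:00:00:02", PEAP, "success"),
]
NOW = datetime(2007, 12, 1, 10, 30, 0)              # constructed "current time"


def parse_comm_log(text):
    """'ISO-timestamp node=<mac> event=<name>' lines -> [(datetime, node, event)]."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        records.append((datetime.fromisoformat(stamp), fields["node"], fields["event"]))
    return records


def recent_suspicious(comm_records, node, now, window):
    """Suspicious events attributed to `node` within `window` before `now`."""
    return [r for r in comm_records
            if r[1] == node and r[2] in SUSPICIOUS_EVENTS and now - window <= r[0] <= now]


def feasible_methods(resources):
    """Apply the node's resources: every candidate needs a server certificate, EAP-TLS
    additionally needs a client certificate, and the platform must implement the method
    (assumption: platform support is given as a set of method names)."""
    if not resources["server_cert"]:
        return []
    return [m for m in STRENGTH_ORDER
            if (m != EAP_TLS or resources["client_cert"]) and m in resources["platform_methods"]]


def select_method(node, resources, comm_records, auth_records, now,
                  security_level="high", window=timedelta(hours=1)):
    """Return (method, reason); method is None when authentication must be terminated.
    Ranking (assumed): last successful method, then most used, then strongest feasible.
    History can only choose among methods that already passed the resource filter, so a
    record can never pull the selection outside the strong candidate set."""
    if security_level == "high" and recent_suspicious(comm_records, node, now, window):
        return None, "suspicious traffic from node within window"
    candidates = feasible_methods(resources)
    if not candidates:
        return None, "no candidate method fits the node's resources"
    successes = [m for n, m, r in auth_records if n == node and r == "success"]
    if successes and successes[-1] in candidates:
        return successes[-1], "last successful method"
    usage = Counter(m for n, m, _ in auth_records if n == node)
    for m, _ in usage.most_common():
        if m in candidates:
            return m, "most used method"
    return candidates[0], "strongest feasible method"


def demo():
    """Constructed nodes; returns {label: (method, reason)}."""
    comm = parse_comm_log(COMM_LOG)
    no_client_cert = {"server_cert": True, "client_cert": False,
                      "platform_methods": {EAP_TTLS, PEAP}}
    full = {"server_cert": True, "client_cert": True,
            "platform_methods": {EAP_TLS, EAP_TTLS, PEAP}}
    return {
        "flagged_node": select_method("02:00:00:00:00:01", full, comm, AUTH_LOG, NOW),
        "flagged_node_low_level": select_method("02:00:00:00:00:01", full, comm, AUTH_LOG, NOW,
                                                security_level="low"),
        "known_node": select_method("02:00:00:00:00:02", no_client_cert, comm, AUTH_LOG, NOW),
        "old_incident_node": select_method("02:00:00:00:00:03", full, comm, AUTH_LOG, NOW),
    }


if __name__ == "__main__":
    for label, (method, reason) in demo().items():
        print(f"{label}: {method} ({reason})")
```

The "flagged_node" case is the high-level termination rule of the first criterion; the same node with the level lowered falls through to the resource filter. The node whose suspicious event lies outside the window is treated as clean, which is why the window length is a policy parameter and not a constant in a real implementation.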

Fig. 5. EAP compound module

V. CONCLUSION AND FUTURE WORK

This paper presented a simulation model design of EAP with authentication method selection, using the OMNeT++ network simulator in an ad hoc wireless LAN environment. More work is needed to develop this model and evaluate it further. We are considering using other open source network simulators, such as GloMoSim [13] and ns-2 [14], to develop simulation models of the mechanism in several other network scenarios.

VI. REFERENCES

[1] B. Aboba, L. Blunk, J. Vollbrecht, J. Carlson, and H. Levkowetz, Ed., "Extensible Authentication Protocol (EAP)," RFC 3748, Internet Society, Jun. 2004.
[2] IEEE Standard for Local and Metropolitan Area Networks, Port-Based Network Access Control, IEEE Std 802.1X, Dec. 2004.
[3] IEEE Standard for Information Technology, Telecommunications and Information Exchange between Systems, Local and Metropolitan Area Networks, Specific Requirements, Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, Amendment 6: Medium Access Control (MAC) Security Enhancements, IEEE Std 802.11i, Jul. 2004.
[4] IEEE Standard for Local and Metropolitan Area Networks, Part 16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems, Amendment 2: Physical and Medium Access Control Layers for Combined Fixed and Mobile Operation in Licensed Bands, and Corrigendum 1, IEEE Std 802.16e, Feb. 2006.
[5] M. A. Catur Bhakti, A. Abdullah, and L. T. Jung, "EAP-based Authentication with EAP Method Selection Mechanism," to be presented at the International Conference on Intelligent and Advanced Systems (ICIAS), Kuala Lumpur, Malaysia, 2007.
[6] B. Aboba and D. Simon, "PPP EAP TLS Authentication Protocol," RFC 2716, The Internet Society, Oct. 1999.
[7] K. M. Ali and T. J. Owens, "Selection of an EAP authentication method for a WLAN," Int. J. Information and Computer Security, vol. 1, no. 1/2, pp. 210-233, 2007.
[8] Microsoft Corp., IEEE 802.11 Wireless LAN Security with Microsoft Windows, Jan. 2007. [Online]. Available: http://www.microsoft.com/downloads/
[9] P. Funk and S. Blake-Wilson, "EAP Tunneled TLS Authentication Protocol Version 1 (EAP-TTLSv1)," Internet-Draft, The Internet Society, Mar. 2006.
[10] V. Kamath, A. Palekar, and M. Wodrich, "Microsoft's PEAP version 0 (Implementation in Windows XP SP1)," Internet-Draft, The Internet Society, Oct. 2002.
[11] Cisco Systems Inc. (2002, Apr.). Under the Hood: Wireless Authentication. Cisco Packet. [Online]. Available: http://www.cisco.com/warp/public/784/packet/exclusive/apr02.html
[12] OMNeT++, Discrete Event Simulation System. [Online]. Available: http://www.omnetpp.org/index.php
[13] GloMoSim, Global Mobile Information Systems Simulation Library. [Online]. Available: http://pcl.cs.ucla.edu/projects/glomosim/
[14] The Network Simulator ns-2. [Online]. Available: http://www.isi.edu/nsnam/ns/

VII. BIOGRAPHIES

Muhammad Agni Catur Bhakti was born in Jakarta, Indonesia, on August 30, 1977. He graduated from the Electrical Engineering Department, University of Indonesia, and is currently pursuing an MSc in IT at the University of Technology Petronas, Malaysia. His employment experience includes the Computer Center at the Faculty of Engineering, University of Indonesia, and a private telecommunication and IT services provider company in Jakarta, Indonesia, as a computer network engineer and trainer. His research interests include computer networks, wireless networks, computer security, and embedded systems.

Azween Abdullah obtained his bachelor's degree in Computer Science in 1985, his Master's in Software Engineering in 1999, and his PhD in Computer Science in 2003. His work experience includes eighteen years as a lecturer/senior lecturer in institutions of higher learning and as director of research and academic affairs at two institutions of higher learning, and twelve years in commercial companies as a software engineer, systems analyst and computer software developer, and in IT/MIS and educational consultancy and training. He has many years of experience in the application of IT in business, engineering and research and has personally designed and developed a variety of computer software systems, including business accounting systems and software for investment analysis, website traffic analysis, determination of the hydrodynamic interaction of ships and computation of environmental loads on offshore structures. His areas of research specialization include system survivability, formal specification and modeling, and software engineering.

Low Tang Jung was born in 1956 in Johor, Malaysia. He obtained his Bachelor's degree in Computer Technology from Teesside University, UK, in 1989 and studied at Universiti Kebangsaan Malaysia in 2001 for an MSc in IT. Low has been in academia for the past 18 years as a lecturer in various public and private institutes of higher learning. He teaches various engineering and ICT courses. He is currently a senior lecturer in the Computer and Information Sciences Department of Universiti Teknologi Petronas (UTP), Malaysia, which he joined in late 2003. His research interests include wireless technology, embedded systems, networking, and grid computing. He has developed a remote control and monitoring system for oil pipeline corrosion detection using SMS over the GSM network. His other related research has been recognized at national and international level: two projects were awarded silver medals, in 2005 and 2007 respectively, at the International Invention Innovation Industrial Design & Technology Exhibition (ITEX), an international exhibition organized by the Malaysian Invention and Design Society (MINDS). Low is currently involved in sign-language-to-voice translation R&D, where an initial working prototype is already in place. He is also the supervisor of the 3D Spatial Sensor project, which is in an early stage of development.
