The principle of campus network authentication

Go to http://www.douban.com/note/215440648/

EAP is an authentication protocol defined in RFC 3748 that is used for authentication in a point-to-dot network such as PPP, which supports a variety of authentication mechanisms. The simple modification of EAP in 802.1X forms the EAPOL (EAP over LAN) protocol, enabling it to be used in broadcast Ethernet. EAP works on the second layer of the OSI model and does not require the client to obtain an IP address in advance, which is simple and easy to implement, and is mainly used for authentication information interaction between clients and authentication providers.
802.1X Certified EAP Protocol (overall process)
supplicant Host Server
----------- -------------
|------------------------------>| Host sends Eapol-start to server (multicast or broadcast address)
| 1. Eapol-start |
| |
|<------------------------------| Request to verify Identity
| 2. Eap-request-identity |
| |
|------------------------------>| Response (user name)
| 3. Eap-response-identity |
| |
|<------------------------------| MD5 Checksum value (random encryption Word Challenge) required to verify the password
| 4. Eap-request-md5_challenge |
| |
|------------------------------>| Response (Encrypt password with challenge)
| 5. Eap-response-md5_challenge |
| |
|<------------------------------| Eap-success (Judging correctness)
| 6. Eap-success |
| |
At any time the server sends a EAP-FAILURE packet, indicating that the entire authentication process is terminated.
In Ethernet, the EAP protocol, of course, is also transmitted through the format of the Ethernet frame, the frame type is 0x888e, in the Pcap-based packet capture program, you can use "ether proto 0x888e" to crawl.
Ethernet-header: (802.3, LAN Standard)
################################################
# 0 5 11 13 #
# +----------------+----------------+--------+ #
# | Dst--mac | Src--mac |0x888e | #
# +----------------+----------------+--------+ #
################################################
The EAP protocol can be used not only in the Ethernet environment in which this article is concerned, but also in the wireless WLAN, Token Ring network, and these link frames are different, which is why there are EAPOL types of data frames to abstract the EAP protocol messages.
eapol-message Structure
############################################
# 0 14 15 #
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ #
# | Ethernet-header |a|b| #
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ #
# 17 #
# +-+-+------------- #
# |c | Packet Body #
# +-+-+------------- #
############################################
A:eapol Protocol version
B:eapol Message Type
C:eapol Frame length
Type a description: usually constant 0x01
Type B Value:
eapol-packet:0x00//Information interaction of various EAP protocols, encapsulated in EAPOL messages of the Eapol-packet type
eapol-start:0x01
eapol-logoff:0x02
eap-message Structure
#########################################
# 0 15 #
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ #
# | | #
# +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ #
# 17 18 19 21 22 #
# +-+-+-+-+-+-+-+-------------- #
# | |d|e|f |g| EAP Body #
# +-+-+-+-+-+-+-+-------------- #
#########################################
D:EAP Type of communication
E:eap Communication ID
F:eap Data length
G:EAP Negotiation Type
D Type value:
eap-request:0x01
eap-resopnse:0x02
eap-success:0x03
eap-failure:0x04
E Type Description:
Typically, the message sent by the server is specified, using this ID in a continuous message to negotiate or calculate one of the MD5 value data.
G Type value:
identity:0x01
md5_challenge:0x04
Note that the two length positions of the EAPOL and EAP frames, the length of which are not 5 bytes of the EAPOL head, and the latter of the 4 bytes of their own head, so the values of the two lengths may be consistent, but there may be more information on the EAPOL frame tail, the former larger than the latter.
The following is the approximate details of the packages that need to be built:
1.eapol-start, Eapol-logoff
Usually a relatively simple packet, just fill in the corresponding bits, no additional messages, Eapol-start, eapol-logoff two message length of 0, usually set up two messages are only 18 bytes long.
2.eap-request-identity
The server sent this message is also relatively simple, perhaps the only useful data is the "E:eap communication id" bit, you need to send back the corresponding bit set to the value of the message, although this is likely to be a constant.
Identity format
+-+-+-+-.....-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Header | Username
+-+-+-+-.....-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
3.eap-response-identity
You only need to set the "D:eap communication id" bit, and then immediately after the EAP header, the ASCII code information for the user name. Some brands of the protocol, in passing this packet began to verify the client's IP, version number and other information.
4.eap-request-md5_challenge
Find the password information corresponding to the user name and encrypt it with a randomly generated encryption word challenge (MD5)
Server request MD5 Check the message contains important information, the first is the "E:eap communication id" bit, the latter message also needs to set the bit;
Immediately after the EAP header, the length value of a single bit, L (constant 0x10), indicates the length of the important data immediately following it, and the subsequent 16-bit value needs to be used to calculate the information in the next message, which we call Attach-key.
Md5_challenge format
+-+-+-+-.....-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| EAP Header | l| Md5-key/value
+-+-+-+-.....-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
5.eap-response-md5_challenge
First, you need to set the "D:eap communication id" bit, then build a byte array [(E:eap communication ID) (ASCII of user password) (attach-key)], the length of this byte is of course (1+ user password length +16), and then fed into the MD5 calculation function, A 16-bit calculation is obtained, and the 16-bit results are then filled into the message. The message format is similar to the request, followed by a length value at the end of the packet, of course 0x10, followed by a 16-bit calculation. Using this encryption word to encrypt the password part (MD5) to the encrypted password information and its own encrypted operation after the password information to determine whether the user is legitimate
A client program usually does so much, and because of the "extensible" nature of the EAP protocol, almost every brand agreement we see expands and varies, so that devices such as clients or even switches between brands can be completely incompatible, The protocol is likely to add a tail of information to the above message to verify various information.
Eap-sim Learning
eap-
Response/sim/challenge (AT_MAC) Step Description:
According to At_rand and other sres information | Nonce_mt| Version| ... Calculate your own At_mac ' and At_mac comparison
Then generate a sequence, part four-time handshake MK (Universal key, which increases the security of the back four handshake)
Response with Sres At_mac ", let the server re-certification.
GSM subscribers identification: IMSI (International Mobile subscriber Identity). IMSI: No more than 15 digits of STRING,MCC (mobile Country code) 3-bit, MNC (mobile Network Code) 2 or 3-bit, Msin (mobile subscriber Identification Number) is no more than 10 bits.
Internet AAA Protocols Identity: NAI (Network Access Identifier) [RFC4282]. form: ([[Email Protected]][email protected][/email]). For permanent users, you can use IMSI to generate the user name (the first bit Plus ' 1 '); pseudonym Usernames and fast Re-authentication, identities is generated by the authentication server.
Eap-aka Learning
Eap-aka is used for authentication and key negotiation mechanisms (authentication and key agreement) for the third generation Mobile communication network (3G). AKA is based on the principle of symmetric cryptography, usually running on the SIM card of a mobile phone, called Usim in 3G.
Peer Authenticator
| eap-request/identity |
|<------------------------------------------------------|
| |
| eap-response/identity |
| (includes user's NAI) |
|------------------------------------------------------>|
| +------------------------------+
| | Server runs AKA algorithms, |
| | Generates RAND and AUTN. |
| +------------------------------+
| Eap-request/aka-challenge |
| (At_rand, At_autn, At_mac) |
|<------------------------------------------------------|
+-------------------------------------+ |
| Peer runs AKA algorithms, | |
| Verifies autn and MAC, derives RES | |
| and Session key | |
+-------------------------------------+ |
| Eap-response/aka-challenge |
| (At_res, At_mac) |
|------------------------------------------------------>|
| +--------------------------------+
| | Server checks the given RES, |
| | And MAC and finds them correct.|
| +--------------------------------+
| eap-success |
|<------------------------------------------------------|
Figure 1:eap-aka Full authentication procedure?
At_mac (Message authentication Code) is used to protect the integrity of EAP packets.
?
Eap-aka supports rapid re-authentication with the obtained key.
To support confidentiality of user identities
Interaction Logging:
The server should not rely on indentity information in eap-response/identity and should use the Eap-request/aka-identity package unsolicited request (Eap-response/aka-identity At_ The Identity property indicates).
1) Use the At_permanent_id_req property: Server wants peer feedback on the at_identity attribute of the Eap-response/aka-identity package for permanent authentication (PERMANENT identity). If peer has only permanent identity, feedback eap-response/aka-identity (permanent identity is included in the at_identity attribute); If there is pseudonym Identity, the feedback may be Eap-response/aka-client-error (code "Unable to process packet"), or permanent identity. Then, if the server discovers that it is not a legitimate permanent identity, send eap-request/aka-notification (at_notification code "general Failure" (16384)) To terminate the EAP authentication. Otherwise eap-request/aka-challenge begins the full authentication process.
2) at_fullauth_id_req attribute: Server wants peer feedback full authentication identity (authentication identity pseudonym identity). The server does not support fast re-authentication. First feedback pseudonym identity (if any), otherwise the feedback permanent identity. Then, if the server discovers that the pseudonym identity cannot be mapped to a legitimate PERMANENT identity, the at_permanent_id_req is sent.
3) At_any_id_req Property: Server wants peer to give feedback on an identity. If peer maintains fast re-connect status information and wants to use fast re-connect, feedback re-authentication identity property information. Second, Judge pseudonym Identity, and finally judge permanent identity. If the server agrees to re-authenticate, send eap-request/aka-reauthentication, otherwise send at_fullauth_id_req or at_permanent_id_req.
Eap/aka-identity may be recurrent multiple times (up to 3 times), in the order of this case:
At_any_id_req, At_fullauth_id_req, At_permanent_id_req.
WLAN\3G Application AKA:
Wlan-ue (user equipment): Mobile terminal device for WLAN users
Wlan-an (Access Network): WLAN access Networks
3GPP AAA Server: 3GPP network authentication, authorization, billing server
HSS/HLR: Home User Server/home location register
IMSI: International Mobile User logo (International Mobile station Identity)
F1 ~f5. Algorithms defined for the 3G security architecture,
The F1 algorithm is used to generate the message authentication code,
The F2 algorithm is used to calculate the expected response value in message authentication,
The F3 algorithm is used to generate the encryption key,
The F4 algorithm is used to generate the integrity key,
The F5 algorithm is used to generate anonymous keys.
Protocol Flow
①wlan-ue→wlan-an:nai (identity symbol)
②WLAN-AN→3GPP Aaa:nai
③3GPP Aaa→wlan-an:rand, AUTH, wlan-ue temporary sign, message identification code
④wlan-an→wlan-ue:rand, AUTH, wlan-ue temporary sign, message identification code
⑤wlan-ue→wlan-an:res, message Identification code
⑥WLAN-AN→3GPP aaa:res, message identification code
⑦3GPP Aaa→wlan-an:wlan-ue authentication results, Wlan-an and Wlan-ue shared key
⑧WLAN-AN→WLAN-UE:WLAN-UE Certification Results
Description
After ③ receives the WLAN-UE identity flag, the 3GPP AAA server first asks HSS if the user has access to the service provided by WLAN. The authentication vector AV associated with the user is then obtained from the HSS/HLR, and a new temporary flag corresponding to the user IMSI is obtained.
where AV = Rand‖xres‖ck‖ik‖autn, RAND is a random number, xres = f2k (rand), CK = f3k (rand), IK = f4k (rand), autn = SQN‖AK‖AMF ‖mac; SQN is the serial number, AK = f5k (RAND), AMF is the authentication admin domain, MAC = f1k (SQN‖RAND‖AMF).
The shared keys are then generated from IK and CK, which can be used to protect the confidentiality and consistency of WLAN traffic on the one hand, and on the other, to protect wlan-ue temporary flags.
Constructs the EAP Request/aka Challenge message, which contains Rand, AUTH, temporary flags, and computes the message identification code. Finally, the EAP Request/aka Challenge message is sent to Wlan-an.
⑤wlan-ue first verifies the Auth and verifies that the received serial number sqn is within the valid range, and if all is correct, the authentication to the 3G network is achieved.
Calculates IK and CK, generates a shared key from IK and CK, and then verifies that the message discriminator is correct and saves the temporary flag received.
Computes the res = f2k (RAND), constructs the EAP Response/aka Challenge message, the message contains the res, and computes the message identification code. Finally, the EAP Response/aka Challenge message is sent to Wlan-an.
The ⑦3GPP AAA server first validates the message identification code, then calculates the xres and compares it to the received Res. If correct, the identity of the Wlan-ue is authenticated and an EAP successful message is sent to Wlan-an. Shared keys for confidentiality and consistency protection are also sent together in WLAN communications.
⑧wlan-an Save the shared key, which will be used for confidentiality and consistency protection when communicating with Wlanue, and to send the EAP successful message to Wlan-ue.
Security analysis
Based on the secret key K shared between Wlan-ue and HSS/HLR, the Eap-aka protocol realizes mutual authentication and key distribution between WLAN users and 3G networks.
(1) Two-way authentication between WLAN user and 3G network.
The authentication of the WLAN user to the 3G network is implemented in step ⑤ above. Wlan-ue received a 3GPP AAA server sent over autn = Sqnīak‖amf‖mac, confirm that the serial number sqn is within the valid range, and verify Auth is correct. Because only use the correct secret key k to generate the correct autn, and only the legitimate HSS/HLR have secret key K, so the above process to achieve the legitimacy of the 3G network authentication.
3G network authentication for WLAN users is implemented in step ⑦ above. The 3GPP AAA server first Calculates xres = f2k (rand) and then compares it to the received res= f2k (RAND). It is also because only legitimate WLAN users have secret key K, so if xres = RES, you can authenticate the legitimate identity of the WLAN user.
(2) The key distribution between Wlan-ue and Wlan-an.
After the legitimate wlan-ue receives the correct random number RAND, it can correctly generate CK = F3K (rand) and ik= f4k (rand), thus correctly generating session keys for confidentiality and consistency protection in WLAN communications. While the Wlan-an session key is obtained from the 3GPP AAA server, the 3GPP AAA server first generates CK and IK, then generates the session key and then passes it to Wlan-an. Therefore, the Eap-aka protocol ensures that the session key can be shared between Wlan-ue and Wlan-an, and that the session key is not transmitted in the wireless interface, which has some security.
(3) The freshness of the key.
During each authentication process of the Eap-aka protocol, the session key shared between Wlan-ue and Wlan-an is generated by CK and IK, while CK and IK are computed using random numbers, thus ensuring the freshness of the key.
(4) Anti-replay attack.
Protocol-delivered messages use a random number and a continuously incrementing sequence number sqn as input, thus guaranteeing the freshness of the message. Also, the random number is included in the message identification code that guarantees the integrity of the message, and the responder contains the random number in the authentication code of the response message, so no third party can exploit the previously intercepted message to initiate a replay attack.
(5) Potential vulnerabilities.
As with the 3G authentication and Key Distribution protocol AKA, the Eap-aka protocol does not have the update mechanism of the secret key K shared between the WLAN user and the 3G network, which may lead to usim cloning attacks. Also, when a WLAN user authenticates for the first time, or if the 3G network does not recognize the temporary flag of the WLAN user, the WLAN user is required to transmit the IMSI and use clear text, which affects the confidentiality of the user's identity.
(6) Possible attacks.
Authentication of 3G Network and Key Distribution protocol AKA presence of MS (Mobile station) is possible for counterfeit attacks. In fact, the same attack could happen on the Eap-aka protocol. And, because the WLAN coverage is small, wlan-an and Wlan-ue are in a relatively open environment, so there is a possibility of wlan-an impersonation attacks. Described below: ①wlan-an impersonation attack. The Eap-aka protocol enables mutual authentication between the WLAN user and the 3G network, but neither side authenticates the identity of the Wlan-an. Also, in step ⑧ of the protocol, the 3GPPAAA server will use the session key for confidentiality and integrity protection in WLAN communications and send it directly to Wlan-an in plaintext. If an attacker first exploits wlan-an in some way (such as a Dos attack) and then pretends to be Wlan-an, the session key in the WLAN can be acquired, which makes the WLAN communication loss of confidentiality. ②wlan-ue fake attacks. Attacker A can also exploit the intercepted legitimate user identity flag. In this way, attacker a can impersonate the user's identity to the network. Because there is no session key, attacker A will not be able to communicate properly at this time. And if attacker a simultaneously wlan-an to the 3GPP AAA server
Communication for eavesdropping, you can get the session key for the Wlan-ue. At this point, attacker a can impersonate the user and perform normal communication between the 3G and the WLAN internetwork.
EAP-TLS is based on asymmetric cryptography (also known as PKI), smart card implementation of high cost, system implementation complex, mainly used in online banking, e-commerce field. The Eap-aka overcomes the known flaws of the Eap-sim and provides sufficient security.
? Eap-aka to 3G, WLAN, the Internet provides a unified authentication method possible.
= = = = = =
EAP authentication method
With Extensible Authentication Protocol (EAP), any authentication mechanism can authenticate a remote access connection. Negotiate the exact authentication scheme to use through the remote VPN client and the validator (ISA server or RADIUS server). ISA Server includes support for Message Digest 5 Challenge (Md5-challenge) and Eap-transport level Security (EAP-TLS) by default.
EAP allows a start-up conversation between a remote VPN client and a validator. The dialog consists of the validator request for authentication information and the response of the remote VPN client. For example, when EAP is used with a security token card, the validator can independently query the name, PIN, and card tag values of the remote access client. After asking questions and answering a round of queries, the remote access client passes another level of authentication. After all the questions have been answered correctly, the remote access client is authenticated.
A specific EAP authentication scheme is called an EAP type. The remote access client and the validator must support the same EAP type in order to successfully authenticate.
For instructions on configuring authentication methods, see Configure VPN authentication methods.
EAP structure
EAP is a set of internal components that provide structural support for any EAP type in the form of plug-in modules. For authentication to succeed, the remote access client and the validator must have the same EAP authentication module installed. ISA server supports two types of EAP: Md5-challenge and EAP-TLS.
Md5-challenge
Message Digest 5 Challenge (Md5-challenge) is a required EAP type that uses the same challenge/handshake protocol as PPP-based CHAP, but the challenge and response is sent as an EAP message. A typical use of md5-challenge is to authenticate the credentials of a remote VPN client by using a user name and password security system. You can also use Md5-challenge to test the interoperability of EAP.
EAP-TLS
Eap-transport level Security (EAP-TLS) is the type of EAP that is used in a certificate-based security environment. If you are using a smart card for remote access authentication, you must use the EAP-TLS authentication method. The EAP-TLS message Exchange can provide mutual authentication between the remote VPN client and the validator, the negotiation of the encryption method, and the determination of the encryption key. EAP-TLS provides the most powerful authentication and key determination methods.
Eap-radius
Eap-radius is not an EAP type, but it is possible to pass an EAP message from any EAP type to the RADIUS server for authentication by the validator. For example, when ISA server is configured for RADIUS authentication, the EAP messages sent between the remote VPN client and the ISA Server are encapsulated, and the format is set to RADIUS messages between the remote access server and the RADIUS server.
Eap-radius is used in an environment where RADIUS is used as the authentication provider. The advantage of using Eap-radius is that you do not need to install the EAP type on each remote access server, just install it on the RADIUS server. In Internet authentication Services (IAS), you only need to install the EAP type on the ISA server.
------------------------------------------------
2.2. EAPOL protocol
The 802.1X protocol defines a message encapsulation format, called the EAPOL (Extended authentication protocol) message on the EAP over LANs LAN, which is primarily used to transmit EAP protocol messages between the client and the authentication system to allow the EAP protocol messages to be transmitted over the LAN.
When the EAPOL frame is transferred at Layer two, the target MAC address must be available, and when the client and authentication system do not know the destination of the sending, the destination MAC address is used by the multicast address 01-80-c2-00-00-03 assigned by the 802.1X protocol.

The principle of campus network authentication