Master Thesis
Electrical Engineering
October 2012
School of Computing Blekinge Institute of Technology 371 79 Karlskrona Sweden
Evaluation of EAP Authentication Methods
in Wired and Wireless Networks
Tirumala Rao Kothaluru
Mohamed Youshah Shameel Mecca
This thesis is submitted to the School of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering. The thesis is equivalent to twenty weeks of full time studies.
Contact Information:
Author # 1: Tirumala Rao Kothaluru M.Sc. Electrical Engineering (Telecommunication Systems)
E-mail: [email protected]
Author # 2: Mohamed Youshah Shameel Mecca M.Sc. Electrical Engineering (Telecommunication Systems)
E-mail: [email protected]
Supervised by: Charlott Lorentzen Section/Unit: School of Computing SE – 371 79 Karlskrona Blekinge Institute of Technology E-mail: [email protected]
Examined by: Patrik Arlos Section/Unit: School of Computing SE – 371 79 Karlskrona Blekinge Institute of Technology
E-mail: [email protected]
School of Computing Blekinge Institute of Technology 371 79 Karlskrona
Sweden
Internet : www.bth.se/com Phone : +46 455 38 50 00 Fax : +46 455 38 50 57
ABSTRACT
In any networking environment, security, connection time and scalability are the major concerns in keeping the network safe, fast and stable. Administrators working within the networking environment need to have a complete account of the manageability, scalability and security of the network, so that the organizational data can be kept confidential and its integrity maintained.
There are different authentication methods used by network administrators for accessing the network in wired and wireless environments. As network usage and attacks on networks increase, a secure, scalable and standard network protocol is needed for controlling access and keeping data safe in both wired and wireless networks. IEEE 802.1x is an IEEE standard used to provide authentication and authorization to devices over a LAN/WLAN. The IEEE 802.1x framework uses EAP for authentication and authorization with a RADIUS server.
In this report, an experimental analysis of different EAP authentication methods in both wired and wireless networks, in terms of authentication time and total processing time, is presented. Wireshark is used to capture the network traffic at the server and client ends.
After analyzing the timestamps of each packet captured with Wireshark, it is seen that EAP-MD5 takes the least time in both wired and wireless networks, and that if the number of users increases there is not much difference in the network connection time. Concerning the security of the network, EAP-MD5 is vulnerable to many attacks, so it is not used by many companies. The alternative methods, with their strengths and weaknesses, are discussed.
Keywords: Authentication, EAP Methods, IEEE 802.1x, RADIUS.
ACKNOWLEDGEMENT
We would like to express sincere gratitude to Charlott Lorentzen, our supervisor, for her great and intense support. Without her esteemed guidance and consistent support it would not have been easy to accomplish this research.
We would like to convey our gratitude towards Dr. Patrik Arlos, our examiner. Finally, we would like to thank our parents and friends for continuous motivation and co-operation.
Tirumala Rao Mohamed Youshah
TABLE OF CONTENTS
LIST OF FIGURES .............................................................................................................................. 7
LIST OF TABLES ................................................................................................................................ 9
ABBREVIATIONS ............................................................................................................................. 11
1 INTRODUCTION ..................................................................................................................... 13
1.1 MOTIVATION AND CONTRIBUTION ....................................................................................... 14
1.2 AIM AND OBJECTIVES .......................................................................................................... 14
1.3 RESEARCH QUESTIONS ........................................................................................................ 15
1.4 RESEARCH METHODOLOGY ................................................................................................. 15
1.5 THESIS OUTLINE .................................................................................................................. 17
2 BACKGROUND ........................................................................................................................ 19
2.1 IEEE 802.1X ........................................................................................................................ 19
2.2 RADIUS .............................................................................................................................. 20
2.3 EXTENSIBLE AUTHENTICATION PROTOCOL (EAP) .............................................................. 23
2.4 EAP-METHODS ................................................................................................................ 23
3 IMPLEMENTATION AND EXPERIMENT .......................................................................... 27
3.1 EXPERIMENTAL SETUP ......................................................................................................... 27
3.2 EXPERIMENTAL SETUP FOR WIRED NETWORK ..................................................................... 29
3.3 EXPERIMENTAL SETUP FOR WIRELESS NETWORK ............................................................... 31
4 EXPERIMENTAL RESULTS .................................................................................................. 33
4.1 RESULTS FOR WIRED NETWORK .......................................................................................... 33
4.2 RESULTS FOR WIRELESS NETWORK ..................................................................................... 34
4.3 COMPARISON OF AUTHENTICATION TIME ............................................................................ 35
4.4 COMPARISON OF TOTAL PROCESSING TIME ......................................................................... 36
5 SCALABILITY EXPERIMENT .............................................................................................. 39
5.1 CALCULATION OF AUTHENTICATION TIME AND PROCESSING TIME ..................................... 39
6 SURVEY ..................................................................................................................................... 41
6.1 SURVEY RESULTS ................................................................................................................ 41
7 DISCUSSION ............................................................................................................................. 47
7.1 ASSESSMENT ........................................................................................................................ 49
8 CONCLUSION AND FUTURE WORK ................................................................................. 51
REFERENCES ................................................................................................................................... 53
APPENDIX A ...................................................................................................................................... 57
APPENDIX B ...................................................................................................................................... 60
LIST OF FIGURES
Figure 2.1: Authentication Process ......................................................................................... 20
Figure 2.2: RADIUS packet format [12] ................................................................................ 21
Figure 2.3: RADIUS frame format [12] ................................................................................. 21
Figure 2.4: RADIUS attribute format [12] ............................................................................. 22
Figure 3.1: Experimental Setup for Wired Network ............................................................... 29
Figure 3.2: The flow diagram of EAP TLS messages [33] .................................................... 31
Figure 3.3: Experimental Setup for Wireless Network ........................................................... 31
Figure 4.1: Comparison of Authentication Time .................................................................... 36
Figure 4.2: Comparison of Total Processing Time ................................................................. 37
Figure 5.1: Scalability Experiment ......................................................................................... 39
Figure 7.1: Authentication Time in comparison to work done by [8] .................................... 47
Figure 7.2: Total Processing Time in comparison to work done by [8] ................................. 48
LIST OF TABLES
Table 2.1: RADIUS codes and its operations [12] ................................................................. 22
Table 2.2: Comparison of EAP-methods ................................................................................ 26
Table 4.1: Authentication Time for wired network ................................................................ 33
Table 4.2: Total Processing Time for Wired Network ........................................................... 34
Table 4.3: Authentication Time for Wireless Network .......................................................... 34
Table 4.4: Processing Time for Wireless Network ................................................................. 35
Table 5.1: Authentication Time & Total Processing Time for Scalability Experiment ......... 40
Table 6.1: Participants Knowledge on Network Security ....................................................... 41
Table 6.2: Participants knowledge on importance of Network Security ................................ 42
Table 6.3: Participants preference on network connection time ............................................. 42
Table 6.4: Network connection time where participants do not have any knowledge on security of connection ..................................................................................................... 43
Table 6.5: Connection time where participants are ready to wait if higher security is provided ........................................................................................................................................ 43
Table 6.6: BTH Campus network connection usage by participants ...................................... 44
Table 6.7: Participants opinion about security of BTH network ............................................ 44
Table 6.8: Participants preference if network upgraded to higher security ............................ 45
ABBREVIATIONS
AAA Authentication, Authorization, Accounting
AP Access Point
CA Certificate Authority
CHAP Challenge Handshake Authentication Protocol
EAP Extensible Authentication Protocol
EAPOL EAP over LAN
GTC Generic Token Card
IEEE Institute of Electrical and Electronics Engineers
IP Internet Protocol
LAN Local Area Network
MD5 Message Digest 5
MS-CHAP Microsoft Challenge Handshake Authentication Protocol
NAK Negative Acknowledgement
OS Operating System
PAP Password Authentication Protocol
PC Personal Computer
PEAP Protected Extensible Authentication Protocol
PKI Public Key Infrastructure
PPP Point-to-Point Protocol
PNAC Port based Network Access Control
RADIUS Remote Authentication Dial in User Service
RFC Request for Comments
RJ45 Registered Jack 45
TCP Transmission Control Protocol
TLS Transport Layer Security
TTLS Tunneled Transport Layer Security
UDP User Datagram Protocol
VPN Virtual Private Network
WLAN Wireless LAN
1 INTRODUCTION
In any networking environment, security is one of the major concerns in keeping organizational data safe. Administrators working within the networking environment need to have a complete account of the manageability, scalability and security of the network, so that the organizational data can be kept confidential and its integrity maintained.
Generally, to access a network, users need to provide a username and a password to get authorized. The main motive for using such a method is to ensure that only authorized users are accessing the information. To keep the network secure from illegal activities, delay and network overload, three main aspects need to be considered: Authentication, Authorization, and Accounting (AAA) [1, 32].
Network connection time is one of the major aspects that needs to be taken into consideration, as users generally do not tend to wait a long time until they get authenticated. Users feel that if the connection time is longer, then the performance of the network is lower [31]. Hence, connection time should be as low as possible. Authentication time depends on various factors such as network load and delay; if the load on the network is higher, authentication takes longer. So a suitable authentication protocol, which can provide better security and performance under any critical condition on the network, needs to be selected.
The Institute of Electrical and Electronics Engineers (IEEE) 802.1x is a standard used to provide authentication and authorization to devices that have been connected via Local Area Network (LAN) ports to establish point-to-point connections. The IEEE 802.1x framework alone cannot be used for authentication and authorization; it requires an additional authentication/authorization protocol running over the framework to do so. IEEE 802.1x provides a lot of functionality that is relatively easy to implement and allows users to access the network after their credentials have been checked.
A lot of work has been done regarding the different authentication and encryption methods used in IEEE 802.1x [3, 4, 5, 6]. In [1], Extensible Authentication Protocol-Message Digest 5 (EAP-MD5), EAP Transport Layer Security (EAP-TLS) and Protected EAP (PEAP) were compared by measuring four performance parameters, namely authentication time, reauthentication time, packet loss during reauthentication, and throughput. The authors found a significant change in authentication and reauthentication times. EAP-MD5 had a smaller authentication time than the other methods in that study.
The properties and security attributes of upper-layer EAP authentication methods in wireless networks have been compared theoretically [7]. The main aim of the authors was to suggest a suitable authentication method for any organization or field that uses a networking environment.
In [8], the authors performed an experiment to evaluate the performance of six EAP authentication methods, such as EAP Tunneled Transport Layer Security (EAP-TTLS), EAP-PEAP-MSCHAPv2 and EAP-MD5. They calculated the authentication time and processing time for EAP over LAN (EAPOL). Very few papers have been published regarding the performance of the available authentication methods. The number of papers published in this domain is small compared to research done in other domains, and this is what motivated us to do this thesis. In this study, the work focuses on both theoretical and practical aspects of a few of the widely used EAP authentication methods. We mainly focused on the technical aspects and on the performance of the different EAP methods.
1.1 Motivation and Contribution
The work done previously [1, 7, 13, 14] focuses mainly on theoretical aspects, and less experimental work has been done regarding EAP methods. Theoretical information such as implementation complexity, the kinds of network attacks, Wireless Local Area Network (WLAN) security, and advantages and disadvantages is not enough to choose a particular authentication method. Hence, an experimental analysis is required to choose an EAP method for authentication that gives better performance in terms of authentication time and total processing time. This motivated us to evaluate the performance of widely used EAP methods for both wired and wireless networks. The two parameters calculated are total processing time and authentication time.
In practice it is necessary to compare the scalability of both wired and wireless networks. This information tells us whether the same protocol can be used for both the wired and the wireless network, or whether different protocols need to be used for each.
To get the opinion of students about the security provided on the BTH campus, a user survey was chosen. The main motive behind the survey was to find out whether students are ready to wait a few more seconds in order to get better security with regard to authentication. It is also interesting to know the opinion of the students, as the end users, regarding the security they have been using on the BTH campus.
1.2 Aim and Objectives
The aim of this work is to evaluate and analyze the performance of different EAP authentication methods.
• Literature review of EAP methods.
• Study of the authentication time and processing time that are related to the performance of EAP methods.
• Search for software that provides different authentication methods, such as X-Supplicant and WPA-Supplicant, and that is compatible with RADIUS/DIAMETER servers.
• Experimental setup for evaluating and analyzing different EAP methods for both wired and wireless networks.
Objectives
• Calculation of authentication time and processing time for widely used EAP methods on both wired and wireless networks.
• Analyzing and comparing the results for both wired and wireless networks.
• Analyzing the survey responses.
1.3 Research Questions
RQ1. How do EAP methods affect authentication performance in wired and wireless networks?
1.1. Which EAP methods provide better authentication time and processing time in wired networks?
1.2. Which EAP methods provide better authentication time and processing time in wireless networks?
RQ2. Comparing the performance of EAP authentication methods in wired and wireless networks in terms of authentication time and total processing time.
2.1. Which network provides better performance in terms of authentication time and processing time, wired or wireless?
2.2. Which EAP methods can be used for both wired and wireless networks?
2.3. Are the EAP methods scalable in a wireless network with regard to the number of users?
RQ3. From the user's perspective, which is more important, authentication security or connection time?
3.1. Are users ready to wait some additional time to get better security in terms of authentication?
3.2. Will the survey results help the network administrator to choose a relevant protocol according to user preference?
1.4 Research Methodology
This thesis consists of a literature review, a user survey and an experimental analysis of EAP methods; hence both a qualitative and a quantitative study were chosen. The qualitative study contains a detailed literature review and a user survey. The quantitative study is an empirical study with an experimental setup.
The following steps explain the methodology adopted to answer the research questions at the various stages, fulfilling the aim and objectives.
1. In the initial stage of the research, a literature study was conducted to gather theoretical knowledge about the different EAP methods: their advantages, disadvantages, possible network attacks, etc.
2. A detailed study of the equipment used in the experiment.
3. As many EAP methods are available, we contacted several companies in order to choose the widely used ones. Two companies responded. The responses obtained from the two companies are shown below. The company names have been kept confidential as the information concerns security.
Company 1:
One of the leading ISPs in Pakistan.
Server: Cisco ACS
Protocol: PEAP-MSCHAPv2
Company 2:
One of the leading multinational companies in the world, present in 23 countries. This company has collaborated with a few companies in Sweden.
Server: Cisco ACS
Protocol: PEAP-MSCHAPv2
OS: Windows Server 2003 and 2008
Based on the responses from the companies, previous work [8] and the protocol used by the BTH campus, the widely used EAP methods were selected. The protocols selected for the performance evaluation in this thesis were EAP-MD5, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAP, EAP-TTLS-MSCHAPv2, EAP-TTLS-CHAP, EAP-PEAP-MSCHAPv2, and EAP-PEAP-MD5.
4. After the literature review and the selection of EAP methods and parameters to be calculated, the experimental setup follows.
5. In the next stage, the experiment was carried out with the different EAP methods in both wired and wireless networks. The timestamps of each incoming and outgoing packet were captured for each EAP method and the parameters (authentication time and total processing time) were calculated.
6. To verify and validate the results, the standard deviation was taken.
7. The results for the wired network were compared with the results of [8] to analyze the variation that occurs. By following the above steps, the first research question, about the performance of EAP methods in both wired and wireless networks, can be answered.
8. In stage three, the experimental results obtained in wired and wireless networks are compared.
9. In the next stage, to answer research question 2.3, a scalability experiment was conducted for the different EAP methods on the wireless network. The experimental results of the wireless network scenario were compared with the scalability experiment to see whether the EAP methods are scalable.
From the stage three comparison results, it can be determined which network provides better performance and whether one protocol can be used for both wired and wireless networks. With the stage three and stage four comparison results, research question two can be answered.
10. In stage five, a user survey was conducted among students of the BTH campus using a web-based online Google survey form to learn their opinion regarding the security provided on the BTH campus.
From the responses obtained in stage five and the experimental results, the final research question can be answered.
1.5 Thesis Outline
In chapter 2, brief introductions to IEEE 802.1x, EAP and RADIUS are presented, followed by the experimental setup and implementation in chapter 3. In chapter 4 the experimental results are examined, followed by the scalability experiment in chapter 5. The survey results are discussed in chapter 5. Finally, the report is concluded in chapter 6.
2 BACKGROUND
This section presents how IEEE 802.1x and the different EAP methods work. A brief description of the RADIUS server and its operation is provided. Furthermore, the main methods used in EAP are explained.
2.1 IEEE 802.1x
IEEE 802.1x is a Port-based Network Access Control (PNAC) standard that uses the Extensible Authentication Protocol (EAP) in the transport layer [9]. It was originally designed for wired networks; the standard has since been improved and is now used in wireless networks as well. The standard defines encapsulation methodologies for the transport of EAP over LAN (EAPOL) and provides a powerful authentication framework in which any authentication protocol can be used to provide a high level of security [10]. IEEE 802.1x has three main components, namely the supplicant, the authenticator and the authentication server.
2.1.1 Supplicant
Any device that is capable of supporting the IEEE 802.1x protocol (for example mobile phones, PCs, etc.) can be used to obtain authentication rights and gain access to the network. The supplicant sends the necessary credentials to the authenticator, which forwards them to the authentication server, in order to gain access to the network. The communication between the supplicant and the authenticator is established using EAPOL, which operates at layer 2. Since the operation takes place at layer 2, no IP address is needed to start the authentication process.
2.1.2 Authenticator
The authenticator is a device such as a switch, a router or a wireless access point. It acts as an intermediary between the supplicant and the authentication server and controls the access between them. The credentials that are accepted or rejected by the authentication server pass through the authenticator. Generally, the authenticator sets its port either open or closed according to the response received from the authentication server to the request made by the supplicant. Depending on the response provided by the authentication server, the authenticator decides whether the supplicant is authorized or not.
2.1.3 Authentication server
The authentication server is important as it needs to process and validate the credentials provided by the supplicant. Through this process it is determined whether the supplicant is authorized to access the information on the server or not. The authentication server is the component that provides the authentication service; its main role is to check the credentials provided by the supplicant against its database to decide whether they are correct or not.
Figure 2.1: Authentication Process
In the above Figure 2.1, the operation that takes place between the three different components of IEEE 802.1x is shown.
• The supplicant is connected to the authentication server via the authenticator.
• The credentials provided by the supplicant to authentication server are passed through authenticator.
• The authentication server checks the credentials provided by the supplicant in the database and decides if the supplicant must be authorized or not.
• The authentication server provides necessary information to the authenticator to authorize or unauthorize the supplicant.
2.2 RADIUS
RADIUS (Remote Authentication Dial In User Service) is a widely implemented protocol used for carrying authentication, authorization and configuration information between network access servers and the authentication server. The RADIUS server was originally designed to support dial-up services, but now it also supports authentication through switches, Virtual Private Networks (VPNs), wireless access points, etc. [11]. It is defined in RFC 2865 and RFC 2866; these RFC documents provide detailed information regarding its operation, configuration and accounting.
Key features of a RADIUS server are:
• It is responsible for passing the user information.
• It waits until a response is returned.
• It is responsible for receiving user connection requests, authenticating the user and providing all the configuration information required to deliver service from the server to the user.
RADIUS uses UDP instead of TCP as its transport protocol. The choice of UDP is strictly due to technical reasons. A few of the characteristics are:
1. It uses a secondary authentication server if the request from the user to the primary authentication server fails.
2. The timing requirements of this protocol are different from what standard TCP/IP provides.
3. UDP reduces implementation complexity, i.e. implementation is easier than with TCP/IP.
4. The stateless nature of the protocol is one of the main characteristics that make UDP the simpler choice.
2.2.1 Packet format
Every RADIUS packet is encapsulated in the UDP data field [12]. The UDP destination port indicates the RADIUS port number. The port assigned for RADIUS authentication is 1812 and for accounting 1813.
Figure 2.2: RADIUS packet format [12]
The frame format of RADIUS is as follows:
Figure 2.3: RADIUS frame format [12]
2.2.2 Code
The code field is one byte long. It identifies the type of RADIUS packet. When a packet is received, the RADIUS server checks its code field and, if the code received is invalid, silently discards the packet.
The RADIUS Codes (decimal) assigned are as follows:
Operation Code
Access-Request 1
Access-Accept 2
Access-Reject 3
Accounting-Request 4
Accounting-Response 5
Access-Challenge 11
Status-Server (experimental) 12
Status-Client (experimental) 13
Reserved 255
Table 2.1: RADIUS codes and its operations [12]
2.2.3 Identifier
The identifier is one byte long. It is used to match requests and replies between the two communicating parties, i.e. the client and the server. It also identifies duplicate requests sent by the same client within a short span of time; this is done by checking whether the request comes from the same source IP address.
2.2.4 Length
The length field gives the total number of bytes in the packet, including the code, identifier, length, authenticator and attribute fields. If the packet contains additional bytes beyond this length, they are treated as padding and ignored.
2.2.5 Authenticator
The Authenticator field is 16 bytes long. It is used for password hiding. The most significant octet is transmitted first.
2.2.6 Attributes
RADIUS attributes carry the authentication, authorization, information and configuration details exchanged between the request sent and the response received. The end of the attributes is determined by the length of the RADIUS packet.
Figure 2.4: RADIUS attribute format [12]
The value field may be zero or more octets long. It contains the information of the attribute.
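As an added illustration of the packet layout described in sections 2.2.1 to 2.2.6 (example code written for this page, not from the thesis or from any RADIUS implementation), the following Python parses a RADIUS packet, walks the Type-Length-Value attributes and applies the discard and padding rules stated above. The sample Access-Request and its authenticator bytes are constructed; the attribute type numbers (User-Name 1, NAS-Port 5, EAP-Message 79) come from RFC 2865 and RFC 2869.

```python
import struct

# RADIUS packet codes, as listed in Table 2.1 (RFC 2865 section 3)
RADIUS_CODES = {
    1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
    4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge",
    12: "Status-Server", 13: "Status-Client", 255: "Reserved",
}
HEADER_LEN = 20       # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
RADIUS_AUTH_PORT = 1812
RADIUS_ACCT_PORT = 1813


def parse_radius(data):
    """Parse the RADIUS packet carried in a UDP payload.

    Returns None for packets a server silently discards: shorter than the
    20-byte header, a Length smaller than 20 or larger than the datagram,
    an unknown Code, or an attribute that runs past the packet.
    Octets beyond Length are padding and are ignored.
    """
    if len(data) < HEADER_LEN:
        return None
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if code not in RADIUS_CODES or length < HEADER_LEN or length > len(data):
        return None
    authenticator = data[4:HEADER_LEN]
    attributes = []
    pos = HEADER_LEN
    while pos < length:                     # attributes run up to Length only
        if length - pos < 2:
            return None                     # truncated attribute header
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            return None                     # attribute length is inconsistent
        attributes.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {
        "code": RADIUS_CODES[code],
        "identifier": identifier,
        "length": length,
        "authenticator": authenticator,
        "attributes": attributes,
        "padding": len(data) - length,
    }


def build_radius(code, identifier, authenticator, attributes):
    """Encode a RADIUS packet; each attribute is Type(1) Length(1) Value."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attributes)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return header + authenticator + body


# Constructed sample: an Access-Request carrying User-Name (1), NAS-Port (5)
# and an EAP-Message (79) wrapping an EAP-Response/Identity for "alice".
# The authenticator is a fixed byte pattern here, not a real random value.
EAP_IDENTITY_RESPONSE = bytes([2, 1, 0, 10, 1]) + b"alice"
SAMPLE_ACCESS_REQUEST = build_radius(
    1, 0x2A, bytes(range(16)),
    [(1, b"alice"), (5, struct.pack("!I", 3)), (79, EAP_IDENTITY_RESPONSE)],
)

if __name__ == "__main__":
    print(parse_radius(SAMPLE_ACCESS_REQUEST))
```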
2.3 Extensible Authentication Protocol (EAP)
EAP is an authentication protocol defined in RFC 3748. It provides a framework which supports multiple authentication methods. It is necessary to point out that EAP is not an authentication method in itself; it only defines the framework and the message formats.
In EAP-enabled networks, the state of the port used for authentication (port 1812) depends on the successful authorization provided by the authentication server. Once the authentication server authorizes the supplicant to use the resources, the authenticator opens the port so that traffic can flow freely. If the authentication server rejects the request, the port stays closed and no connection is established between them.
2.3.1 Authentication Process
The authentication process can be initiated by either the supplicant or the authenticator. When the supplicant starts the authentication process, it sends an EAPOL-Start message, and the authenticator responds with an EAP-Request/Identity message. The supplicant replies with its identity in the form of an EAP-Response/Identity. If the authentication process is started by the authenticator, the EAPOL-Start step is skipped. The authentication server replies with a challenge message to the authenticator. The challenge message checks whether the EAP method that has been proposed is compatible or not. If it is compatible, an EAP-Success message is sent. If the EAP method being used is not compatible, a NAK message is sent and the supplicant needs to choose a different method. The important thing to notice is that the packet received by the authenticator is encapsulated in such a way that it is understood by the authentication server (RADIUS). Once the EAP method is selected, an EAP-Response is sent to the authentication server via the authenticator.
The authentication server checks the credentials provided by the supplicant and verifies whether the supplicant should be authorized or not. If the credentials provided by the supplicant are correct, an EAP-Success message is sent and the supplicant is authorized to use the port. If the credentials are incorrect, an EAP-Failure message is sent and the supplicant is not authorized to use the port. The important point to notice is that the communication between the supplicant and the authenticator employs a LAN connection (EAPOL), while the connection between the authenticator and the authentication server is typically established using a RADIUS/DIAMETER server. The RADIUS server then re-encapsulates the packet so that its content is understood by the supplicant.
2.4 EAP-METHODS
2.4.1 MD5
EAP-MD5 is described in RFC 2284. It is analogous to the PPP-CHAP protocol and is a challenge-response handshake protocol [16]. It uses an id and a password for the user to get authenticated; the authentication database stores all user ids and passwords. As MD5 is a challenge protocol, the RADIUS server sends a random challenge to the client. The supplicant/client creates an MD5 hash of the user's password and the challenge message and sends the hash back to the server, which checks the hash against its database.
It is important to see that the supplicant never sends the password itself to the authentication server for verification. The password stored in the database, however, is in clear plain text.
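To make the challenge-response exchange concrete, the following Python script is an added example, not code from the thesis. It implements the supplicant and server sides of the EAP-MD5 check as specified for the MD5-Challenge method (RFC 3748, Section 5.4, which reuses the CHAP formula of RFC 1994): the response is MD5 over the one-octet EAP Identifier, the password and the challenge. The user database, the sample password and the function names are constructed for this illustration.

```python
"""EAP-MD5 challenge/response check (Section 2.4.1).

Added example, not code from the thesis. Response = MD5(Identifier ||
Password || Challenge), the CHAP formula (RFC 1994) that the EAP
MD5-Challenge method reuses (RFC 3748, Section 5.4). The user database,
the sample password and the function names are constructed for this
illustration.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed user database. EAP-MD5 forces the authentication server to
# keep the password itself rather than a salted hash of it, because the
# server must recompute MD5(Identifier || Password || Challenge) for
# every fresh challenge. This is the plain-text storage weakness noted above.
USER_DB: Dict[str, bytes] = {"alice": b"correct horse battery staple"}


def build_md5_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """Supplicant side: hash the one-octet EAP Identifier, the password and the challenge."""
    if not 0 <= identifier <= 255:
        raise ValueError("EAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def verify_md5_response(username: str, identifier: int, challenge: bytes,
                        response: bytes) -> bool:
    """Authentication-server side: recompute the hash from the stored password."""
    password = USER_DB.get(username)
    if password is None:
        return False
    expected = build_md5_response(identifier, password, challenge)
    # Constant-time comparison: do not leak where the digests first differ.
    return hmac.compare_digest(expected, response)


def run_exchange(username: str, supplied_password: bytes, identifier: int = 1,
                 challenge: Optional[bytes] = None) -> bool:
    """Drive one EAP-MD5 round trip; True corresponds to EAP-Success."""
    if challenge is None:
        challenge = os.urandom(16)  # the RADIUS server picks a fresh random challenge
    # Only 'response' crosses the wire; the password itself never leaves the supplicant.
    response = build_md5_response(identifier, supplied_password, challenge)
    return verify_md5_response(username, identifier, challenge, response)


def replay_is_rejected(username: str, password: bytes) -> bool:
    """A response captured for one challenge does not verify against a new challenge."""
    identifier = 7
    old_response = build_md5_response(identifier, password, os.urandom(16))
    return not verify_md5_response(username, identifier, os.urandom(16), old_response)


if __name__ == "__main__":
    print("correct password  ->", run_exchange("alice", b"correct horse battery staple"))
    print("wrong password    ->", run_exchange("alice", b"wrong"))
    print("replayed response rejected ->", replay_is_rejected("alice", USER_DB["alice"]))
```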
2.4.1.1 Advantages
• Easy to implement
• Supported by many RADIUS servers
2.4.1.2 Disadvantages
• Highly insecure, as the user passwords are stored in plain text in the authentication server, which allows hackers who obtain them to gain access to the network and perform illegal activities.
• EAP-MD5 does not support mutual authentication.
• Dynamic rekeying is not possible [17].
2.4.2 TLS
EAP-TLS is described in RFC 2716 [18]. It uses public key infrastructure (PKI) digital certificates for both the supplicant and the authentication server to provide mutual authentication between them. A PKI certificate contains information such as the name of the server or the user's information. It is one of the most secure methods in use, because a TLS tunnel is created during the exchange of certificates between the supplicant and the authentication server. Another point to note is that even though a tunnel is created to protect the EAP messages, the user's identity is sent in clear plain text before the certificate exchange starts.
2.4.2.1 Advantages
• Dynamic rekeying is possible
• Mutual authentication
• Secure tunnel is created for certificate exchange
2.4.2.2 Disadvantages
• Higher maintenance cost
• Even though it is secure, it is unpopular among network administrators, because certificates need to be exchanged in both directions between the supplicant and the authentication server, which makes implementation difficult.
2.4.3 TTLS
EAP-TTLS is described in RFC 5281 [19]. EAP-TTLS is an extension of EAP-TLS; it was created to reduce the implementation complexity faced with TLS, i.e., to eliminate the need for a PKI digital certificate on the client side. After the TTLS tunnel is created, only the authentication server needs to authenticate itself to the supplicant; the client can optionally authenticate itself to the server. Hence it is a one-way or two-way authentication method. EAP-TTLS supports many inner protocols, such as PAP, CHAP, MSCHAP and MSCHAPv2, for client authentication. The authentication process takes place inside the secure tunnel. There are two versions of TTLS, namely TTLSv1 and TTLSv2.
2.4.3.1 Advantages
• Creates secure SSL tunnel
• Supports legacy authentication methods
• Dynamic rekeying is possible
• User identity is protected
2.4.3.2 Disadvantages
• Poor support in WLAN devices
2.4.4 PEAP
EAP-PEAP works in a similar manner to TLS. It uses public key infrastructure (PKI) digital certificates to authenticate. Unlike TLS, EAP-PEAP requires only one certificate, with which the server authenticates itself to the client, i.e., only the server needs to authenticate itself to the client. Hence, it is a one-way authentication method, unlike TTLS, which optionally allows the client to authenticate itself to the authentication server. EAP-PEAP creates a secure tunnel between the supplicant and the authentication server to pass EAP messages between them. In PEAP, only EAP variant methods such as EAP-MD5, EAP-MSCHAPv2 etc. can be used inside the secure inner tunnel. As PEAP uses these legacy protocols, the authenticator is used only to transfer packets between the supplicant and the authentication server.
2.4.4.1 Advantages
• Dynamic rekeying is possible
• Creates secure SSL tunnel
• User identity is protected
• Supports fast reconnections
• Message authentication and encryption
2.4.4.2 Disadvantages
• Requires more overhead due to the number of message exchanges
• Requires a certificate authority (CA) for authenticating the server
2.4.5 Comparison of various EAP-methods
Table 2.2 provides theoretical knowledge regarding the complexity, requirements, security etc. of the four major EAP methods [17, 22, 23, 24, 25].
Attribute | TLS | TTLS | PEAP | MD5
Supplicant software (Windows) | Xsupplicant | Xsupplicant | Xsupplicant | Xsupplicant
Supplicant software (Linux) | WPA_Supplicant | WPA_Supplicant | WPA_Supplicant | WPA_Supplicant
Deployment | Hard | Moderate | Moderate | Easy
User identity hiding | No | Yes | Yes | No
EAP attacks (session hijacking, man-in-the-middle, dictionary attack) | Protected | Protected | Protected | Not protected
Security | Strongest | Strong | Strong | Poor
Tunnel | No | Yes | Yes | No
Server certificate | Yes | Yes | Yes | No
Client certificate | Yes | Optional | No | No
Legacy protocols | - | MD5, PAP, CHAP, MSCHAP, MSCHAPv2 | MD5, MSCHAPv2, GTC | -
Encryption technology | Digital certificates | Digital certificates or Diffie-Hellman algorithm to generate keying material, symmetric key for data encryption | Digital certificates or Diffie-Hellman algorithm to generate keying material, symmetric key for data encryption | One-way message digest
Protected cipher suite negotiation | Not required | Yes | Yes | No
Cipher-session negotiation | No | Yes | No | No
Fast reconnect | Yes | Yes | Yes | No
Table 2.2: Comparison of EAP-methods
3 IMPLEMENTATION AND EXPERIMENT
This chapter focuses on the implementation of the experiments performed within this study and contains three sections. The first section gives a general description of the devices, software tools, system configuration and operating system (OS) used in the experiments. The second section describes the experimental setup for the wired network, and the third section the experimental setup for the wireless network.
3.1 Experimental Setup
The experimental setup consists of three entities: supplicant, authenticator and authentication server. The role of each entity, along with its system configuration and operating system (OS), is described below.
3.1.1 Client - The Supplicant
A client is a device that connects to a network. In order to connect to the network, a client needs to be authenticated by the authentication server so that it can establish a secure connection and use the available resources.
In this experiment, a laptop running the Linux (Ubuntu) operating system is used as the client. The main motivation for using a laptop instead of a personal computer is that, as the experiment is performed in both wired and wireless networks, a laptop can connect to both, whereas a PC cannot connect to a wireless network because no WiFi interface card is available internally. Another reason is that PCs are not handy and cannot be carried around; generally, people carrying laptops tend to connect to wireless networks. The laptop specification is given below.
System: DELL Studio Laptop
Model: PP39I
Processor: Intel Core i3
CPU: 2GHz
RAM: 3GB
OS: Ubuntu 12.04 LTS
The reason for using Ubuntu as the operating system is that it is open source and all EAP methods are built in, requiring no additional software, whereas in the Windows operating system many EAP methods are not available internally and require external software (Xsupplicant) to be installed.
3.1.2 Router / Access Point – The Authenticator
The router/access point is a device used for transferring the user credentials between the supplicant and the authentication server. The main role of the authenticator [26, 28] is to open or close the port for the supplicant, allowing or denying the use of the resources available on the server.
In the wired network, the authenticator specifications are given below:
Name: Cisco 2800 series
Model: Cisco 2811
Version: 12.4
In the wireless network, the authenticator specifications are given below:
Name: Cisco Aironet 1230 AG series
Model: AIR-LAP1232AG-E-K9
These devices were configured to use IEEE 802.1x and were used to transfer EAP messages between the supplicant and the authentication server.
3.1.3 RADIUS Server – The Authentication Server
The authentication server is responsible for accepting or denying the supplicant's request to use the available resources on the server. The specification of the laptop on which the RADIUS server was installed is given below.
System: Toshiba Satellite A135-S4477
Processor: Intel Core 2
CPU: 2GHz
RAM: 3GB
OS: Ubuntu 12.04 LTS
Software: FreeRADIUS
There are many open source RADIUS servers available, but only a few support all widely used EAP methods. FreeRADIUS [30] is an open source server which supports most of the authentication protocols, which motivated us to use it. The configuration of the RADIUS server is presented in Appendix A.
3.1.4 Tools
3.1.4.1 Wireshark
Wireshark is open source software available for both Windows and Linux operating systems [20]. It is a network packet analyzer used to capture network packets and display the packet data in detail. It is used to troubleshoot network problems, examine security problems, debug protocol implementations, and for education.
Wireshark is used to monitor the EAP messages flowing between the supplicant and the authentication server.
3.2 Experimental Setup for Wired Network
In this section, the experimental setup for the wired network is explained. The entities required for the setup are the supplicant, the authenticator and the authentication server. The individual operations of these entities are explained in the section above.
Figure 3.1: Experimental Setup for Wired Network
The implementation consists of a supplicant, an authenticator and an authentication server. The supplicant is connected to the authenticator (router) using an unshielded twisted pair cable (RJ45). The authenticator is connected to the authentication server using an RJ45 cable.
In this setup, the authentication time and processing time of the widely used EAP methods are calculated in the wired network. Wireshark is used to obtain the timestamps for the authentication time and total processing time. The authentication time is the total time taken for the user to get authenticated in the network. The processing time shows the performance of each entity for the EAP method that network administrators intend to use.
3.2.1 Authentication Time
To calculate the authentication time, the EAP messages were monitored at the supplicant end using Wireshark. Only the timestamps of the EAP messages of a successful authentication were logged. The formula used to calculate the authentication time is
$$A_{Total} = A_{End} - A_{Start}$$
Where,
$A_{Total}$ = Total authentication time
$A_{Start}$ = EAP message start time
$A_{End}$ = EAP message end time
The calculated authentication time contains the time taken for the user to authenticate in the network, as shown in the formula below,
$$A_{Total} = P_{Total} + \text{Network time}$$
Where,
$P_{Total}$ = Total processing time
To validate the result, 30 samples were taken and their mean value is calculated using the formula,
$$\text{Authentication Time} = \frac{\text{Sum of Authentication Times}}{N}$$
Where, N = Number of samples taken. To verify the results, the standard deviation is calculated for the 30 samples.
3.2.2 Processing Time
Processing time is the time taken to process a packet at each entity. The total processing time is the sum of the processing times at all entities. The supplicant processing time is the time taken to process the EAP messages at the supplicant end. The authenticator processing time is the time between an incoming EAP message and the corresponding outgoing EAP message in the authenticator. The processing time of the authentication server is the time taken to process the EAP message at the server end. The formula for the total processing time is shown below.
$$P_{Total} = P_{Supplicant} + P_{Authenticator} + P_{Server}$$
Where,
$P_{Total}$ = Total processing time
$P_{Supplicant}$ = Processing time of supplicant
$P_{Authenticator}$ = Processing time of authenticator
$P_{Server}$ = Processing time of authentication server
$P_{Supplicant}$ and $P_{Server}$ are calculated from Wireshark timestamps as the time between a packet entering the supplicant/server and the reply leaving it. The timestamps for $P_{Authenticator}$ are obtained in the router; the results are exported and analyzed using Wireshark to calculate the $P_{Authenticator}$ processing time.
The mean processing time of each entity and the total processing time for the 30 samples are calculated using the formula,
$$\text{Processing Time (for supplicant/authenticator/server)} = \frac{\text{Sum of Processing Times}}{N}$$
Where, N = Number of samples taken.
Figure 3.2: The flow diagram of EAP TLS messages [33]
For example, Figure 3.2 shows the flow diagram of EAP-TLS messages. Processing time is the time taken at each entity, as mentioned above. The numbers in Figure 3.2 indicate the order of the packets, hence the processing times of the supplicant, authenticator and authentication server can be calculated as,
$P_{Supplicant}$ = time taken at (4-3) + (12-11) + (20-19)
$P_{Authenticator}$ = time taken at (2-1) + (6-5) + (10-9) + (14-13) + (18-17) + (22-21) + (26-25)
$P_{Server}$ = time taken at (8-7) + (16-15) + (24-23)
Authentication time = end time - start time.
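The packet pairing above, together with the A_Total and P_Total formulas of Sections 3.2.1 and 3.2.2, can be carried out mechanically on Wireshark timestamps. The following Python script is an added example, not code from the thesis: it assumes a CSV export with "No." and "Time" columns, and the per-entity delays used to build its sample capture are constructed values, not measurements from the experiment.

```python
"""Authentication and processing time from EAP packet timestamps.

Added example, not code from the thesis. It applies the packet pairing
given for Figure 3.2 (26 numbered EAP-TLS packets) and the formulas of
Sections 3.2.1 and 3.2.2 to constructed timestamps. The function names,
the CSV layout assumed for a Wireshark export and the sample delays are
this example's own assumptions.
"""
import csv
import io
from statistics import mean, stdev
from typing import Dict, List, Sequence, Tuple

# (incoming, outgoing) packet numbers per entity, as listed for Figure 3.2
SUPPLICANT_PAIRS = [(3, 4), (11, 12), (19, 20)]
AUTHENTICATOR_PAIRS = [(1, 2), (5, 6), (9, 10), (13, 14), (17, 18), (21, 22), (25, 26)]
SERVER_PAIRS = [(7, 8), (15, 16), (23, 24)]
PACKET_COUNT = 26


def entity_time(ts: Sequence[float], pairs: Sequence[Tuple[int, int]]) -> float:
    """Sum of (outgoing - incoming) timestamps over one entity's packet pairs.

    ts[n - 1] is the Wireshark timestamp of packet number n.
    """
    total = 0.0
    for n_in, n_out in pairs:
        delta = ts[n_out - 1] - ts[n_in - 1]
        if delta < 0:
            raise ValueError(f"packet {n_out} is timestamped before packet {n_in}")
        total += delta
    return total


def analyse_sample(ts: Sequence[float]) -> Dict[str, float]:
    """P_Supplicant, P_Authenticator, P_Server, P_Total, A_Total and network time for one run."""
    if len(ts) != PACKET_COUNT:
        raise ValueError(f"expected {PACKET_COUNT} packets, got {len(ts)}")
    p_sup = entity_time(ts, SUPPLICANT_PAIRS)
    p_auth = entity_time(ts, AUTHENTICATOR_PAIRS)
    p_srv = entity_time(ts, SERVER_PAIRS)
    p_total = p_sup + p_auth + p_srv
    a_total = ts[-1] - ts[0]            # A_Total = A_End - A_Start
    return {
        "P_Supplicant": p_sup,
        "P_Authenticator": p_auth,
        "P_Server": p_srv,
        "P_Total": p_total,
        "A_Total": a_total,
        "Network": a_total - p_total,   # A_Total = P_Total + network time
    }


def summarise(samples: List[Dict[str, float]]) -> Dict[str, Dict[str, float]]:
    """Mean, standard deviation, min and max per quantity, as in Tables 4.1 and 4.2."""
    summary = {}
    for key in samples[0]:
        values = [s[key] for s in samples]
        summary[key] = {
            "mean": mean(values),
            "stdev": stdev(values) if len(values) > 1 else 0.0,
            "min": min(values),
            "max": max(values),
        }
    return summary


def parse_wireshark_csv(text: str) -> List[float]:
    """Timestamps ordered by packet number from a CSV export with 'No.' and 'Time' columns."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: int(r["No."]))
    return [float(r["Time"]) for r in rows]


def make_sample(d_sup: float, d_auth: float, d_srv: float, link: float) -> List[float]:
    """Constructed capture: 26 timestamps from fixed per-entity delays and a fixed link delay."""
    owner = {}
    for pairs, delay in ((SUPPLICANT_PAIRS, d_sup), (AUTHENTICATOR_PAIRS, d_auth),
                         (SERVER_PAIRS, d_srv)):
        for n_in, _ in pairs:
            owner[n_in] = delay
    ts = [0.0]
    for n in range(2, PACKET_COUNT + 1):
        # even packet: reply leaving the entity that received packet n-1;
        # odd packet: arrival at the next entity after one link hop
        ts.append(ts[-1] + (owner[n - 1] if n % 2 == 0 else link))
    return ts


if __name__ == "__main__":
    runs = [analyse_sample(make_sample(0.020, 0.010, 0.010, 0.001 * k)) for k in (1, 2)]
    for name, stats in summarise(runs).items():
        print(f"{name:16s} mean={stats['mean']:.4f} stdev={stats['stdev']:.4f}")
```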
3.3 Experimental Setup for Wireless Network
To set up a wireless network, a communication device which does not require a physical medium for relaying information to other devices is required. For this purpose, a wireless access point is used as the authenticator. A wireless connection is established between the authenticator and the supplicant.
Figure 3.3: Experimental Setup for Wireless Network
Using the timestamps of each EAP method, the authentication time is calculated using the same formula as in the wired network. The processing times $P_{Supplicant}$, $P_{Authenticator}$ and $P_{Server}$ are also calculated in the same way as for the wired network. To check the scalability of the wireless network, a scalability experiment is performed, which is discussed in Chapter 5.
4 EXPERIMENTAL RESULTS
In this section, the data collected in the experiments for both wired and wireless networks is presented; the authentication time and total processing time results are compared.
4.1 Results for Wired Network
4.1.1 Evaluation of Authentication Time
The authentication time for the wired network is shown below.
EAP-Method   Authentication Time [sec] (Stdev)   Min [sec]   Max [sec]
EAP-MD5 0.1046 (0.0077) 0.0940 0.1183
EAP-TLS 0.2627 (0.0041) 0.2578 0.2706
EAP-TTLS-PAP 0.2018 (0.0051) 0.1946 0.2107
EAP-TTLS-CHAP 0.2155 (0.0053) 0.2092 0.2239
EAP-TTLS-MSCHAP 0.2301 (0.0036) 0.2249 0.2368
EAP-TTLS-MSCHAPv2 0.2587 (0.0040) 0.2518 0.2657
EAP-PEAP-MD5 0.1858 (0.0033) 0.1802 0.1920
EAP-PEAP-MSCHAPv2 0.2532 (0.0035) 0.2483 0.2607
Table 4.1: Authentication Time for wired network
The results in Table 4.1 show that EAP-MD5 has the smallest authentication time and EAP PEAP-MD5 has the least variation. The remaining protocols have a higher authentication time as compared to EAP-MD5 and EAP PEAP-MD5. EAP TTLS-MSCHAPv2 shows the highest authentication time as compared to the other protocols. EAP PEAP-MSCHAPv2 shows a slightly lower authentication time as compared to EAP TTLS-MSCHAPv2.
4.1.2 Evaluation of Processing Time
The processing time of each entity in the wired network, with its standard deviation to analyze the samples, is shown below.
EAP-Method   Supplicant [sec] (Stdev)   Authenticator [sec] (Stdev)   Authentication Server [sec] (Stdev)   Total [sec] (Stdev)   Min [sec]   Max [sec]
MD5 0.0367 (0.0014) 0.0548 (0.0012) 0.0087 (0.0020) 0.1002 (0.0045) 0.0934 0.1092
TLS 0.0712 (0.0015) 0.1167 (0.0014) 0.0328 (0.0023) 0.2207 (0.0050) 0.2127 0.2313
TTLS-PAP 0.0705 (0.0011) 0.1026 (0.0015) 0.0285 (0.0028) 0.2016 (0.0051) 0.1941 0.2091
TTLS-CHAP 0.0746 (0.0012) 0.0988 (0.0013) 0.0281 (0.0024) 0.2015 (0.0049) 0.1917 0.2092
TTLS-MSCHAP 0.0756 (0.0009) 0.1154 (0.0015) 0.0276 (0.0018) 0.2186 (0.0042) 0.2121 0.2255
TTLS-MSCHAPv2 0.0622 (0.0014) 0.1223 (0.0008) 0.0278 (0.0016) 0.2123 (0.0037) 0.2068 0.2198
PEAP-MD5 0.0638 (0.0010) 0.0938 (0.0012) 0.0226 (0.0013) 0.1802 (0.0034) 0.1745 0.1871
PEAP-MSCHAPv2 0.0783 (0.0012) 0.1406 (0.0016) 0.0286 (0.0017) 0.2475 (0.0043) 0.2396 0.2537
Table 4.2: Total Processing Time for Wired Network
The results in Table 4.2 show that the processing time in the authenticator is higher as compared to the authentication server and the supplicant. EAP-MD5 has the least total processing time. EAP PEAP-MD5 has less variation of processing time as compared to EAP-MD5. PEAP-MSCHAPv2 has the highest total processing time. Apart from that, it is difficult to find a pattern in the results of the other protocols.
The results obtained in this wired network experiment are compared with [8], and the results show little variation. This might have occurred due to the change in environment as compared to [8].
4.2 Results for Wireless Network
The results obtained for the wireless network for authentication time and processing time are shown below.
4.2.1 Evaluation of Authentication Time
The authentication time for the wireless network is shown below.
EAP-Method   Authentication Time [sec] (Stdev)   Min [sec]   Max [sec]
EAP-MD5 0.1474 (0.0065) 0.1384 0.1593
EAP-TLS 0.3916 (0.0052) 0.3822 0.4021
EAP-TTLS-PAP 0.2941 (0.0036) 0.2855 0.3048
EAP-TTLS-CHAP 0.3008 (0.0043) 0.2927 0.3096
EAP-TTLS-MSCHAP 0.3215 (0.0038) 0.3128 0.3291
EAP-TTLS-MSCHAPv2 0.3611 (0.0056) 0.3498 0.3702
EAP-PEAP-MD5 0.2406 (0.0058) 0.2293 0.2508
EAP-PEAP-MSCHAPv2 0.3278 (0.0062) 0.3182 0.3375
Table 4.3: Authentication Time for Wireless Network
The results in Table 4.3 show that EAP-MD5 has the smallest authentication time as compared to the other EAP methods. EAP PEAP-MSCHAPv2 and EAP TTLS-MSCHAPv2 show slight variation in authentication time between them. EAP-TLS has the largest authentication time. The remaining EAP methods do not follow any pattern in the samples obtained.
4.2.2 Evaluation of Processing Time
The processing time of each entity in the wireless network is shown below.
EAP-Method   Supplicant [sec] (Stdev)   Authenticator [sec] (Stdev)   Authentication Server [sec] (Stdev)   Total [sec] (Stdev)   Min [sec]   Max [sec]
MD5 0.0431 (0.0015) 0.0654 (0.0017) 0.0106 (0.0020) 0.1191 (0.0051) 0.1083 0.1278
TLS 0.0912 (0.0011) 0.1514 (0.0012) 0.0404 (0.0013) 0.2830 (0.0036) 0.2740 0.2916
TTLS-PAP 0.0869 (0.0012) 0.1193 (0.0010) 0.0315 (0.0014) 0.2377 (0.0034) 0.2281 0.2458
TTLS-CHAP 0.0918 (0.0013) 0.1215 (0.0015) 0.0332 (0.0015) 0.2465 (0.0043) 0.2374 0.2562
TTLS-MSCHAP 0.0905 (0.0014) 0.1372 (0.0017) 0.0316 (0.0022) 0.2593 (0.0051) 0.2503 0.2686
TTLS-MSCHAPv2 0.0768 (0.0012) 0.1457 (0.0015) 0.0323 (0.0016) 0.2548 (0.0040) 0.2467 0.2661
PEAP-MD5 0.0738 (0.0014) 0.1102 (0.0019) 0.0265 (0.0020) 0.2105 (0.0053) 0.2031 0.2177
PEAP-MSCHAPv2 0.0934 (0.0013) 0.1664 (0.0016) 0.0327 (0.0016) 0.2925 (0.0044) 0.2842 0.3013
Table 4.4: Processing Time for Wireless Network
From Table 4.4, it is seen that EAP-MD5 has the smallest processing time. PEAP-MSCHAPv2 and TLS take a higher time as compared to the remaining protocols. The processing times of TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP and TTLS-MSCHAPv2 show slight variation between them. EAP PEAP-MSCHAPv2 takes the highest processing time.
4.3 Comparison of Authentication Time
The results obtained for the wired and wireless networks are compared to find which network provides better performance and whether a suitable EAP method for both wired and wireless networks can be chosen. Figure 4.1 displays the authentication time of each EAP method for the wired and wireless networks. The x-axis denotes the EAP methods and the y-axis the authentication time. The blue bars indicate wired network results and the red bars wireless network results.
[Figure 4.1: bar chart of authentication time per EAP method; x-axis: EAP-Methods (MD5, TLS, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPv2, PEAP-MD5, PEAP-MSCHAPv2); y-axis: Authentication time, 0 to 0.45 s; series: Wired, Wireless]
Figure 4.1: Comparison of Authentication Time
Figure 4.1 shows the authentication time for the wired and wireless networks. The authentication time in the wireless network shows that it takes additional time to get authenticated in comparison to the wired network. EAP-MD5 has the smallest time in both networks. EAP-TLS has seen a delay of more than a second in the wireless network as compared to the wired network, whereas EAP-TTLS and EAP-PEAP have a delay of approximately 500-800ms. On average, the wireless network took 0.084s additional time for each protocol to get authenticated as compared to the wired network.
4.4 Comparison of Total Processing Time
The results obtained for the wired and wireless networks for total processing time are shown in Figure 4.2. The total processing time in the wireless network shows that it takes additional time to get processed in comparison to the wired network. Figure 4.2 displays the total processing time of each EAP method for the wired and wireless networks. The x-axis denotes the EAP methods and the y-axis the total processing time. The blue bars indicate wired network results and the red bars wireless network results.
[Figure 4.2: bar chart of total processing time per EAP method; x-axis: EAP-Methods (MD5, TLS, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPv2, PEAP-MD5, PEAP-MSCHAPv2); y-axis: Total Processing Time, 0 to 0.35 s; series: Wired, Wireless]
Figure 4.2: Comparison of Total Processing Time
The processing time of each protocol in the wired network is lower as compared to the wireless network scenario. MD5 takes the least processing time in both the wired and wireless scenarios as compared to all other protocols; TLS and PEAP-MSCHAPv2 take a somewhat higher time.
5 SCALABILITY EXPERIMENT
It is necessary to evaluate the scalability of the network to see whether the methods used have the ability to handle loads, so a scalability experiment is carried out. The experimental setup remains the same as in the wireless network scenario. The only difference between the wireless network scenario and the scalability experiment is that in the wireless network only one client is connected at a time, whereas in the scalability experiment ten users with different PCs running the Ubuntu operating system were asked to connect to the network simultaneously, to check whether there is any change in authentication time and total processing time when a number of users try to log in at the same time. All ten users used the built-in EAP methods available in Ubuntu, and the EAP messages were captured in the same way as in the wireless network. The reason for performing this experiment is to know the scalability of the network when the number of users increases.
Figure 5.1: Scalability Experiment
5.1 Calculation of Authentication Time and Processing Time
The authentication time and processing time were calculated as in the wireless network scenario above. Table 5.1 presents the average of 10 samples, obtained while 10 users logged in to the network using valid credentials provided by us. The results show very little difference in authentication time and total processing time as compared to the wireless network.
EAP-Method   Authentication Time (Stdev)   Total Processing Time (Stdev)
EAP-MD5 0.1526s (0.0076) 0.1257s (0.0069)
EAP-TLS 0.3962s (0.0085) 0.2943s (0.0078)
EAP-TTLS-PAP 0.2894s (0.0068) 0.2439s (0.0073)
EAP-TTLS-CHAP 0.2875s (0.0070) 0.2602s (0.0064)
EAP-TTLS-MSCHAP 0.3307s (0.0069) 0.2744s (0.0076)
EAP-TTLS-MSCHAPv2 0.3689s (0.0074) 0.2752s (0.0080)
EAP-PEAP-MD5 0.2426s (0.0079) 0.2187s (0.0068)
EAP-PEAP-MSCHAPv2 0.3294s (0.0083) 0.3121s (0.0071)
Table 5.1: Authentication Time & Total Processing Time for Scalability Experiment
From Table 5.1, it is seen that EAP-MD5 takes the smallest authentication time, EAP TTLS-MSCHAPv2 takes the highest authentication time, EAP-MD5 shows the least total processing time and EAP PEAP-MSCHAPv2 shows the highest processing time. Comparing Table 5.1 with Table 4.3 and Table 4.4, we observe less than 1% difference in average authentication time and 7% difference in average total processing time, which is negligible. We can say that even if a number of users simultaneously try to connect to the network, there is not much difference in performance.
6 SURVEY
An online survey was conducted among the students of BTH using docs.google.com. The reason for using an online survey instead of face-to-face interviews with the students is that face-to-face responses may be influenced by us through peer pressure. The survey link was sent to the students of BTH via the student portal.
In total, 320 responses were obtained, of which only 292 were considered. The responses were collected from different schools of BTH. The remaining responses were considered improper. Improper responses were filtered by age criteria, i.e., a few students gave an age below 18, whereas at BTH it is not possible for a student below 18 years to study. A few students also gave school names which do not exist at BTH, hence we knew that those students were not serious while answering the questions, and such responses were discarded. The main motive of the survey was to obtain feedback from the students regarding the network security provided by BTH.
6.1 Survey Results
The complete survey results are presented in Appendix B. The questions used in the survey and the responses are as follows:
1. Knowledge on computer networks: The number of participants having knowledge of computer networks was obtained from students of different schools of BTH. The responses from each school were divided by gender and further sub-divided by knowledge of computer networks, as presented in Table 6.1.
School | Male: Yes | Male: No | Female: Yes | Female: No | All: Yes | All: No
School of Computing | 102 | 20 | 17 | 2 | 119 | 22
School of Engineering | 74 | 24 | 15 | 8 | 89 | 32
Other Schools | 10 | 6 | 3 | 11 | 13 | 17
All Schools | 186 | 50 | 35 | 21 | 221 | 71
Table 6.1: Participants' Knowledge on Network Security
The result indicates that 186 male students on the BTH campus have knowledge of computer networks and 50 do not. 35 female students of the BTH campus possess knowledge of computer networks and 21 female students do not possess any knowledge in this domain.
2. Do you consider security to be important when you use a network?
Table 6.2 presents the responses of male and female students with regard to the importance of network security. It is clear that the majority of students consider security to be important when they use a network. Overall, 270 students consider that security is important, 3 students consider that security is not important and 10 students consider that security may be important while using the network.
School | Male: Yes | Male: No | Male: Maybe | Female: Yes | Female: No | Female: Maybe | All: Yes | All: No | All: Maybe
School of Computing | 108 | 1 | 13 | 18 | 0 | 1 | 126 | 1 | 14
School of Engineering | 94 | 1 | 3 | 21 | 1 | 1 | 115 | 2 | 4
Other Schools | 15 | 0 | 1 | 14 | 0 | 0 | 29 | 0 | 1
All Schools | 217 | 2 | 17 | 53 | 1 | 2 | 270 | 3 | 19
Table 6.2: Participants' opinion on the importance of Network Security
3. Which of the following scenarios would you prefer when connecting to a network?
Table 6.3 presents the preferences of students regarding security versus the connection time they are willing to wait until the connection is established. 184 male students and 45 female students prefer high security and do not mind a longer connection time, while the remaining 52 males and 11 females prefer a shorter connection time with less security.
School | Male: High security with a long connection time | Male: Low security with a short connection time | Female: High security with a long connection time | Female: Low security with a short connection time | All: High security with a long connection time | All: Low security with a short connection time
School of Computing | 92 | 30 | 15 | 4 | 107 | 34
School of Engineering | 77 | 21 | 19 | 4 | 96 | 25
Other Schools | 15 | 1 | 11 | 3 | 26 | 4
All Schools | 184 | 52 | 45 | 11 | 229 | 63
Table 6.3: Participants' preference on network connection time
4. How long time would you be willing to wait for a connection to a network to be established, if you know nothing of the security of the connection?
Table 6.4 presents the network connection time students are willing to wait until the connection is established, assuming that they have no clear knowledge about the security of the connection. From the table below, it is seen that there is a mixed opinion among the students: 84 students are ready to wait up to 3 seconds until the network connection is established and 94 students are ready to wait up to 5 seconds. The views of both genders about connection time do not show any significant difference, as the majority of male and female students are ready to wait 1-5 seconds.
School | Male: 1 sec | Male: 1-3 sec | Male: 3-5 sec | Male: 5-8 sec | Male: >8 sec | Female: 1 sec | Female: 1-3 sec | Female: 3-5 sec | Female: 5-8 sec | Female: >8 sec | All: 1 sec | All: 1-3 sec | All: 3-5 sec | All: 5-8 sec | All: >8 sec
School of Computing | 16 | 34 | 41 | 17 | 14 | 3 | 6 | 6 | 2 | 2 | 19 | 40 | 47 | 19 | 16
School of Engineering | 5 | 30 | 27 | 15 | 21 | 0 | 6 | 13 | 4 | 0 | 5 | 36 | 40 | 19 | 21
Other Schools | 1 | 4 | 4 | 2 | 5 | 1 | 4 | 4 | 3 | 2 | 2 | 8 | 8 | 5 | 7
All Schools | 22 | 68 | 72 | 34 | 40 | 4 | 16 | 23 | 9 | 4 | 26 | 84 | 95 | 43 | 44
Table 6.4: Network connection time participants are willing to wait when they have no knowledge of the security of the connection
5. How long time would you be willing to wait for a connection to a network to be established, if longer time yields higher security?
Table 6.5 presents the network connection time students are willing to wait if they are provided with higher security. From the results, 69 students are ready to wait approximately 5 seconds, 105 students approximately 8 seconds, and 78 students are willing to wait more than 8 seconds until the connection is established in order to obtain higher security.
School | Male: 1 sec | Male: 1-3 sec | Male: 3-5 sec | Male: 5-8 sec | Male: >8 sec | Female: 1 sec | Female: 1-3 sec | Female: 3-5 sec | Female: 5-8 sec | Female: >8 sec | All: 1 sec | All: 1-3 sec | All: 3-5 sec | All: 5-8 sec | All: >8 sec
School of Computing | 3 | 19 | 26 | 44 | 30 | 0 | 3 | 6 | 8 | 2 | 3 | 22 | 32 | 52 | 32
School of Engineering | 1 | 10 | 24 | 34 | 29 | 0 | 1 | 7 | 8 | 7 | 1 | 11 | 31 | 42 | 36
Other Schools | 0 | 2 | 2 | 4 | 8 | 0 | 1 | 4 | 7 | 2 | 0 | 3 | 6 | 11 | 10
All Schools | 4 | 31 | 52 | 82 | 67 | 0 | 5 | 17 | 23 | 11 | 4 | 36 | 69 | 105 | 78
Table 6.5: Connection time participants are ready to wait if higher security is provided
6. Which type of network do you choose in BTH campus?
Table 6.6 presents the number of students using the wired and wireless networks on the BTH campus. The results indicate that the majority of students use the wireless network: 266 students use the wireless network and 26 students use the wired network.
School | Male: Wired | Male: Wireless | Female: Wired | Female: Wireless | All: Wired | All: Wireless
School of Computing | 15 | 107 | 0 | 19 | 15 | 126
School of Engineering | 8 | 90 | 1 | 22 | 9 | 112
Other Schools | 1 | 15 | 1 | 13 | 2 | 28
All Schools | 24 | 212 | 2 | 54 | 26 | 266
Table 6.6: BTH campus network connection usage by participants
7. Do you regard the security of the BTH networks to be enough to keep your data confidential?
Table 6.7 presents the number of students who regard the network security provided by BTH as sufficient or not. The reason for asking this question is that it is important to know the users' perspective on the security provided by the campus, as they are the end users. The results indicate that approximately 22% of the students regard the network security provided on the BTH campus as not enough to keep their data confidential.
School | Male: Yes | Male: No | Female: Yes | Female: No | All: Yes | All: No
School of Computing | 96 | 26 | 14 | 5 | 110 | 31
School of Engineering | 82 | 16 | 17 | 6 | 99 | 22
Other Schools | 9 | 7 | 11 | 3 | 20 | 10
All Schools | 187 | 49 | 42 | 14 | 229 | 63
Table 6.7: Participants' opinion about the security of the BTH network
8. If network connection security were to be upgraded in the network you are using at BTH to get a higher security, inducing higher connection times, would you be willing to wait for a few more seconds or would you prefer the security and connection time to remain the same as before?
Table 6.8 presents the students' preferences if the network security is upgraded to obtain higher security. The results indicate that 206 students are willing to wait additional connection time to obtain higher security, and 86 students would like to remain with the security mechanism currently used by BTH.
School | Male: I am willing to wait a few seconds extra | Male: I would want it to remain the same as before | Female: I am willing to wait a few seconds extra | Female: I would want it to remain the same as before | All: I am willing to wait a few seconds extra | All: I would want it to remain the same as before
School of Computing | 82 | 40 | 16 | 3 | 98 | 43
School of Engineering | 65 | 33 | 17 | 6 | 82 | 39
Other Schools | 16 | 0 | 10 | 4 | 26 | 4
All Schools | 163 | 73 | 43 | 13 | 206 | 86
Table 6.8: Participants' preference if the network is upgraded to higher security
7 DISCUSSION

Every network needs a secure login method so that users can feel confident that any confidential information in the network is kept secure. To maintain security in the network, network administrators need to consider what level of security can be provided. To achieve a high level of security they also need to know the cost of deployment, including whether any additional equipment is required beyond the existing security setup.
Port-based access control (802.1x) can be used to authenticate users, and it requires one or more EAP authentication methods to establish a high level of security. It is therefore necessary to evaluate the performance of widely used EAP methods in wired and wireless networks and to compare the results for the two, in order to check whether any additional delay occurs, whether one particular method can be used for both wired and wireless networks, and whether the EAP methods are capable of handling heavy loads.
For RQ1, the results in Table 4.1 and Table 4.2 show that the authentication time and total processing time of EAP-MD5 are lower than those of the other methods, but EAP-MD5 is vulnerable to many attacks and is not secure, as shown in Table 2.2. The better protocol is one that provides both good security and good performance on the network. EAP-PEAP, EAP-TTLS and EAP-TLS are secure methods, but EAP-TLS is more secure than EAP-TTLS and EAP-PEAP. The reason is that EAP-TLS authenticates both sides with certificates (the client presents a certificate as well as the server), whereas EAP-TTLS and EAP-PEAP require a certificate on the server side only and authenticate the user with a password inside the TLS tunnel. The tunnelled methods are therefore only as strong as the supplicant's validation of the server certificate: a supplicant configured not to verify the server certificate will complete the inner authentication with any server that presents itself as the authentication server.
The experiment performed in the wired scenario is similar to the work done in [8]. A switch is used as the authenticator in [8], whereas a router is used in this work. The experiment in [8] was performed on personal computers, whereas we performed it on laptops. Figure 7.1 and Figure 7.2 compare our wired network results with the experimental results of [8]. The authentication time and total processing time show little variation between the two studies; the variation that does exist might be due to the change of authenticator device, or to the change of supplicant and authentication server hardware, since PCs were used in [8] and laptops in our work.
Figure 7.1: Authentication time (seconds, axis 0 to 0.3) of MD5, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAPv2 and PEAP-MSCHAPv2, this work compared to the work done by [8] (bar chart not reproduced)
Figure 7.2: Total processing time (seconds, axis 0 to 0.3) of MD5, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAPv2 and PEAP-MSCHAPv2, this work compared to the work done by [8] (bar chart not reproduced)
For RQ2, the results in Table 4.3 and Table 4.4 show that EAP-MD5 again has the smallest processing time and authentication time, while EAP-TLS takes the longest. The higher time for EAP-TLS may be due to its mutual certificate exchange. EAP-TTLS and EAP-PEAP give moderate authentication and processing times, as they exchange a certificate in one direction only.
From Table 4.1 and Table 4.3, the authentication time of every EAP method is seen to be lower in the wired network than in the wireless network. Since 30 samples were collected for each EAP method, the standard deviation over the 30 samples was calculated to check the variation; it shows little variation.
From Table 4.2 and Table 4.4, the total processing time in the wired network is also seen to be better than in the wireless network. The additional delay is probably due to the packets travelling over the wireless link. As above, the standard deviation of the total processing time for each EAP method shows little variation.
To check whether the different EAP methods scale with the number of users in the wireless network, a scalability experiment was conducted in which 10 users were asked to log in simultaneously. The results in Table 5.1 indicate that, even when several users try to log in simultaneously, the variation in both authentication time and total processing time is negligible.
According to the information given by the companies, PEAP-MSCHAPv2 is the method they use. In our results, PEAP-MSCHAPv2 takes 0.2532 seconds to authenticate in the wired network and 0.3278 seconds in the wireless network. PEAP-MSCHAPv2 is less secure than EAP-TLS, but because it is simpler to implement, cheaper to deploy and cheaper to maintain (no client certificates have to be issued), it has become highly popular among network administrators. We consider EAP-TLS the most secure of the methods in this study and the one to choose if a high level of security must be achieved.
A user survey with a series of questions was conducted among students of BTH using an online survey form, to obtain the students' opinion of the network security provided by the BTH network administrators. Approximately 22% of the students questioned regard the network security provided by BTH as not secure. The responses also indicate that the majority of the students are willing to wait longer to get higher security when connecting to the network.
7.1 Assessment
• Wireshark may have had some impact on the measurement: a packet may not reach Wireshark at the same time as it reaches the supplicant, and a few packets may be lost and never reach Wireshark at all. Hence the packets of every successful login were counted, and only samples in which the same number of packets was received were used.
• The results were calculated manually, so each sample time may differ slightly from what an automated system would give. We believe the difference between manually and automatically obtained samples is small enough to be negligible.
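As an added worked example (not code from the thesis) of how the per-sample authentication times behind Tables 4.1 to 4.4 and the scalability results of Table 5.1 can be derived from a capture, together with the packet-count check the first assessment point above calls for: the Python script below groups exported EAPOL/EAP frames by supplicant MAC address, so that simultaneous logins such as the 10 users of the scalability experiment are separated even when interleaved in one capture, measures each login from its EAPOL-Start to its EAP-Success frame, drops any login whose frame count is short (packets lost on the way to Wireshark) and reports the mean and standard deviation per supplicant. The CSV layout, the start-to-success definition of authentication time and the six-frame login are assumptions made for the example; the capture lines are constructed, not measured.

```python
"""Per-login EAP authentication time from exported EAPOL/EAP frames.

Added example, not code from the thesis. Assumptions (not stated on the page):
  * frames were exported from Wireshark as CSV lines
    "relative_time,supplicant_mac,event", where event is EAPOL-Start,
    Request, Response, Success or Failure;
  * authentication time runs from the supplicant's EAPOL-Start to the
    EAP-Success frame for that supplicant;
  * every successful login of a given EAP method consists of a fixed number
    of frames, so a sample with fewer frames lost packets in the capture and
    is discarded (the check the assessment section asks for).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, stdev


@dataclass(frozen=True)
class Frame:
    ts: float   # seconds since start of capture
    mac: str    # supplicant MAC address
    event: str  # EAPOL-Start, Request, Response, Success, Failure


def parse_csv(text):
    """Parse 'time,mac,event' lines; blank lines and '#' comments are ignored."""
    frames = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, mac, event = (field.strip() for field in line.split(","))
        frames.append(Frame(float(ts), mac.lower(), event))
    return frames


def authentication_times(frames, expected_frames):
    """Return {mac: [authentication time in seconds, ...]} over complete logins.

    Frames are grouped by supplicant MAC, so concurrent logins (the
    scalability experiment) are separated even when interleaved in one capture.
    """
    by_mac = defaultdict(list)
    for f in sorted(frames, key=lambda f: f.ts):
        by_mac[f.mac].append(f)
    times = {}
    for mac, seq in by_mac.items():
        durations = []
        start, count = None, 0
        for f in seq:
            if f.event == "EAPOL-Start":
                start, count = f.ts, 1      # new attempt; any open one is abandoned
            elif start is not None:
                count += 1
                if f.event == "Success":
                    if count == expected_frames:
                        durations.append(f.ts - start)
                    start = None            # short count: frames lost, sample dropped
                elif f.event == "Failure":
                    start = None
        times[mac] = durations
    return times


def summarise(times):
    """{mac: (samples, mean, standard deviation)}; stdev is None below 2 samples."""
    return {mac: (len(d), mean(d) if d else None, stdev(d) if len(d) > 1 else None)
            for mac, d in times.items()}


# Constructed capture (not measured): two supplicants logging in at the same
# time, interleaved, then each once more. The first login of ...:02 is missing
# one Response frame and must be dropped. Six frames make a complete login.
SAMPLE_CSV = """
# time,mac,event
0.000,00:00:5e:00:53:01,EAPOL-Start
0.005,00:00:5e:00:53:02,EAPOL-Start
0.010,00:00:5e:00:53:01,Request
0.015,00:00:5e:00:53:02,Request
0.020,00:00:5e:00:53:01,Response
0.030,00:00:5e:00:53:02,Response
0.100,00:00:5e:00:53:01,Request
0.120,00:00:5e:00:53:02,Request
0.150,00:00:5e:00:53:01,Response
0.250,00:00:5e:00:53:01,Success
0.300,00:00:5e:00:53:02,Success
1.000,00:00:5e:00:53:01,EAPOL-Start
1.012,00:00:5e:00:53:01,Request
1.020,00:00:5e:00:53:01,Response
1.110,00:00:5e:00:53:01,Request
1.160,00:00:5e:00:53:01,Response
1.270,00:00:5e:00:53:01,Success
2.000,00:00:5e:00:53:02,EAPOL-Start
2.010,00:00:5e:00:53:02,Request
2.025,00:00:5e:00:53:02,Response
2.130,00:00:5e:00:53:02,Request
2.190,00:00:5e:00:53:02,Response
2.310,00:00:5e:00:53:02,Success
"""
EXPECTED_FRAMES = 6

if __name__ == "__main__":
    summary = summarise(authentication_times(parse_csv(SAMPLE_CSV), EXPECTED_FRAMES))
    for mac, (n, avg, sd) in summary.items():
        print(f"{mac}: {n} complete login(s), mean {avg} s, stdev {sd}")
```

Run against a real capture, the same script takes the output of a tshark field export in the assumed layout; the only per-method input is the expected frame count, which differs between EAP methods and must be read off one known-good login first.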
8 CONCLUSION AND FUTURE WORK

This report presents a study of the performance of different EAP methods. The experiments were carried out on both wired and wireless networks in order to observe any pattern.
From the companies' point of view, it is important to know the performance of EAP-TLS, EAP-TTLS and EAP-PEAP, as they are widely used today. Using the results of this study, the delay introduced by each method and its ability to handle load can be known, which helps in selecting a suitable method before implementation.
Based on the analysis, EAP-TLS provides the best security at a moderate cost in authentication time in both wired and wireless networks. The criteria used to choose the better protocol were the background analysis (advantages and disadvantages) and the experimental results obtained in this thesis.
The wired network gives better processing time and authentication time than the wireless network. EAP-MD5 has the lowest delay of all the EAP methods in both wired and wireless networks, but it is the least secure. EAP-TLS takes more processing time and authentication time than the other EAP methods in both networks, but it is the most secure; it is nevertheless unpopular among network administrators because of its implementation complexity, deployment cost and maintenance effort. If moderate security is enough, the best option is PEAP-MSCHAPv2, as its maintenance cost is low and its implementation is easy.
Based on the user survey, users/students prefer higher security with moderate connection time: 70% of them are willing to wait additional time to get higher security. The results also show that 22% of the students regard the security of the BTH campus networks as not secure. Based on the theoretical background and our experimental results, however, the protocol used on the BTH campus, EAP-PEAP-MSCHAPv2, is the best choice in terms of the balance between security, implementation effort and maintenance cost, so the BTH network administrators do not need to change the authentication method currently in use. The survey results also show that, if the network administrators wanted to upgrade to higher security, the students would accept the higher connection times as long as more security is provided.
As future work, a survey could be conducted among companies about the protocols they use and the difficulties faced during implementation and maintenance; this would help protocol developers improve the protocols and make the network administrators' work easier.
In this work the wireless network was evaluated using laptops; repeating the experiment with mobile phones and examining their performance would be interesting. All of these EAP methods are in some way vulnerable to different attacks, and a study implementing these attacks and their countermeasures would also be interesting.
REFERENCES
1. C. Alexandra, G. Laura, R. Daniel, "A practical analysis of EAP authentication methods," in Proc. 9th RoEduNet International Conference (RoEduNet), 2010, pp. 31-35.
2. "IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control," IEEE Std 802.1X-2010 (Revision of IEEE Std 802.1X-2004), pp. C1-205, Feb. 2010 [online]. Available: http://ieeexplore.ieee.org.miman.bib.bth.se/stamp/stamp.jsp?tp=&arnumber=935759 [Accessed: 2012-05-15].
3. Ronny Haryanto, "802.1x," [online]. Available: http://www.scribd.com/doc/51588347/802-1x [Accessed: 2012-05-15].
4. G. Lopez, A. F. Gomez, R. Marin, O. Canovas, "A network access control approach based on the AAA architecture and authorization attributes," Journal of Network and Computer Applications, vol. 30, no. 3, pp. 900-919, 2007.
5. T. Henderson, D. Kotz, I. Abyzov, "The changing usage of a mature campus-wide wireless network," Computer Networks, vol. 52, no. 14, pp. 2690-2712, Oct. 2008.
6. A. Mishra, W. A. Arbaugh, "An Initial Security Analysis of the IEEE 802.1X Standard," Feb. 2002 [online]. Available: http://www.cs.umd.edu/~waa/1x.pdf [Accessed: 2012-05-15].
7. K. M. Ali, A. Al-Khlifa, "A Comparative Study of Authentication Methods for Wi-Fi Networks," in Proc. Third International Conference on Computational Intelligence, Communication Systems and Networks (CICSyN), 2011, pp. 190-194.
8. L. Peter, L. Johan, "Evaluation of EAP-methods: Performance testing on IEEE 802.1x," Master Thesis, School of Computing, Blekinge Institute of Technology, Sweden, 2011.
9. K. Yang, J. Ma, "Implementation of IEEE 802.1x in OPNET," in Proc. 7th Asia Simulation Conference on System Simulation and Scientific Computing (ICSC), 2008, pp. 1390-1394.
10. T. Thomas and D. Stoddard, "Security Protocols," in Network Security First-Step, 2nd ed., Indianapolis: Cisco Press, ch. 6, pp. 169-192.
11. C. Rigney et al., "Remote Authentication Dial In User Service (RADIUS)," RFC 2865 [online]. Available: http://www.ietf.org/rfc/rfc2865.txt [Accessed: 2012-03-05].
12. J. Postel, "User Datagram Protocol," RFC 768 [online]. Available: http://www.ietf.org/rfc/rfc768.txt [Accessed: 2012-03-05].
13. Fan Yang, "Analysis and Application of EAP_AKA for IEEE Standard 802.16e," in Proc. 7th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM), 2011, pp. 1-4.
14. K. M. Ali, T. J. Owens, "Selection of an EAP authentication method for a WLAN," Int. J. Inf. Comput. Sec., vol. 1, no. 1/2, pp. 210-233, Jan. 2007.
15. B. Aboba et al., "Extensible Authentication Protocol (EAP)," RFC 3748 [online]. Available: http://www.ietf.org/rfc/rfc3748.txt [Accessed: 2012-03-05].
16. L. Blunk, J. Vollbrecht, "PPP Extensible Authentication Protocol (EAP)," RFC 2284 [online]. Available: http://www.ietf.org/rfc/rfc2284.txt [Accessed: 2012-03-05].
17. D. Ram, C. Gabriel, A. Anuj, "EAP methods for wireless networks," Computer Standards & Interfaces, vol. 29, pp. 289-301, 2007 [online]. Available: http://nsl.cse.unt.edu/~dantu/cae/Dantu/EAP_Methods_for_Wireless_Networks.pdf
18. B. Aboba, D. Simon, "PPP EAP TLS Authentication Protocol," RFC 2716 [online]. Available: http://www.ietf.org/rfc/rfc2716.txt [Accessed: 2012-05-15].
19. P. Funk, S. Blake-Wilson, "Extensible Authentication Protocol Tunneled Transport Layer Security Authenticated Protocol Version 0 (EAP-TTLSv0)," RFC 5281 [online]. Available: http://tools.ietf.org/html/rfc5281 [Accessed: 2012-05-15].
20. Wireshark, "The world's foremost network protocol analyzer," [online]. Available: http://www.wireshark.org/ [Accessed: 2012-03-05].
21. P. Funk, "EAP Tunneled TLS Authentication Protocol," [online]. Available: http://www.ietf.org/proceedings/53/slides/eap-1/sld002.htm [Accessed: 2012-05-15].
22. Lei Han, "A Threat Analysis of The Extensible Authentication Protocol," School of Computer Science, Carleton University, April 2006. Available: http://people.scs.carleton.ca/~barbeau/Honours/Lei_Han.pdf
23. "PEAP & EAP-TTLS," [online]. Available: www.cs.huji.ac.il/~sans/students_lectures/PEAP-TTLS.ppt [Accessed: 2012-05-15].
24. "Setup IEEE 802.1x Access Control (Authentication and Accounting)," [online]. Available: http://www.zyxeltech.de/snotep335wt/app/8021x.htm [Accessed: 2012-05-15].
25. M. A. Catur Bhakti, A. Abdullah, L. T. Jung, "EAP-based authentication with EAP method selection mechanism," in Proc. International Conference on Intelligent and Advanced Systems (ICIAS 2007), pp. 393-396.
26. Cisco, "Fast Secure Roaming," [online]. Available: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/fastroam.html [Accessed: 2012-05-15].
27. Evil Routers, "Configuring FreeRADIUS to support Cisco AAA Clients," [online]. Available: http://evilrouters.net/2008/11/19/configuring-freeradius-to-support-cisco-aaa-clients/ [Accessed: 2012-05-15].
28. Cisco, "EAP Authentication with RADIUS Server," [online]. Available: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml [Accessed: 2012-05-15].
29. "Cisco Command Summary," [online]. Available: http://networking.ringofsaturn.com/Cisco/ciscocommandguide.php [Accessed: 2012-05-15].
30. FreeRADIUS, "The world's most popular RADIUS Server," [online]. Available: http://freeradius.org/ [Accessed: 2012-05-15].
31. M. Asad, W. Ali, "Response Time Effects on Quality of Security Experience," School of Computing, Blekinge Institute of Technology, Sweden, 2012.
32. M. Nakhjiri, "Use of EAP-AKA, IETF Hokey and AAA Mechanisms to Provide Access and Handover Security and 3G-802.16M Interworking," in Proc. IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC 2007), pp. 1-5, Sept. 2007.
33. "802.11 Sniffer Capture Analysis - WPA/WPA2 with PSK or EAP," [online]. Available: https://supportforums.cisco.com/docs/DOC-24494 [Accessed: 2012-05-15].
APPENDIX A
FreeRADIUS configuration
Step 1: Install the LAMP server (Apache, MySQL and PHP); on Ubuntu: sudo apt-get install lamp-server^
Step 2: sudo apt-get install freeradius
Step 3: sudo apt-get install freeradius-ldap
Step 4: sudo apt-get install freeradius-mysql
Step 5: sudo /etc/init.d/freeradius restart
Step 6: Log in to the MySQL database (mysql -u root -p)
Step 7: CREATE USER 'radius'@'localhost' IDENTIFIED BY 'setupRADIUS';
Step 8: CREATE DATABASE radius;
Step 9: GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost';
Step 10: Exit MySQL
Step 11: Create the tables from schema.sql and nas.sql with the following commands; enter the MySQL password of the radius user when prompted:
mysql -u radius -p radius < /etc/freeradius/sql/mysql/schema.sql
mysql -u radius -p radius < /etc/freeradius/sql/mysql/nas.sql
Step 12: sudo gedit /etc/freeradius/sites-enabled/default
Step 13: Uncomment "sql" in the authorize {}, accounting {}, session {} and post-auth {} sections
Step 14: sudo gedit /etc/freeradius/radiusd.conf and set the following (the ports in the listen {} sections, the auth settings in the log {} section), then uncomment $INCLUDE sql.conf in modules {}:
Authentication port: 1812
Accounting port: 1813
auth = yes
auth_badpass = yes
auth_goodpass = no
Step 15: sudo gedit /etc/freeradius/sql.conf and set the following in the sql {} section:
database = "mysql"
server = "localhost"
login = "radius"
password = "setupRADIUS"
radius_db = "radius"
readclients = yes
Step 16: Add the following line at the bottom of /etc/freeradius/users:
radius Cleartext-Password := "setupRADIUS"
Note: auth_badpass = yes writes the password of every rejected login to the server log in cleartext, which is convenient in a lab but should be turned off on a production server, and the database password and test user password above are the lab values and must be replaced in any real deployment.
Wireshark output screenshots (images not reproduced)
APPENDIX B
Survey Results
1. Select your gender.
Female 56
Male 236
Grand Total 292
2. Please select your age.
19 years 8
20 years 11
21 years 22
22 years 21
23 years 40
24 years 59
25 years 30
26 years 19
27 years 14
28 years 22
29 years 9
30 years 8
30+ years 29
Grand Total 292
3. At which school do you study?
Business 1
Culture Department 1
Digital Image production 1
DSN 2
Economics 3
Masters in computer security 1
Media design and spatial planning 3
MSLS 1
Nursing 1
School of Computing 141
School of Engineering 121
School of Management 8
School of Media 1
School of planning 2
School of Software Engineering 1
School of Spatial Planning 2
School of urban design 1
School of urban planning 1
Grand Total 292
4. Do you have knowledge on computer networks?
No 71
Yes 221
Grand Total 292
5. Do you consider security to be important when you use a network?
Maybe 19
No 3
Yes 270
Grand Total 292
6. Which of the following scenarios would you prefer when connecting to a network?
High security with a long connection time
229
Low security with a short connection time
63
Grand Total 292
7. How long would you be willing to wait for a connection to a network to be established, if you know nothing of the security of the connection?
1 second 26
1-3 seconds 84
3-5 seconds 95
5-8 seconds 43
more than 8 seconds 44
Grand Total 292
8. How long would you be willing to wait for a connection to a network to be established, if a longer time yields higher security?
1 second 4
1-3 seconds 36
3-5 seconds 69
5-8 seconds 105
more than 8 seconds 78
Grand Total 292
9. How often do you use an Internet connection at the BTH Campus?
Daily 158
More than once in week 63
Once in a month 23
Once in a week 48
Grand Total 292
10. Which type of network do you choose in BTH campus?
Wired 26
Wireless 266
Grand Total 292
11. Do you regard the security of the BTH networks to be enough to keep your data confidential?
No 63
Yes 229
Grand Total 292
12. Have you thought about the security of the BTH networks before you answered this survey?
No 97
Yes, but only once or twice 106
Yes, many times 89
Grand Total 292
13. If network connection security were to be upgraded in the network you are using at BTH to get a higher security, inducing higher connection times, would you be willing to wait for a few more seconds or would you prefer the security and connection time to remain the same as before?
I am willing to wait a few seconds extra
206
I would want it to remain the same as before
86
Grand Total 292