
Master Thesis

Electrical Engineering

October 2012

School of Computing Blekinge Institute of Technology 371 79 Karlskrona Sweden

Evaluation of EAP Authentication Methods

in Wired and Wireless Networks

Tirumala Rao Kothaluru

Mohamed Youshah Shameel Mecca


This thesis is submitted to the School of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Electrical Engineering. The thesis is equivalent to twenty weeks of full-time studies.

Contact Information:

Author # 1: Tirumala Rao Kothaluru M.Sc. Electrical Engineering (Telecommunication Systems)

E-mail: [email protected]

Author # 2: Mohamed Youshah Shameel Mecca M.Sc. Electrical Engineering (Telecommunication Systems)

E-mail: [email protected]

Supervised by: Charlott Lorentzen Section/Unit: School of Computing SE – 371 79 Karlskrona Blekinge Institute of Technology E-mail: [email protected]

Examined by: Patrik Arlos Section/Unit: School of Computing SE – 371 79 Karlskrona Blekinge Institute of Technology

E-mail: [email protected]

School of Computing Blekinge Institute of Technology 371 79 Karlskrona

Sweden

Internet : www.bth.se/com Phone : +46 455 38 50 00 Fax : +46 455 38 50 57


ABSTRACT

In any networking environment, security, connection time and scalability are the major concerns in keeping a network safe, fast and stable. Administrators working within the networking environment need a complete account of the manageability, scalability and security of the network, so that organizational data can be kept confidential and its integrity maintained.

Different authentication methods are used by network administrators to control access to wired and wireless networks. As network usage and attacks on networks increase, a secure, scalable and standard protocol is needed for network access and for keeping data safe in both wired and wireless networks. IEEE 802.1x is an IEEE standard that provides authentication and authorization for devices on a LAN/WLAN. The IEEE 802.1x framework uses EAP for authentication and authorization together with a RADIUS server.

In this report, an experimental analysis of different EAP authentication methods in both wired and wireless networks is presented in terms of authentication time and total processing time. Wireshark is used to capture the network traffic at the server and client ends.

After analyzing the timestamps of each packet captured with Wireshark, it is seen that EAP-MD5 takes the least time in both wired and wireless networks, and that when the number of users increases there is not much difference in network connection time. Concerning network security, EAP-MD5 is vulnerable to many attacks and is therefore not used by many companies. The alternative methods, with their strengths and weaknesses, are discussed.

Keywords: Authentication, EAP Methods, IEEE 802.1x, RADIUS.


ACKNOWLEDGEMENT

We would like to express sincere gratitude to Charlott Lorentzen, our supervisor, for her great and intense support. Without her esteemed guidance and consistent support it would not have been easy to accomplish this research.

We would like to convey our gratitude towards Dr. Patrik Arlos, our examiner. Finally, we would like to thank our parents and friends for continuous motivation and cooperation.

Tirumala Rao
Mohamed Youshah


TABLE OF CONTENTS

LIST OF FIGURES .............................................................................................................................. 7

LIST OF TABLES ................................................................................................................................ 9

ABBREVIATIONS ............................................................................................................................. 11

1 INTRODUCTION ..................................................................................................................... 13

1.1 MOTIVATION AND CONTRIBUTION ....................................................................................... 14

1.2 AIM AND OBJECTIVES .......................................................................................................... 14

1.3 RESEARCH QUESTIONS ........................................................................................................ 15

1.4 RESEARCH METHODOLOGY ................................................................................................. 15

1.5 THESIS OUTLINE .................................................................................................................. 17

2 BACKGROUND ........................................................................................................................ 19

2.1 IEEE 802.1X ........................................................................................................................ 19

2.2 RADIUS .............................................................................................................................. 20

2.3 EXTENSIBLE AUTHENTICATION PROTOCOL (EAP) .............................................................. 23

2.4 EAP-METHODS ................................................................................................................ 23

3 IMPLEMENTATION AND EXPERIMENT .......................................................................... 27

3.1 EXPERIMENTAL SETUP ......................................................................................................... 27

3.2 EXPERIMENTAL SETUP FOR WIRED NETWORK ..................................................................... 29

3.3 EXPERIMENTAL SETUP FOR WIRELESS NETWORK ............................................................... 31

4 EXPERIMENTAL RESULTS .................................................................................................. 33

4.1 RESULTS FOR WIRED NETWORK .......................................................................................... 33

4.2 RESULTS FOR WIRELESS NETWORK ..................................................................................... 34

4.3 COMPARISON OF AUTHENTICATION TIME ............................................................................ 35

4.4 COMPARISON OF TOTAL PROCESSING TIME ......................................................................... 36

5 SCALABILITY EXPERIMENT .............................................................................................. 39

5.1 CALCULATION OF AUTHENTICATION TIME AND PROCESSING TIME ..................................... 39

6 SURVEY ..................................................................................................................................... 41

6.1 SURVEY RESULTS ................................................................................................................ 41

7 DISCUSSION ............................................................................................................................. 47

7.1 ASSESSMENT ........................................................................................................................ 49

8 CONCLUSION AND FUTURE WORK ................................................................................. 51

REFERENCES ................................................................................................................................... 53

APPENDIX A ...................................................................................................................................... 57

APPENDIX B ...................................................................................................................................... 60


LIST OF FIGURES

Figure 2.1: Authentication Process ......................................................................................... 20
Figure 2.2: RADIUS packet format [12] ................................................................................ 21
Figure 2.3: RADIUS frame format [12] ................................................................................. 21
Figure 2.4: RADIUS attribute format [12] ............................................................................. 22
Figure 3.1: Experimental Setup for Wired Network ............................................................... 29
Figure 3.2: The flow diagram of EAP TLS messages [33] .................................................... 31
Figure 3.3: Experimental Setup for Wireless Network ........................................................... 31
Figure 4.1: Comparison of Authentication Time .................................................................... 36
Figure 4.2: Comparison of Total Processing Time ................................................................. 37
Figure 5.1: Scalability Experiment ......................................................................................... 39
Figure 7.1: Authentication Time in comparison to work done by [8] .................................... 47
Figure 7.2: Total Processing Time in comparison to work done by [8] ................................. 48


LIST OF TABLES

Table 2.1: RADIUS codes and its operations [12] ................................................................. 22
Table 2.2: Comparison of EAP-methods ................................................................................ 26
Table 4.1: Authentication Time for wired network ................................................................ 33
Table 4.2: Total Processing Time for Wired Network ........................................................... 34
Table 4.3: Authentication Time for Wireless Network .......................................................... 34
Table 4.4: Processing Time for Wireless Network ................................................................. 35
Table 5.1: Authentication Time & Total Processing Time for Scalability Experiment ......... 40
Table 6.1: Participants Knowledge on Network Security ....................................................... 41
Table 6.2: Participants knowledge on importance of Network Security ................................ 42
Table 6.3: Participants preference on network connection time ............................................. 42
Table 6.4: Network connection time where participants do not have any knowledge on security of connection ..................................................................................................... 43
Table 6.5: Connection time where participants are ready to wait if higher security is provided ........................................................................................................................................ 43
Table 6.6: BTH Campus network connection usage by participants ...................................... 44
Table 6.7: Participants opinion about security of BTH network ............................................ 44
Table 6.8: Participants preference if network upgraded to higher security ............................ 45


ABBREVIATIONS

AAA       Authentication, Authorization, Accounting
AP        Access Point
CA        Certificate Authority
CHAP      Challenge Handshake Authentication Protocol
EAP       Extensible Authentication Protocol
EAPOL     EAP over LAN
GTC       Generic Token Card
IEEE      Institute of Electrical and Electronics Engineers
IP        Internet Protocol
LAN       Local Area Network
MD5       Message Digest 5
MS-CHAP   Microsoft Challenge Handshake Authentication Protocol
NAK       Negative Acknowledgement
OS        Operating System
PAP       Password Authentication Protocol
PC        Personal Computer
PEAP      Protected Extensible Authentication Protocol
PKI       Public Key Infrastructure
PPP       Point-to-Point Protocol
PNAC      Port based Network Access Control
RADIUS    Remote Authentication Dial in User Service
RFC       Request for Comments
RJ45      Registered Jack 45
TCP       Transmission Control Protocol
TLS       Transport Layer Security
TTLS      Tunneled Transport Layer Security
UDP       User Datagram Protocol
VPN       Virtual Private Network
WLAN      Wireless LAN


1 INTRODUCTION

In any networking environment, security is one of the major concerns in keeping organizational data safe. Administrators working within the networking environment need a complete account of the manageability, scalability and security of the network, so that organizational data can be kept confidential and its integrity maintained.

Generally, to access a network, users need to provide a username and a password to get authorized. The main motive for such a method is to ensure that only authorized users are accessing the information. To keep the network secure from illegal activities, delay and network overload, three main aspects need to be considered: Authentication, Authorization, and Accounting (AAA) [1, 32].

Network connection time is one of the major aspects that needs to be taken into consideration, as users generally do not want to wait a long time to get authenticated. Users perceive a longer connection time as lower network performance [31]. Hence, connection time should be as low as possible. Authentication time depends on various factors such as network load and delay; if the load on the network is higher, authentication takes longer. So a suitable authentication protocol, which provides both good security and good performance under any critical network condition, needs to be selected.

The Institute of Electrical and Electronics Engineers (IEEE) 802.1x standard provides authentication and authorization for devices connected via Local Area Network (LAN) ports, treating each port as a point-to-point connection. The IEEE 802.1x framework alone cannot perform authentication and authorization; it requires an additional authentication/authorization protocol carried over the framework. IEEE 802.1x provides many functionalities which are relatively easy to implement, and it allows users onto the network only after their credentials have been checked.

A lot of work has been done on the different authentication and encryption methods used with IEEE 802.1x [3, 4, 5, 6]. In [1], Extensible Authentication Protocol-Message Digest 5 (EAP-MD5), EAP Transport Layer Security (EAP-TLS) and Protected EAP (PEAP) were compared by measuring four performance parameters: authentication time, reauthentication time, packet loss during reauthentication, and throughput. The authors found significant differences in authentication and reauthentication times; EAP-MD5 had a smaller authentication time than the other methods in that study.

The properties and security attributes of upper-layer EAP authentication methods in wireless networks have been compared theoretically [7]. The main aim of the authors was to identify a suitable authentication method for any organization or field that uses a networking environment.

In [8], the authors performed an experiment to evaluate the performance of six EAP authentication methods, including EAP Tunneled Transport Layer Security (EAP-TTLS), EAP-PEAP-MSCHAPv2 and EAP-MD5. They calculated the authentication time and processing time for EAP over LAN (EAPOL). Very few papers have been published on the performance of the available authentication methods; the number of papers in this domain is small compared to research in other domains, and this is what motivated us to do this thesis. This study covers both theoretical and practical aspects of a few widely used EAP authentication methods, focusing mainly on the technical aspects and on the performance of the different EAP methods.

1.1 Motivation and Contribution

The previous work [1, 7, 13, 14] focuses mainly on theoretical aspects, and less experimental work has been done on EAP-methods. Theoretical information such as implementation complexity, possible network attacks, Wireless Local Area Network (WLAN) security, advantages and disadvantages is not enough to choose a particular authentication method. Hence, an experimental analysis is required to choose the EAP method that gives the best performance in terms of authentication time and total processing time. This motivated us to evaluate the performance of widely used EAP-methods for both wired and wireless networks. The two parameters calculated are total processing time and authentication time.

In practice it is also necessary to compare the scalability of wired and wireless networks. This shows whether the same protocol can be used for both wired and wireless networks, or whether different protocols are needed for each.

To get the opinion of students about the security provided on the BTH campus, a user survey was conducted. The main motive behind the survey was to find out whether students are ready to wait a few more seconds in order to get better authentication security. It is also interesting to know the students' opinion of the security they have been using on the BTH campus, as they are the end users.

1.2 Aim and Objectives

The aim of this work is to evaluate and analyze the performance of different EAP authentication methods.

• Literature review of EAP-methods.

• Study of the authentication time and processing time, which are related to the performance of EAP-methods.

• Search for software that provides different authentication methods (e.g. X-Supplicant, WPA-Supplicant) and is compatible with RADIUS/DIAMETER servers.

• Experimental setup for evaluating and analyzing different EAP methods in both wired and wireless networks.

Objectives

• Calculation of authentication time and processing time for widely used EAP methods in both wired and wireless networks.

• Analyzing and comparing the results for wired and wireless networks.

• Analyzing the survey responses.


1.3 Research Questions

RQ1. How do EAP-methods affect authentication performance in wired and wireless networks?

1.1. Which EAP-methods provide better authentication time and processing time in wired networks?
1.2. Which EAP-methods provide better authentication time and processing time in wireless networks?

RQ2. How does the performance of EAP authentication methods compare between wired and wireless networks in terms of authentication time and total processing time?

2.1. Which network, wired or wireless, provides better performance in terms of authentication time and processing time?
2.2. Which EAP methods can be used for both wired and wireless networks?
2.3. Are the EAP methods scalable in a wireless network with regard to the number of users?

RQ3. From the users' perspective, which is more important: authentication security or connection time?

3.1. Are users ready to wait some additional time to get better security in terms of authentication?
3.2. Will the survey results help the network administrator choose a suitable protocol according to user preference?

1.4 Research Methodology

This thesis consists of a literature review, a user survey and an experimental analysis of EAP methods, hence both qualitative and quantitative studies were chosen. The qualitative study comprises a detailed literature review and a user survey. The quantitative study is an empirical study with an experimental setup.

The following steps explain the methodology adopted to answer the research questions while fulfilling the aim and objectives.

1. In the initial stage of the research, a literature study was conducted to gather theoretical knowledge about the different EAP methods: their advantages, disadvantages, possible network attacks, etc.

2. A detailed study of the equipment used in the experiment.

3. As many EAP methods are available, we contacted several companies to find out which are widely used. Two companies responded; their responses are shown below. The company names have been kept confidential as the information concerns security.

Company 1: One of the leading ISPs in Pakistan.
Server: Cisco ACS
Protocol: PEAP-MSCHAPv2

Company 2: One of the leading multinational companies, present in 23 countries. This company has collaborated with a few companies in Sweden.
Server: Cisco ACS
Protocol: PEAP-MSCHAPv2
OS: Windows Server 2003 and 2008

Based on the responses from the companies, previous work [8] and the protocol used on the BTH campus, the widely used EAP methods were selected. The protocols selected for the performance evaluation in this thesis were EAP-MD5, EAP-TLS, EAP-TTLS-PAP, EAP-TTLS-MSCHAP, EAP-TTLS-MSCHAPv2, EAP-TTLS-CHAP, EAP-PEAP-MSCHAPv2 and EAP-PEAP-MD5.

4. After the literature review and the selection of the EAP methods and the parameters to be calculated, the experimental setup followed.

5. In the next stage, the experiment was carried out with the different EAP methods in both wired and wireless networks. The timestamps of each incoming and outgoing packet were captured for each EAP method and the parameters (authentication time and total processing time) were calculated.

6. To verify and validate the results, the standard deviation was calculated.

7. The wired network results were compared with the results of [8] to analyze the variation that occurs. By following the above steps, the first research question, about the performance of EAP methods in both wired and wireless networks, can be answered.

8. In stage three, the experimental results obtained in the wired and wireless networks are compared.

9. In the next stage, to answer research question 2.3, a scalability experiment was conducted for the different EAP methods on the wireless network. The experimental result of the wireless network scenario was compared with the scalability experiment to see whether the EAP methods are scalable.

From the stage three comparison it is known which network provides better performance and whether one protocol can be used for both wired and wireless networks. With the stage three and stage four comparison results, research question two can be answered.

10. In stage five, a user survey was conducted among students of the BTH campus using a web-based Google survey form, to learn their opinion of the security provided on the BTH campus.

From the stage five responses and the experimental results, the final research question can be answered.


1.5 Thesis Outline

In chapter 2, brief introductions to IEEE 802.1x, EAP and RADIUS are presented, followed by the experimental setup and implementation in chapter 3. In chapter 4 the experimental results are examined, followed by the scalability experiment in chapter 5. The survey results are presented in chapter 6 and discussed in chapter 7. Finally, the report is concluded in chapter 8.


2 BACKGROUND

This section presents how IEEE 802.1x and the different EAP methods work. A brief description of the RADIUS server and its operation is provided. Furthermore, the main methods used in EAP are explained.

2.1 IEEE 802.1x

IEEE 802.1x is a Port-based Network Access Control (PNAC) standard that carries the Extensible Authentication Protocol (EAP) directly over the link layer [9]. It was originally designed for wired networks; the standard has since been improved and is also used in wireless networks. The standard defines the encapsulation for transporting EAP over LAN (EAPOL) and provides a powerful authentication framework in which any EAP authentication method can be used to provide a high level of security [10]. IEEE 802.1x has three main components: the supplicant, the authenticator and the authentication server.

2.1.1 Supplicant

Any device that supports the IEEE 802.1x protocol (for example a mobile phone or a PC) can act as a supplicant to obtain access to the network. The supplicant sends the necessary credentials to the authenticator, which forwards them to the authentication server. The communication between the supplicant and the authenticator uses EAPOL and operates at layer 2. Since it operates at layer 2, no IP address is needed to start the authentication process.

2.1.2 Authenticator

The authenticator is a device such as a switch, router or wireless access point. It acts as an intermediary between the supplicant and the authentication server and controls access between them. The credentials are accepted or rejected by the authentication server, and the decision is passed back through the authenticator. The authenticator sets its controlled port to authorized or unauthorized according to the response received from the authentication server for the supplicant's request; depending on that response, the authenticator decides whether the supplicant is allowed onto the network.

2.1.3 Authentication server

The authentication server is important as it processes and validates the credentials provided by the supplicant; the outcome of this process determines whether the supplicant is authorized to access the network. The main role of the authentication server is to check the supplicant's credentials against its database and determine whether they are correct.


Figure 2.1: Authentication Process

Figure 2.1 shows the operation that takes place between the three components of IEEE 802.1x:

• The supplicant is connected to the authentication server via the authenticator.

• The credentials provided by the supplicant to the authentication server pass through the authenticator.

• The authentication server checks the supplicant's credentials against its database and decides whether the supplicant should be authorized.

• The authentication server tells the authenticator whether to authorize or deny the supplicant.
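The exchange of Figure 2.1 carried as EAPOL/EAP frames, using the EAP-MD5 method that the thesis measures, as an added example that is not code from the thesis. The frame layouts follow IEEE 802.1X (EAPOL header) and RFC 3748 (EAP header and the MD5-Challenge method); the identity, password, user database and challenge value are constructed for the example. The last function shows why the abstract calls EAP-MD5 vulnerable: anyone who captures the challenge and the response on the wire, as Wireshark does in the experiments, can test candidate passwords offline.

```python
"""EAPOL / EAP-MD5 exchange between supplicant, authenticator and server.

Added example, not code from the thesis. Frame layouts follow IEEE 802.1X
(EAPOL: version, packet type, body length) and RFC 3748 (EAP: code,
identifier, length, type, type-data). The identity, password, user database
and challenge bytes are constructed for the example.
"""
import hashlib
import struct
from typing import Optional

EAPOL_EAP_PACKET, EAPOL_START = 0, 1
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY, EAP_TYPE_MD5_CHALLENGE = 1, 4


def eapol(packet_type: int, body: bytes = b"", version: int = 1) -> bytes:
    """EAPOL header: protocol version (1), packet type (1), body length (2)."""
    return struct.pack("!BBH", version, packet_type, len(body)) + body


def eap(code: int, identifier: int, eap_type: Optional[int] = None, data: bytes = b"") -> bytes:
    """EAP packet; Length covers the whole packet, Type is absent in Success/Failure."""
    payload = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(payload)) + payload


def parse(frame: bytes) -> dict:
    """Decode one EAPOL frame; returns the EAP fields when it carries an EAP packet."""
    version, packet_type, body_len = struct.unpack("!BBH", frame[:4])
    if packet_type != EAPOL_EAP_PACKET:
        return {"eapol_type": packet_type}
    body = frame[4:4 + body_len]
    code, identifier, length = struct.unpack("!BBH", body[:4])
    if length > len(body):
        raise ValueError("EAP Length exceeds EAPOL body")
    pkt = {"code": code, "id": identifier}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        pkt["type"], pkt["data"] = body[4], body[5:length]
    return pkt


def md5_challenge_response(identifier: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 3748 section 5.4: Response Value = MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def run_exchange(identity: bytes, password: bytes, user_db: dict, challenge: bytes) -> list:
    """Simulate both ends of the conversation in Figure 2.1; returns the frames on the wire."""
    wire = [eapol(EAPOL_START)]                                                  # supplicant: EAPOL-Start
    wire.append(eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY)))  # authenticator
    wire.append(eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 1, EAP_TYPE_IDENTITY, identity)))
    # Server (via the authenticator) issues MD5-Challenge: Value-Size octet, then the challenge
    wire.append(eapol(EAPOL_EAP_PACKET, eap(EAP_REQUEST, 2, EAP_TYPE_MD5_CHALLENGE,
                                            bytes([len(challenge)]) + challenge)))
    response = md5_challenge_response(2, password, challenge)
    wire.append(eapol(EAPOL_EAP_PACKET, eap(EAP_RESPONSE, 2, EAP_TYPE_MD5_CHALLENGE,
                                            bytes([len(response)]) + response)))
    # Server recomputes the expected value from its stored password and compares
    expected = md5_challenge_response(2, user_db.get(identity, b""), challenge)
    wire.append(eapol(EAPOL_EAP_PACKET, eap(EAP_SUCCESS if expected == response else EAP_FAILURE, 2)))
    return wire


def crack_md5_challenge(frames: list, wordlist: list) -> Optional[bytes]:
    """A passive observer of the wire tries candidate passwords offline against the
    captured challenge/response pair; this is why EAP-MD5 needs a protected tunnel."""
    challenge = response = identifier = None
    for frame in frames:
        pkt = parse(frame)
        if pkt.get("type") != EAP_TYPE_MD5_CHALLENGE:
            continue
        value = pkt["data"][1:1 + pkt["data"][0]]
        if pkt["code"] == EAP_REQUEST:
            challenge = value
        else:
            response, identifier = value, pkt["id"]
    if challenge is None or response is None:
        return None
    for candidate in wordlist:
        if md5_challenge_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    sample_challenge = bytes(range(16))                      # constructed; a real server uses random bytes
    frames = run_exchange(b"alice", b"s3cret", {b"alice": b"s3cret"}, sample_challenge)
    print("result:", "Success" if parse(frames[-1])["code"] == EAP_SUCCESS else "Failure")
    print("recovered password:", crack_md5_challenge(frames, [b"password", b"letmein", b"s3cret"]))
```

The offline guess costs one MD5 per candidate and needs no further interaction with the network, which is the practical reason EAP-MD5 is, as the abstract notes, avoided by companies even though it gives the shortest authentication time; the tunneled methods (EAP-TTLS, PEAP) run the inner exchange inside TLS so that the challenge/response pair is never visible on the wire.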

2.2 RADIUS

RADIUS (Remote Authentication Dial In User Service) is a widely implemented protocol for carrying authentication, authorization and configuration information between a network access server (the RADIUS client) and a shared authentication server. RADIUS was originally designed to support dial-up services, but it now also supports authentication through switches, Virtual Private Networks (VPNs), wireless access points etc. [11]. It is defined in RFC 2865 (authentication and authorization) and RFC 2866 (accounting); these documents provide detailed information on its operation, configuration and accounting.

Key features of RADIUS operation are:

• The RADIUS client (the network access server) passes the user information to the RADIUS server.

• The client waits until a response is returned.

• The RADIUS server is responsible for receiving the user connection request, authenticating the user and returning all the configuration information the client needs to deliver service to the user.

RADIUS uses UDP instead of TCP as its transport protocol. The choice of UDP is strictly for technical reasons; a few of the relevant characteristics are:

1. If a request to the primary authentication server fails, the client can resend it to a secondary authentication server.

2. The timing requirements of this protocol are different from those that standard TCP provides.

3. UDP simplifies the implementation (i.e. it is easier to implement than with TCP).

4. The stateless nature of the protocol is one of the main characteristics that makes UDP suitable.

2.2.1 Packet format Every RADIUS packet is encapsulated in the UDP data field [12]. The UDP destination port indicates the RADIUS service: port 1812 is assigned for authentication and port 1813 for accounting.

Figure 2.2: RADIUS packet format [12]

The frame format of RADIUS as follows

Figure 2.3: RADIUS frame format [12]

2.2.2 Code The Code field is one byte and identifies the type of RADIUS packet. When a packet is received, RADIUS checks its Code field, and a packet with an invalid code is silently discarded.


The RADIUS Codes (decimal) assigned are as follows:

Code   Operation
1      Access-Request
2      Access-Accept
3      Access-Reject
4      Accounting-Request
5      Accounting-Response
11     Access-Challenge
12     Status-Server (experimental)
13     Status-Client (experimental)
255    Reserved

Table 2.1: RADIUS codes and their operations [12]

2.2.3 Identifier The Identifier is one byte. It matches requests and replies between the two communicating parties, i.e. client and server. It also lets the server detect a duplicate request sent within a short span of time: a request with the same Identifier, from the same client source IP address and source UDP port, is treated as a retransmission of the earlier one.

2.2.4 Length The Length field gives the total number of bytes in the packet, including the Code, Identifier, Length and Authenticator fields and the attributes. If the datagram contains additional bytes beyond this length, they are treated as padding and ignored.

2.2.5 Authenticator The Authenticator is 16 bytes, transmitted most significant octet first. In a request it is a random value; it is used to authenticate the reply from the RADIUS server and in the password hiding algorithm.

2.2.6 Attributes RADIUS attributes carry the authentication, authorization, information and configuration details of the request sent and the response received. The end of the attribute list is determined by the Length field of the RADIUS packet.

Figure 2.4: RADIUS attribute format [12]

The Value field is zero or more octets and contains the information specific to that attribute.
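The packet format of Sections 2.2.1 to 2.2.6 as a worked example, added here and not code from the thesis: it encodes an Access-Request whose User-Password is hidden with the RFC 2865 algorithm, parses it on the server side (ignoring trailing padding and rejecting a Length that overruns the datagram), answers with an Access-Accept carrying a Response Authenticator, and verifies that reply on the client. The shared secret, identifier, user name and password are constructed test values.

```python
"""RADIUS packet handling per RFC 2865 (added worked example; not code from
the thesis). Encodes an Access-Request with a hidden User-Password, parses it
on the server side, answers with an Access-Accept carrying a Response
Authenticator, and verifies that reply on the client. Secret, identifier,
user name and password are constructed test values."""
import hashlib
import hmac
import os
import struct

# Packet codes from Table 2.1 and the two attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attributes(attrs):
    """Attribute = Type(1) | Length(1, counting this header) | Value (1..253 octets)."""
    out = b""
    for atype, value in attrs:
        if not 1 <= len(value) <= 253:
            raise ValueError("attribute value must be 1..253 octets")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def hide_password(password, secret, request_authenticator):
    """RFC 2865 5.2: pad to a 16-octet multiple, XOR block i with
    MD5(secret + previous ciphertext block); block 0 uses the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def unhide_password(hidden, secret, request_authenticator):
    """Server-side inverse of hide_password; strips the NUL padding."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_packet(code, identifier, authenticator, attrs):
    """Code(1) | Identifier(1) | Length(2) | Authenticator(16) | Attributes."""
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, identifier, HEADER_LEN + len(body)) + authenticator + body


def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    return hashlib.md5(header + request_authenticator + body + secret).digest()


def parse_packet(data):
    """Return (code, identifier, authenticator, [(type, value), ...]). Octets
    past Length are padding and ignored; a Length larger than the datagram or
    an attribute overrunning it is rejected instead of being read out of bounds."""
    if len(data) < HEADER_LEN:
        raise ValueError("shorter than a RADIUS header")
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("invalid Length field")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("invalid attribute length")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return code, identifier, data[4:HEADER_LEN], attrs


def verify_response(data, request_authenticator, secret):
    """Client check that a reply came from the holder of the shared secret and
    was not altered in transit; uses a constant-time comparison."""
    code, identifier, auth, attrs = parse_packet(data)
    expected = response_authenticator(code, identifier, request_authenticator, attrs, secret)
    return hmac.compare_digest(auth, expected)


def exchange(secret=b"constructed-shared-secret", password=b"hunter2!"):
    """One Access-Request / Access-Accept round trip; returns what each side saw."""
    req_auth = os.urandom(16)  # fresh, unpredictable Request Authenticator
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [
        (ATTR_USER_NAME, b"alice"),
        (ATTR_USER_PASSWORD, hide_password(password, secret, req_auth)),
    ])
    # Server side: parse (trailing padding is ignored), recover the password, reply
    code, ident, auth, attrs = parse_packet(request + b"\x00" * 4)
    recovered = unhide_password(dict(attrs)[ATTR_USER_PASSWORD], secret, auth)
    reply_attrs = [(ATTR_USER_NAME, b"alice")]
    reply_auth = response_authenticator(ACCESS_ACCEPT, ident, auth, reply_attrs, secret)
    reply = build_packet(ACCESS_ACCEPT, ident, reply_auth, reply_attrs)
    tampered = reply[:-1] + bytes([reply[-1] ^ 0x01])  # flip one attribute octet
    return {"code": code, "recovered_password": recovered,
            "reply_ok": verify_response(reply, req_auth, secret),
            "tampered_ok": verify_response(tampered, req_auth, secret)}
```

Note that the Request Authenticator must be fresh and unpredictable for every request: the password hiding is a stream of MD5 outputs keyed by the shared secret and that value, so a repeated authenticator lets an eavesdropper XOR two hidden passwords together.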


2.3 Extensible Authentication Protocol (EAP) EAP is defined in RFC 3748. It is an authentication framework that supports multiple authentication methods; EAP itself does not authenticate anyone, it only defines the message formats and the exchange used to carry a chosen method (EAP-MD5, EAP-TLS and so on).

In EAP-enabled networks, the state of the controlled port on the authenticator depends on the authorization decision of the authentication server. Once the authentication server authorizes the supplicant to use the resources, the authenticator opens the port and traffic flows freely. If the authentication server rejects the request, the port stays closed and no connection is established.

2.3.1 Authentication Process The authentication process can be initiated by either the supplicant or the authenticator. When the supplicant starts it, it sends an EAPOL-Start message; the authenticator responds with an EAP-Request/Identity, and the supplicant replies with its identity in an EAP-Response/Identity. If the authenticator starts the process, the EAPOL-Start step is skipped. The authenticator forwards the identity to the authentication server, which replies through the authenticator with a challenge, i.e. an EAP-Request proposing a particular EAP method. If the supplicant supports that method, the method-specific exchange continues; if it does not, it answers with an EAP-Response/Nak and a different method has to be chosen. Note that every packet the authenticator receives from the supplicant is re-encapsulated so that it is understood by the authentication server (RADIUS). Once the EAP method is agreed, the supplicant's EAP-Responses are sent to the authentication server via the authenticator.

The authentication server checks the credentials provided by the supplicant and decides whether the supplicant is to be authorized. If the credentials are correct, an EAP-Success message is sent and the supplicant is authorized to use the port. If the credentials are incorrect, an EAP-Failure message is sent and the supplicant remains unauthorized. The important point is that the communication between the supplicant and the authenticator uses EAPOL on the LAN, whereas the connection between the authenticator and the authentication server is typically RADIUS (or Diameter). The authenticator therefore re-encapsulates the RADIUS packets from the server as EAPOL frames so that their content is understood by the supplicant.

2.4 EAP-METHODS

2.4.1 MD5 EAP-MD5 is described in RFC 2284 (the original EAP specification, now replaced by RFC 3748). It is analogous to PPP CHAP and is a challenge-response handshake protocol [16]. The user is authenticated with a user id and password, and the authentication database stores all user ids and passwords. As MD5-Challenge is a challenge protocol, the RADIUS server sends a random challenge to the client. The supplicant computes an MD5 hash over the EAP identifier, the user's password and the challenge, and sends the hash back to the server; the server computes the same hash from the password in its database and compares the two.


Note that the supplicant never sends the password itself to the authentication server; only the hash is sent. The server, however, has to store the password in clear text to compute the same hash.

2.4.1.1 Advantages:

• Easy to implement

• Supported by many RADIUS servers

2.4.1.2 Disadvantages

• Highly insecure: user passwords are stored in clear text on the authentication server, so an attacker who compromises the server obtains every user's password and with it access to the network. The challenge and the response also travel in the clear, which exposes the password to offline dictionary attacks (see Table 2.2).

• EAP-MD5 does not support mutual authentication: the supplicant never learns whether it is talking to the real server.

• Dynamic rekeying is not possible, since the method produces no keying material [17].
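The EAP-MD5 exchange of Section 2.4.1 and its dictionary-attack weakness as a worked example, added here and not code from the thesis. It builds the EAP-Request/MD5-Challenge and EAP-Response packets of RFC 3748 section 5.4, verifies the response the way a server holding the cleartext password does, and then recovers the password offline from the captured pair using a constructed word list. The user database, identities, passwords and server name are made-up values.

```python
"""EAP-MD5 challenge/response (added worked example; not code from the thesis).
Builds the EAP-Request/MD5-Challenge and EAP-Response packets of RFC 3748
section 5.4, verifies the response as a server holding the cleartext password
does, and then recovers the password offline from the captured pair with a
constructed word list. The user database, identities and passwords are made up."""
import hashlib
import hmac
import os
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MD5_CHALLENGE = 4

# Constructed authentication database: EAP-MD5 needs the cleartext password on the server
USER_DB = {b"alice": b"winter2012", b"bob": b"correct horse"}


def build_md5_packet(code, identifier, value, name=b""):
    """Code(1) | Identifier(1) | Length(2) | Type(1)=4 | Value-Size(1) | Value | Name."""
    type_data = struct.pack("!B", len(value)) + value + name
    header = struct.pack("!BBHB", code, identifier, 5 + len(type_data), EAP_TYPE_MD5_CHALLENGE)
    return header + type_data


def parse_md5_packet(data):
    """Return (code, identifier, value, name); rejects other types and bad lengths."""
    if len(data) < 6:
        raise ValueError("too short for an EAP MD5-Challenge packet")
    code, identifier, length, etype = struct.unpack("!BBHB", data[:5])
    if length != len(data) or etype != EAP_TYPE_MD5_CHALLENGE:
        raise ValueError("not a well-formed MD5-Challenge packet")
    value_size = data[5]
    if 6 + value_size > length:
        raise ValueError("Value-Size overruns the packet")
    return code, identifier, data[6:6 + value_size], data[6 + value_size:length]


def md5_response(identifier, password, challenge):
    """CHAP-style response value: MD5(Identifier || password || challenge)."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def run_exchange(identity, password, identifier=0x2A):
    """Server issues a random challenge, the supplicant answers with the hash,
    the server recomputes it from the stored password. Returns both packets
    (as an eavesdropper would capture them) and the server's verdict."""
    challenge = os.urandom(16)
    request = build_md5_packet(EAP_REQUEST, identifier, challenge, b"radius.example")
    # Supplicant side: hash the challenge with its password, send identity as Name
    _, req_id, req_challenge, _ = parse_md5_packet(request)
    response = build_md5_packet(EAP_RESPONSE, req_id,
                                md5_response(req_id, password, req_challenge), identity)
    # Server side: look the user up and compare against its own computation
    _, resp_id, resp_value, resp_name = parse_md5_packet(response)
    stored = USER_DB.get(resp_name)
    ok = (stored is not None and resp_id == identifier
          and hmac.compare_digest(resp_value, md5_response(identifier, stored, challenge)))
    return request, response, ok


def dictionary_attack(request, response, wordlist):
    """Offline attack from the captured pair: identifier, challenge and response
    are all in the clear, so each guess costs one MD5. Returns the word or None."""
    _, identifier, challenge, _ = parse_md5_packet(request)
    _, _, target, _ = parse_md5_packet(response)
    for word in wordlist:
        if md5_response(identifier, word, challenge) == target:
            return word
    return None
```

The attack needs nothing but a single captured exchange, which is why Table 2.2 lists EAP-MD5 as not protected against dictionary attacks, and why the tunnelled methods below put the same kind of inner exchange inside TLS.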

2.4.2 TLS EAP-TLS is described in RFC 2716 [18]. It uses public key infrastructure (PKI) digital certificates on both the supplicant and the authentication server to provide mutual authentication between them. A certificate carries the name of the server or the user's information. It is one of the most secure methods in use, because the TLS handshake between the supplicant and the authentication server authenticates both ends and produces the keying material for the session. Note, however, that the user's identity is sent in clear text in the EAP-Response/Identity before the TLS handshake starts, and that in TLS up to version 1.2 the client certificate itself is also sent unencrypted during the handshake.

2.4.2.1 Advantages

• Dynamic rekeying is possible

• Mutual authentication

• Secure tunnel is created for certificate exchange

2.4.2.2 Disadvantages

• Higher maintenance cost, since every supplicant needs its own certificate

• Although it is secure, it is unpopular among network administrators, because certificates have to be issued to and installed on every supplicant as well as the authentication server, which makes deployment difficult.

2.4.3 TTLS EAP-TTLS is described in RFC 5281 [19]. EAP-TTLS extends EAP-TLS and was created to reduce the deployment complexity of TLS, i.e. to remove the need for a PKI certificate on every client. Only the authentication server has to authenticate itself to the supplicant with a certificate during the TLS handshake; the client can optionally present a certificate as well. Hence it is a one-way or two-way certificate authentication method. The client is instead authenticated inside the TLS tunnel with one of many inner protocols such as PAP, CHAP, MSCHAP and MSCHAPv2. There are two versions of TTLS: TTLSv0, which is the version specified in RFC 5281, and the later TTLSv1 draft.


2.4.3.1 Advantages

• Creates secure SSL tunnel

• Supports legacy authentication methods

• Dynamic rekeying is possible

• User identity is protected

2.4.3.2 Disadvantages

• Less widely built into WLAN devices

2.4.4 PEAP EAP-PEAP works in a similar manner to TLS. It uses public key infrastructure (PKI) digital certificates to authenticate, but unlike TLS, EAP-PEAP needs only one certificate: the server's, which it uses to authenticate itself to the client. At the certificate level it is therefore a one-way authentication method, whereas TTLS optionally lets the client authenticate with a certificate as well; in PEAP the client is authenticated by an inner EAP method. EAP-PEAP creates a secure TLS tunnel between the supplicant and the authentication server and passes the EAP messages inside it. Only EAP methods such as EAP-MD5 and EAP-MSCHAPv2 can be used inside the tunnel. As with every EAP method, the authenticator is used only to relay the packets between the supplicant and the authentication server.

2.4.4.1 Advantages

• Dynamic rekeying is possible

• Creates secure SSL tunnel

• User identity is protected

• Supports fast reconnections

• Message authentication and encryption

2.4.4.2 Disadvantages

• Requires more overhead due to number of message exchanges

• Requires certificate authority (CA) for authenticating server


2.4.5 Comparison of various EAP-methods Table 2.2 summarises theoretical knowledge regarding the complexity, requirements, security etc. of the four major EAP methods [17, 22, 23, 24, 25].

Attribute | TLS | TTLS | PEAP | MD5
Supplicant software (Windows) | Xsupplicant | Xsupplicant | Xsupplicant | Xsupplicant
Supplicant software (Linux) | WPA_Supplicant | WPA_Supplicant | WPA_Supplicant | WPA_Supplicant
Deployment | Hard | Moderate | Moderate | Easy
User identity hiding | No | Yes | Yes | No
EAP attacks (session hijacking, man-in-the-middle, dictionary attack) | Protected | Protected | Protected | Not protected
Security | Strongest | Strong | Strong | Poor
Tunnel | No | Yes | Yes | No
Server certificate | Yes | Yes | Yes | No
Client certificate | Yes | Optional | No | No
Legacy protocols | - | MD5, PAP, CHAP, MSCHAP, MSCHAPv2 | MD5, MSCHAPv2, GTC | -
Encryption technology | Digital certificates | Digital certificates or Diffie-Hellman algorithm to generate keying material, symmetric key for data encryption | Digital certificates or Diffie-Hellman algorithm to generate keying material, symmetric key for data encryption | One-way message digest
Protected cipher suite negotiation | Not required | Yes | Yes | No
Cipher-session negotiation | No | Yes | No | No
Fast reconnect | Yes | Yes | Yes | No

Table 2.2: Comparison of EAP-methods


3 IMPLEMENTATION AND EXPERIMENT This chapter focuses on the implementation of the experiments performed within this study and contains three sections. The first section gives a general description of the devices, software tools, system configuration and operating system (OS) used in the experiments. The second section contains the experimental setup for the wired network, and the third section the experimental setup for the wireless network.

3.1 Experimental Setup The experimental setup consists of three entities; supplicant, authenticator and

authentication server. The role of each entity used along with the system configuration and Operating System (OS) is described below,

3.1.1 Client - The Supplicant A client is a device that connects to a network. To connect, a client has to be authenticated by the authentication server before it can establish a connection and use the available resources.

In this experiment, a laptop running the Linux (Ubuntu) operating system is used as the client. A laptop was chosen instead of a desktop PC because the experiment is performed in both wired and wireless networks: a laptop can connect to both, whereas the desktop PCs available have no internal WiFi interface card. Desktop PCs are also not portable, and in practice it is mostly laptop users who connect to wireless networks. The laptop specification is given below.

System: DELL Studio Laptop
Model: PP39I
Processor: Intel Core i3
CPU: 2 GHz
RAM: 3 GB
OS: Ubuntu 12.04 LTS

Ubuntu was chosen as the operating system because it is open source and all the EAP methods used are available built in, without additional software, whereas in the Windows operating system many EAP methods are not available internally and external software (Xsupplicant) has to be installed.

3.1.2 Router / Access Point – The Authenticator The router or access point relays the user credentials between the supplicant and the authentication server. The main role of the authenticator [26, 28] is to open or close the port, thereby allowing or denying the supplicant the use of the resources available on the network.

In the wired network, the authenticator specifications are given below:


Name: Cisco 2800 series
Model: Cisco 2811
Version: 12.4

In the wireless network, the authenticator specifications are given below:

Name: Cisco Aironet 1230 AG series
Model: AIR-LAP1232AG-E-K9

These devices were configured to use IEEE 802.1x and were used to transfer EAP messages between the supplicant and the authentication server.

3.1.3 RADIUS Server – The Authentication Server The authentication server is responsible for accepting or denying the supplicant's request to use the available resources. The laptop on which the RADIUS server was installed has the following specification.

System: Toshiba Satellite A135-S4477
Processor: Intel Core 2
CPU: 2 GHz
RAM: 3 GB
OS: Ubuntu 12.04 LTS
Software: FreeRADIUS

There are many open source RADIUS servers available, but only a few support all the widely used EAP methods. FreeRADIUS [30] is an open source server that supports most of the authentication protocols, which motivated us to use it. The configuration of the RADIUS server is presented in Appendix A.

3.1.4 Tools

3.1.4.1 Wireshark

Wireshark is open source software available for both Windows and Linux operating systems [20]. It is a network packet analyzer used to capture network packets and display their contents in detail. It is used to troubleshoot network problems, examine security problems, debug protocol implementations, and for education.

To monitor the EAP messages flowing across the supplicant and authentication server, Wireshark is used.


3.2 Experimental Setup for Wired Network In this section, the experimental setup for wired network is explained. The entities

required for the setup are supplicant, authenticator and authentication server. The individual operations of these entities are explained in the above section.

Figure 3.1: Experimental Setup for Wired Network

The implementation consists of a supplicant, authenticator and authentication

server. The supplicant is connected to the authenticator (router) using unshielded twisted pair cable (RJ45). The authenticator is connected to the authentication server using an RJ45 cable.

In this setup, the authentication time and processing time of widely used EAP methods are calculated in the wired network. Wireshark is used to obtain the timestamps from which the authentication time and total processing time are computed. The authentication time is the total time taken for the user to get authenticated in the network. The processing time shows the performance of each entity for the EAP method a network administrator intends to use.

3.2.1 Authentication Time To calculate the authentication time, the EAP messages were monitored at the supplicant end using Wireshark. Only the timestamps of the EAP messages of a successful authentication were logged. The formula used to calculate the authentication time is

$A_{Total} = A_{End} - A_{Start}$

Where,

$A_{Total}$ = Total authentication time

$A_{Start}$ = EAP message start time

$A_{End}$ = EAP message end time

The calculated authentication time contains the time taken for the user to authenticate in the network, as shown in the formula below,

$A_{Total} = P_{Total} + \text{Network time}$

Where,

$P_{Total}$ = Total processing time


To validate the result, 30 samples were taken and their mean value is calculated using the formula

$\text{Authentication Time} = \frac{\text{Sum of Authentication Times}}{N}$

Where, N = Number of samples taken. To verify the results, the standard deviation of the 30 samples is also calculated.

3.2.2 Processing Time Processing time is the time taken to process a packet at each entity. The total processing time is the sum of the processing times at all entities. The supplicant processing time is the time the supplicant takes to process the EAP messages. The authenticator processing time is the time between an incoming EAP message and the corresponding outgoing EAP message in the authenticator. The processing time of the authentication server is the time taken to process the EAP message at the server end. The formula for the total processing time is shown below.

$P_{Total} = P_{Supplicant} + P_{Authenticator} + P_{Server}$

Where,

$P_{Total}$ = Total processing time

$P_{Supplicant}$ = Processing time of supplicant

$P_{Authenticator}$ = Processing time of Authenticator

$P_{Server}$ = Processing time of Authentication Server

$P_{Supplicant}$ and $P_{Server}$ are calculated from Wireshark timestamps as the time between a packet entering the supplicant/server and the corresponding packet leaving it. The timestamps for $P_{Authenticator}$ are obtained on the router; the results are exported and analysed in Wireshark to calculate the $P_{Authenticator}$ processing time.

The mean processing time of each entity and the mean total processing time over the 30 samples are calculated using the formula

$\text{Processing Time (supplicant/authenticator/server)} = \frac{\text{Sum of Processing Times}}{N}$

Where, N = Number of samples taken.


Figure 3.2: The flow diagram of EAP TLS messages [33]

For example, Figure 3.2 shows the flow diagram of the EAP-TLS messages. Processing time is the time taken at each entity, as defined above. The numbers in Figure 3.2 label the packets in order, so the supplicant, authenticator and authentication server processing times are calculated as

$P_{Supplicant} = (t_4 - t_3) + (t_{12} - t_{11}) + (t_{20} - t_{19})$

$P_{Authenticator} = (t_2 - t_1) + (t_6 - t_5) + (t_{10} - t_9) + (t_{14} - t_{13}) + (t_{18} - t_{17}) + (t_{22} - t_{21}) + (t_{26} - t_{25})$

$P_{Server} = (t_8 - t_7) + (t_{16} - t_{15}) + (t_{24} - t_{23})$

Authentication time = end time − start time,

where $t_n$ is the timestamp of packet n in Figure 3.2.
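The calculation of Sections 3.2.1 and 3.2.2 carried through in code, as an added worked example rather than the analysis script of the thesis. It uses the (in, out) packet pairs of Figure 3.2 above, computes the per-entity processing times, $P_{Total}$, $A_{Total}$ and the network share of one run, and summarises N runs as mean, standard deviation, min and max in the shape of Tables 4.1 and 4.2. Assumptions not stated in the thesis: timestamps are in seconds, packet 1 is the first and packet 26 the last EAP message of a run, the standard deviation is the sample form, and each pair is captured on the same host so that clock offset between the three entities cancels inside every difference. The timestamps in the block are constructed, not measured.

```python
"""Authentication-time and processing-time computation of Section 3.2 (added
worked example; not the analysis script of the thesis). The (in, out) packet
pairs are those of Figure 3.2. Assumptions: timestamps are in seconds, packet 1
is the first and packet 26 the last EAP message of a run, and every pair is
captured on the same host, so the clock offset between the three entities
cancels in each difference. The timestamps below are constructed, not measured."""
import statistics

# (packet in, packet out) at each entity, taken from the P formulas for Figure 3.2
SUPPLICANT_PAIRS = [(3, 4), (11, 12), (19, 20)]
AUTHENTICATOR_PAIRS = [(1, 2), (5, 6), (9, 10), (13, 14), (17, 18), (21, 22), (25, 26)]
SERVER_PAIRS = [(7, 8), (15, 16), (23, 24)]

# One constructed run: timestamp of packets 1..26 in seconds
BASE_TIMESTAMPS = [0.000, 0.010, 0.020, 0.035, 0.045, 0.055, 0.065, 0.075, 0.085,
                   0.095, 0.105, 0.120, 0.130, 0.140, 0.150, 0.160, 0.170, 0.180,
                   0.190, 0.205, 0.215, 0.225, 0.235, 0.245, 0.255, 0.265]


def constructed_sample(stretch=1.0):
    """Return {packet_number: timestamp} for one run, with all gaps scaled by `stretch`."""
    return {n + 1: t * stretch for n, t in enumerate(BASE_TIMESTAMPS)}


def processing_time(ts, pairs):
    """Sum of (t_out - t_in) over an entity's pairs; a negative gap means the
    capture is inconsistent and is reported instead of silently summed."""
    total = 0.0
    for pkt_in, pkt_out in pairs:
        delta = ts[pkt_out] - ts[pkt_in]
        if delta < 0:
            raise ValueError(f"packet {pkt_out} is timestamped before packet {pkt_in}")
        total += delta
    return total


def analyse_sample(ts):
    """One run: P per entity, P_Total, A_Total = A_End - A_Start, and the network share."""
    if set(ts) != set(range(1, 27)):
        raise ValueError("a Figure 3.2 run needs timestamps for packets 1..26")
    p_sup = processing_time(ts, SUPPLICANT_PAIRS)
    p_auth = processing_time(ts, AUTHENTICATOR_PAIRS)
    p_srv = processing_time(ts, SERVER_PAIRS)
    p_total = p_sup + p_auth + p_srv
    a_total = ts[26] - ts[1]
    return {"P_Supplicant": p_sup, "P_Authenticator": p_auth, "P_Server": p_srv,
            "P_Total": p_total, "A_Total": a_total, "Network": a_total - p_total}


def summarise(samples):
    """Mean, sample standard deviation, min and max of each metric over N runs,
    the statistics Tables 4.1 and 4.2 report (the sample form of the standard
    deviation is an assumption; the thesis does not say which form it used)."""
    rows = [analyse_sample(ts) for ts in samples]
    summary = {}
    for key in rows[0]:
        values = [row[key] for row in rows]
        stdev = statistics.stdev(values) if len(values) > 1 else 0.0
        summary[key] = (statistics.mean(values), stdev, min(values), max(values))
    return summary


if __name__ == "__main__":
    runs = [constructed_sample(s) for s in (1.0, 1.1, 1.2)]
    for name, (mean, stdev, lo, hi) in summarise(runs).items():
        print(f"{name:16s} {mean:.4f} ({stdev:.4f})  min {lo:.4f}  max {hi:.4f}")
```

The "Network" entry is what is left of $A_{Total}$ after the three processing sums are removed; if it comes out negative on real captures, the clocks of the three capture points are not aligned, which is exactly the error the per-entity differencing is meant to avoid.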

3.3 Experimental Setup for Wireless Network To set up a wireless network, a communication device that does not need a physical medium to relay information to other devices is required. For this purpose a wireless access point is used as the authenticator, and a wireless connection is established between the authenticator and the supplicant.

Figure 3.3: Experimental Setup for Wireless Network

Using the timestamps of each EAP method, authentication time is calculated using

the same formula used in wired network. The processing time of SupplicantP , torAuthenticaP

and ServerP are also calculated similarly to wired network. To check the scalability of

wireless network a scalability experiment is performed which is discussed in chapter 5.


4 EXPERIMENTAL RESULTS In this section, the data collected in the experiment for both wired and wireless

networks is presented; authentication time and total processing time results are compared.

4.1 Results for Wired Network

4.1.1 Evaluation of Authentication Time The authentication time for wired network is shown below.

EAP-Method | Authentication Time [sec] (Stdev) | Min [sec] | Max [sec]
EAP-MD5 | 0.1046 (0.0077) | 0.0940 | 0.1183
EAP-TLS | 0.2627 (0.0041) | 0.2578 | 0.2706
EAP-TTLS-PAP | 0.2018 (0.0051) | 0.1946 | 0.2107
EAP-TTLS-CHAP | 0.2155 (0.0053) | 0.2092 | 0.2239
EAP-TTLS-MSCHAP | 0.2301 (0.0036) | 0.2249 | 0.2368
EAP-TTLS-MSCHAPv2 | 0.2587 (0.0040) | 0.2518 | 0.2657
EAP-PEAP-MD5 | 0.1858 (0.0033) | 0.1802 | 0.1920
EAP-PEAP-MSCHAPv2 | 0.2532 (0.0035) | 0.2483 | 0.2607

Table 4.1: Authentication Time for wired network

The results in Table 4.1 show that EAP-MD5 has the smallest authentication time and EAP-PEAP-MD5 the least variation. The remaining protocols have higher authentication times than EAP-MD5 and EAP-PEAP-MD5. EAP-TLS has the highest authentication time (0.2627 s), followed closely by EAP-TTLS-MSCHAPv2 (0.2587 s) and EAP-PEAP-MSCHAPv2 (0.2532 s), which differ from each other by only a few milliseconds.


4.1.2 Evaluation of Processing Time The processing time of each entity in wired network with its standard deviation

value to analyze the samples is shown below.

Processing Time [sec]

EAP-Method | Supplicant (Stdev) | Authenticator (Stdev) | Authentication Server (Stdev) | Total (Stdev) | Min | Max
MD5 | 0.0367 (0.0014) | 0.0548 (0.0012) | 0.0087 (0.0020) | 0.1002 (0.0045) | 0.0934 | 0.1092
TLS | 0.0712 (0.0015) | 0.1167 (0.0014) | 0.0328 (0.0023) | 0.2207 (0.0050) | 0.2127 | 0.2313
TTLS-PAP | 0.0705 (0.0011) | 0.1026 (0.0015) | 0.0285 (0.0028) | 0.2016 (0.0051) | 0.1941 | 0.2091
TTLS-CHAP | 0.0746 (0.0012) | 0.0988 (0.0013) | 0.0281 (0.0024) | 0.2015 (0.0049) | 0.1917 | 0.2092
TTLS-MSCHAP | 0.0756 (0.0009) | 0.1154 (0.0015) | 0.0276 (0.0018) | 0.2186 (0.0042) | 0.2121 | 0.2255
TTLS-MSCHAPv2 | 0.0622 (0.0014) | 0.1223 (0.0008) | 0.0278 (0.0016) | 0.2123 (0.0037) | 0.2068 | 0.2198
PEAP-MD5 | 0.0638 (0.0010) | 0.0938 (0.0012) | 0.0226 (0.0013) | 0.1802 (0.0034) | 0.1745 | 0.1871
PEAP-MSCHAPv2 | 0.0783 (0.0012) | 0.1406 (0.0016) | 0.0286 (0.0017) | 0.2475 (0.0043) | 0.2396 | 0.2537

Table 4.2: Total Processing Time for Wired Network

The results in Table 4.2 show that the processing time in the authenticator is higher than in the authentication server and the supplicant. EAP-MD5 has the least total processing time, EAP-PEAP-MD5 has the least variation in processing time, and PEAP-MSCHAPv2 has the highest total processing time. Beyond that, it is difficult to find a pattern in the results of the other protocols.

The wired-network results were compared with [8] and show a small variation, which may be due to the different environment used in [8].

4.2 Results for Wireless Network The results obtained for the wireless network for authentication time and

processing time is shown below.

4.2.1 Evaluation of Authentication Time The authentication time for wireless network is shown below.

EAP-Method | Authentication Time [sec] (Stdev) | Min [sec] | Max [sec]
EAP-MD5 | 0.1474 (0.0065) | 0.1384 | 0.1593
EAP-TLS | 0.3916 (0.0052) | 0.3822 | 0.4021
EAP-TTLS-PAP | 0.2941 (0.0036) | 0.2855 | 0.3048
EAP-TTLS-CHAP | 0.3008 (0.0043) | 0.2927 | 0.3096
EAP-TTLS-MSCHAP | 0.3215 (0.0038) | 0.3128 | 0.3291
EAP-TTLS-MSCHAPv2 | 0.3611 (0.0056) | 0.3498 | 0.3702
EAP-PEAP-MD5 | 0.2406 (0.0058) | 0.2293 | 0.2508
EAP-PEAP-MSCHAPv2 | 0.3278 (0.0062) | 0.3182 | 0.3375

Table 4.3: Authentication Time for Wireless Network


The results in Table 4.3 show that EAP-MD5 has the smallest authentication time of all EAP methods. EAP-PEAP-MSCHAPv2 and EAP-TTLS-MSCHAPv2 differ only slightly in authentication time. EAP-TLS has the largest authentication time. The remaining EAP methods do not follow any pattern in the samples obtained.

4.2.2 Evaluation of Processing Time The processing time of each entity in wireless network is shown below.

Processing Time [sec]

EAP-Method | Supplicant (Stdev) | Authenticator (Stdev) | Authentication Server (Stdev) | Total (Stdev) | Min | Max
MD5 | 0.0431 (0.0015) | 0.0654 (0.0017) | 0.0106 (0.0020) | 0.1191 (0.0051) | 0.1083 | 0.1278
TLS | 0.0912 (0.0011) | 0.1514 (0.0012) | 0.0404 (0.0013) | 0.2830 (0.0036) | 0.2740 | 0.2916
TTLS-PAP | 0.0869 (0.0012) | 0.1193 (0.0010) | 0.0315 (0.0014) | 0.2377 (0.0034) | 0.2281 | 0.2458
TTLS-CHAP | 0.0918 (0.0013) | 0.1215 (0.0015) | 0.0332 (0.0015) | 0.2465 (0.0043) | 0.2374 | 0.2562
TTLS-MSCHAP | 0.0905 (0.0014) | 0.1372 (0.0017) | 0.0316 (0.0022) | 0.2593 (0.0051) | 0.2503 | 0.2686
TTLS-MSCHAPv2 | 0.0768 (0.0012) | 0.1457 (0.0015) | 0.0323 (0.0016) | 0.2548 (0.0040) | 0.2467 | 0.2661
PEAP-MD5 | 0.0738 (0.0014) | 0.1102 (0.0019) | 0.0265 (0.0020) | 0.2105 (0.0053) | 0.2031 | 0.2177
PEAP-MSCHAPv2 | 0.0934 (0.0013) | 0.1664 (0.0016) | 0.0327 (0.0016) | 0.2925 (0.0044) | 0.2842 | 0.3013

Table 4.4: Processing Time for Wireless Network

Table 4.4 shows that EAP-MD5 has the smallest total processing time, while PEAP-MSCHAPv2 and TLS take the most. The total processing times of TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP and TTLS-MSCHAPv2 vary only slightly between them. EAP-PEAP-MSCHAPv2 has the highest total processing time.

4.3 Comparison of Authentication time The results obtained for wired and wireless network are compared to find which

network provides better performance and if a suitable EAP method for both wired and wireless network can be chosen. Figure 4.1 displays the authentication time for each EAP-method for wired and wireless networks. The x-axis denotes EAP-methods and y-axis denotes authentication time. The blue bars indicate wired network results and red bars indicate wireless network results.


Figure 4.1: Comparison of Authentication Time (bar chart; x-axis: EAP-Methods MD5, TLS, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPv2, PEAP-MD5, PEAP-MSCHAPv2; y-axis: authentication time in seconds, 0 to 0.45; blue bars wired, red bars wireless)

Figure 4.1 shows the authentication time for the wired and wireless networks. Authentication takes longer in the wireless network than in the wired network for every method. EAP-MD5 has the smallest time in both networks. EAP-TLS shows the largest increase in the wireless network compared to the wired network, about 130 ms, whereas the EAP-TTLS and EAP-PEAP variants increase by approximately 50-100 ms. On average, each protocol took 0.084 s longer to authenticate in the wireless network than in the wired network.

4.4 Comparison of Total Processing time The total processing times obtained for the wired and wireless networks are shown in Figure 4.2. Total processing takes longer in the wireless network than in the wired network. Figure 4.2 displays the total processing time of each EAP method for both networks. The x-axis denotes the EAP methods and the y-axis the total processing time. The blue bars indicate the wired network results and the red bars the wireless network results.


Figure 4.2: Comparison of Total Processing Time (bar chart; x-axis: EAP-Methods MD5, TLS, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAP, TTLS-MSCHAPv2, PEAP-MD5, PEAP-MSCHAPv2; y-axis: total processing time in seconds, 0 to 0.35; blue bars wired, red bars wireless)

The processing time of each protocol in the wired network is less than in the wireless scenario. MD5 takes the least processing time in both the wired and the wireless scenario compared to all other protocols, while TLS and PEAP-MSCHAPv2 take somewhat more.


5 SCALABILITY EXPERIMENT It is necessary to evaluate the scalability of the network to see whether the methods used can handle load, so a scalability experiment was carried out. The experimental setup is the same as in the wireless network scenario. The only difference is that in the wireless scenario only one client is connected at a time, whereas in the scalability experiment ten users with different PCs running the Ubuntu operating system were asked to connect to the network simultaneously, to check whether the authentication time and total processing time change when several users try to log in at the same time. All ten users used the EAP methods built into Ubuntu, and the EAP messages were captured in the same way as in the wireless experiment. The purpose of this experiment is to learn how the network scales as the number of users increases.

Figure 5.1: Scalability Experiment

5.1 Calculation of Authentication Time and Processing Time

The authentication time and processing time were calculated as in the wireless network scenario above. Table 5.1 presents the average of 10 samples, obtained while 10 users logged in to the network using valid credentials provided by us. The results show very little difference in authentication time and total processing time compared to the wireless network.


EAP-Method | Authentication Time [sec] (Stdev) | Total Processing Time [sec] (Stdev)
EAP-MD5 | 0.1526 (0.0076) | 0.1257 (0.0069)
EAP-TLS | 0.3962 (0.0085) | 0.2943 (0.0078)
EAP-TTLS-PAP | 0.2894 (0.0068) | 0.2439 (0.0073)
EAP-TTLS-CHAP | 0.2875 (0.0070) | 0.2602 (0.0064)
EAP-TTLS-MSCHAP | 0.3307 (0.0069) | 0.2744 (0.0076)
EAP-TTLS-MSCHAPv2 | 0.3689 (0.0074) | 0.2752 (0.0080)
EAP-PEAP-MD5 | 0.2426 (0.0079) | 0.2187 (0.0068)
EAP-PEAP-MSCHAPv2 | 0.3294 (0.0083) | 0.3121 (0.0071)

Table 5.1: Authentication Time & Total Processing Time for Scalability Experiment

From Table 5.1 it is seen that EAP-MD5 has the shortest authentication time, EAP-TTLS-MSCHAPv2 the highest authentication time, EAP-MD5 the lowest total processing time and EAP-PEAP-MSCHAPv2 the highest total processing time. Comparing Table 5.1 with Table 4.3 and Table 4.4, we observe less than 1% difference in average authentication time and 7% difference in average total processing time, which is negligible. We can say that even when several users try to connect to the network simultaneously, there is not much difference in performance.


6 SURVEY

An online survey was conducted among the students of BTH using docs.google.com. The reason for using an online survey instead of face-to-face interviews with the students is that responses given in person might be influenced by us through peer pressure. The survey link was sent to the students of BTH via the student portal.

In total 320 responses were obtained, of which only 292 were considered. The responses were collected from different schools of BTH. The remaining responses were treated as improper. Improper responses were filtered by an age criterion, i.e. a few students gave an age below 18, which is not possible for a student at BTH, and a few students gave school names that do not exist at BTH; from this we concluded that these students were not serious when answering the questions, so such responses were discarded. The main motive of the survey was to obtain feedback from the students regarding the network security provided by BTH.

6.1 Survey Results

The complete survey results are presented in Appendix B. The questions used in the survey and the responses are as follows:

1. Knowledge on computer networks: The number of responses obtained from the different schools of BTH was divided according to gender, and the results were further sub-divided according to the participants' knowledge of computer networks, as presented in Table 6.1.

                         Male        Female      All
School                   Yes   No    Yes   No    Yes   No
School of Computing      102   20    17    2     119   22
School of Engineering    74    24    15    8     89    32
Other Schools            10    6     3     11    13    17
All Schools              186   50    35    21    221   71

Table 6.1: Participants' Knowledge on Network Security

The result indicates that 186 male students on the BTH campus have knowledge of computer networks and 50 do not. 35 female students on the BTH campus have knowledge of computer networks and 21 female students do not have any knowledge in this domain.


2. Do you consider security to be important when you use a network?

Table 6.2 presents the responses of male and female students regarding the importance of network security. It is clear that the majority of students consider security to be important when they use a network. Overall, 270 students consider security important, 3 students consider that security is not important and 10 students consider that security may be important while using the network.

                         Male                Female              All
School                   Yes   No   Maybe    Yes   No   Maybe    Yes   No   Maybe
School of Computing      108   1    13       18    0    1        126   1    14
School of Engineering    94    1    3        21    1    1        115   2    4
Other Schools            15    0    1        14    0    0        29    0    1
All Schools              217   2    17       53    1    2        270   3    19

Table 6.2: Participants' knowledge on importance of Network Security

3. Which of the following scenarios would you prefer when connecting to a network?

Table 6.3 presents the students' preferences regarding security versus the time they are willing to wait until a connection is established. 184 male students and 45 female students prefer high security and do not mind a longer connection time, while the remaining 52 males and 11 females prefer a shorter connection time with lower security.

                         Male                  Female                All
School                   High/long  Low/short  High/long  Low/short  High/long  Low/short
School of Computing      92         30         15         4          107        34
School of Engineering    77         21         19         4          96         25
Other Schools            15         1          11         3          26         4
All Schools              184        52         45         11         229        63

High/long = high security with a long connection time; Low/short = low security with a short connection time.

Table 6.3: Participants' preference on network connection time


4. How long time would you be willing to wait for a connection to a network to be established, if you know nothing of the security of the connection?

Table 6.4 presents the network connection time students are willing to wait until the connection is established, assuming they have no clear knowledge of the security of the connection. From the table it is seen that opinions are mixed: 84 students are ready to wait up to 3 seconds until the network connection is established and 94 students are ready to wait up to 5 seconds. The views of both genders on network connection time show no significant difference, as the majority of male and female students are ready to wait 1-5 seconds.

                         Male                             Female                           All
School                   1s    1-3s  3-5s  5-8s  >8s      1s    1-3s  3-5s  5-8s  >8s      1s    1-3s  3-5s  5-8s  >8s
School of Computing      16    34    41    17    14       3     6     6     2     2        19    40    47    19    16
School of Engineering    5     30    27    15    21       0     6     13    4     0        5     36    40    19    21
Other Schools            1     4     4     2     5        1     4     4     3     2        2     8     8     5     7
All                      22    68    72    34    40       4     16    23    9     4        26    84    95    43    44

Table 6.4: Network connection time where participants do not have any knowledge on security of connection

5. How long time would you be willing to wait for a connection to a network to be established, if longer time yields higher security?

Table 6.5 presents the network connection time students are willing to wait if they are provided with higher security. From the results, 69 students are ready to wait approximately 5 seconds, 105 students are ready to wait approximately 8 seconds and 78 students are willing to wait more than 8 seconds until the connection is established in order to obtain higher security.

                         Male                             Female                           All
School                   1s    1-3s  3-5s  5-8s  >8s      1s    1-3s  3-5s  5-8s  >8s      1s    1-3s  3-5s  5-8s  >8s
School of Computing      3     19    26    44    30       0     3     6     8     2        3     22    32    52    32
School of Engineering    1     10    24    34    29       0     1     7     8     7        1     11    31    42    36
Other Schools            0     2     2     4     8        0     1     4     7     2        0     3     6     11    10
All                      4     31    52    82    67       0     5     17    23    11       4     36    69    105   78

Table 6.5: Connection time where participants are ready to wait if higher security is provided


6. Which type of network do you choose in BTH campus?

Table 6.6 presents the number of students using the wired and wireless networks on the BTH campus. The results indicate that the majority of students use the wireless network: 266 students use the wireless network and 26 students use the wired network.

                         Male              Female            All
School                   Wired  Wireless   Wired  Wireless   Wired  Wireless
School of Computing      15     107        0      19         15     126
School of Engineering    8      90         1      22         9      112
Other Schools            1      15         1      13         2      28
All Schools              24     212        2      54         26     266

Table 6.6: BTH Campus network connection usage by participants

7. Do you regard the security of the BTH networks to be enough to keep your data confidential?

Table 6.7 presents the number of students who regard the network security provided by BTH as sufficient or not. The reason for asking this question is that it is important to know the users' perspective on the security provided by the campus, as they are the end users. The results indicate that approximately 22% of the students regard the network security provided on the BTH campus as not enough to keep their data confidential.

                         Male        Female      All
School                   Yes   No    Yes   No    Yes   No
School of Computing      96    26    14    5     110   31
School of Engineering    82    16    17    6     99    22
Other Schools            9     7     11    3     20    10
All Schools              187   49    42    14    229   63

Table 6.7: Participants' opinion about security of BTH network

8. If network connection security were to be upgraded in the network you are using at BTH to get a higher security, inducing higher connection times, would you be willing to wait for a few more seconds or would you prefer the security and connection time to remain the same as before?

Table 6.8 presents the students' preferences if the network security were upgraded to obtain higher security. The results indicate that 206 students are willing to wait for additional connection time to obtain higher security, and 86 students would prefer to remain with the same security mechanism currently used by BTH.


                         Male            Female          All
School                   Wait    Same    Wait    Same    Wait    Same
School of Computing      82      40      16      3       98      43
School of Engineering    65      33      17      6       82      39
Other Schools            16      0       10      4       26      4
All Schools              163     73      43      13      206     86

Wait = "I am willing to wait a few seconds extra"; Same = "I would want it to remain the same as before".

Table 6.8: Participants' preference if network upgraded to higher security


7 DISCUSSION

Every network needs a secure login method so that users can feel comfortable that confidential information in the network is kept secure. In order to maintain security in the network, network administrators need to consider what level of security can be provided. To achieve a high level of security, network administrators need to know the cost of deployment, including whether any additional equipment is required in the existing security setup.

Port-based access control (802.1X) can be used to authenticate users; it requires one or more authentication methods to establish a high level of security. It is necessary to evaluate the performance of the widely used EAP methods for wired and wireless networks and to compare the results for both networks, to check whether any additional delay occurs, whether one particular protocol can be implemented for both wired and wireless networks, and whether the EAP methods are capable of handling heavy loads.

For RQ1, the results in Table 4.1 and Table 4.2 show that the authentication time and total processing time of EAP-MD5 are lower than those of the other protocols, but EAP-MD5 is vulnerable to many attacks and is not secure, as shown in Table 2.2. The better protocol is the one that provides good security and good performance on the network. EAP-PEAP, EAP-TTLS and EAP-TLS are secure protocols, but EAP-TLS is more secure than EAP-TTLS and EAP-PEAP. The reason EAP-TLS is more secure is that it performs a client and server certificate exchange in the authentication process, whereas EAP-TTLS and EAP-PEAP require only a server-side certificate.

The experiment performed in the wired scenario is similar to the work done in [8]. A switch is used as authenticator in [8], whereas in this work a router is used. The experiment in [8] was performed on personal computers, whereas we performed the experiment using laptops. Figure 7.1 and Figure 7.2 show the comparison of our wired network results with the experimental results of [8]. The comparison of authentication time and total processing time shows little variation; the variation might be due to the change of authenticator device, or to the change of supplicant and authentication server devices, as PCs were used in [8] but laptops in our work.

[Figure 7.1 (bar chart): authentication time, y-axis 0 to 0.3 s, for MD5, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAPv2 and PEAP-MSCHAPv2; series "This work" and "Previous work"]

Figure 7.1: Authentication Time in comparison to work done by [8]


[Figure 7.2 (bar chart): total processing time, y-axis 0 to 0.3 s, for MD5, TTLS-PAP, TTLS-CHAP, TTLS-MSCHAPv2 and PEAP-MSCHAPv2; series "This work" and "Previous work"]

Figure 7.2: Total Processing Time in comparison to work done by [8]

For RQ2, the results in Table 4.3 and Table 4.4 show that EAP-MD5 has the smallest processing time and authentication time. EAP-TLS takes the highest authentication time and processing time; the reason may be its two-way certificate exchange. EAP-TTLS and EAP-PEAP provide moderate authentication time and processing time, as they have only a one-way certificate exchange.

From Table 4.1 and Table 4.3, the authentication time for the different EAP methods in the wired network is seen to be less than in the wireless network. As 30 samples were collected for each EAP method, the standard deviation was calculated over the 30 samples to check the variation obtained. The standard deviation results show little variation.

From Table 4.2 and Table 4.4 it is seen that the total processing time for the wired network is better than for the wireless network. The reason for the delay might be the transmission of packets over the wireless medium. As mentioned above, the standard deviation of the total processing time for each EAP method showed little variation.

To check whether the different EAP methods scale with the number of users in the wireless network, a scalability experiment was conducted in which 10 users were asked to log in to the network simultaneously. From Table 5.1, the results of the scalability experiment indicate that even when several users try to log in simultaneously, the variation in the results is negligible for both authentication time and total processing time.

From the information given by the companies, PEAP-MSCHAPv2 is the protocol they use. In our results for authentication time, PEAP-MSCHAPv2 takes 0.2532 seconds to authenticate in the wired network, whereas in the wireless network it takes 0.3278 seconds. PEAP-MSCHAPv2 is not as secure as EAP-TLS, but because of implementation complexity, deployment charges and low maintenance cost it has become highly popular among network administrators. We think that EAP-TLS is the more secure protocol compared to the other protocols in this study, if a high level of security needs to be achieved.

A user survey with a series of questions was put to the students of BTH using an online survey form. The survey was conducted to obtain the opinion of the students regarding the network security provided by the BTH network administrators. Approximately 22% of the questioned students regard the network security provided by BTH as not secure. The responses also indicate that the majority of the students are willing to wait longer to get higher security when connecting to the network.

7.1 Assessment

• Wireshark may have some impact on the measurements: a packet may not reach Wireshark at the same time as it reaches the supplicant, and a few packets may be lost and never reach Wireshark at all. Hence the packets of every successful login must be counted, and the number of packets received must be the same for all samples.

• The results were calculated manually, so there may be a small variation in each sample time compared to an automated system. We believe the variation between samples obtained manually and with an automated system would be small enough to be negligible.


8 CONCLUSION AND FUTURE WORK

This report presents a study of the performance of different EAP methods. The experiments were carried out on both wired and wireless networks in order to observe any pattern.

From the companies' point of view, it is important to know the performance of TLS, TTLS and PEAP, as they are widely used today. Using the results of this study, the delay introduced by each protocol and its ability to handle load can be known. This will help in selecting a suitable protocol before implementation.

Based on the analysis, TLS provides better performance and moderate authentication time in wired and wireless networks. The criteria used to choose a better protocol are the analysis of the background (advantages and disadvantages) and the experimental results obtained in our thesis.

The wired network provides better processing time and authentication time compared to the wireless network. EAP-MD5 has less delay than the other EAP methods in both wired and wireless networks, but it is less secure. EAP-TLS takes more processing time and authentication time than the other EAP methods in both wired and wireless networks, but it is highly secure compared to the other methods; nevertheless it is highly unpopular among network administrators due to its implementation complexity, deployment cost and difficulties in maintenance. If moderate security is enough, the best option to implement is PEAP-MSCHAPv2, as the maintenance cost is low and implementation is easy.

Based on the user survey, users/students prefer higher security with moderate connection time. It is seen that 70% of users/students are willing to wait additional time to get higher security. The results also show that 22% of students regard the security provided in the BTH campus networks as not secure. However, based on theoretical knowledge and our experimental results, the protocol used on the BTH campus, EAP-PEAP-MSCHAPv2, is the best protocol in terms of security, maintenance cost and maintenance. Hence, the network administrators of BTH do not need to change the authentication method currently in use. However, based on the survey results, if the network administrators would like to upgrade to higher security, students would accept higher response times as long as more security is provided.

As future work, a real-time survey could be conducted among companies about the usage of these protocols and the difficulties faced during implementation and maintenance; this would help protocol developers improve the protocols and make life easier for network administrators.

In this work we evaluated the performance of the wireless network using laptops, but repeating the experiment with mobile phones and examining the performance could be interesting. All these EAP methods are in some way vulnerable to different attacks. A study of implementing these attacks and their countermeasures could also be interesting.


REFERENCES

1. C. Alexandra, G. Laura, R. Daniel, “A practical analysis of EAP authentication methods,” in Proc. 9th RoEduNet International Conference, 2010, pp. 31-35.

2. “IEEE Standard for Local and metropolitan area networks - Port-Based Network Access Control,” IEEE Std 802.1X-2010 (Revision of IEEE Std 802.1X-2004), pp. C1-205, Feb. 2010 [online]. Available: http://ieeexplore.ieee.org.miman.bib.bth.se/stamp/stamp.jsp?tp=&arnumber=935759 [Accessed: 2012-05-15].

3. Ronny Haryanto, “802.1x,” [online]. Available: http://www.scribd.com/doc/51588347/802-1x [Accessed: 2012-05-15].

4. G. Lopez, A. F. Gomez, R. Marin, O. Canovas, “A network access control approach based on the AAA architecture and authorization attributes,” in Journal of Network and Computer Applications, vol. 30, no. 3, pp. 900-919, 2007.

5. T. Henderson, D. Kotz, I. Abyzov, “The changing usage of a mature campus-wide wireless network,” in Computer Networks, vol. 52, no. 14, pp. 2690-2712, Oct. 2008.

6. Mishra, W. A. Arbaugh, “An Initial Security Analysis of the IEEE 802.1X Standard,” Feb. 2002 [online]. Available: http://www.cs.umd.edu/~waa/1x.pdf [Accessed: 2012-05-15].

7. K. M. Ali, A. Al-Khlifa, “A Comparative Study of Authentication Methods for Wi-Fi Networks,” in Proc. Third International Conference on Computational Intelligence, Communication Systems and Networks (CICSyN), 2011, pp. 190-194.

8. L. Peter, L. Johan, “Evaluation of EAP-methods Performance testing on IEEE 802.1x,” Master Thesis, School of Computing, Blekinge Institute of Technology, Sweden, 2011.

9. K. Yang, J. Ma, “Implementation of IEEE802.1x in OPNET,” in Proc. 7th Asia Simulation Conference on System Simulation and Scientific Computing (ICSC), 2008, pp. 1390-1394.

10. T. Thomas and D. Stoddard, “Security Protocols,” in Network Security First-Step, 2nd ed., Indianapolis, Cisco Press, ch. 6, pp. 169-192.

11. C. Rigney et al., “Remote Authentication Dial In User Service (RADIUS),” [online]. Available: http://www.ietf.org/rfc/rfc2865.txt [Accessed: 2012-03-05].

12. J. Postel, “User Datagram Protocol,” [online]. Available: http://www.ietf.org/rfc/rfc768.txt [Accessed: 2012-03-05].

13. Fan Yang, “Analysis and Application of EAP_AKA for IEEE Standard 802.16e,” in Proc. 7th International Conference on Wireless Communications, Networking and Mobile Computing (WiCOM), 2011, pp. 1-4.

14. K. M. Ali, T. J. Owens, “Selection of an EAP authentication method for a WLAN,” in Int. J. Inf. Comput. Sec., vol. 1, no. 1/2, pp. 210-233, Jan. 2007.


15. B. Aboba et al., “Extensible Authentication Protocol (EAP),” [online]. Available: http://www.ietf.org/rfc/rfc3748.txt [Accessed: 2012-03-05].

16. L. Blunk, J. Vollbrecht, “PPP Extensible Authentication Protocol (EAP),” [online]. Available: http://www.ietf.org/rfc/rfc2284.txt [Accessed: 2012-03-05].

17. D. Ram, C. Gabriel, A. Anuj, (2006, Sept.) “EAP methods for wireless networks,” Computer Standards & Interfaces, vol. 29 (2007), pp. 289-301 [online]. Available: http://nsl.cse.unt.edu/~dantu/cae/Dantu/EAP_Methods_for_Wireless_Networks.pdf

18. B. Aboba, D. Simon, “PPP EAP TLS Authentication Protocol,” [online]. Available: http://www.ietf.org/rfc/rfc2716.txt [Accessed: 2012-05-15].

19. P. Funk, S. Blake-Wilson, “Extensible Authentication Protocol Tunneled Transport Layer Security Authentication Protocol Version 0 (EAP-TTLSv0),” [online]. Available: http://tools.ietf.org/html/rfc5281 [Accessed: 2012-05-15].

20. Wireshark, “The world's foremost network protocol analyzer,” [online]. Available: http://www.wireshark.org/ [Accessed: 2012-03-05].

21. P. Funk, “EAP Tunneled TLS Authentication Protocol,” [online]. Available: http://www.ietf.org/proceedings/53/slides/eap-1/sld002.htm [Accessed: 2012-05-15].

22. Lei Han, “A Threat Analysis of The Extensible Authentication Protocol,” School of Computer Science, Carleton University, April 2006 [online]. Available: http://people.scs.carleton.ca/~barbeau/Honours/Lei_Han.pdf

23. “PEAP & EAP-TTLS,” [online]. Available: www.cs.huji.ac.il/~sans/students_lectures/PEAP-TTLS.ppt [Accessed: 2012-05-15].

24. “Setup IEEE 802.1x Access Control (Authentication and Accounting),” [online]. Available: http://www.zyxeltech.de/snotep335wt/app/8021x.htm [Accessed: 2012-05-15].

25. M. A. Catur Bhakti, A. Abdullah, L. T. Jung, “EAP-based authentication with EAP method selection mechanism,” in Proc. International Conference on Intelligent and Advanced Systems (ICIAS), 2007, pp. 393-396.

26. Cisco, “Fast Secure Roaming,” [online]. Available: http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/fastroam.html [Accessed: 2012-05-15].

27. Evil Routers, “Configuring FreeRADIUS to support Cisco AAA Clients,” [online]. Available: http://evilrouters.net/2008/11/19/configuring-freeradius-to-support-cisco-aaa-clients/ [Accessed: 2012-05-15].

28. Cisco, “EAP Authentication with RADIUS Server,” [online]. Available: http://www.cisco.com/en/US/products/hw/wireless/ps4570/products_configuration_example09186a00801bd035.shtml [Accessed: 2012-05-15].

29. “Cisco Command Summary,” [online]. Available: http://networking.ringofsaturn.com/Cisco/ciscocommandguide.php [Accessed: 2012-05-15].


30. FreeRADIUS, “The world’s most popular RADIUS Server,” [online]. Available: http://freeradius.org/ [Accessed: 2012-05-15].

31. M. Asad, W. Ali, “Response Time Effects on Quality of Security Experience,” School of Computing, Blekinge Institute of Technology, Sweden, 2012.

32. M. Nakhjiri, “Use of EAP-AKA, IETF Hokey and AAA Mechanisms to Provide Access and Handover Security and 3G-802.16M Interworking,” in Proc. IEEE 18th International Symposium on Personal, Indoor and Mobile Radio Communications (PIMRC 2007), Sept. 2007, pp. 1-5.

33. “802.11 Sniffer Capture Analysis - WPA/WPA2 with PSK or EAP,” [online]. Available: https://supportforums.cisco.com/docs/DOC-24494 [Accessed: 2012-05-15].


APPENDIX A

FreeRADIUS configuration

Step 1: Install lamp-server

Step 2: sudo apt-get install freeradius

Step 3: sudo apt-get install freeradius-ldap

Step 4: sudo apt-get install freeradius-mysql

Step 5: sudo /etc/init.d/freeradius restart

Step 6: Log in to the MySQL database

Step 7: CREATE USER 'radius'@'localhost' IDENTIFIED BY 'setupRADIUS';

Step 8: CREATE DATABASE radius;

Step 9: GRANT ALL PRIVILEGES ON radius.* TO 'radius'@'localhost';

Step 10: Exit MySQL

Step 11: Create the tables from schema.sql and nas.sql with the following commands; when prompted for a password, enter the MySQL password.

mysql -u radius -p radius < /etc/freeradius/sql/mysql/schema.sql

mysql -u radius -p radius < /etc/freeradius/sql/mysql/nas.sql

Step 12: sudo gedit /etc/freeradius/sites-enabled/default

Step 13: Uncomment "sql" in the authorize{}, accounting{}, session{} and post-auth{} sections

Step 14: sudo gedit /etc/freeradius/radiusd.conf and enter the following port numbers and log settings:

Authentication port: 1812
Accounting port: 1813
auth = yes
auth_badpass = yes
auth_goodpass = no

and uncomment $INCLUDE sql.conf in the modules{} section

Step 15: sudo gedit /etc/freeradius/sql.conf and use the following lines in the sql {} module:

database = "mysql"
server = "localhost"
login = "radius"
password = "setupRADIUS"
radius_db = "radius"
readclients = yes

Step 16: Add the following line to the bottom of /etc/freeradius/users:

radius Cleartext-Password := "setupRADIUS"
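The steps above as a POSIX shell helper, added here as an example and not part of the thesis or of FreeRADIUS: it renders the SQL of steps 7-9 and the sql {} block of step 15 from parameters, and checks that an existing radiusd.conf carries the step 14 settings. The function names and the RADIUS_DB_PASS variable are assumptions; the thesis's lab values appear only as defaults, and nothing here touches a live system.

```sh
#!/bin/sh
# Added example, not part of the thesis or of FreeRADIUS. Renders the
# Appendix A settings as text and inspects a radiusd.conf you point it at;
# it never installs or modifies anything. Function names and the
# RADIUS_DB_PASS variable are assumptions made for this example.

# Steps 7-9: SQL for the RADIUS database account, database and grant.
# Usage: radius_sql_bootstrap DB_USER DB_PASSWORD DB_NAME
radius_sql_bootstrap() {
    printf "CREATE USER '%s'@'localhost' IDENTIFIED BY '%s';\n" "$1" "$2"
    printf "CREATE DATABASE %s;\n" "$3"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'localhost';\n" "$3" "$1"
}

# Step 15: the sql {} module for /etc/freeradius/sql.conf. The password is
# stored in cleartext in that file, so keep the file readable only by the
# account radiusd runs as (the thesis does not say how it was protected).
# Usage: radius_sql_module DB_USER DB_PASSWORD DB_NAME
radius_sql_module() {
    printf 'sql {\n'
    printf '\tdatabase = "mysql"\n'
    printf '\tserver = "localhost"\n'
    printf '\tlogin = "%s"\n' "$1"
    printf '\tpassword = "%s"\n' "$2"
    printf '\tradius_db = "%s"\n' "$3"
    printf '\treadclients = yes\n'
    printf '}\n'
}

# Step 14: verify that radiusd.conf carries the log settings and the
# sql.conf include. A setting counts only on an uncommented line (a leading
# '#' means it is still off). Prints each missing setting and returns 1 if
# any is absent, 0 if all are present.
# Note: auth_badpass = yes writes rejected passwords (often near-misses of
# real ones) into the log, so the log file must be treated as sensitive.
check_radiusd_conf() {
    conf="$1"
    missing=0
    for want in 'auth[[:space:]]*=[[:space:]]*yes' \
                'auth_badpass[[:space:]]*=[[:space:]]*yes' \
                'auth_goodpass[[:space:]]*=[[:space:]]*no' \
                '\$INCLUDE[[:space:]]+sql\.conf'; do
        if ! grep -Eq "^[[:space:]]*$want" "$conf"; then
            printf 'missing in %s: %s\n' "$conf" "$want"
            missing=1
        fi
    done
    return "$missing"
}

# Demo when run as `sh this_script.sh demo`: prints the SQL and the sql {}
# block with the lab values from Appendix A; set RADIUS_DB_PASS to use a
# password of your own instead of the thesis's lab value.
if [ "${1:-}" = "demo" ]; then
    pass="${RADIUS_DB_PASS:-setupRADIUS}"
    radius_sql_bootstrap radius "$pass" radius
    radius_sql_module radius "$pass" radius
fi
```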

Wireshark

Output Screenshots


APPENDIX B

Survey Results

1. Select your gender.

Female 56

Male 236

Grand Total 292

2. Please select your age.

19 years 8

20 years 11

21 years 22

22 years 21

23 years 40

24 years 59

25 years 30

26 years 19

27 years 14

28 years 22

29 years 9

30 years 8

30+ years 29

Grand Total 292

3. At which school do you study?

Business 1

Culture Department 1

Digital Image production 1

DSN 2

Economics 3

Masters in computer security 1

Media design and spatial planning 3

MSLS 1

Nursing 1

School of Computing 141

School of Engineering 121

School of Management 8

School of Media 1

School of planning 2

School of Software Engineering 1

School of Spatial Planning 2

School of urban design 1

School of urban planning 1

Grand Total 292


4. Do you have knowledge on computer networks?

No 71

Yes 221

Grand Total 292

5. Do you consider security to be important when you use a network?

Maybe 19

No 3

Yes 270

Grand Total 292

6. Which of the following scenarios would you prefer when connecting to a network?

High security with a long connection time 229

Low security with a short connection time 63

Grand Total 292

7. How long time would you be willing to wait for a connection to a network to be established, if you know nothing of the security of the connection?

1 second 26

1-3 seconds 84

3-5 seconds 95

5-8 seconds 43

more than 8 seconds 44

Grand Total 292

8. How long time would you be willing to wait for a connection to a network to be established, if longer time yields higher security?

1 second 4

1-3 seconds 36

3-5 seconds 69

5-8 seconds 105

more than 8 seconds 78

Grand Total 292

9. How often do you use an Internet connection at the BTH Campus?

Daily 158

More than once in week 63

Once in a month 23

Once in a week 48

Grand Total 292

10. Which type of network do you choose in BTH campus?


Wired 26

Wireless 266

Grand Total 292

11. Do you regard the security of the BTH networks to be enough to keep your data confidential?

No 63

Yes 229

Grand Total 292

12. Have you thought about the security of the BTH networks before you answered this survey?

No 97

Yes, but only once or twice 106

Yes, many times 89

Grand Total 292

13. If network connection security were to be upgraded in the network you are using at BTH to get a higher security, inducing higher connection times, would you be willing to wait for a few more seconds or would you prefer the security and connection time to remain the same as before?

I am willing to wait a few seconds extra 206

I would want it to remain the same as before 86

Grand Total 292