6. SecurID, developed by RSA Security (see Footnote 9.20 on page 348).
7. SIM, Subscriber Identity Module, a card that interfaces with GSM (see Footnote 9.17) technology.
8. AKA, Authentication and Key Agreement, is an INTERNET-DRAFT (see [9]), which is based on per-station shared secrets.
EAP was initially intended as an extension of PPP, the Point-to-Point Protocol, which provides a mechanism for connecting a computer to the Internet. PPP operates at the data-link layer, carrying TCP/IP packets to an access server, which then forwards them onto the Internet.
EAP is an authentication framework rather than a single authentication method. It is carried by a port-based network access control mechanism (802.1X, described below) that must complete authentication before any port access is allowed. The reason EAP is called "extensible" is that new authentication methods can be introduced in the future, and this may be accomplished without changing the protocol's own specification.
In EAP authentication, a Master Key (MK) is established between Alice and the authentication server. From the MK the authentication server derives the Pairwise Master Key (PMK), which binds Alice to the AP for that particular connection, so it is handed to the AP for that session. The authentication server makes a fresh PMK for every such connection. Other transient keys are derived from the PMK, including the Temporal Key (TK), which is the key that actually protects data traffic. When the connection is dropped or terminated, the PMK is discarded.
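The steps from the PMK downward, as an added example (this is not code from the book and not any vendor's implementation): it follows the IEEE 802.11i pairwise key expansion, the standard from which the text's PMK and TK come, and models just enough of the 4-way handshake to show how the PMK binds Alice to the AP. The PMK, MAC addresses and nonces are constructed sample values; the message bodies are stand-ins for real EAPOL-Key frames; the EAPOL-Key MIC algorithms (HMAC-MD5 for descriptor version 1 as used with TKIP, HMAC-SHA1 truncated to 128 bits for version 2) are those of the standard.

```python
import hashlib
import hmac
import os

# Constructed sample values for illustration only (not from the page).
SAMPLE_PMK = hashlib.sha256(b"constructed sample PMK handed down by the AS").digest()
AP_MAC = bytes.fromhex("001122334455")    # AA: authenticator (AP) address
STA_MAC = bytes.fromhex("66778899aabb")   # SPA: supplicant (Alice) address


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """PRF-X of IEEE 802.11i: concatenate HMAC-SHA1(key, label || 0x00 || data || i)
    for i = 0, 1, ... and truncate the result to nbits."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk, aa, spa, anonce, snonce, cipher="TKIP"):
    """Expand the PMK into the Pairwise Transient Key and slice out KCK, KEK and TK.

    PTK = PRF-X(PMK, "Pairwise key expansion",
                Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
    X is 512 for TKIP (the WPA cipher) and 384 for CCMP. The Min/Max ordering
    means the supplicant and the AP compute identical bytes whichever role they hold.
    """
    if len(pmk) != 32 or len(aa) != 6 or len(spa) != 6 or len(anonce) != 32 or len(snonce) != 32:
        raise ValueError("PMK must be 32 bytes, MAC addresses 6 bytes, nonces 32 bytes")
    nbits = {"TKIP": 512, "CCMP": 384}[cipher]
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, nbits)
    keys = {
        "PTK": ptk,
        "KCK": ptk[0:16],   # Key Confirmation Key: MICs the handshake messages
        "KEK": ptk[16:32],  # Key Encryption Key: wraps the group key sent in message 3
        "TK": ptk[32:],     # Temporal Key: the key applied to data frames
    }
    if cipher == "TKIP":
        keys["TK_enc"] = ptk[32:48]          # 128-bit temporal encryption key
        keys["MIC_ap_to_sta"] = ptk[48:56]   # Michael MIC keys, one per direction
        keys["MIC_sta_to_ap"] = ptk[56:64]
    return keys


def eapol_mic(kck: bytes, body: bytes, version: int) -> bytes:
    """EAPOL-Key MIC: descriptor version 1 (WPA/TKIP) uses HMAC-MD5,
    version 2 (RSN/CCMP) uses HMAC-SHA1 truncated to 128 bits."""
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, body, digest).digest()[:16]


def four_way_handshake(pmk_ap, pmk_sta, aa=AP_MAC, spa=STA_MAC, cipher="TKIP"):
    """Model the 4-way handshake far enough to show how the PMK binds Alice to the AP.

    Each side derives the PTK locally; only nonces cross the air. The AP accepts
    message 2 only if its MIC verifies under the AP's own KCK, i.e. only if the
    supplicant holds the same PMK the authentication server gave the AP.
    Returns the agreed TK, or raises if the two sides do not share a PMK.
    """
    version = 1 if cipher == "TKIP" else 2
    anonce = os.urandom(32)                                   # msg 1: AP -> STA (ANonce)
    snonce = os.urandom(32)
    sta = derive_ptk(pmk_sta, aa, spa, anonce, snonce, cipher)
    msg2 = b"EAPOL-Key msg2 " + snonce                        # msg 2: STA -> AP (SNonce, MIC)
    mic2 = eapol_mic(sta["KCK"], msg2, version)
    ap = derive_ptk(pmk_ap, aa, spa, anonce, snonce, cipher)  # AP derives PTK once it has SNonce
    if not hmac.compare_digest(mic2, eapol_mic(ap["KCK"], msg2, version)):
        raise ValueError("message 2 MIC failed: supplicant does not hold this AP's PMK")
    msg3 = b"EAPOL-Key msg3 " + anonce                        # msg 3: AP -> STA (ANonce, MIC, GTK)
    mic3 = eapol_mic(ap["KCK"], msg3, version)
    if not hmac.compare_digest(mic3, eapol_mic(sta["KCK"], msg3, version)):
        raise ValueError("message 3 MIC failed")              # msg 4 would confirm key installation
    assert sta["TK"] == ap["TK"]
    return ap["TK"]


if __name__ == "__main__":
    tk = four_way_handshake(SAMPLE_PMK, SAMPLE_PMK)
    print("TK (TKIP, 256 bits):", tk.hex())
```

Note that the PMK never travels over the wireless link: the AP receives it from the authentication server, Alice derives it from the MK, and the handshake only proves to each side that the other holds it. Discarding the PMK at the end of the session, as the text describes, therefore also invalidates every PTK and TK derived from it.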
WPA — The Interim Solution
Because the key recovery attack on WEP became increasingly easy to mount, with attack tools circulating freely on the Internet, there was a call for an interim solution, out of which came WPA. As noted earlier, WPA is a subset of RSN. It is designed so that only software or firmware upgrades are required for existing WLANs running WEP (it runs as a security layer over WEP, retaining WEP's encryption engine as a sub-component), allowing current WEP hardware to remain unaltered and with minimal performance degradation from the fixes it imposes.
Authentication for WPA is essentially done through the above-described EAP process. The mandatory protocols for WPA include RADIUS (see Footnote 9.18), EAP, and one called 802.1X, whose principal purpose is to control access at the juncture where a client joins a network. Originally designed for wired LANs, 802.1X's objective is to control port access by using the AP as the analogue of a wired
9.17 GSM originally stood for Groupe Spécial Mobile; it was developed in Europe and brought into service in the early 1990s as a standard for mobile phones. (It is now called Global System for Mobile Communications.) It was the first wireless telephony architecture to provide user authentication, confidentiality, and key agreement. It is a standard for digital cellular communications, currently used in the 900-MHz and 1800-MHz bands.
9.18 This is Remote Authentication Dial In User Service, defined in [205], a client-server protocol that lets a remote-access server (here the AP) forward a user's credentials to a central authentication server, which decides whether to grant access to the requested system. However, RSN, being a superset of WPA, does not require RADIUS for the authentication server, which permits more flexibility in implementation.
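The port-control behaviour described for 802.1X above, as an added example (not code from the book, and not a real authenticator implementation): a small model of one authenticator port with its two logical ports. The uncontrolled port is always open but admits only EAPOL frames, which are relayed to the authentication server; the controlled port, which carries everything else, stays closed until the server returns EAP-Success. The frame sequence in run_session is constructed, not captured, and the model leaves out timers, retransmission and the EAPOL-Key handshake that follows a successful authentication.

```python
from dataclasses import dataclass

ETHERTYPE_EAPOL = 0x888E          # EAP over LAN (802.1X) frames
ETHERTYPE_IPV4 = 0x0800
# EAPOL packet types (IEEE 802.1X) and EAP codes (RFC 3748)
EAPOL_EAP_PACKET, EAPOL_START, EAPOL_LOGOFF = 0, 1, 2
EAP_SUCCESS, EAP_FAILURE = 3, 4


@dataclass
class Frame:
    src: str                              # supplicant MAC, kept as text for readability
    ethertype: int
    eapol_type: int = EAPOL_EAP_PACKET    # only meaningful when ethertype is EAPOL
    payload: bytes = b""


class AuthenticatorPort:
    """One 802.1X port on the authenticator (for an AP: one client association).

    Two logical ports sit behind the one physical attachment point:
    the uncontrolled port, always open but only for EAPOL, feeding the EAP relay;
    the controlled port, carrying all other traffic, closed until EAP-Success.
    """

    def __init__(self):
        self.authorized = False    # state of the controlled port
        self.relayed_to_as = []    # EAP payloads handed to the AS (over RADIUS in WPA)
        self.forwarded = []        # frames that actually reached the network

    def receive(self, frame: Frame) -> str:
        if frame.ethertype == ETHERTYPE_EAPOL:
            if frame.eapol_type == EAPOL_LOGOFF:
                self.authorized = False              # supplicant leaves: close the port
                return "logoff"
            if frame.eapol_type == EAPOL_START:
                return "identity-request"            # authenticator answers with EAP-Request/Identity
            self.relayed_to_as.append(frame.payload)
            return "relayed-to-as"
        if self.authorized:
            self.forwarded.append(frame)
            return "forwarded"
        return "dropped"                             # controlled port closed: no network access yet

    def as_decision(self, eap_code: int) -> bool:
        """Apply the authentication server's verdict (EAP-Success or EAP-Failure)."""
        self.authorized = eap_code == EAP_SUCCESS
        return self.authorized


def run_session(verdict: int = EAP_SUCCESS):
    """Walk one supplicant through the port and return what happened to each frame.
    The sequence is constructed for illustration."""
    port = AuthenticatorPort()
    sta = "66:77:88:99:aa:bb"
    log = []
    log.append(port.receive(Frame(sta, ETHERTYPE_IPV4, payload=b"DHCP Discover")))     # before auth
    log.append(port.receive(Frame(sta, ETHERTYPE_EAPOL, EAPOL_START)))
    log.append(port.receive(Frame(sta, ETHERTYPE_EAPOL, payload=b"EAP-Response/Identity alice")))
    port.as_decision(verdict)          # AS verdict arrives (in WPA: inside the RADIUS reply)
    log.append(port.receive(Frame(sta, ETHERTYPE_IPV4, payload=b"DHCP Discover")))     # after verdict
    log.append(port.receive(Frame(sta, ETHERTYPE_EAPOL, EAPOL_LOGOFF)))
    log.append(port.receive(Frame(sta, ETHERTYPE_IPV4, payload=b"ICMP echo")))         # after logoff
    return log


if __name__ == "__main__":
    for step, outcome in zip(("ip-before", "start", "identity", "ip-after", "logoff", "ip-final"),
                             run_session()):
        print(f"{step:12s} -> {outcome}")
```

The point the model makes explicit is that the authenticator itself never evaluates credentials: it only relays EAP and flips the controlled port on the server's verdict, which is why an AP running WPA needs RADIUS (or, under RSN, some other channel to an authentication server) but no knowledge of the EAP method in use.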