Chapter 7 - EAP Flashcards

1
Q

What is the basic architecture of EAP?

A

Extensible Authentication Protocol (EAP):
- Supplicant
- Authenticator
- EAP server

2
Q

How is an EAP message structured?

A
  • 8 bit code - request, response, success, failure
  • 8 bit identifier
  • 16 bit length
  • n bit data
3
Q

How does EAP-TLS work?

A
  • Uses TLS 1.3

Handshake:
- Server initiates EAP-TLS
- Supplicant sends “Client Hello” with supported algorithms, Client-DH and Client Rand
- Server computes Master Secret
- Server sends “Server Hello” with selected algorithms, server-DH, server rand + encrypted and integrity protected: Certificate Request, Server Certificate, Certificate verify, Finished
- Client checks Certificate Verify with Server Certificate
- Client computes Master Secret
- Client sends encrypted and integrity protected: Client certificate, Client verify, Finished
- Server checks Client verify with Client certificate

4
Q

What is EAP-TTLS? How can it be attacked?

A
  • EAP-TLS with server authentication only
  • Client is authenticated after handshake and is protected with generated keys (e.g. password based (PAP))

On EAP-TTLS with PAP:
Evil Twin with fake certificate:
- If MD doesn't check the certificate or the attacker has a certificate from the same root certificate
- Attacker obtains username/password

5
Q

How does EAP-TTLS with MSCHAPv2 work?

A
  • Client and server compute challenge in TLS handshake
  • Client computes response with password and sends response and peer challenge to TTLS Server
  • TTLS verifies response and forwards peer challenge to AAA-server
  • AAA-server replies with peer-response using stored password
6
Q

Why is an EMSK needed in EAP?

A

EAP re-authentication:
- Large networks with roaming (e.g. eduroam) have multiple networks with a local EAP server and a home EAP server.
- Local EAP server acts as a proxy
- To avoid re-authentication with the home EAP server, the EMSK is saved on the local EAP server
- Used to derive future MSKs

7
Q

How is EAP re-authentication done?

A
  • Home EAP server provides local EAP server with a Domain-Specific Root Key (DSRK) based on the Extended MSK (EMSK)
  • Local EAP server derives the Domain-Specific re-authentication Root Key (DS-rRK). It can then derive the rMSK for re-authentication
  • Supplicant initiates EAP re-authentication with the re-authentication Integrity Key
  • Local server derives rMSK and sends it in EAP finish