Sebastien Boire
ABSTRACT
The Extensible Authentication Protocol (EAP) is used for authenticating client devices to WiFi networks, and it is designed to be extensible with new authentication methods. We look at ways to extend the protocol to support credential provisioning and configuration of new client devices. As large numbers of IoT devices are deployed, the task will be simplified by combining the network connectivity, identity and certificate provisioning, and application-layer connectivity to one process. The solution will also allow the use of a one-time credential for the initial authentication, so that the long-term device certificate is issued automatically after the first connection to the network. The paper analyzes the requirements and architectural design options that implement such a user experience. We consider solutions that transfer short bootstrapping data inside the EAP session and then implement the provisioning and configuration with web APIs over HTTPS. This allows future flexibility and speed of development in the provisioning and configuration steps. We designed and implemented several architecturally different solutions and present the comparison results and also compare with previous proposals that have similar goals.
- Tolgahan Akgun and Sebastien Boire. 2021. EAP-OPROV. https://github.com/Sebastien2/EAP-PROVGoogle Scholar
- Open Mobile Alliance. 2017--2021. OMA Specifications. Open Mobile Alliance. http://openmobilealliance.org/wp/index.htmlGoogle Scholar
- Android documentation. 2020. Verifying hardware-backed key pairs with key attestation. https://developer.android.com/training/articles/security-key-attestationGoogle Scholar
- Tuomas Aura, Mohit Sethi, and Aleksi Peltonen. 2021. Nimble out-of-band authentication for EAP (EAP-NOOB). Internet-Draft draft-ietf-emu-eap-noob-04. Internet Engineering Task Force. https://www.ietf.org/archive/id/draft-ietf-emu-eap-noob-04.txtGoogle Scholar
- Cisco. 2021. Implementing Network Admission Control Phase One Configuration and Deployment. https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Security/ImplNAC/ImpNAC/nac01.htmlGoogle Scholar
- Geoffrey Cooper, Brad Behm, Ankur Chakraborty, Hanu Kommalapati, Giri Mandyam, and Hannes Tschofenig. 2020. FIDO Device Onboard Specification. Review Draft December 02, 2020. FIDO Alliance. https://fidoalliance.org/specs/FDO/FIDO-Device-Onboard-RD-v1.0--20201202.htmlGoogle Scholar
- Open Connectivity Foundation. 2021. OCF Specification 2.2.3, April 14, 2021. https://openconnectivity.org/developer/specifications/Google Scholar
- IBM. 2021. IBM Watson IoT Platform. https://internetofthings.ibmcloud.com/Google Scholar
- Michael Jones. 2015. JSON Web Algorithms (JWA). RFC 7518. https://doi.org/10.17487/RFC7518Google ScholarDigital Library
- Michael Jones, John Bradley, and Nat Sakimura. 2015. JSON Web Token (JWT). RFC 7519. https://doi.org/10.17487/RFC7519Google ScholarDigital Library
- Jouni Malinen. 2013. hostapd and wpa supplicant. https://w1.fi/Google Scholar
- Microsoft. 2021. NAP Server-side Architecture. https://docs.microsoft.com/en-us/windows/win32/nap/nap-server-side-architectureGoogle Scholar
- Massimiliano Pala. 2020 a. Credentials Provisioning and Management via EAP (EAP-CREDS). Internet-Draft draft-pala-eap-creds-07. Internet Engineering Task Force. https://datatracker.ietf.org/doc/html/draft-pala-eap-creds-07 Work in Progress.Google Scholar
- Massimiliano Pala. 2020 b. EAP-CREDS: Enabling Policy-Oriented Credential Management in Access Networks. https://www.cablelabs.com/eap-creds-enabling-policy-oriented-credential-management-in-access-networksGoogle Scholar
- Nick L. Petroni, John Vollbrecht, Yoshihiro Ohba, and Pasi Eronen. 2005. State Machines for Extensible Authentication Protocol (EAP) Peer and Authenticator. RFC 4137. https://doi.org/10.17487/RFC4137Google ScholarDigital Library
- Max Pritikin, Peter E. Yee, and Dan Harkins. 2013. Enrollment over Secure Transport. RFC 7030. https://doi.org/10.17487/RFC7030Google ScholarDigital Library
- Eric Rescorla and Tim Dierks. 2008. The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246. https://doi.org/10.17487/RFC5246Google ScholarDigital Library
- Jukka-Pekka Sarjanen. 2019. Simplest Git repository for EST provisioning. https://github.com/abrox/simplestGoogle Scholar
- Mohit Sethi, Elena Oat, Mario Di Francesco, and Tuomas Aura. 2014. Secure Bootstrapping of Cloud-Managed Ubiquitous Displays. In Proceedings of the 2014 ACM International Joint Conference on Pervasive and Ubiquitous Computing (UbiComp '14). ACM, 739--750. https://doi.org/10.1145/2632048.2632049Google ScholarDigital Library
- John Vollbrecht and Larry Blunk. 1998. PPP Extensible Authentication Protocol (EAP). RFC 2284. https://doi.org/10.17487/RFC2284Google ScholarDigital Library
- John Vollbrecht, James D. Carlson, Larry Blunk, Dr. Bernard D. Aboba, and Henrik Levkowetz. 2004. Extensible Authentication Protocol (EAP). RFC 3748. https://doi.org/10.17487/RFC3748Google ScholarDigital Library
- Hao Zhou, Nancy Cam-Winget, Joseph A. Salowey, and Steve Hanna. 2014. Tunnel Extensible Authentication Protocol (TEAP) Version 1. RFC 7170. https://doi.org/10.17487/RFC7170Google ScholarDigital Library
Index Terms
- Credential Provisioning and Device Configuration with EAP
Recommendations
USIM-based EAP-TLS authentication protocol for wireless local area networks
Due to the rapid growth in popularity of Wireless Local Area Network (WLAN), wireless security has become one of many important research issues. For the WLAN security, the IEEE 802.1X standard provides an authentication framework that is based on the ...
Network access authentication infrastructure using EAP-TTLS on diameter EAP application
AINTEC '11: Proceedings of the 7th Asian Internet Engineering ConferenceIn our universal AAA (Authentication, Authorization, and Accounting) infrastructure project, we have already developed the implementations of Diameter Base Protocol and Diameter EAP Application. As part of this project, we developed the first open-...
Comments