Wikipedia

Protected Extensible Authentication Protocol

PEAP is also an acronym for Personal Egress Air Packs.

The Protected Extensible Authentication Protocol, also known as Protected EAP or simply PEAP, is a protocol that encapsulates the Extensible Authentication Protocol (EAP) within an encrypted and authenticated Transport Layer Security (TLS) tunnel.[1][2][3][4] The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.[5]

PEAP was jointly developed by Cisco Systems, Microsoft, and RSA Security. PEAPv0 was the version included with Microsoft Windows XP and was nominally defined in draft-kamath-pppext-peapv0-00. PEAPv1 and PEAPv2 were defined in different versions of draft-josefsson-pppext-eap-tls-eap. PEAPv1 was defined in draft-josefsson-pppext-eap-tls-eap-00 through draft-josefsson-pppext-eap-tls-eap-05,[6] and PEAPv2 was defined in versions beginning with draft-josefsson-pppext-eap-tls-eap-06.[7]

The protocol only specifies chaining multiple EAP mechanisms and not any specific method.[3][8] However, the EAP-MSCHAPv2 and EAP-GTC methods are the most commonly supported inner methods.[citation needed]

Overview

PEAP is similar in design to EAP-TTLS: it requires only a server-side PKI certificate, which the client uses to authenticate the server, and it then creates an encrypted TLS tunnel between the client and the authentication server to protect user authentication. In most configurations, the keys for this encryption are transported using the server's public key. The subsequent exchange of authentication information inside the tunnel, which authenticates the client, is therefore encrypted, and user credentials are protected from eavesdropping.

As of May 2005, there were two PEAP sub-types certified for the updated WPA and WPA2 standard. They are:

  • PEAPv0/EAP-MSCHAPv2
  • PEAPv1/EAP-GTC

PEAPv0 and PEAPv1 both refer to the outer authentication method and are the mechanisms that create the secure TLS tunnel to protect subsequent authentication transactions. EAP-MSCHAPv2 and EAP-GTC refer to the inner authentication methods which provide user or device authentication. A third authentication method commonly used with PEAP is EAP-SIM.

Within Cisco products, PEAPv0 supports inner EAP methods EAP-MSCHAPv2 and EAP-SIM while PEAPv1 supports inner EAP methods EAP-GTC and EAP-SIM. Since Microsoft only supports PEAPv0 and doesn't support PEAPv1, Microsoft simply calls it "PEAP" without the v0 or v1 designator. Another difference between Microsoft and Cisco is that Microsoft only supports the EAP-MSCHAPv2 method and not the EAP-SIM method.

However, Microsoft supports another form of PEAPv0 (which Microsoft calls PEAP-EAP-TLS) that many Cisco and other third-party server and client software products don't support. PEAP-EAP-TLS requires installation of a client-side digital certificate or, more securely, a smartcard on each client. PEAP-EAP-TLS is very similar in operation to the original EAP-TLS but provides slightly more protection, because portions of the client certificate that are sent unencrypted in EAP-TLS are encrypted inside the tunnel in PEAP-EAP-TLS. Ultimately, PEAPv0/EAP-MSCHAPv2 is by far the most prevalent implementation of PEAP, due to the integration of PEAPv0 into Microsoft Windows products. Cisco's CSSC client (discontinued in 2008[9]) now supports PEAP-EAP-TLS.

PEAP has been so successful in the marketplace that even Funk Software (acquired by Juniper Networks in 2005), the inventor and backer of EAP-TTLS, added support for PEAP in its server and client software for wireless networks.

PEAPv0 with EAP-MSCHAPv2

MS-CHAPv2 is an old authentication protocol which Microsoft introduced with Windows NT 4.0 SP4 and Windows 98.

PEAPv0/EAP-MSCHAPv2 is the most common form of PEAP in use, and what is usually referred to as PEAP. The inner authentication protocol is Microsoft's Challenge Handshake Authentication Protocol, meaning it allows authentication to databases that support the MS-CHAPv2 format, including Microsoft NT and Microsoft Active Directory.

Behind EAP-TLS, PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world. There are client and server implementations of it from various vendors, including support in all recent releases from Microsoft, Apple Computer and Cisco. Other implementations exist, such as the xsupplicant from the Open1x.org project, and wpa_supplicant.

As with other 802.1X and EAP types, dynamic encryption can be used with PEAP.

A CA certificate must be configured on each client so that the client can authenticate the server before it submits authentication credentials. If the server certificate is not validated against that CA, it is in general trivial to introduce a fake wireless access point, which then allows gathering of MS-CHAPv2 handshakes.[10]
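As an added illustration of the point above (not from the article), the two wpa_supplicant network blocks below configure PEAPv0/EAP-MSCHAPv2 first without server validation and then with the CA pinned and the expected server name checked; the SSID, identity, CA path and server name are placeholders.

```conf
# Added example, not from the article: wpa_supplicant.conf network blocks
# for PEAPv0/EAP-MSCHAPv2. The SSID, identity, password, CA path and
# server name are placeholders.

# WEAK: no ca_cert is set, so the supplicant accepts any server certificate
# and will run the MS-CHAPv2 exchange inside a tunnel to a rogue access point.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="placeholder-password"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}

# HARDENED: the server certificate chain must validate against the pinned CA
# and the certificate must carry the expected server name before the
# supplicant sends credentials through the tunnel. The outer identity is
# sent in cleartext, so an anonymous one is used there.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    anonymous_identity="anonymous@example.com"
    password="placeholder-password"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase1="peapver=0"
    phase2="auth=MSCHAPV2"
}
```

Without `ca_cert`, wpa_supplicant logs a warning that no CA certificate is configured and continues; the hardened block makes a certificate mismatch a hard failure.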

Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks making them feasible with modern hardware.[11]

PEAPv1 with EAP-GTC

PEAPv1/EAP-GTC was created by Cisco to provide interoperability with existing token card and directory-based authentication systems via a protected channel. Even though Microsoft co-invented the PEAP standard, Microsoft never added general support for PEAPv1, which means PEAPv1/EAP-GTC has no native Windows OS support. Since Cisco has typically recommended lightweight EAP protocols such as LEAP and EAP-FAST instead of PEAP, the latter has not been as widely adopted as some had hoped.

With no interest from Microsoft in supporting PEAPv1 and no promotion from Cisco, PEAPv1 authentication is rarely used.[when?] Even in Windows 7, released in late 2009, Microsoft has not added support for any inner authentication method other than MSCHAPv2.

Nokia E66 and later mobile phones ship with a version of Symbian which includes EAP-GTC support.

LDAP (Lightweight Directory Access Protocol) only supports EAP-GTC.[citation needed]

References

  1. "Understanding the updated WPA and WPA2 standards". ZDNet. 2005-06-02. Retrieved 2012-07-17.
  2. Microsoft's PEAP version 0, draft-kamath-pppext-peapv0-00, §1.1
  3. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-10, abstract
  4. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-10, §1
  5. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-07, §1
  6. Protected EAP Protocol (PEAP), draft-josefsson-pppext-eap-tls-eap-05, §2.3
  7. Protected EAP Protocol (PEAP), draft-josefsson-pppext-eap-tls-eap-06, §2.3
  8. Protected EAP Protocol (PEAP) Version 2, draft-josefsson-pppext-eap-tls-eap-10, §2
  9. "End-of-Sale and End-of-Life Announcement for the Cisco Secure Services Client v4.0". Cisco. Retrieved 2021-05-04.
  10. "Man-in-the-Middle in Tunneled Authentication Protocols" (PDF). Nokia Research Center. Retrieved 14 November 2013.
  11. "Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate". 2016-03-16. Archived from the original on 2016-03-16. Retrieved 2022-10-19.

External links

  • Kamath, Vivek; Palekar, Ashwin; Wodrich, Mark (25 October 2002). Microsoft's PEAP version 0 (Implementation in Windows XP SP1). IETF. I-D draft-kamath-pppext-peapv0-00.
  • draft-josefsson-pppext-eap-tls-eap: the EAP-TLS protocol specifications
