Nothing Special   »   [go: up one dir, main page]
Skip to main content
Springer Nature Link
Log in

Authentication Components: Engineering Experiences and Guidelines

  • Conference paper
Security Protocols (Security Protocols 2004)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 3957))

Included in the following conference series:

  • 419 Accesses

Abstract

Security protocols typically employ an authentication phase followed by a protected data exchange. In some cases, such TLS, these two phases are tightly integrated, while in other cases, such as EAP (Extensible Authentication Protocol) and Kerberos, they are separate and often implemented in different endpoints. However, careless application of this separation has lead to several vulnerabilities. In this paper we discuss reasons why this separation is often useful, what mistakes have been made, and what these mistakes have in common. We then describe some approaches how these problems could be avoided, especially focusing on EAP in wireless LANs. We also present some engineering observations that should be taken into account when designing reusable authentication components in the future.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Institutional subscriptions

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

Similar content being viewed by others

References

  1. Abadi, M., Needham, R.: Prudent Engineering Practice for Cryptographic Protocols. IEEE Transactions on Software Engineering 22(1), 6–15 (1996)

    Article  Google Scholar 

  2. Aboba, B., Calhoun, P.: RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication Protocol (EAP), RFC 3579 (2003)

    Google Scholar 

  3. Aboba, B., Simon, D., Arkko, J., Levkowetz, H.: EAP Key Management Framework, work in progress (IETF Internet-Draft draft-ietf-eap-keying-01.txt) (2003)

    Google Scholar 

  4. Arkko, J., Eronen, P.: Authenticated Service Identities for the Extensible Authentication Protocol (EAP), work in progress (2004)

    Google Scholar 

  5. Asokan, N., Niemi, V., Nyberg, K.: Man-in-the-middle in tunnelled authentication protocols. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds.) Security Protocols 2003. LNCS, vol. 3364, pp. 28–41. Springer, Heidelberg (2005)

    Chapter  Google Scholar 

  6. Barkan, E., Biham, E., Keller, N.: Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 600–616. Springer, Heidelberg (2003)

    Chapter  Google Scholar 

  7. Blunk, L., Vollbrecht, J., Aboba, B., Carlson, J., Levkowetz, H.: Extensible Authentication Protocol (EAP), work in progress (IETF Internet-Draft draft-ietf-eap-rfc2284bis-09.txt) (2004)

    Google Scholar 

  8. Clark, D.D., Wroclawski, J., Sollins, K.R., Braden, R.: Tussle in Cyberspace: Defining Tomorrow’s Internet. In: Proc. ACM SIGCOMM 2002 (2002)

    Google Scholar 

  9. Ericsson, Sonera, T.: Implications of the A5/2 Attack for 3GPP WLAN Access, 3GPP TSG SA3 working document S3-030733 (2003)

    Google Scholar 

  10. Eronen, P., Hiller, T., Zorn, G.: Diameter Extensible Authentication Protocol (EAP) Application, work in progress (IETF Internet-Draft draft-ietf-aaa-eap-05.txt) (2004)

    Google Scholar 

  11. Institute of Electrical and Electronics Engineers. IEEE Standard for Information technology – Telecommunications and information exchange between systems – Local and metropolitan area networks – Specific requirements – Part 11: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications: Amendment 6: Medium Access Control (MAC) Security Enhancements, work in progress (IEEE Draft P802.11i/10.0) (2004)

    Google Scholar 

  12. Haverinen, H., Salowey, J.: EAP SIM Authentication, work in progress (IETF Internet-Draft draft-haverinen-pppext-eap-sim-13.txt) (2004)

    Google Scholar 

  13. Housley, R., Moore, T.: Certificate Extensions and Attributes Supporting Authentication in Point-to-Point Protocol (PPP) and Wireless Local Area Networks (WLAN), RFC 3770 (2004)

    Google Scholar 

  14. Kaufman, C. (ed.): Internet Key Exchange (IKEv2) Protocol, work in progress (IETF Internet-Draft draft-ietf-ipsec-ikev2-13.txt) (2004)

    Google Scholar 

  15. Kohl, J., Neuman, C.: The Kerberos Network Authentication service (V5), RFC 1510 (1993)

    Google Scholar 

  16. Krawzcyk, H.: Changes to EAP methods, message on eap@frascone.com mailing list (2003-09-03), http://mail.frascone.com/pipermail/public/eap/2003-September/001638.html

  17. Linn, J.: Generic Security Service Application Program Interface Version 2, Update 1, RFC 2743 (2000)

    Google Scholar 

  18. Myers, J.: Simple Authentication and Security Layer (SASL), RFC 2222 (1997)

    Google Scholar 

  19. Nokia, Using Special RANDs to separate WLAN and GSM/GPRS, 3GPP TSG SA3 working document S3-040100 (2004)

    Google Scholar 

  20. Orange and Vodafone, Introducing the special RAND mechanism, 3GPP TSG SA3 working document S3-030698 (2003)

    Google Scholar 

  21. Puthenkulam, J., Lortz, V., Palekar, A., Simon, D.: The Compound Authentication Binding Problem, work in progress (IETF Internet-Draft draft-puthenkulam-eap-binding-04.txt) (2003)

    Google Scholar 

  22. 3rd Generation Partnership Project, Technical Specification Group Core Network; Numbering, addressing and identification (Release 5), 3GPP Technical Specification 23.003 V5.8.0 (2003)

    Google Scholar 

  23. 3rd Generation Partnership Project, Technical Specification Group Services and System Aspects; 3G Security; Security Architecture (Release 5), 3GPP Technical Specification 33.102 V5.1.0 (2002)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Nokia Research Center, Finland

    Pasi Eronen

  2. Ericsson Research NomadicLab, Finland

    Jari Arkko

Authors
  1. Pasi Eronen
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Jari Arkko
    View author publications

    You can also search for this author in PubMed Google Scholar

Editor information

Editors and Affiliations

  1. Computer Science Department, University of Hertfordshire, UK

    Bruce Christianson

  2. Computer Systems Group, Vrije Universiteit, Amsterdam, The Netherlands

    Bruno Crispo

  3. Georgia Institute of Technology, Atlanta, GA, USA

    James A. Malcolm

  4. Microsoft Research, Cambridge, UK

    Michael Roe

Rights and permissions

Reprints and permissions

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Eronen, P., Arkko, J. (2006). Authentication Components: Engineering Experiences and Guidelines. In: Christianson, B., Crispo, B., Malcolm, J.A., Roe, M. (eds) Security Protocols. Security Protocols 2004. Lecture Notes in Computer Science, vol 3957. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11861386_8

Download citation

  • DOI: https://doi.org/10.1007/11861386_8

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-40925-0

  • Online ISBN: 978-3-540-40926-7

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation