Wireless Security
Wi-Fi Alliance Expands WPA2 to include EAP-AKA, EAP-FAST Jul 28 2009 03:03PM
Joshua Wright (jwright hasborg com)

Yesterday the Wi-Fi Alliance announced an expanded testing regimen for
WPA2 including the EAP-AKA and EAP-FAST authentication methods.


When I was working at Aruba Networks, I spoke up against the inclusion
of EAP-FAST in WPA2. While EAP-FAST can be a very secure protocol, it
suffers from a PAC provisioning security weakness.

With EAP-FAST, each client needs a Protected Access Credential (PAC) for
authentication. The PAC is unique for each device on the network. The
long-standing challenge with EAP-FAST is how to get the PAC to the end-user.

You can generate a PAC and sneaker-net it to the client, but this
doesn't scale very well. You can deliver the PAC through Active
Directory or some other management mechanism, but this assumes you have
some network access in the first place (which doesn't work for the
all-wireless office concept). Cisco's solution is to use
EAP-FAST-Phase-0 which uses anonymous Diffie-Hellman authentication*
(meaning an attacker can impersonate the AP and RADIUS server, getting
access to inner authentication credentials such as MS-CHAPv2 for a short

Cisco advises customers to turn on EAP-FAST-Phase-0 for a short time
until all the PACs are provisioned, acknowledging a short period of
vulnerability. In my experience, organizations might turn off anonymous
PAC provisioning until they have a new batch of wireless clients to
authorize, then it gets turned back on and left on.

EAP-FAST can be a very secure protocol, and in Cisco's defense there
isn't an easy answer to the problem of "secure and simple authentication
with no certificates, kthxbye". For me, the Wi-Fi Alliance has to look
at the whole picture of a given EAP method, and certify only those that
have a well-rounded security picture, from provisioning to revocation
and everything in-between. I'm disappointed that EAP-FAST will get more
traction as a result of this change as I think it's a negative as far as
wireless security is concerned (but hey, it keeps me employed as a
penetration tester).

-Josh

p.s. On Thursday I'm delivering a webcast on "Budget Wireless Assessment
Using Kismet Newcore". Attendees will also get a 10% discount on my
upcoming SANS Ethical Hacking Wireless class, details at

* To be fair, you can also use PKI configured on the client and PAC
server to protect the PAC provisioning process ... but then you would
just use PEAP and not bother with EAP-FAST.
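As an added example that is not part of Josh's post: a small Python audit that flags the "turned back on and left on" state he describes, by reading the EAP-FAST provisioning mode from hostapd (server side) and wpa_supplicant (client side) configurations. The option names eap_fast_prov and fast_provisioning, their mode values, and the sample configurations are my assumptions and constructed input, not taken from the post.

```python
import re

# Constructed sample configs (not from the post): a hostapd.conf fragment and a
# wpa_supplicant.conf network block. The option names eap_fast_prov and
# fast_provisioning follow the hostapd/wpa_supplicant documentation as I recall
# it (1 = anonymous, 2 = authenticated, 3 = both); verify against your versions.
HOSTAPD_CONF = """\
eap_server=1
eap_fast_a_id=000102030405060708090a0b0c0d0e0f
eap_fast_a_id_info=constructed example server
eap_fast_prov=3
"""

WPA_SUPPLICANT_CONF = """\
network={
    ssid="corp"
    key_mgmt=WPA-EAP
    eap=FAST
    phase1="fast_provisioning=1"
    pac_file="/etc/wpa_supplicant/eap-fast.pac"
}
"""

ANON_MODES = {1, 3}  # modes that accept the anonymous Diffie-Hellman (Phase 0) handshake


def audit_hostapd(conf: str) -> list[str]:
    """Return findings if the EAP server still allows anonymous PAC provisioning."""
    mode = 3  # assumption: hostapd defaults to 3 (both modes) when the key is absent
    for line in conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key == "eap_fast_prov":
            mode = int(value)
    if mode in ANON_MODES:
        return [f"hostapd: eap_fast_prov={mode} accepts anonymous PAC provisioning"]
    return []


def audit_wpa_supplicant(conf: str) -> list[str]:
    """Return a finding for each EAP-FAST network block that will accept anonymous provisioning."""
    findings = []
    for block in re.findall(r"network=\{(.*?)\}", conf, re.S):
        if re.search(r"^\s*eap=FAST\s*$", block, re.M) is None:
            continue
        ssid = re.search(r'ssid="([^"]*)"', block)
        m = re.search(r"fast_provisioning=(\d)", block)
        mode = int(m.group(1)) if m else 0  # assumption: absent means provisioning is off
        if mode in ANON_MODES:
            findings.append(f'wpa_supplicant: network "{ssid.group(1) if ssid else "?"}" '
                            f"fast_provisioning={mode} will complete an unauthenticated Phase 0")
    return findings


if __name__ == "__main__":
    for finding in audit_hostapd(HOSTAPD_CONF) + audit_wpa_supplicant(WPA_SUPPLICANT_CONF):
        print(finding)
```

Run it periodically (or from configuration management) so that a provisioning window opened for a new batch of clients is noticed when it is not closed again.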



