EAP-EKE
=======

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the expansion of EAP-EKE?**

    **EAP-EKE** stands for **Extensible Authentication Protocol – Encrypted Key Exchange**. It is an EAP method based on the Encrypted Key Exchange (EKE) protocol, enabling mutual authentication and key exchange using a shared password.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-EKE?**

    **EAP-EKE** is an EAP authentication method that performs a password-authenticated key exchange (PAKE), providing mutual authentication using a short, human-memorable password without relying on certificates.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-EKE useful?**

    * Enables **mutual authentication** using only a shared password.
    * Resistant to **dictionary attacks**, even with weak passwords.
    * Does **not require public-key certificates**, simplifying deployments.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * **Identity exchange**: The peer and the server exchange identities and negotiate cryptographic algorithms.
    * **Commit exchange**: Each side generates ephemeral values and exchanges encrypted commitments based on the shared password.
    * **Confirm exchange**: Both parties prove knowledge of the password and liveness, then derive a shared secret.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-EKE used?**

    * In **Wi-Fi (802.1X / WPA-Enterprise)** environments where password-based mutual authentication is needed and certificate infrastructure is not available.
    * In networks using **RADIUS** for centralized authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    EAP-EKE operates at the **Application Layer (Layer 7)**, although it is transported via the EAP framework over lower-layer protocols such as 802.1X or RADIUS.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-EKE Windows specific?**

    No. EAP-EKE is **not Windows-specific**. It is a general EAP method, though support depends on the platform and supplicant implementations.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-EKE Linux specific?**

    No. It is **not Linux-specific**, although implementations like *hostapd* and *wpa_supplicant* can provide support on Linux systems.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-EKE?**

    EAP-EKE uses the EAP framework (RFC 3748), typically carried over **IEEE 802.1X** EAPOL for Wi-Fi, and **RADIUS** (via UDP) in the backend.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-EKE?**

    There is **no dedicated port** for EAP-EKE. When used with RADIUS, **UDP port 1812** is used for authentication messages.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-EKE use a client-server model?**

    Yes. It follows a **client-server model**: the client (peer) and the server mutually authenticate via commits and confirms, with the authenticator (such as an AP) forwarding messages to the backend.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does the EAP-EKE protocol use certificates?**

    No. EAP-EKE **does not use certificates** for authentication. It relies on password-based cryptographic exchanges instead.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many message exchanges happen during EAP-EKE authentication?**

    There are typically **three main message exchanges** (plus identity exchange):

    * Identity exchange
    * Commit exchange
    * Confirm exchange

    If successful, it ends with an EAP Success message.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    Establishment of mutual authentication and derivation of a **shared key** (e.g., MSK) used for securing subsequent communication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What cryptographic primitives are used?**

    * Uses **Diffie-Hellman groups** for ephemeral key exchanges.
    * Uses a **pseudo-random function (PRF)** built on HMAC-SHA1 or HMAC-SHA256.
    * Encryption (e.g., AES-128-CBC) and integrity protection (MAC) are used for certain fields.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section:

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`EAP_EKE Version&IEEE Details `
    * :ref:`EAP_EKE FreeRADIUS Basic Setup on Ubuntu (2 Machines) `
    * :ref:`EAP_EKE FreeRADIUS Basic Setup on Ubuntu (3 Machines) `
    * :ref:`EAP_EKE Internal RADIUS Server Basic Setup on Ubuntu (2 Machines) `
    * :ref:`STEP 1: Bring up AP `
    * :ref:`STEP 2: Bring up STA `
    * :ref:`EAP_EKE Protocol Packet Details `
    * :ref:`EAP_EKE Usecases `
    * :ref:`EAP_EKE Basic Features `
    * :ref:`Reference links `

.. _EAP_EKE_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_EKE_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_EKE_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_EKE_step5:

.. tab-set::

    .. tab-item:: EAP_EKE Version&RFC Details

        * RFC details

.. _EAP_EKE_step20:

.. tab-set::

    .. tab-item:: Internal RADIUS Server Basic Setup on Ubuntu (2 Machines)

.. _EAP_EKE_step21:

.. tab-set::

    .. tab-item:: STEP 1: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_EKE/eap_eke_ap_hostapd.csv
            :class: tight-table

.. _EAP_EKE_step22:

.. tab-set::

    .. tab-item:: STEP 2: Bring up STA

        .. csv-table::
            :file: ./EAP_EKE/eap_eke_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download the file to check the Wireshark output: :download:`Packet capture in EAP_EKE `

.. _EAP_EKE_step19:

.. tab-set::

    .. tab-item:: EAP_EKE FreeRADIUS Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_EKE_step18:

.. tab-set::

    .. tab-item:: EAP_EKE FreeRADIUS Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_EKE_step6:

.. tab-set::

    .. tab-item:: EAP_EKE Protocol Packet Details

        * packet details

.. _EAP_EKE_step7:

.. tab-set::

    .. tab-item:: EAP_EKE Usecases

        * usecases

.. _EAP_EKE_step8:

.. tab-set::

    .. tab-item:: EAP_EKE Basic Features

        * features

.. _EAP_EKE_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
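The identity, commit and confirm exchanges and the primitives listed above (Diffie-Hellman, an HMAC-based PRF, symmetric protection of the commit), modelled end to end in a simplified Python example that is added here and is neither RFC 6124's wire format nor hostapd/wpa_supplicant code. The toy DH group, the PRF keystream used in place of AES-128-CBC, the label strings and the identities are constructed assumptions; the model does show why a wrong password makes the Confirm step fail on both sides instead of leaking anything about the password.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group for illustration only (127-bit Mersenne prime);
# a real run uses the DH group negotiated during the identity exchange.
P, G = (1 << 127) - 1, 3

def prf(key: bytes, data: bytes) -> bytes:
    """PRF built on HMAC-SHA256, one of the PRFs the page lists for EAP-EKE."""
    return hmac.new(key, data, hashlib.sha256).digest()

def mask(pw_key: bytes, role: bytes, value: bytes) -> bytes:
    """Password-keyed masking of a 16-byte DH value, standing in for the AES-128-CBC
    Commit encryption. XOR is its own inverse; the role keeps both keystreams distinct."""
    stream = prf(pw_key, b"commit|" + role)[:16]
    return bytes(a ^ b for a, b in zip(value, stream))

class Party:
    """One side of the exchange; role is b"server" or b"peer" (constructed labels)."""
    def __init__(self, ident: bytes, password: bytes, role: bytes):
        self.ident, self.password, self.role, self.commits = ident, password, role, {}
        self.x = secrets.randbelow(P - 3) + 2                      # ephemeral DH exponent
        self.pub = pow(G, self.x, P).to_bytes(16, "big")
    def commit(self, peer_ident: bytes) -> bytes:
        # Commit exchange: masked DH value plus a fresh nonce. The masking key binds the
        # password to both identities learned in the identity exchange.
        ids = b"|".join(sorted([self.ident, peer_ident]))
        self.pw_key = prf(hashlib.sha256(self.password).digest(), ids)
        self.commits[self.role] = mask(self.pw_key, self.role, self.pub) + secrets.token_bytes(16)
        return self.commits[self.role]
    def receive_commit(self, peer_role: bytes, msg: bytes) -> None:
        # A wrong password unmasks to an unrelated value, so the keys below never match.
        self.commits[peer_role] = msg
        peer_pub = int.from_bytes(mask(self.pw_key, peer_role, msg[:16]), "big")
        shared = pow(peer_pub, self.x, P).to_bytes(16, "big")
        transcript = self.commits[b"server"] + self.commits[b"peer"]  # covers both nonces
        self.ka = prf(shared, b"confirm|" + transcript)
    def confirm(self) -> bytes:   # Confirm exchange: proof of password knowledge and liveness
        return prf(self.ka, b"auth|" + self.role)
    def verify(self, peer_role: bytes, tag: bytes) -> bool:
        return hmac.compare_digest(tag, prf(self.ka, b"auth|" + peer_role))
    def msk(self) -> bytes:       # final output: the shared key exported on success
        return prf(self.ka, b"msk")

def run(server_pw: bytes, peer_pw: bytes) -> tuple:
    """Full run; returns (server accepted peer, peer accepted server, MSKs equal)."""
    s, p = Party(b"radius.example", server_pw, b"server"), Party(b"alice", peer_pw, b"peer")
    cs, cp = s.commit(p.ident), p.commit(s.ident)                   # after identity exchange
    s.receive_commit(b"peer", cp); p.receive_commit(b"server", cs)
    s_ok, p_ok = s.verify(b"peer", p.confirm()), p.verify(b"server", s.confirm())
    return s_ok, p_ok, s.msk() == p.msk()
```

`run(b"s3cret", b"s3cret")` returns `(True, True, True)`, while a mismatched password makes both verifications fail and the derived keys differ.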