EAP-PWD
================

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is Expansion of EAP-PWD?**

    **EAP-PWD** stands for **Extensible Authentication Protocol – Password** (written EAP-pwd in RFC 5931; it is EAP method type 52). It is an EAP method that uses a shared password for mutual authentication between the client (the EAP peer) and the EAP server, and is designed so that the exchange cannot be used for an offline dictionary attack on that password.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-PWD?**

    **EAP-PWD** is a method within the EAP framework that authenticates using only a password (no certificates required). Instead of sending the password, or a hash of it, both sides run a password-authenticated key exchange (PAKE), the Dragonfly handshake that WPA3-SAE also uses, so that a passive eavesdropper learns nothing about the password and an active attacker can test only one guess per protocol run, even when the password is weak.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-PWD useful?**

    * Provides **mutual authentication** while only using a shared password.
    * Resists **offline dictionary attacks** on captured traffic, including when passwords are low-entropy. An active attacker still gets one online guess per run, so the server should still rate-limit or lock out failed attempts, and the password-element derivation must run in constant time: the 2019 Dragonblood research found timing and cache side channels, and missing validation of received commit values, in the EAP-pwd code of hostapd and wpa_supplicant, so deployments should run patched versions.
    * Avoids the need for certificates, simplifying deployment where no PKI exists.
    * Derives session keys (MSK/EMSK) that the lower layer uses for subsequent encrypted communication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How it works?**

    * Identity exchange: the server sends an EAP-pwd-ID/Request carrying the ciphersuite (group, random function, PRF), the password pre-processing method, a random token and its own identity; the peer answers with its identity. Both sides then derive the password element (PWE), a member of the chosen cryptographic group computed from the password, the two identities and the token.
    * Commit exchange: each side picks two fresh random values, rand and mask, and sends a scalar, (rand + mask) modulo the group order q, and an element, the inverse of mask times PWE. Each side checks that the received scalar and element are valid group members and not a reflection of its own values, then computes the shared secret ks from the received commit, its own rand and its PWE; only a party that used the same PWE arrives at the same ks.
    * Confirm exchange: each side sends a hash over ks, both elements, both scalars and the ciphersuite, proving it knows ks (and therefore the password) and binding the result to this run, which defeats man-in-the-middle and replay attacks.
    * After both confirm values verify, each side derives the master key MK from ks and the two confirm values, and from MK the Master Session Key (MSK) and Extended MSK (EMSK).
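The commit and confirm exchanges above, worked through in code. This is an added example written for this page, not code from RFC 5931, hostapd, wpa_supplicant or FreeRADIUS: it runs a simplified Dragonfly handshake over a small finite-field (MODP) group that it constructs itself rather than the P-256 curve RFC 5931 uses by default; the identities, token and ciphersuite label are made up; and the confirm-value and MSK/EMSK expansion steps follow the RFC's structure but not its byte layout. What it shows is the part the bullets describe: both sides derive the password element, exchange scalar/element pairs that reveal nothing about it, reject malformed or reflected commits, and only arrive at the same confirm values and keys when they started from the same password.

```python
import hashlib
import hmac
import secrets

# Constructed group: a safe prime p = 2q + 1 of about 63 bits, found at import so the
# example runs offline; far too small for real use (RFC 5931 defaults to P-256).
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)   # Miller-Rabin exact below 3.3e24

def _is_prime(n):
    if n < 2 or any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _safe_prime(bits):
    q = (1 << (bits - 2)) | 1
    while not (_is_prime(q) and _is_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q

P, Q = _safe_prime(64)                    # modulus p and prime subgroup order q
CIPHERSUITE = b"toy-modp:hmac-sha256"     # constructed label in place of group|randfn|prf
_enc = lambda x: x.to_bytes((P.bit_length() + 7) // 8, "big")   # fixed-width encoding

def password_element(password, peer_id, server_id, token):
    """Hunting-and-pecking: hash password, identities and the server's token with a
    counter until the value, raised to (p-1)/q, is a subgroup element > 1.  This textbook
    loop runs a password-dependent number of times, the leak Dragonblood exploited;
    production code always iterates a fixed number of times."""
    counter = 1
    while True:
        seed = hmac.new(token, password + peer_id + server_id + bytes([counter]),
                        hashlib.sha256).digest()
        pwe = pow(int.from_bytes(seed, "big") % P, (P - 1) // Q, P)
        if pwe > 1:
            return pwe
        counter += 1

class Party:   # one side of the exchange; peer and server run the same code
    def __init__(self, pwe):
        self.pwe, self.scalar = pwe, 0
        while self.scalar < 2:                # rand and mask: fresh per-session secrets
            self.rand = 2 + secrets.randbelow(Q - 2)
            self.mask = 2 + secrets.randbelow(Q - 2)
            self.scalar = (self.rand + self.mask) % Q
        self.element = pow(pow(pwe, self.mask, P), -1, P)     # PWE^(-mask)
    def commit(self):
        return self.scalar, self.element
    def receive_commit(self, scalar, element):
        """Validate the peer's commit (the checks early EAP-pwd code skipped), then
        ks = (PWE^scalar_peer * element_peer)^rand = PWE^(rand * rand_peer)."""
        if not 1 < scalar < Q:
            raise ValueError("scalar out of range")
        if not 1 < element < P - 1 or pow(element, Q, P) != 1:
            raise ValueError("element not in the prime-order subgroup")
        if (scalar, element) == (self.scalar, self.element):
            raise ValueError("reflected commit")
        self.peer = (scalar, element)
        self.ks = pow(pow(self.pwe, scalar, P) * element % P, self.rand, P)
    def _confirm_value(self, first, second):    # H(ks | E1 | S1 | E2 | S2 | ciphersuite)
        (s1, e1), (s2, e2) = first, second
        return hashlib.sha256(_enc(self.ks) + _enc(e1) + _enc(s1) + _enc(e2)
                              + _enc(s2) + CIPHERSUITE).digest()
    def confirm(self):
        return self._confirm_value(self.commit(), self.peer)
    def verify_confirm(self, received):
        return hmac.compare_digest(self._confirm_value(self.peer, self.commit()), received)

def derive_msk_emsk(ks, confirm_p, confirm_s):
    # MK = H(ks | confirm_P | confirm_S); MSK and EMSK are 64 bytes each, expanded from MK
    # (plain counter-mode HMAC here, not the RFC 5931 KDF byte layout)
    mk = hashlib.sha256(_enc(ks) + confirm_p + confirm_s).digest()
    out = b"".join(hmac.new(mk, bytes([i]), hashlib.sha256).digest() for i in range(1, 5))
    return out[:64], out[64:]

def run_eap_pwd(peer_password, server_password):
    """Commit and confirm exchanges end to end; returns (authenticated, peer_msk, server_msk)."""
    peer_id, server_id = b"alice@example.org", b"radius.example.org"    # constructed
    token = secrets.token_bytes(4)                 # sent by the server in the ID exchange
    peer = Party(password_element(peer_password, peer_id, server_id, token))
    server = Party(password_element(server_password, peer_id, server_id, token))
    server.receive_commit(*peer.commit())          # EAP-pwd-Commit request/response
    peer.receive_commit(*server.commit())
    confirm_s, confirm_p = server.confirm(), peer.confirm()   # EAP-pwd-Confirm exchange
    ok = peer.verify_confirm(confirm_s) and server.verify_confirm(confirm_p)
    msk_p, _ = derive_msk_emsk(peer.ks, confirm_p, confirm_s)
    msk_s, _ = derive_msk_emsk(server.ks, confirm_p, confirm_s)
    return ok, msk_p, msk_s
```

A wrong password on either side makes `verify_confirm` fail, and nothing in the captured scalars, elements or confirm values lets an attacker check further guesses offline: the only information gained is that one guess was wrong, which is the dictionary-attack resistance described above. The hunting-and-pecking loop is deliberately written the naive way so its data-dependent iteration count is visible; patched implementations iterate a fixed number of times instead.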
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-PWD used?**

    * Wi-Fi networks with 802.1X / RADIUS / WPA-Enterprise, especially when certificate infrastructure is unavailable or undesirable.
    * University or eduroam-type networks.
    * Any PPP-based or network access system requiring username/password mutual authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    EAP, and with it **EAP-PWD**, does not map cleanly onto a single OSI layer. RFC 3748 defines EAP as running directly over link-layer protocols such as IEEE 802.1X/EAPOL (Wi-Fi) or PPP, so it is best described as an authentication framework carried at the data link layer (Layer 2); between the authenticator and a backend server the same EAP packets travel inside RADIUS over UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PWD Windows specific?**

    No, **EAP-PWD** is not Windows-specific. It is implemented in hostapd and wpa_supplicant (Linux, and Android, whose supplicant is based on wpa_supplicant) and on the server side in FreeRADIUS (rlm_eap_pwd).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PWD Linux Specific?**

    No. EAP-PWD is supported on Linux, but it is also supported on other operating systems (e.g. Android). It is not limited to Linux.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which Transport Protocol is used by EAP-PWD?**

    EAP-PWD messages are EAP packets. On the wireless link they are carried in **IEEE 802.1X** EAPOL frames (or over PPP on dial-up links); between the authenticator (AP) and a backend server they are encapsulated in RADIUS EAP-Message attributes, and RADIUS uses UDP. The method itself uses neither TCP nor UDP. In Wireshark the exchange can be isolated with the display filter ``eap.type == 52``.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which Port is used by EAP-PWD?**

    There is no EAP-PWD-specific port. When a RADIUS backend is used, authentication requests go to **UDP 1812**.
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-PWD using Client-server model?**

    Yes. EAP-PWD uses a **client-server model**: the "peer" (client) communicates via an authenticator (often an AP) with an EAP server (a RADIUS server or hostapd's internal EAP server), exchanging messages to mutually authenticate and derive keys.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PWD protocol use certificates?**

    No, **EAP-PWD** does *not* require certificates. Authentication is based on the shared password and the cryptographic group operations of the PAKE.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during connection for EAP-PWD protocol?**

    After the EAP-Request/Identity and EAP-Response/Identity, **EAP-PWD** runs **three** request/response exchanges, so six EAP-pwd packets in the common case, followed by the result:

    * Identity exchange (EAP-pwd-ID request/response)
    * Commit exchange (EAP-pwd-Commit request/response)
    * Confirm exchange (EAP-pwd-Confirm request/response)
    * EAP-Success if both confirm values verify, otherwise EAP-Failure.

    Commit messages that exceed the link MTU are fragmented (the L and M bits in the EAP-pwd header), which adds fragment and acknowledgement frames. On Wi-Fi the 802.11i 4-way handshake follows EAP-Success.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PWD Protocol use client certificates?**

    No, client certificates are *not* used. The method relies only on the shared password and cryptographic group operations.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PWD Protocol use Server Certificates?**

    No, server certificates are not required for EAP-PWD itself. Other parts of the infrastructure (e.g. RadSec between the AP and the RADIUS server) may still use TLS and certificates, but the EAP-PWD method does not.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PWD Protocol depend on TCP?**

    No, the EAP-PWD method itself does *not* depend on TCP. It operates within EAP messages over a lower layer (802.11, PPP, etc.). When RADIUS is used as the backend, RADIUS uses UDP.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-PWD Protocol depend on UDP?**

    Not inherently; only when the backend uses RADIUS (which is UDP).
    The EAP-PWD method itself is transported via EAP over whatever lower layer is used.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the roles involved when testing EAP-PWD Protocol?**

    - **Client (Peer)**: the supplicant; it may send EAPOL-Start to trigger authentication and answers each EAP-Request with an EAP-Response.
    - **Server**: the EAP server; it sends the EAP-Requests, verifies the commit and confirm values and derives the keys.
    - **Authenticator / AP**: relays EAP between peer and server (EAPOL on one side, RADIUS on the other) and receives the MSK when authentication succeeds.
    - **RADIUS** (if used): the backend AAA server hosting the EAP server (e.g. FreeRADIUS with rlm_eap_pwd); with hostapd's internal EAP server no separate RADIUS server is needed.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the RFC version used for EAP-PWD Protocol?**

    **EAP-PWD** is specified in **RFC 5931** (Extensible Authentication Protocol (EAP) Authentication Using Only a Password, 2010). It is extended by **RFC 8146** (2017), which adds support for salted password databases on the server side. The underlying Dragonfly exchange is described separately in RFC 7664.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **During Connection Procedure which EAP packets are encrypted?**

    None of them. EAP-PWD does not set up a protective tunnel the way PEAP or EAP-TTLS do: the identities, the ciphersuite, the scalars and elements of the commit exchange and the confirm hashes are all sent in the clear. That is safe for the password, which is never transmitted and cannot be recovered offline from those values, but it means EAP-PWD offers no identity privacy; anyone capturing the frames sees the user name. Confidentiality and integrity for subsequent traffic come from the derived keys (MSK/EMSK), e.g. via the 802.11i 4-way handshake.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of Connection Procedure?**

    The final output is successful mutual authentication and derivation of shared secret keys, the MSK (Master Session Key) and EMSK (Extended MSK), which are used for securing subsequent traffic.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the key generated after the connection procedure?**

    The keys are binary strings of fixed length: the MSK and the EMSK are each 64 octets, regardless of the ciphersuite or group chosen. They are produced by the key derivation function defined in RFC 5931, which expands the master key MK (a hash over the shared secret ks and the two confirm values) into MSK | EMSK.
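The message sequence counted in the frame-exchange answer, and the cleartext observation just above, as an added example that is not part of the original page: a small parser for EAP packets and the EAP-pwd header (L/M bits, PWD-Exch, Total-Length) run over a constructed capture. The frames, identities and token are made up, the commit and confirm bodies are placeholders of the P-256 sizes rather than real scalars and elements, and the fragment/acknowledgement handling follows the EAP-TLS-style scheme EAP-pwd uses for oversized messages. The summary it returns counts the three EAP-pwd round trips and lists every identity a passive observer would have read off the air.

```python
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
TYPE_IDENTITY, TYPE_PWD = 1, 52              # EAP-pwd is EAP method type 52 (0x34)
PWD_ID, PWD_COMMIT, PWD_CONFIRM = 1, 2, 3    # PWD-Exch values in the EAP-pwd header
EXCH_NAME = {PWD_ID: "pwd-ID", PWD_COMMIT: "pwd-Commit", PWD_CONFIRM: "pwd-Confirm"}
FLAG_L, FLAG_M = 0x80, 0x40                  # Total-Length present / More fragments


def eap_frame(code, ident, type_=None, data=b""):
    """Build an EAP packet: Code | Identifier | Length | [Type | Type-Data]."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def pwd_id_payload(identity, token):
    """EAP-pwd-ID body: group 19 (P-256), random function 1 and PRF 1 (HMAC-SHA256),
    4-byte token, prep 0 (none), then the identity in the clear."""
    return struct.pack("!HBB", 19, 1, 1) + token + b"\x00" + identity


def parse_eap(frame):
    code, ident, length = struct.unpack("!BBH", frame[:4])
    if length != len(frame):
        raise ValueError("EAP Length field does not match the frame")
    rec = {"code": code, "id": ident, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        rec["type"], rec["data"] = frame[4], frame[5:]
    return rec


def parse_pwd(data):
    """Split the EAP-pwd header byte (L | M | PWD-Exch) and optional Total-Length."""
    flags, exch = data[0] & 0xC0, data[0] & 0x3F
    total = struct.unpack("!H", data[1:3])[0] if flags & FLAG_L else None
    payload = data[3:] if flags & FLAG_L else data[1:]
    return {"exch": exch, "more": bool(flags & FLAG_M), "total": total, "payload": payload}


def exchange_summary(frames):
    """Walk an EAP conversation, reassembling fragmented EAP-pwd messages, and report
    the message sequence, the EAP-pwd round trips and every identity sent unencrypted."""
    seq, identities, buf, totals, result = [], [], {}, {}, None
    for frame in frames:
        r = parse_eap(frame)
        if r["code"] in (EAP_SUCCESS, EAP_FAILURE):
            result = "success" if r["code"] == EAP_SUCCESS else "failure"
            seq.append(result)
            continue
        dirn = "req" if r["code"] == EAP_REQUEST else "resp"
        if r["type"] == TYPE_IDENTITY:
            seq.append(f"Identity/{dirn}")
            if dirn == "resp":
                identities.append(r["data"])
            continue
        if r["type"] != TYPE_PWD:
            seq.append(f"type{r['type']}/{dirn}")
            continue
        p = parse_pwd(r["data"])
        name, key = EXCH_NAME[p["exch"]], (p["exch"], dirn)
        if dirn == "resp" and not p["payload"] and (p["exch"], "req") in buf:
            seq.append(f"{name}/resp (ack)")          # peer acknowledging a fragment
            continue
        buf[key] = buf.get(key, b"") + p["payload"]
        if p["total"] is not None:
            totals[key] = p["total"]
        if p["more"]:
            seq.append(f"{name}/{dirn} (fragment)")
            continue
        payload = buf.pop(key)
        if totals.pop(key, len(payload)) != len(payload):
            raise ValueError(f"{name} reassembled to the wrong length")
        seq.append(f"{name}/{dirn}")
        if p["exch"] == PWD_ID:
            identities.append(payload[9:])   # after group(2) randfn(1) prf(1) token(4) prep(1)
    round_trips = sum(1 for s in seq if s.startswith("pwd-") and s.endswith("/resp"))
    return {"sequence": seq, "pwd_round_trips": round_trips,
            "cleartext_identities": identities, "result": result}


def sample_capture():
    """Constructed frames in the shape of a successful run; commit and confirm bodies
    are placeholders of the P-256 sizes, not real scalars/elements."""
    peer, server, token = b"alice@example.org", b"radius.example.org", b"\x01\x02\x03\x04"
    commit_s, commit_p = b"S" * 96, b"P" * 96        # 64-byte element + 32-byte scalar
    hdr = lambda flags_exch, body: bytes([flags_exch]) + body
    return [
        eap_frame(EAP_REQUEST, 1, TYPE_IDENTITY),
        eap_frame(EAP_RESPONSE, 1, TYPE_IDENTITY, peer),
        eap_frame(EAP_REQUEST, 2, TYPE_PWD, hdr(PWD_ID, pwd_id_payload(server, token))),
        eap_frame(EAP_RESPONSE, 2, TYPE_PWD, hdr(PWD_ID, pwd_id_payload(peer, token))),
        # server commit split in two: the first fragment carries L, M and Total-Length
        eap_frame(EAP_REQUEST, 3, TYPE_PWD,
                  hdr(FLAG_L | FLAG_M | PWD_COMMIT, struct.pack("!H", 96) + commit_s[:50])),
        eap_frame(EAP_RESPONSE, 3, TYPE_PWD, hdr(PWD_COMMIT, b"")),
        eap_frame(EAP_REQUEST, 4, TYPE_PWD, hdr(PWD_COMMIT, commit_s[50:])),
        eap_frame(EAP_RESPONSE, 4, TYPE_PWD, hdr(PWD_COMMIT, commit_p)),
        eap_frame(EAP_REQUEST, 5, TYPE_PWD, hdr(PWD_CONFIRM, b"C" * 32)),
        eap_frame(EAP_RESPONSE, 5, TYPE_PWD, hdr(PWD_CONFIRM, b"D" * 32)),
        eap_frame(EAP_SUCCESS, 5),
    ]
```

Running `exchange_summary(sample_capture())` yields three EAP-pwd round trips (ID, Commit, Confirm) plus the fragment/ack pair, and the user name appears three times in the clear: in the EAP Response/Identity and in both EAP-pwd-ID messages. The same walk applies to a real capture once the EAP payloads have been pulled out of the EAPOL or RADIUS EAP-Message wrapper.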
.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the use of the MSK / EMSK generated by the connection procedure?**

    The MSK is exported by the EAP method on both sides: the RADIUS server sends it to the authenticator (AP) in the Access-Accept, where its first 256 bits become the Pairwise Master Key (PMK) for the 802.11i/WPA2 4-way handshake that derives the actual frame-encryption keys. The EMSK never leaves the peer and the EAP server; it is reserved for deriving further keys (e.g. for fast re-authentication) and is not used for session encryption directly.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section <EAP_PWD_step1>`
    * :ref:`Terminology <EAP_PWD_step2>`
    * :ref:`Version Info <EAP_PWD_step3>`
    * :ref:`EAP_PWD Version&RFC Details <EAP_PWD_step5>`
    * :ref:`EAP_PWD FreeRadius Basic Setup on Ubuntu (2 Machines) <EAP_PWD_step18>`
    * :ref:`EAP_PWD FreeRadius Basic Setup on Ubuntu (3 Machines) <EAP_PWD_step19>`
    * :ref:`EAP_PWD Internal Radius Server Basic Setup on Ubuntu (2 Machines) <EAP_PWD_step20>`
    * :ref:`STEP 1: Bring up AP <EAP_PWD_step21>`
    * :ref:`STEP 2: Bring up STA <EAP_PWD_step22>`
    * :ref:`EAP_PWD Protocol Packet Details <EAP_PWD_step6>`
    * :ref:`EAP_PWD Usecases <EAP_PWD_step7>`
    * :ref:`EAP_PWD Basic Features <EAP_PWD_step8>`
    * :ref:`Reference links <EAP_PWD_step17>`

.. _EAP_PWD_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_PWD_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_PWD_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_PWD_step5:

.. tab-set::

    .. tab-item:: EAP_PWD Version&RFC Details

        * rfc details

.. _EAP_PWD_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

.. _EAP_PWD_step21:

.. tab-set::

    .. tab-item:: STEP 1: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_PWD/eap_pwd_ap_hostapd.csv
            :class: tight-table

.. _EAP_PWD_step22:

.. tab-set::

    .. tab-item:: STEP 2: Bring up STA

        .. csv-table::
            :file: ./EAP_PWD/eap_pwd_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download file to check wireshark output :download:`Packet capture in EAP_PWD `

.. _EAP_PWD_step19:

.. tab-set::

    .. tab-item:: EAP_PWD FreeRadius Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_PWD_step18:

.. tab-set::
    .. tab-item:: EAP_PWD FreeRadius Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_PWD_step6:

.. tab-set::

    .. tab-item:: EAP_PWD Protocol Packet Details

        * packet details

.. _EAP_PWD_step7:

.. tab-set::

    .. tab-item:: EAP_PWD Usecases

        * usecases

.. _EAP_PWD_step8:

.. tab-set::

    .. tab-item:: EAP_PWD Basic Features

        * features

.. _EAP_PWD_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links