EAP-SAKE
===========

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What does EAP-SAKE stand for?**

    EAP-SAKE stands for **Extensible Authentication Protocol – Shared-secret Authentication and Key Establishment**.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is EAP-SAKE?**

    EAP-SAKE is an EAP method that provides mutual authentication and key derivation using a pre-shared secret, without relying on public key infrastructure (PKI).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Why is EAP-SAKE useful?**

    * Avoids the complexity of certificates or asymmetric cryptography.
    * Lightweight and suitable for constrained devices or environments.
    * Provides mutual authentication and key derivation.
    * More secure than simple password-based methods.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How does it work?**

    * Based on a challenge-response mechanism using a shared secret.
    * Involves an exchange of random nonces and authentication tokens.
    * Key derivation is performed after successful mutual verification.
    * MACs (Message Authentication Codes) ensure integrity and authenticity.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is EAP-SAKE used?**

    * Environments where certificate management is undesirable or too heavy.
    * Embedded systems or IoT applications.
    * Wireless or VPN networks needing pre-shared key authentication.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which OSI layer does this protocol belong to?**

    * Operates at the Application Layer (Layer 7).
    * Encapsulated within EAP, which rides over lower layers (like EAPOL or RADIUS).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-SAKE Windows-specific?**

    * No, it is not Windows-specific.
    * Platform-independent, though not natively supported in many Windows clients.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Is EAP-SAKE Linux-specific?**

    * No, but it may require custom implementation or patching on Linux clients (e.g., wpa_supplicant or FreeRADIUS).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which transport protocol is used by EAP-SAKE?**

    * Transported via EAP.
    * Underlying protocols: EAPOL, RADIUS (typically over UDP), or Diameter (over TCP).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which port is used by EAP-SAKE?**

    * Standard RADIUS ports:

      * UDP 1812 (Authentication)
      * UDP 1813 (Accounting)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-SAKE use a client-server model?**

    * Yes.
    * Client: Supplicant device
    * Server: Authentication server (e.g., RADIUS)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-SAKE use certificates?**

    * No.
    * It relies only on pre-shared symmetric keys.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **How many frame exchanges are seen during an EAP-SAKE connection?**

    * Typically involves **4–6 EAP messages**, depending on the implementation and configuration.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-SAKE use client certificates?**

    * No, it does not use client certificates.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-SAKE use server certificates?**

    * No, it does not use server certificates.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-SAKE depend on TCP?**

    * No direct dependency.
    * May use TCP if the backend protocol (e.g., Diameter) is configured that way.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-SAKE depend on UDP?**

    * Yes, when used with RADIUS, it typically relies on UDP 1812.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which roles are involved when testing EAP-SAKE?**

    * Supplicant (Client)
    * Authenticator (e.g., AP or switch)
    * Authentication Server (e.g., FreeRADIUS with EAP-SAKE support)

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-SAKE work with a FreeRADIUS server on Linux?**

    * Yes, but it may require enabling or configuring the ``eap-sake`` module.
    * Not commonly enabled by default.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Does EAP-SAKE work with hostapd's internal RADIUS server?**

    * No, hostapd's internal RADIUS server is too limited.
    * External RADIUS (like FreeRADIUS) is required.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which RFC defines EAP-SAKE?**

    * Defined in **RFC 4763**.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Which EAPOL packets are encrypted during the connection procedure?**

    * EAPOL packets are not encrypted at Layer 2.
    * However, authentication payloads are integrity protected via MACs using the shared secret.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What are the stages of the EAP-SAKE connection procedure?**

    * **Stage 1:** EAP Identity exchange
    * **Stage 2:** Server sends random challenge and authentication ID
    * **Stage 3:** Client responds with its own random nonce and MAC
    * **Stage 4:** Server verifies and replies with final MAC
    * **Stage 5:** Success message sent after mutual verification

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the final output of the connection procedure?**

    * Generation of a shared **Master Session Key (MSK)**.
    * Optionally, an **Extended Master Session Key (EMSK)** is also derived.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **What is the format of the keys generated by the connection procedure?**

    * MSK is 64 bytes (512 bits).
    * EMSK is also 64 bytes (optional, for future re-authentication or derivations).

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    **Where is the PMK generated by the connection procedure used?**

    * The PMK (derived from MSK) is used by the Authenticator (e.g., AP) to generate encryption keys like PTK.
    * Enables secure data communication in WPA2-Enterprise/WPA3-Enterprise environments.

.. panels::
    :container: container pb-4
    :column: col-lg-12 p-2
    :card: shadow

    Topics in this section,

    * :ref:`Learnings in this section `
    * :ref:`Terminology `
    * :ref:`Version Info `
    * :ref:`EAP_SAKE Version&IEEE Details `
    * :ref:`EAP_SAKE FreeRadius Basic Setup on Ubuntu (2 Machines) `
    * :ref:`EAP_SAKE FreeRadius Basic Setup on Ubuntu (3 Machines) `
    * :ref:`EAP_SAKE Internal Radius Server Basic Setup on Ubuntu (2 Machines) `

      * :ref:`STEP 1: Bring up AP `
      * :ref:`STEP 2: Bring up STA `

    * :ref:`EAP_SAKE Protocol Packet Details `
    * :ref:`EAP_SAKE Usecases `
    * :ref:`EAP_SAKE Basic Features `
    * :ref:`Reference links `

.. _EAP_SAKE_step1:

.. tab-set::

    .. tab-item:: Learnings in this section

        * In this section, you are going to learn

.. _EAP_SAKE_step2:

.. tab-set::

    .. tab-item:: Terminology

        * Terminology

.. _EAP_SAKE_step3:

.. tab-set::

    .. tab-item:: Version Info

        * Version Info

.. _EAP_SAKE_step5:

.. tab-set::

    .. tab-item:: EAP_SAKE Version&RFC Details

        * rfc details

.. _EAP_SAKE_step20:

.. tab-set::

    .. tab-item:: Internal Radius Server Basic Setup on Ubuntu (2 Machines)

.. _EAP_SAKE_step21:

.. tab-set::

    .. tab-item:: STEP 1: Bring up AP using hostapd

        .. csv-table::
            :file: ./EAP_SAKE/eap_sake_ap_hostapd.csv
            :class: tight-table

.. _EAP_SAKE_step22:

.. tab-set::

    .. tab-item:: STEP 2: Bring up STA

        .. csv-table::
            :file: ./EAP_SAKE/eap_sake_sta_wpa_supplicant.csv
            :class: tight-table

.. tab-set::

    .. tab-item:: Wireshark Output

        * Download file to check Wireshark output

          :download:`Packet capture in EAP_SAKE `

.. _EAP_SAKE_step19:

.. tab-set::

    .. tab-item:: FreeRADIUS EAP_SAKE Basic Setup on Ubuntu (3 Machines)

        * setup

.. _EAP_SAKE_step18:

.. tab-set::

    .. tab-item:: FreeRADIUS EAP_SAKE Basic Setup on Ubuntu (2 Machines)

        * setup

.. _EAP_SAKE_step6:

.. tab-set::

    .. tab-item:: EAP_SAKE Protocol Packet Details

        * packet details

.. _EAP_SAKE_step7:

.. tab-set::

    .. tab-item:: EAP_SAKE Usecases

        * usecases

.. _EAP_SAKE_step8:

.. tab-set::

    .. tab-item:: EAP_SAKE Basic Features

        * features

.. _EAP_SAKE_step17:

.. tab-set::

    .. tab-item:: Reference links

        * Reference links
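
The five-stage connection procedure and the MSK/EMSK output described above can be walked through in code. This is an added example, not part of the original page or of any EAP-SAKE implementation: it uses one shared secret and an HMAC-SHA256 stand-in for the key derivation, so it is not wire-compatible with RFC 4763. The function names, labels, identities and the sample secret are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample secret

def kdf(key: bytes, label: bytes, context: bytes, length: int) -> bytes:
    """Counter-mode HMAC-SHA256 expansion; a stand-in, not the RFC 4763 KDF."""
    out, counter = b"", 0
    while len(out) < length:
        block = label + b"\x00" + context + bytes([counter])
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def mic(auth_key, direction, rand_s, rand_p, server_id, peer_id):
    """MAC over both nonces and both identities. The direction tag keeps the
    peer's and server's values distinct so one cannot be replayed as the other."""
    msg = b"\x00".join([direction, rand_s, rand_p, server_id, peer_id])
    return hmac.new(auth_key, msg, hashlib.sha256).digest()[:16]

def run_exchange(peer_secret, server_secret, peer_id=b"sta1", server_id=b"radius1"):
    """Return derived keys on success, None when mutual authentication fails."""
    # Stage 1: identity exchange, the server learns peer_id.
    # Stage 2: server sends its random challenge and its identity.
    rand_s = secrets.token_bytes(16)
    # Stage 3: peer picks its own nonce and proves knowledge of the secret.
    rand_p = secrets.token_bytes(16)
    nonces = rand_s + rand_p
    ids = (rand_s, rand_p, server_id, peer_id)
    peer_auth = kdf(peer_secret, b"auth", nonces, 32)
    mic_p = mic(peer_auth, b"P", *ids)
    # Stage 4: server recomputes from ITS copy of the secret, compares in
    # constant time, then answers with its own MAC.
    server_auth = kdf(server_secret, b"auth", nonces, 32)
    if not hmac.compare_digest(mic_p, mic(server_auth, b"P", *ids)):
        return None  # peer does not hold the shared secret
    mic_s = mic(server_auth, b"S", *ids)
    # The peer checks the server's MAC too: this makes authentication mutual.
    if not hmac.compare_digest(mic_s, mic(peer_auth, b"S", *ids)):
        return None
    # Stage 5: success. Each side expands secret + nonces into MSK and EMSK.
    peer_keys = kdf(peer_secret, b"session", nonces, 128)
    server_keys = kdf(server_secret, b"session", nonces, 128)
    return {"peer_msk": peer_keys[:64], "peer_emsk": peer_keys[64:],
            "server_msk": server_keys[:64],
            "pmk": peer_keys[:32]}  # 802.11 takes the first 32 bytes of the MSK

if __name__ == "__main__":
    print("matching secrets:", run_exchange(SECRET, SECRET) is not None)
    print("mismatched secrets:", run_exchange(SECRET, b"not-the-secret!!") is not None)
```

Because both nonces feed the derivation, every run yields a fresh MSK even though the pre-shared secret never changes.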