Protected Extensible Authentication Protocol: Difference between revisions

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Revision as of 21:31, 19 October 2022 edit 2a02:a469:8d99::3 (talk) MS-CHAPv2 weakness citation Tag: Visual edit ← Previous edit		Latest revision as of 16:36, 5 July 2024 edit undo GreenC bot (talk \| contribs) Bots 3,054,794 edits Reformat 1 archive link; Move 1 url. Wayback Medic 2.5 per WP:URLREQ#zdnet.com
(5 intermediate revisions by 5 users not shown)
Line 3: <span lang="English" dir="ltr">The</span> '''Protected Extensible Authentication Protocol''', also known as '''Protected EAP''' or simply '''PEAP''', is a protocol that encapsulates the [[Extensible Authentication Protocol]] (EAP) within an encrypted and authenticated [[Transport Layer Security]] (TLS) [[tunneling protocol\|tunnel]].<ref>{{cite news \| url=~~http~~https://www.zdnet.com/~~blog~~home-and-office/ounetworking/understanding-the-updated-wpa-and-wpa2-standards/67 \| title=Understanding the updated WPA and WPA2 standards \| work=ZDNet \| author= \| date=2005-06-02 \| ~~accessdate~~access-date=2012-07-17 }} </ref><ref>Microsoft's PEAP version 0, [//tools.ietf.org/html/draft-kamath-pppext-peapv0-00 draft-kamath-pppext-peapv0-00], §1.1</ref><ref name="peapv2-10_abstract">Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10 draft-josefsson-pppext-eap-tls-eap-10], abstract</ref><ref>Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-10 draft-josefsson-pppext-eap-tls-eap-10], §1</ref> The purpose was to correct deficiencies in EAP; EAP assumed a protected communication channel, such as that provided by physical security, so facilities for protection of the EAP conversation were not provided.<ref>Protected EAP Protocol (PEAP) Version 2, [//tools.ietf.org/html/draft-josefsson-pppext-eap-tls-eap-07 draft-josefsson-pppext-eap-tls-eap-07], §1</ref> Line 37: Behind [[EAP-TLS]], PEAPv0/EAP-MSCHAPv2 is the second most widely supported EAP standard in the world. There are client and server implementations of it from various vendors, including support in all recent releases from [[Microsoft]], [[Apple Computer]] and [[Cisco Systems\|Cisco]]. Other implementations exist, such as the [[xsupplicant]] from the Open1x.org project, and [[wpa_supplicant]]. As with other 802.1X and EAP types, [[dynamic encryption]] can be used with PEAP. A CA certificate must be used at each client to authenticate the server to each client before the client submits authentication credentials. If the CA certificate is not validated, in general it is trivial to introduce a fake Wireless Access Point which then allows gathering of [[MS-CHAPv2]] handshakes.<ref name="Man-in-the-Middle in Tunneled Authentication Protocols">{{cite web\|title=Man-in-the-Middle in Tunneled Authentication Protocols\|url=http://eprint.iacr.org/2002/163.pdf\|publisher=Nokia Research Center\|accessdate=14 November 2013}}</ref> Several weaknesses have been found in MS-CHAPv2, some of which severely reduce the complexity of brute-force attacks making them feasible with modern hardware.<ref>{{Cite web \|date=2016-03-16 \|title=Divide and Conquer: Cracking MS-CHAPv2 with a 100% success rate \|url=https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ \|archive-url=https://web.archive.org/web/20160316174007/https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ \|archive-date=2016-03-16 \|access-date=2022-10-19 ~~\|website=web.archive.org~~}}</ref> == PEAPv1 with EAP-GTC ==