Title :
EAP-Kerberos II: An adaptation of Kerberos to EAP for mutual authentication
Author :
Eum, Sung-Hyun ; Choi, Hyoung-Kee
Author_Institution :
Sch. of Inf. & Commun. Eng., Sungkyunkwan Univ., Seoul, South Korea
Abstract :
The phenomenal popularity of the 802.11 network stems from its promise of easy and convenient tetherless connections. The recent identification of security risks in the operation of an 802.11 network led to the announcement of the 802.11i protocol to alleviate them. Nevertheless, a number of security issues remain that prevent the 802.11 network from being the best protocol to be chosen for use in a wireless local area network (WLAN). We have dealt with three such popular remaining issues, namely, the potential loss of personal information, the implicit trust relation, and rogue access point attacks. These risks exist for two reasons: (1) unsafe key distribution and (2) imperfect mutual authentication. We propose a new authentication mechanism in the extensible authentication protocol (EAP), called EAP-Kerberos II, by adapting a ticket in Kerberos. The proposed mechanism uses mutual authentication to resolve all these security issues. Moreover, the proposed mechanism improves the performance of the 802.11i protocol. First, the key is downloaded from the server rather than derived on the client side. As a result, the key is available earlier than it is in the 802.11i protocol; consequently, protection of messages begins earlier. Second, authentication is much more efficient. The number of messages required to complete the entire authentication procedure is decreased by 55 percent compared with the popular authentication mechanism now used in 802.11i. Furthermore, the simulation result indicates that the improvement in efficiency can be as high as 71 percent.
Keywords :
cryptographic protocols; message authentication; telecommunication security; wireless LAN; EAP-Kerberos II ticket adaptation; IEEE 802.11 network stem; WLAN; extensible authentication protocol; imperfect mutual authentication; message protection; personal information loss; rogue access point attack; security risk identification; unsafe key distribution; wireless local area network; Authentication; Digital TV; Neodymium; Neural networks; Virtual reality; 802.11i; Kerberos; mutual authentication; ticket;
Conference_Title :
ITS Telecommunications, 2008. ITST 2008. 8th International Conference on
Conference_Location :
Phuket
Print_ISBN :
978-1-4244-2857-1
Electronic_ISBN :
978-1-4244-2858-8
DOI :
10.1109/ITST.2008.4740231