No subject


Sun Jul 6 13:05:25 EDT 2008


Differences between EAP-TLS and EAP-TTLS

1) EAP-TTLS is divided into 2 phases. In the first phase, it uses EAP-TLS to set up a tunnel. In this phase the client authenticates the server. The server is unable to authenticate the client because the client usually uses an anonymous identity in the first phase. In the second phase, EAP-TTLS uses another authentication method (can be other EAPs or MS-CHAP) in the tunnel. In this phase, the client uses its actual identity. The server will authenticate the client. Therefore, mutual authentication is achieved. In contrast, EAP-TLS uses only one phase, which is the TLS handshake phase, to complete the mutual authentication. As a result, the identity is exposed in clear text in the first EAP-TLS message.

2) EAP-TLS requires certs to be used at both client and server sides for mutual authentication. Therefore, key management is slightly more complex than EAP-TTLS. On the other hand, EAP-TTLS has a choice of using a cert for the server authentication and other authentication credentials such as certs or passwords for client authentication.

3) If you are using EAP-TLS in the tunnel of EAP-TTLS, the authentication process will take slightly longer because EAP-TTLS will perform 2 EAP-TLS: one for setting up the tunnel, and another inside the tunnel. Whereas EAP-TLS will only perform the message exchanges of 1 EAP-TLS, using a smaller number of message exchanges. Of course, if the tunnel in EAP-TTLS is not using EAP-TLS, it will be another story.

Bryan

> Date: Wed, 13 Aug 2008 08:50:21 +0200
> From: martincschneider at googlemail.com
> To: hostap at lists.shmoo.com
> Subject: Re: EAP-TLS vs. EAP-TTLS
>
> Hello Jouni and others
>
> Thanks for your reply.
>
> > > EAP-TLS is *only* used for mutual authentication based on certificates
> > > between client and server. But it won't establish a TLS tunnel, that can be
> > > used for executing other/additional EAP methods.
> >
> > Yes, or well, to be exact, EAP-TLS is actually completing the TLS
> > handshake and in some sense, the tunnel would be established for
> > application data, it is just not used in practice since EAP-TLS is
> > completed at that point.
>
> Ok, so it is possible, but nobody uses it.
>
> Just to be sure that I got everything right: the correct way is
> executing EAP-TTLS (or PEAP or FAST), that will
>
> a.) authenticate Server and optionally Client
> b.) establish a secure tunnel between Client and Server
>
> and
>
> c.) execute -if needed- additional EAP methods secured by the tunnel.
>
> Is this correct?
>
> What I still do not understand is the difference between EAP-TTLS
> (that optionally might authenticate the client using the client cert)
> and EAP-TTLS / EAP-TLS. Is the only difference that, when I perform
> EAP-TLS as the "inner" method, the username won't be visible in plaintext on
> the wire, since EAP-TLS is executed via the tunnel?
>
> Regards,
> Martin
> _______________________________________________
> HostAP mailing list
> HostAP at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/hostap
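As an added illustration, not part of the original thread, here are the three deployments Bryan contrasts written as wpa_supplicant network blocks: plain EAP-TLS, EAP-TTLS with a password inside the tunnel, and EAP-TTLS with EAP-TLS as the inner method. The SSID, realm, certificate paths and credentials are placeholder assumptions, not values from the post; the options themselves (`eap`, `anonymous_identity`, `phase2`, `ca_cert`, the `*2` phase-2 variants) are standard wpa_supplicant.conf settings.

```conf
# Added example, not from the original thread. SSID, realm, paths and
# credentials are placeholders. Pick ONE of the three blocks per network;
# all three are shown side by side only for comparison.

# (a) Plain EAP-TLS: a single TLS handshake carries mutual authentication.
#     The identity below goes out in the clear in EAP-Response/Identity,
#     and the client needs its own certificate and private key.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="alice@example.org"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    client_cert="/etc/wpa_supplicant/alice.pem"
    private_key="/etc/wpa_supplicant/alice.key"
    private_key_passwd="change-me"
}

# (b) EAP-TTLS with MSCHAPv2 inside the tunnel: only the server needs a
#     certificate. The outer identity is anonymous (only the realm is
#     visible on the air); the real username and password travel inside
#     the tunnel. ca_cert is what stops a rogue AP from terminating the
#     tunnel itself and harvesting the inner MSCHAPv2 exchange.
#     domain_suffix_match is newer than this 2008 thread; older builds
#     use subject_match / altsubject_match for the same purpose.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="s3cret"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="auth=MSCHAPV2"
}

# (c) EAP-TTLS with EAP-TLS as the inner method (Bryan's point 3): two TLS
#     handshakes, one for the tunnel and one inside it. The client
#     certificate and the real identity are both hidden from the air, at
#     the cost of a longer exchange. Phase-2 credentials use the *2 options.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=TTLS
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    ca_cert="/etc/wpa_supplicant/ca.pem"
    domain_suffix_match="radius.example.org"
    phase2="autheap=TLS"
    ca_cert2="/etc/wpa_supplicant/ca.pem"
    client_cert2="/etc/wpa_supplicant/alice.pem"
    private_key2="/etc/wpa_supplicant/alice.key"
    private_key2_passwd="change-me"
}
```

Two practical checks follow from the thread. First, the privacy gain of (b) and (c) only exists if `anonymous_identity` is actually set; without it, wpa_supplicant puts `identity` in the clear-text EAP-Response/Identity, exactly as in (a). Second, leaving out `ca_cert` in (b) makes the tunnel authenticate nobody, so the "mutual authentication" Bryan describes for the second phase collapses to the client handing its inner credentials to whichever server answers.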

