Credential Provisioning and Peer Configuration with Extensible Authentication Protocol

Thumbnail Image

Files

master_Boire_Sébastien_2021.pdf (1.24 MB)

URL

Journal Title

Journal ISSN

Volume Title

Perustieteiden korkeakoulu | Master's thesis
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.

Authors

Date

2021-06-14

Department

Major/Subject

Security and Cloud Computing

Mcode

SCI3084

Degree programme

Master’s Programme in Security and Cloud Computing (SECCLO)

Language

en

Pages

61+5

Series

Abstract

The Internet of Things (IoT) contains an increasing number of diverse objects, ranging from simple sensors to smart speakers and industrial appliances. The continuing growth in the number and the diversity of connected devices within enterprises and homes complicates their management. Vendor-specific protocols cannot solve this problem.The Extensible Authentication Protocol (EAP) is a framework to negotiate and run EAP methods, i.e. authentication protocols between client and server. Tens of different EAP methods exist, and EAP is widely-adopted in WiFi and cellular networks. In some EAP methods the server can invoke another, “inner” EAP method for additional authentication inside the same EAP session.In this thesis we investigate how to apply EAP for managing devices in wireless networks.Our approach is to add the possibility to send short client tokens from server to client in EAP session. After successful authentication and completion of the EAP session, the client uses these tokens to access the management servers.We have designed several options for transferring client tokens inside an EAP session.These options were then implemented by extending open-source software components and evaluated experimentally, using Raspberry Pi as a platform.Based on our analysis and experiments, the most flexible option for sending client tokens in EAP is by combination of an outer EAP method (EAP-oPROV) that sequentially runs two inner EAP methods. The first inner method does peer authentication, and the tokens are sent to the client in the second inner EAP method (EAP-iPROV). Since the first inner EAP method is not fixed (it is chosen by the authentication server), there are many compatible EAP methods for peer authentication in this option. The two new EAP methods(EAP-oPROV and EAP-iPROV) could be standardized in the future.

Description

Supervisor

Aura, Tuomas

Thesis advisor

Ginzboorg, Philip

Keywords

IoT, EAP, authentication, credential, certificate

Other note

Citation

Permanent link to this item

https://urn.fi/URN:NBN:fi:aalto-202106207479

Collections

[dipl] Perustieteiden korkeakoulu / SCI