Strong mutual authentication in a user-friendly way in EAP-TLS

EAP-TLS is one of the best authentication schemes in wireless networks. To make it one of the most secure ones, a client has to authenticate itself using certificates, which allow to authenticate client and server mutually. But as certificates are widespread in a business environment but only less used by private users, mutual authentication in EAP-TLS for public hot-spots is not suitable. Therefore several solutions emerged, which on the one hand disclaim EAP completely, or on the other hand establish secure server authenticated EAP-TLS tunnels and use other EAP protocols inside this tunnel to authenticate the client. However, apart from reducing the level of security, these solutions usually do not provide automated login procedures and/or are not suitable for small devices. We propose a way to make EAP-TLS with mutual authentication more comfortable even for private users. To do so, we propose to use Trusted Platform Modules with their integrated certificate infrastructure. This leads to an authentication scheme, which can be used on full computers as well as on embedded devices. Furthermore, it will provide the possibility for automated login and real anonymity support.