DocumentCode
3236946
Title
Making the case for EAP channel bindings
Author
Clancy, T. Charles ; Hoeper, Katrin
Author_Institution
Univ. of Maryland, College Park, MD
fYear
2009
fDate
March 30 2009-April 1 2009
Firstpage
1
Lastpage
5
Abstract
In current networks that use EAP and AAA for authenticated admission control, such as WiFi, WiMAX, and various 3G internetworking protocols, a malicious base station can advertise false information to prospective users in an effort to manipulate network access in some way. This paper identifies and discusses the resulting threats (e.g. the lying NAS problem in enterprise networks and the newly identified lying provider problem in roaming environments) and shows how these threats can be exploited for a number of attacks, including traffic herding, denial of service, cryptographic downgrade attacks, and forced roaming. Finally, the paper presents how an EAP channel binding protocol can thwart the identified attacks by allowing a client to inform the EAP server about the unauthenticated information it received during the network selection process. The back-end server can then ensure the consistency of the advertised information with its configured policy. As a result, EAP channel bindings enable an end-to-end validation of network properties, which is otherwise infeasible in existing AAA infrastructures. Standardization activities currently exist within the IETF to implement this technique.
Keywords
message authentication; protocols; telecommunication congestion control; 3G internetworking protocols; WiFi; WiMAX; authenticated admission control; back-end server; base station; cryptographic downgrade attacks; denial of service attack; extensible authentication protocol; network access; Access protocols; Admission control; Base stations; Computer crime; Cryptographic protocols; Cryptography; Internetworking; Network servers; Telecommunication traffic; WiMAX;
fLanguage
English
Publisher
ieee
Conference_Titel
Sarnoff Symposium, 2009. SARNOFF '09. IEEE
Conference_Location
Princeton, NJ
Print_ISBN
978-1-4244-3381-0
Electronic_ISBN
978-1-4244-3382-7
Type
conf
DOI
10.1109/SARNOF.2009.4850319
Filename
4850319