Credential Provisioning and Peer Configuration with Extensible Authentication Protocol
Publisher: Tartu Ülikool (University of Tartu)
Abstract
The Internet of Things (IoT) contains an increasing number of diverse objects, ranging
from simple sensors to smart speakers and industrial appliances. The continuing growth
in the number and the diversity of connected devices within enterprises and homes
complicates their management. Vendor-specific protocols cannot solve this problem.
The Extensible Authentication Protocol (EAP) is a framework for negotiating and running EAP
methods, i.e. authentication protocols between a client (peer) and an authentication server. Tens of
different EAP methods exist, and EAP is widely adopted in WiFi and cellular networks. In some EAP
methods the server can invoke another, "inner" EAP method for additional authentication
inside the same EAP session.
In this thesis we investigate how to apply EAP for managing devices in wireless networks.
Our approach is to add the possibility of sending short client tokens from the server to the client
within an EAP session. After successful authentication and completion of the EAP session, the
client uses these tokens to access the management servers.
We have designed several options for transferring client tokens inside an EAP session.
These options were then implemented by extending open-source software components
and evaluated experimentally, using Raspberry Pi as a platform.
Based on our analysis and experiments, the most flexible option for sending client tokens
in EAP is a combination of an outer EAP method (EAP-oPROV) that sequentially
runs two inner EAP methods. The first inner method performs peer authentication, and the
tokens are sent to the client in the second inner EAP method (EAP-iPROV). Since the
first inner EAP method is not fixed (it is chosen by the authentication server), there are
many compatible EAP methods for peer authentication in this option. The two new EAP
methods (EAP-oPROV and EAP-iPROV) could be standardized in the future.
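The following Python simulation is an added illustration of the exchange the abstract describes, not code from the thesis or its implementation. It runs an outer method that sequentially invokes two inner EAP methods: the first authenticates the peer, the second delivers tokens. The packet layout, Codes, the Identity/Nak/MD5-Challenge Types and the Expanded Type (254) are from RFC 3748; everything else is an assumption made for the example: EAP-MD5-Challenge is used as the first inner method only because it is short to implement, the two new methods are carried as Expanded Types under a made-up Vendor-Id with assumed Vendor-Types, the token encoding is a simple TLV, and the shared secret, challenge and token values are constructed sample data.

```python
"""Added example (not from the thesis): toy outer EAP method that sequentially
runs two inner EAP methods. Vendor-Id, Vendor-Types and TLV format are assumed."""
import hashlib
import struct

# EAP Codes and standard Types (RFC 3748)
REQUEST, RESPONSE, SUCCESS, FAILURE = 1, 2, 3, 4
TYPE_NAK, TYPE_MD5, TYPE_EXPANDED = 3, 4, 254
VENDOR_ID = 0xFFFFFF   # assumed; not a registered SMI enterprise number
OPROV, IPROV = 1, 2    # assumed Vendor-Types for EAP-oPROV / EAP-iPROV

def encode(code, ident, etype=None, data=b""):
    """Build an EAP packet: Code(1) Identifier(1) Length(2) [Type(1) Type-Data]."""
    body = b"" if etype is None else bytes([etype]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body

def decode(pkt):
    """Parse an EAP packet, checking Length; returns (code, ident, type, type_data)."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt) or length < 4:
        raise ValueError("bad EAP Length")
    if code in (SUCCESS, FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("Request/Response without Type")
    return code, ident, pkt[4], pkt[5:]

def expanded(vendor_type, payload):
    """Expanded Type data: Vendor-Id(3) Vendor-Type(4) then the wrapped payload."""
    return VENDOR_ID.to_bytes(3, "big") + struct.pack("!I", vendor_type) + payload

def unwrap(data, vendor_type):
    """Inverse of expanded(); rejects any other vendor or method."""
    if data[:7] != expanded(vendor_type, b""):
        raise ValueError("unexpected Expanded method")
    return data[7:]

class Server:
    """Authentication server: phase 1 runs MD5-Challenge, phase 2 ships tokens."""
    def __init__(self, secret, tokens):
        self.secret, self.tokens, self.phase, self.ident = secret, tokens, 1, 0
        self.challenge = b"\x11" * 16   # constructed; must be random in practice

    def first(self):
        inner = encode(REQUEST, self.ident, TYPE_MD5,
                       bytes([len(self.challenge)]) + self.challenge)
        return encode(REQUEST, self.ident, TYPE_EXPANDED, expanded(OPROV, inner))

    def handle(self, pkt):
        code, ident, etype, data = decode(pkt)
        if code != RESPONSE or etype != TYPE_EXPANDED or ident != self.ident:
            return encode(FAILURE, ident)
        _, iid, itype, idata = decode(unwrap(data, OPROV))
        self.ident += 1
        if self.phase == 1:
            # MD5-Challenge Response Value = MD5(Identifier || secret || Challenge)
            expected = hashlib.md5(bytes([iid]) + self.secret + self.challenge).digest()
            if itype != TYPE_MD5 or idata[1:1 + idata[0]] != expected:
                return encode(FAILURE, ident)
            self.phase = 2   # peer authenticated: start the second inner method
            tlvs = b"".join(struct.pack("!BH", t, len(v)) + v for t, v in self.tokens)
            inner = encode(REQUEST, self.ident, TYPE_EXPANDED, expanded(IPROV, tlvs))
            return encode(REQUEST, self.ident, TYPE_EXPANDED, expanded(OPROV, inner))
        if itype == TYPE_EXPANDED and unwrap(idata, IPROV) == b"ACK":
            return encode(SUCCESS, ident)
        return encode(FAILURE, ident)

class Peer:
    """Client: answers the challenge, then stores the tokens it is given."""
    def __init__(self, secret):
        self.secret, self.tokens = secret, {}

    def handle(self, pkt):
        code, ident, etype, data = decode(pkt)
        if code in (SUCCESS, FAILURE):
            return None
        _, iid, itype, idata = decode(unwrap(data, OPROV))
        if itype == TYPE_MD5:
            challenge = idata[1:1 + idata[0]]
            value = hashlib.md5(bytes([iid]) + self.secret + challenge).digest()
            inner = encode(RESPONSE, iid, TYPE_MD5, bytes([len(value)]) + value)
        elif itype == TYPE_EXPANDED:
            tlvs = unwrap(idata, IPROV)
            while tlvs:   # assumed TLV layout: Type(1) Length(2) Value
                t, n = struct.unpack("!BH", tlvs[:3])
                self.tokens[t], tlvs = tlvs[3:3 + n], tlvs[3 + n:]
            inner = encode(RESPONSE, iid, TYPE_EXPANDED, expanded(IPROV, b"ACK"))
        else:
            inner = encode(RESPONSE, iid, TYPE_NAK, bytes([0]))   # no alternative
        return encode(RESPONSE, ident, TYPE_EXPANDED, expanded(OPROV, inner))

def run(secret=b"constructed-secret", peer_secret=None,
        tokens=((1, b"mgmt-token-constructed"), (2, b"https://mgmt.example"))):
    """Drive one exchange; returns (final EAP Code, tokens the peer received)."""
    server, peer = Server(secret, list(tokens)), Peer(peer_secret or secret)
    pkt = server.first()
    for _ in range(8):
        resp = peer.handle(pkt)
        if resp is None:
            break
        pkt = server.handle(resp)
    return decode(pkt)[0], peer.tokens
```

`run()` ends with an EAP Success and the peer holding both tokens; `run(peer_secret=b"wrong")` ends with a Failure before any token is sent, because the server only enters the second inner method after the first one succeeds. The simulation also makes two practitioner caveats visible that the abstract does not address: EAP-MD5-Challenge authenticates only the peer and derives no keys, so this peer would accept tokens from any server that speaks the format, and the tokens cross the link in the clear. A deployment needs a first inner method that authenticates the server to the peer and a channel protected by keys derived from it before the peer trusts and the server transmits any token.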
Keywords
EAP, IoT, credential, bootstrapping, provisioning, configuration, authentication