NIST spells out security requirements for wireless access
Draft of new special pub on EAP issued for public comment
- By William Jackson
- Jan 05, 2009
The increasing mobility of workers and the proliferation of powerful mobile networking tools has made wireless access to government information resources a given, and along with that has come security concerns. The National Institute of Standards and Technology addresses these concerns in a draft of a new publication.
NIST has released for public comment recommended security requirements for authentication methods under the Extensible Authentication Protocols, or EAP.
Because EAP is extensible it is not a specific authentication mechanism and can vary from platform to platform. It provides common ways of negotiating an authentication mechanism when accessing a network. NIST Special Publication 800-120, titled Recommendation for EAP Methods Used in Wireless Network Access Authentication, spells out how agencies should assess the security of these mechanisms.
“These assessments must be based on a well-defined set of common security requirements for EAP methods used for wireless access authentication and key establishment for link protection,” the publication says.
EAP has evolved from its original function of supporting password authentication over dial-up Point-to-Point Protocol connections, and today it often is associated with wireless access technologies such as Wi-Fi and WiMax.
“In such environments and with much more sophisticated modern Internet attack models, naïve implementations of early EAP methods are insecure,” NIST says.
Some EAP methods support a suite of cryptographic schemes and algorithms, while others support only one. This diversity in the protocols enables the use of a variety of authentication methods and ways of establishing cryptographic keys to protect access and transmission. “Security assessments of each EAP method with all its supported cryptographic algorithms and schemes are crucial for securely launching wireless applications and providing mobility services,” NIST says.
The recommendations set out in SP 800-120 are intended to be applicable to government EAP authentication servers and to mobile devices accessing them. The publication specifies several preconditions for using EAP on government networks:
• Secure setup of long-term credentials prior to use in EAP. This includes generation, storage and management of credentials and keys.
• Secure connections to backend networks being accessed. EAP assumes that wired and wireless connections used in the authentication process already are secure.
• Access by authentication servers to information used by remote users for authentication. The server must be able to verify the accuracy, authenticity and authorization of all information used by all entities participating in the process.
NIST strongly encourages that all cryptographic algorithms used in EAP comply with requirements and specification in existing special publications and in Federal Information Processing Standards publications. Only ciphersuites meeting all the requirements in SP 800-120 can be used in EAP for government applications.
The publication also includes a discussion of the compliance of some commonly used EAP methods, including EAP-GPSK, EAP-TLS, EAP-TTLSv0 and EAP-FAST. “However, this selection is purely illustrative and does not represent favorable methods for federal use,” NIST says.
Comments on the draft recommendations should be sent by Jan. 30 to email@example.com with “Comments on SP 800-120” in the subject line.
William Jackson is a Maryland-based freelance writer.