Sending EAP Identity Encrypted
alan furlong
alan250985 at gmail.com
Thu Sep 22 13:35:55 PDT 2016
Thanks Jouni.
On Thu, Sep 22, 2016 at 1:02 PM, Jouni Malinen <j at w1.fi> wrote:
> On Thu, Sep 22, 2016 at 09:47:27AM -0700, alan furlong wrote:
>> Just to add more info to this. I'm only looking for encryption of
>> username part of NAI, and there is no outer tunnel possibility to
>> protect the identity in the scenario I'm dealing with.
>
> Why would you need to that instead of using anonymous username and
> exchange the real identity in protected manner within the actual EAP
> authentication method?
Few reasons could be -
1. The inner EAP method supports mutual authentication.
2. TLS based outer tunnel could be expensive in terms of crypto and
does not offer much except privacy protection. Also pinning server
certificate may add overheads.
3. The EAP method will have to support crypto binding (PEAPv2, FAST, TEAP ?)
Which EAP method(s) are you thinking of using?
EAP-SIM and EAP-AKA
>
>> On Thu, Sep 22, 2016 at 9:06 AM, alan furlong <alan250985 at gmail.com> wrote:
>> > Is it possible to configure wpa_supplicant to send EAP Identity
>> > encrypted for privacy reasons?
>
> It is not really a question of configuration option on the client side.
> There is no specification of a protocol for doing this nor support on
> the authentication servers for doing something like this. Nor need for
> this if the EAP authentication method supports protected exchange of
> identities.
Thanks,
-Alan
>
> --
> Jouni Malinen PGP id EFC895FA
More information about the Hostap
mailing list