Page 450 - From GSM to LTE

436  From GSM to LTE-Advanced Pro and 5G

[Figure 6.23: EAP-TLS authentication. Message flow between the client and the access point; the access point forwards the EAP messages to the authentication server (AS).]
    Open system authentication and association procedure
    EAP identity request
    EAP identity response
    EAP authentication server certificate (public key of the authentication server)
    EAP client certificate (public key of the client)
    EAP client session key (encrypted with the client's public key)
    EAP server session key (encrypted with the server's public key)
    EAP success (the AS sends the success message and the session keys to the access point)

Figure 6.23  EAP-TLS authentication.


generate the session keys that are exchanged between the client device and the network and are then used to encrypt the data traffic over the air interface.

After the session key has been encrypted by the sender with the public key of the receiver, it can be securely sent over the air interface and can only be decrypted on the receiver side with the private key, as shown in Figure 6.23. As the private keys are never exchanged between the two parties, it is not possible to obtain the session key by intercepting the message exchange during the authentication process. A disadvantage of certificates, however, is that the certificates have to be installed on the client device. This is more complicated than simply assigning passwords, but much more secure. Not shown in Figure 6.23 is the exchange of session keys for broadcast frames, which is performed right after a successful authentication.

During the authentication phase, the AP only permits the exchange of data with the authentication server. Only after the authentication has been performed successfully, and after the authentication server has informed the AP about the proper authentication, will the AP grant full access to the network. At this point, the user data frames are already encrypted. Usually, the first user data packet is a DHCP request to receive an IP address from the network.

The EAP-TLS authentication procedure is very similar to TLS and Secure Sockets Layer (SSL). These protocols are used by Secure Hypertext Transfer Protocol (HTTPS) for the authentication and the generation of session keys for secure connections between a web server and a web browser. The main difference between the EAP-TLS and HTTPS TLS authentication procedures is that EAP-TLS performs a mutual authentication, while HTTPS TLS is usually used only to authenticate the web server to the web browser.
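The following simulation is an added example and is not part of the book; it walks through the message order of Figure 6.23 and the three points made in the text above: each side's key material is encrypted with the receiver's public key and opened only with the receiver's private key, the access point relays nothing but EAP traffic until the authentication server reports success (so an early DHCP request is dropped), and authentication is mutual, so a network whose certificate is not signed by the trusted CA is rejected by the client. Everything cryptographic is a constructed stand-in: textbook RSA over small primes found at run time, a truncated hash as the "certificate" signature, and the assumption that the two session-key messages in the figure are combined by hashing into one pairwise key. None of this is secure or real TLS; it only shows who can read which message.

```python
"""Added walk-through of the EAP-TLS flow in Figure 6.23 (not from the book).
Toy RSA over small constructed primes and a hash-based "certificate" stand in for
X.509/TLS; they show who can read which message, not real-world security."""
import hashlib
import math
import secrets


def next_prime(n):
    """Smallest prime >= n by trial division; fine for the ~10**6 toy primes used here."""
    while any(n % d == 0 for d in range(2, math.isqrt(n) + 1)):
        n += 1
    return n


def make_keypair(seed, e=65537):
    """Toy RSA pair (pub, priv). Modulus ~10**12, so one 4-byte block fits. Never use for real."""
    p = next_prime(seed)
    q = next_prime(p + 1)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:      # e must be invertible modulo phi
        q = next_prime(q + 1)
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)


def rsa_encrypt(pub, data):
    """Textbook RSA, 4 bytes per block, no padding (a toy; real TLS pads or uses (EC)DHE)."""
    e, n = pub
    return [pow(int.from_bytes(data[i:i + 4], "big"), e, n) for i in range(0, len(data), 4)]


def rsa_decrypt(priv, blocks):
    d, n = priv
    return b"".join((pow(c, d, n) % (1 << 32)).to_bytes(4, "big") for c in blocks)


def cert_digest(subject, pub):
    """4-byte truncation of SHA-256 so the value fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(f"{subject}|{pub}".encode()).digest()[:4], "big")


def issue_cert(signer_priv, subject, pub):
    d, n = signer_priv
    return {"subject": subject, "pub": pub, "sig": pow(cert_digest(subject, pub), d, n)}


def verify_cert(cert, ca_pub):
    e, n = ca_pub
    return pow(cert["sig"], e, n) == cert_digest(cert["subject"], cert["pub"])


class Peer:
    """Client device or authentication server; with ca_priv=None the peer self-signs."""
    def __init__(self, name, seed, ca_priv):
        self.pub, self.priv = make_keypair(seed)
        self.cert = issue_cert(ca_priv or self.priv, name, self.pub)
        self.secret = None


class AccessPoint:
    """Port rule from the text: until the AS reports success, only EAP frames are
    relayed (to the AS); user data such as the first DHCP request is dropped."""
    def __init__(self):
        self.session_key = None

    def forward(self, frame):
        kind, _payload = frame
        if kind == "EAP":
            return "to-AS"
        return "dropped" if self.session_key is None else "to-network"


def run_eap_tls(client, server, ap, ca_pub, wire):
    """Figure 6.23 in order. `wire` records everything sent over the air interface."""
    wire += [("EAP", "identity-request"), ("EAP", "identity-response")]
    wire.append(("EAP", ("server-cert", server.cert)))
    if not verify_cert(server.cert, ca_pub):             # client authenticates the network
        return False, None, None
    wire.append(("EAP", ("client-cert", client.cert)))
    if not verify_cert(client.cert, ca_pub):             # AS authenticates the client: mutual
        return False, None, None
    client.secret, server.secret = secrets.token_bytes(16), secrets.token_bytes(16)
    # each side encrypts its key material with the *receiver's* public key ...
    wire.append(("EAP", ("client-key", rsa_encrypt(server.pub, client.secret))))
    wire.append(("EAP", ("server-key", rsa_encrypt(client.pub, server.secret))))
    # ... and only the receiver's private key opens it; both derive the same key (assumed derivation)
    client_key = hashlib.sha256(client.secret + rsa_decrypt(client.priv, wire[-1][1][1])).digest()
    server_key = hashlib.sha256(rsa_decrypt(server.priv, wire[-2][1][1]) + server.secret).digest()
    ap.session_key = server_key                           # AS -> AP: success + session key (wired side)
    wire.append(("EAP", "success"))
    return True, client_key, server_key


def eavesdrop(wire, attacker_priv):
    """A passive listener holding only its own private key gets garbage from the key messages."""
    return [rsa_decrypt(attacker_priv, msg[1]) for _, msg in wire
            if isinstance(msg, tuple) and msg[0].endswith("-key")]


def demo(rogue_server=False):
    ca_pub, ca_priv = make_keypair(1_000_000)            # constructed seeds for the toy primes
    client = Peer("client", 1_100_000, ca_priv)
    server = Peer("auth-server", 1_200_000, None if rogue_server else ca_priv)
    ap, wire = AccessPoint(), []
    before = ap.forward(("DHCP", "discover"))            # user data before authentication
    ok, client_key, server_key = run_eap_tls(client, server, ap, ca_pub, wire)
    after = ap.forward(("DHCP", "discover"))
    leaked = ok and any(s in eavesdrop(wire, make_keypair(1_300_000)[1])
                        for s in (client.secret, server.secret))
    return {"success": ok, "keys_match": ok and client_key == server_key == ap.session_key,
            "dhcp_before": before, "dhcp_after": after, "eavesdropper_got_key": leaked}


if __name__ == "__main__":
    print(demo())                    # honest AS: authenticated, matching keys, DHCP passes only afterwards
    print(demo(rogue_server=True))   # self-signed AS certificate: client aborts, port stays closed
```

Running `demo()` shows the honest case: the DHCP request sent before EAP success is dropped, the one sent afterwards is forwarded, client, authentication server and access point hold the same key, and decrypting the captured key messages with any other private key yields nothing useful. `demo(rogue_server=True)` exercises the mutual-authentication point from the last paragraph: because the client checks the server's certificate against the trusted CA before sending anything further, an unauthenticated network never receives the client's key material and the port stays closed.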