Communication Security: Remote Access and Messaging • Chapter 3 111
EAP
EAP was originally defined under RFC 2284 and then redefined under the
Internet Engineering Task Force (IETF) Internet draft dated September 13, 2002.
EAP is an authentication protocol designed to support several different authentication
mechanisms. It runs directly over the data link layer and does not require the
use of Internet Protocol (IP).
NOTE
You can read more on the IETF Internet draft on EAP at
www.potaroo.net/ietf/ids/draft-ietf-pppext-rfc2284bis-06.txt.
EAP comes in several different forms:
■ EAP over IP (EAPoIP)
■ Message Digest Algorithm/Challenge-Handshake Authentication Protocol (EAP-MD5-CHAP)
■ EAP-TLS
■ EAP-TTLS
■ RADIUS
■ LEAP Cisco
Each form of EAP has its own characteristics, but for the purpose of the
Security+ exam you will only need to know what it is and its different formats.
Vulnerabilities
802.1x is not without its share of vulnerabilities. WEP uses a stream cipher
known as the RC4 encryption algorithm. A stream cipher operates by expanding a
short key into a key stream. The sender combines the key stream with the original
message (known as the plaintext message) to produce ciphertext. The receiver has a
copy of the same key, and uses it to generate an identical key stream. The receiver
then applies the key stream to the ciphertext to recover the plaintext message.
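The stream-cipher operation described above, as an added example that is not from the original book: a minimal RC4 in Python that expands a short key into a key stream, combines it with the plaintext by XOR, and lets a receiver holding the same key reverse the step. The key and message are constructed sample values, and the function names are chosen for this example.

```python
def rc4_keystream(key: bytes, length: int) -> bytes:
    """Expand a short key into `length` bytes of RC4 key stream."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes long")
    # Key-scheduling algorithm: permute the 256-byte state using the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm: emit one key stream byte per step.
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor_bytes(data: bytes, stream: bytes) -> bytes:
    """Combine data with a key stream of the same length, byte by byte."""
    return bytes(d ^ k for d, k in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Sender side: key -> key stream -> XOR with plaintext -> ciphertext."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Receiver side: same key -> identical key stream -> XOR again."""
    return xor_bytes(ciphertext, rc4_keystream(key, len(ciphertext)))


if __name__ == "__main__":
    key = b"Key"              # constructed sample key
    message = b"Plaintext"    # constructed sample message
    ciphertext = encrypt(key, message)
    print("key stream:", rc4_keystream(key, len(message)).hex())
    print("ciphertext:", ciphertext.hex())
    print("recovered: ", decrypt(key, ciphertext))
```

Encryption and decryption are the same XOR operation, so everything depends on both sides deriving an identical key stream from the shared key.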
www.syngress.com