Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Where EAP Security Claims Fail



Katrin Hoeper, Lei Chen


The Extensible Authentication Protocol (EAP) is widely used as an authentication framework to control the access to wireless networks, e.g. in IEEE 802.11 and IEEE 802.16 networks. In this paper, we discuss limitations of EAP security and demonstrate how these limitations can be exploited to launch attacks on existing EAP methods. In particular, we present a series of attacks which cause some standard security claims, namely channel binding, protected ciphersuite negotiation and cryptobinding, to fail and compromise the key exchange, authentication and privacy of EAP communications. Next, we identify the special security challenges of EAP systems that may cause the considered security claims to fail.  EAP differs from other authentication frameworks as a two party protocol, like IKE and TLS, because it is conducted with three parties involved across two communication links with different media. Another security challenge of EAP is the negotiability of EAP methods, ciphersuites, and protocol versions. These challenges make it difficult to derive a trust model for EAP and to securely adopt existing protocols. Finally, we conclude with recommendations for more secure EAP implementations.
Proceedings Title
Reliability, Security and Robustness (QShine 2007)
Conference Dates
August 14-17, 2007
Conference Location
Vancouver, CA
Conference Title
The Fourth International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness (QShine 2007)


Extensible Authentication Protocol, Wireless Security


Hoeper, K. and Chen, L. (2007), Where EAP Security Claims Fail, Reliability, Security and Robustness (QShine 2007), Vancouver, CA (Accessed June 24, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created August 14, 2007, Updated January 27, 2020