On Sun, Nov 2, 2008 at 11:00 PM, Joseph Salowey (jsalowey) <[EMAIL PROTECTED]> wrote:

>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Katrin Höper
> > Sent: Friday, October 31, 2008 8:22 AM
> > To: emu@ietf.org
> > Subject: [Emu] Review of Requirements for a Tunnel Based EAP Method
> >
> > Hi,
> >
> > I have problems with some of the cryptographic binding claims
> > in the current document (draft-ietf-emu-eaptunnel-req-00.txt)
> > and would like to discuss them on the list.
> > Basically it is about claiming cryptographic bindings for
> > MitM protection even if the inner method(s) does not derive keys.
> >
> > Section 3.1 Password Authentication
> > "The tunnel method MUST meet this use case. However, it MUST
> > NOT expose the username and password to untrusted parties and
> > it MUST provide protection against man-in-the-middle and
> > dictionary attacks."
> >
> > KH: How is the last MUST possible? The considered password
> > authentication methods typically do not derive keying
> > material. As a result, the cryptographic binding key has only
> > the tunnel key as input, i.e. no actual binding is provided.
> > Consequently, MitM attacks are still feasible.
> > The only way to ensure that MitM attacks are prevented for
> > inner methods that do NOT derive keys is to enforce a policy
> > that does not allow those EAP methods to be executed outside
> > a tunnel. However, this is a policy and cannot be ensured by
> > a tunnel-based EAP method itself.
> >
> [Joe] What we want to say is that the tunnel itself MUST provide MitM
> protection and MUST not weaken any MitM protection provided by an inner
> method.
>

[Katrin]: How can a tunnel in which only the authentication server is
authenticated provide MitM protection?

>
>
> > Section 3.2 Protect Weak EAP Methods
> > "The tunnel method MUST support protection of weak inner
> > methods and protect against man-in-the-middle attacks
> > associated with tunneled authentication."
> >
> > KH: Same comment as above. If the EAP method does not derive
> > a key -> no binding takes place. If the key exchange is weak
> > and can be broken by an MitM during the protocol execution,
> > the attack still succeeds.
> > Again only enforcing a security policy can prevent these attacks.
> >
> [Joe] Same text as above.  Protection from MitM offered by the tunnel
> method combined with an inner method MUST NOT be worse than the inner method
> run outside the tunnel.
>
> > I don't know how to address this problem since a candidate
> > tunnel method cannot enforce policies.
> > However, the MUST statements cannot be met as stated in the
> > current draft.
> >
> > Any thoughts???
> >
> > Regards,
> > Katrin
> > _______________________________________________
> > Emu mailing list
> > Emu@ietf.org
> > https://www.ietf.org/mailman/listinfo/emu
> >
>
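Added example (not part of the original thread or of the draft): a minimal model of the binding check discussed above, showing why a binding key whose only secret input is the tunnel key cannot tell the party that terminated the tunnel apart from the party that ran the inner method. The KDF, the labels, the all-zero stand-in for a missing inner key and every function name are assumptions made for illustration; they are not the derivation of any actual tunnel method.

```python
import hashlib
import hmac
from typing import Optional

# Assumption: stand-in value mixed in when the inner method exports no key.
ZERO_KEY = bytes(32)


def compound_key(tunnel_key: bytes, inner_key: Optional[bytes]) -> bytes:
    """Simplified KDF: mix the tunnel key with the inner method's key."""
    material = b"binding" + (inner_key if inner_key is not None else ZERO_KEY)
    return hmac.new(tunnel_key, material, hashlib.sha256).digest()


def binding_mac(tunnel_key: bytes, inner_key: Optional[bytes], nonce: bytes) -> bytes:
    """MAC over the server's nonce, keyed with the compound key."""
    return hmac.new(compound_key(tunnel_key, inner_key), nonce, hashlib.sha256).digest()


def server_accepts(tunnel_key: bytes, inner_key: Optional[bytes],
                   nonce: bytes, mac: bytes) -> bool:
    """Server side: recompute the binding MAC and compare in constant time."""
    return hmac.compare_digest(binding_mac(tunnel_key, inner_key, nonce), mac)


def tunnel_only_binding_accepted(inner_derives_key: bool) -> bool:
    """True if a MAC built from the tunnel key alone passes the server's check.

    Models a tunnel endpoint that did NOT run the inner method itself
    (the inner exchange was run by another party outside the tunnel).
    All keys below are constructed sample values.
    """
    tunnel_key = hashlib.sha256(b"constructed tunnel key").digest()
    nonce = hashlib.sha256(b"constructed nonce").digest()[:16]
    # Known only to the server and the party that really ran the inner method.
    inner_key = (hashlib.sha256(b"constructed inner key").digest()
                 if inner_derives_key else None)
    # The tunnel endpoint knows tunnel_key but no inner-method key.
    mac = binding_mac(tunnel_key, None, nonce)
    return server_accepts(tunnel_key, inner_key, nonce, mac)


if __name__ == "__main__":
    print("inner method derives no key:", tunnel_only_binding_accepted(False))
    print("inner method derives a key: ", tunnel_only_binding_accepted(True))
```
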