> -----Original Message-----
> From: Katrin Höper [mailto:[EMAIL PROTECTED]
> Sent: Monday, November 03, 2008 8:05 AM
> To: Joseph Salowey (jsalowey)
> Cc: emu@ietf.org
> Subject: Re: [Emu] Review of Requirements for a Tunnel Based EAP Method
>
> On Sun, Nov 2, 2008 at 11:00 PM, Joseph Salowey (jsalowey)
> <[EMAIL PROTECTED]> wrote:
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> > Behalf Of Katrin Höper
> > Sent: Friday, October 31, 2008 8:22 AM
> > To: emu@ietf.org
> > Subject: [Emu] Review of Requirements for a Tunnel Based EAP Method
> >
> > Hi,
> >
> > I have problems with some of the cryptographic binding claims
> > in the current document (draft-ietf-emu-eaptunnel-req-00.txt)
> > and would like to discuss them on the list.
> > Basically it is about claiming cryptographic bindings for
> > MitM protection even if the inner method(s) does not derive keys.
> >
> > Section 3.1 Password Authentication
> > "The tunnel method MUST meet this use case. However, it MUST
> > NOT expose the username and password to untrusted parties and
> > it MUST provide protection against man-in-the-middle and
> > dictionary attacks."
> >
> > KH: How is the last MUST possible? The considered password
> > authentication methods typically do not derive keying
> > material. As a result, the cryptographic binding key has only
> > the tunnel key as input, i.e. no actual binding is provided.
> > Consequently, MitM attacks are still feasible.
> > The only way to ensure that MitM attacks are prevented for
> > inner methods that do NOT derive keys is to enforce a policy
> > that does not allow those EAP methods to be executed outside
> > a tunnel. However, this is a policy and cannot be ensured by
> > a tunnel-based EAP method itself.
> >
> > [Joe] What we want to say is that the tunnel itself MUST
> > provide MitM protection and MUST not weaken any MitM
> > protection provided by an inner method.
>
> [Katrin]: How can a tunnel in which only the authentication server
> is authenticated provide MitM protection?

[Joe] If the client authenticates the server then it has protection
from MitM. If there is no client authentication then the server does
not know if there is a MitM.
>
> > Section 3.2 Protect Weak EAP Methods
> > "The tunnel method MUST support protection of weak inner
> > methods and protect against man-in-the-middle attacks
> > associated with tunneled authentication."
> >
> > KH: Same comment as above. If the EAP method does not derive
> > a key -> no binding takes place. If the key exchange is weak
> > and can be broken by an MitM during the protocol execution,
> > the attack still succeeds.
> > Again only enforcing a security policy can prevent these attacks.
> >
> > [Joe] Same text as above. Protection from MitM offered by the
> > tunnel method combined with an inner method MUST NOT be worse
> > than the inner method run outside the tunnel.
> >
> > I don't know how to address this problem since a candidate
> > tunnel method cannot enforce policies.
> > However, the MUST statements cannot be met as stated in the
> > current draft.
> >
> > Any thoughts???
> >
> > Regards,
> > Katrin
> >
> > _______________________________________________
> > Emu mailing list
> > Emu@ietf.org
> > https://www.ietf.org/mailman/listinfo/emu
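An added illustration of the binding argument in the thread above, written for this page and not taken from the draft or from either participant: a simplified, assumed model of compound-key chaining (HMAC-SHA256 stands in for a method-specific PRF, the label and the all-zero MSK for non-key-deriving methods are constructed placeholders) that shows when the Crypto-Binding actually depends on the inner authentication and when it is a function of the tunnel key alone, so that only policy can supply the MitM protection.

```python
import hmac
import hashlib
import os

# Assumed, simplified model of compound-key chaining (HMAC-SHA256 standing in
# for a method-specific PRF). It is not the derivation of any particular tunnel
# method and not code from the draft or from either participant.
LABEL = b"Inner Methods Compound Keys"  # constructed placeholder label
NO_KEY_MSK = bytes(32)                  # what a non-key-deriving inner method contributes


def chain_compound_keys(tunnel_key: bytes, inner_msks: list) -> bytes:
    """Start from the tunnel key and mix in each inner method's MSK in turn."""
    s_imck = tunnel_key
    for msk in inner_msks:
        s_imck = hmac.new(s_imck, LABEL + msk, hashlib.sha256).digest()
    return s_imck


def crypto_binding(tunnel_key: bytes, inner_msks: list, transcript: bytes) -> bytes:
    """Crypto-Binding MAC over the tunnel transcript, keyed with the chained key."""
    key = chain_compound_keys(tunnel_key, inner_msks)
    return hmac.new(key, transcript, hashlib.sha256).digest()


def binding_covers_inner_auth(tunnel_key: bytes, inner_derives_key: list) -> bool:
    """Does the Crypto-Binding change when the inner authentication outcome changes?

    Two independent inner runs are simulated inside the same tunnel: a
    key-deriving inner method yields a fresh MSK each run, while a
    password-only method contributes the fixed all-zero MSK both times.
    """
    transcript = b"constructed tunnel transcript"
    run_a = [os.urandom(32) if d else NO_KEY_MSK for d in inner_derives_key]
    run_b = [os.urandom(32) if d else NO_KEY_MSK for d in inner_derives_key]
    return (crypto_binding(tunnel_key, run_a, transcript)
            != crypto_binding(tunnel_key, run_b, transcript))


def needs_policy_enforcement(inner_derives_key: list) -> bool:
    """True when no inner method derives a key: the binding is then a function
    of the tunnel key alone, so MitM protection has to come from forbidding
    those inner methods outside a tunnel rather than from the binding itself."""
    return not any(inner_derives_key)
```

With `[False]` (a password-only inner method) the binding is identical across runs, which is the case Katrin describes; adding any key-deriving method to the sequence makes the binding vary with the inner result again.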