Hi Katrin,

  Yes, EAP-pwd uses the password for mutual authentication. If the server
doesn't know the password the exchange will fail. The key differentiator
(from, say, EAP-GPSK) is that it uses a zero knowledge proof and is
resistant to off-line dictionary attack.

  Dan.

On Wed, March 3, 2010 2:33 pm, Hoeper Katrin-QWKN37 wrote:
> Sorry Dan,
>
> Is EAP-pwd using the password for mutual authentication?
>
>> -----Original Message-----
>> From: emu-boun...@ietf.org [mailto:emu-boun...@ietf.org] On Behalf Of
>> Hoeper Katrin-QWKN37
>> Sent: Wednesday, March 03, 2010 4:28 PM
>> To: Dan Harkins
>> Cc: emu@ietf.org
>> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
>>
>> How does that authenticate the server if a user enters a password?
>>
>> If the server says, yes that was the right password?
>>
>>
>>
>> > -----Original Message-----
>> > From: Dan Harkins [mailto:dhark...@lounge.org]
>> > Sent: Wednesday, March 03, 2010 4:14 PM
>> > To: Hoeper Katrin-QWKN37
>> > Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
>> > Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
>> >
>> >
>> >   Since they both use the same low-entropy password to perform their
>> > mutual authentication it is not, strictly speaking, just the peer's
>> > credential.
>> >
>> >   Dan.
>> >
>> > On Wed, March 3, 2010 1:45 pm, Hoeper Katrin-QWKN37 wrote:
>> > >
>> > > See inline.
>> > >> -----Original Message-----
>> > >> From: Dan Harkins [mailto:dhark...@lounge.org]
>> > >> Sent: Wednesday, March 03, 2010 3:39 PM
>> > >> To: Hoeper Katrin-QWKN37
>> > >> Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
>> > >> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
>> > >>
>> > >>
>> > >>   Hi Katrin,
>> > >>
>> > >> On Wed, March 3, 2010 12:31 pm, Hoeper Katrin-QWKN37 wrote:
>> > >> > Dan,
>> > >> >
>> > >> > OK, I understand that the tunnel provides all these other feats.
>> > >> >
>> > >> > But why can't the server authenticate during the tunnel protocol? I
>> > >> > still don't understand the use case for mutually anonymous tunnels.
>> > >>
>> > >>   Because it doesn't have the right credential.
>> > >>
>> > >> > If the server has a certificate why can't it send it to the peer
>> > >> > before or during the tunnel establishment?
>> > >>
>> > >>   If the server has a certificate then sending it to the peer
>> > >> would not really solve any problem. The peer would still need to
>> > >> have a reason to trust it and we're back to the problem of putting
>> > >> a trusted certificate in some certificate store. A global PKI to
>> > >> solve all of our certificate issues still has not materialized.
>> > >>
>> > >> > If the peer and server share a secret, then this could be used to
>> > >> > establish the tunnel.
>> > >>
>> > >>   If the peer and server share a secret they could use one of the PSK
>> > >> ciphersuites for TLS but those are susceptible to a dictionary attack
>> > >> and are therefore inappropriate.
>> > >>
>> > >>   The tunnel is being established with EAP-TLS so we are limited to
>> > >> TLS ciphersuites and the authentication they provide. If a TLS
>> > >> ciphersuite was appropriate always and everywhere then we would not
>> > >> need any other EAP methods, we'd just do EAP-TLS. But that is not the
>> > >> case. Also it is a requirement to tunnel additional EAP methods inside
>> > >> the tunnel so obviously there are EAP methods that provide something
>> > >> that a TLS ciphersuite does not.
>> > >>
>> > >> > What I am saying is what kind of server authentication credentials
>> > >> > could be used inside an anonymous tunnel that could not be used to
>> > >> > authenticate the server in the tunnel protocol? (given that privacy
>> > >> > is not the issue)
>> > >>
>> > >>   A low-entropy password that can easily be remembered and entered by
>> > >> a human with low probability of error.
>> > > [KH] I asked what kind of SERVER credentials not peer credentials.
>> > >>
>> > >>   Dan.
>> > >>
>> > >
>> > >
>> >
>>
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
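Dan's claim that TLS PSK ciphersuites are "susceptible to a dictionary attack" while EAP-pwd is not can be made concrete. The following is an added worked example, not code from this thread, from any EAP-pwd implementation or from any TLS stack. It models the plain-PSK premaster secret layout of RFC 4279 and the TLS 1.2 PRF and Finished computation of RFC 5246 in simplified form (no record layer, no cipher suite negotiation; the `transcript` bytes, the `psk_identity` string and the `WORDLIST` are constructed for the demonstration). The point it shows: in a PSK handshake the Finished value is a deterministic function of values a passive eavesdropper has captured plus the password, so every candidate password can be tested offline with no further interaction. In a PAKE such as EAP-pwd the session key additionally depends on private per-session randomness of both parties, so no such checkable function exists for the eavesdropper; that side is not implemented here.

```python
"""
Offline dictionary attack against a TLS-PSK-style key confirmation.

Added illustration only. Simplified model of RFC 4279 (PSK premaster
secret) and RFC 5246 (TLS 1.2 PRF, Finished message). Constructed inputs:
WORDLIST, the psk_identity string and the fake handshake transcript.
"""
import hashlib
import hmac
import os
import struct
from typing import Optional

# Constructed attacker wordlist; a real one would be millions of entries.
WORDLIST = ["letmein", "hunter2", "Summer2010", "correct horse", "password1"]


def p_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF (RFC 5246 section 5), using P_SHA256 only.

    A(0) = label + seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    """
    seed = label + seed
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def psk_premaster(psk: bytes) -> bytes:
    """RFC 4279 section 2, plain PSK key exchange: uint16 N, N zero octets,
    uint16 N, the PSK itself. Nothing secret besides the PSK goes in."""
    n = len(psk)
    return struct.pack("!H", n) + b"\x00" * n + struct.pack("!H", n) + psk


def finished_verify_data(psk: bytes, client_random: bytes,
                         server_random: bytes, transcript: bytes) -> bytes:
    """master_secret = PRF(premaster, "master secret", cr + sr)[0..47]
    verify_data     = PRF(master, "client finished", Hash(transcript))[0..11]"""
    master = p_sha256(psk_premaster(psk), b"master secret",
                      client_random + server_random, 48)
    return p_sha256(master, b"client finished",
                    hashlib.sha256(transcript).digest(), 12)


def run_handshake(password: str) -> dict:
    """Honest client and server sharing `password` as the PSK.
    Returns exactly what a passive eavesdropper on the wire would capture:
    both randoms, the (constructed) handshake transcript, and the client
    Finished value. No private per-session value enters the computation."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    transcript = (b"ClientHello" + client_random + b"ServerHello" +
                  server_random + b"psk_identity=alice")
    verify = finished_verify_data(password.encode(), client_random,
                                  server_random, transcript)
    return {"client_random": client_random, "server_random": server_random,
            "transcript": transcript, "client_finished": verify}


def offline_crack(capture: dict, wordlist) -> Optional[str]:
    """The attack: recompute the Finished value for each candidate and
    compare with the captured one. Entirely offline, no server contact,
    so rate limiting and lockout on the server never trigger."""
    for cand in wordlist:
        guess = finished_verify_data(cand.encode(), capture["client_random"],
                                     capture["server_random"],
                                     capture["transcript"])
        if hmac.compare_digest(guess, capture["client_finished"]):
            return cand
    return None


if __name__ == "__main__":
    cap = run_handshake("hunter2")
    print("recovered PSK:", offline_crack(cap, WORDLIST))
```

Everything `offline_crack` consumes was visible on the wire; the only unknown is the PSK, which is exactly the property Dan objects to for a low-entropy, human-memorable secret. Using a stronger hash or a longer `verify_data` does not help, since the attacker's cost per candidate is one handshake's worth of PRF evaluations regardless.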