In Section 2 of draft-hartman-emu-mutual-crypto-bind-00: "The print server offers a tunnel method towards the peer. The print server extracts the inner method from the tunnel and sends it on towards the AAA server. Channel binding happens at the tunnel method though. So, the print server is happy to confirm that it is the financial application. After the inner method completes, the EAP server sends the MSK to the print server over the AAA protocol. If only the MSK is needed for cryptographic binding then the print server can successfully perform cryptographic binding and may be able to impersonate the financial application to the peer."
The print server offers a tunnel method towards the peer, and channel binding is adopted. According to Section 4.2 in draft-ietf-emu-chbind-14, "The channel bindings MUST be transported with integrity protection based on a key known only to the peer and EAP server." Section 6 in draft-ietf-emu-chbind-14 says: "The channel binding protocol defined in this document must be transported after keying material has been derived between the EAP peer and server, and before the peer would suffer adverse effects from joining an adversarial network."

To my understanding, right prior to finishing tunnel establishment, the EAP peer and EAP server (the print server in the server insertion attack case) should have exchanged channel binding with integrity protection by a key known only to the EAP peer and EAP server (the MSK in this case). But the print server does not know the MSK yet, so the channel binding could not pass verification by the EAP peer. Then the peer should not continue with the inner method, the print server could not use a non-tunneled inner method without cooperation of the peer, the print server could not get the MSK from the EAP server, and the server insertion attack fails even though the peer does not check the print server's or EAP server's cert. Have I missed something?

Regards,
-Sujing Zhou