Hi, I have problems with some of the cryptographic binding claims in the curent document (draft-ietf-emu-eaptunnel-req-00.txt) and would like to discuss them on the list. Basically it is about claiming cryptographic bindings for MitM protection even if the inner method(s) does not derive keys.
Section 3.1 Password Authentication "The tunnel method MUST meet this use case. However, it MUST NOT expose the username and password to untrusted parties and it MUST provide protection against man-in-the-middle and dictionary attacks." KH: How is the last MUST possible? The considered password authentication methods typically do not derive keying material. As result, the cryptographic binding key has only the tunnel key as input, i.e. no actual binding is provided. Consequently, MitM attacks are still feasible. The only way to ensure that MitM attacks are prevented for inner method that do NOT derive keys is to enforce a policy that does not allow those EAP methods to be executed outside a tunnel. However, this is a policy and cannot be ensured by a tunnel-based EAP method itself. Section 3.2 Protect Weak EAP Methods "The tunnel method MUST support protection of weak inner methods and protect against man-in-the-middle attacks associated with tunneled authentication." KH:Same comment as above. If the EAP methods does not derive a key -> no binding takes place. If the key exchange is weak and can be broken by an MitM during the protocol execution, the attack still succeeds. Again only enforcing a security policy can prevent these attacks. I don't know how to address this problem since a candidate tunnel method cannot enforce policies. However, the MUST statements cannot be met as stated in the current draft. Any thoughts??? Regards, Katrin _______________________________________________ Emu mailing list Emu@ietf.org https://www.ietf.org/mailman/listinfo/emu