Section 9.2
Additional network entities (such as proxies) might be on the
communication path between peer and server and may attempt to
manipulate the channel binding protocol. If these entities do not
possess the keying material used for integrity protection of the
channel binding messages, the same threat analysis applies as for the
dishonest authenticators. Hence, such entities can neither
manipulate single channel binding messages nor the outcome. On the
other hand, entities with access to the keying material must be
treated like a server in a threat analysis. Hence such entities are
able to manipulate the channel binding protocol without being
detected. However, the required knowledge of keying material is
unlikely since channel binding is executed before the EAP method is
completed, and thus before keying material is typically transported
to other entities.
[BA] Unless the transient EAP keys used for integrity protection are derivable from the MSK, possession of the MSK would not be sufficient to enable an authenticator to modify the channel bindings. As a result, the only entities relevant to the threat analysis are those that possess the TEKs, not just those that possess the MSK or other derived keys.
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
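The distinction drawn in this exchange (an on-path entity without the integrity key, an entity holding only the MSK, and an entity holding the TEK) can be shown concretely with an HMAC-protected channel binding message. The following is an added illustration, not code from the draft or from anyone on this thread; it assumes a generic HMAC-SHA256 tag over the binding, and the key names TEK and MSK are constructed values chosen independently, which models the reply's assumption that the TEK is not derivable from the MSK. Real EAP methods define their own key hierarchy and message formats.

```python
import hashlib
import hmac
from typing import Optional

# Constructed keys. In a real EAP method both come from the method's key hierarchy;
# here they are independent random-looking constants so the example is deterministic.
TEK = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0112233445566778899aabbccddeeff00")
MSK = bytes.fromhex("00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff00ff")
TAG_LEN = hashlib.sha256().digest_size


def protect(channel_binding: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed under `key` to the channel binding message."""
    tag = hmac.new(key, channel_binding, hashlib.sha256).digest()
    return channel_binding + tag


def verify(protected: bytes, key: bytes) -> Optional[bytes]:
    """Return the binding if the tag verifies under `key`, otherwise None."""
    body, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body if hmac.compare_digest(tag, expected) else None


def on_path_rewrite(protected: bytes, new_binding: bytes, attacker_key: Optional[bytes]) -> bytes:
    """Model an on-path entity replacing the binding.

    Without any key it can only splice the old tag onto the new body; with a key it
    recomputes the tag under whatever key it holds.
    """
    if attacker_key is None:
        return new_binding + protected[-TAG_LEN:]
    return protect(new_binding, attacker_key)


def threat_analysis() -> dict:
    """Evaluate the three cases from the thread. True means the outcome matches the text."""
    original = b"ssid=CorpNet;nas-id=ap-17;cost=free"   # constructed binding attributes
    forged = b"ssid=CorpNet;nas-id=ap-17;cost=paid"     # constructed manipulated attributes
    protected = protect(original, TEK)
    return {
        # Honest path: the peer's tag verifies under the shared TEK.
        "honest_verifies": verify(protected, TEK) == original,
        # Proxy with no keying material: manipulation is detected, same as a dishonest authenticator.
        "proxy_without_keys_detected": verify(on_path_rewrite(protected, forged, None), TEK) is None,
        # Entity holding only the MSK: a tag under the MSK does not verify under the TEK.
        "msk_only_detected": verify(on_path_rewrite(protected, forged, MSK), TEK) is None,
        # Entity holding the TEK: must be treated like the server; manipulation goes undetected.
        "tek_holder_undetected": verify(on_path_rewrite(protected, forged, TEK), TEK) == forged,
    }


if __name__ == "__main__":
    for case, outcome in threat_analysis().items():
        print(f"{case}: {outcome}")
```

The last case is the point of the reply: only possession of the key that actually protects the channel binding messages (the TEK) lets an entity alter them without detection, so that is the set of entities the threat analysis has to consider.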