FYI
Lily Chen from NIST and I co-authored a paper on the (in)security of tunneled authentications, including tunnel-based EAP methods. Unfortunately, it seems to be too late to reference the analysis in the tunnel requirement draft, but I hope that some people still might find it interesting.

"An Inconvenient Truth about Tunneled Authentications"
Katrin Hoeper and Lily Chen, to appear in the proceedings of the 35th Annual IEEE Conference on Local Computer Networks (LCN 2010)
http://techpubs.motorola.com/IPCOM/187779

ABSTRACT

In recent years, it has been a common practice to execute legacy authentication protocols inside a protective tunnel. Soon after their introduction, man-in-the-middle (MitM) attacks on tunneled authentications were revealed and cryptographic bindings have been applied as a countermeasure. In this paper, we demonstrate that tunneled password-based and other types of authentication methods are still susceptible to MitM attacks despite the use of cryptographic bindings or other proof of binding methods. Here, so-called protective tunnels do not protect from all attacks, and even worse yet, give users a false sense of security. In fact, cryptographic bindings can only thwart the attacks if the tunneled method provides strong authentication and strong key establishment. However, such methods can be securely executed without a tunnel. Our analysis shows that there can be no "universal" countermeasure because the effectiveness of a proof of binding method depends on the properties of the authentication protocol executed inside the tunnel. This result is unsettling, because commonly used tunneled authentication methods, such as EAP-FAST and PEAP, do just that, i.e., apply one countermeasure (cryptographic bindings) and allow any type of authentication protocol to be executed inside the tunnel.

As additional results, we show that 1) the secure derivation of traffic protection keys depends on the type of tunneled authentication method and the applied MitM countermeasures, and 2) security policies intended to thwart attacks depend on the configuration of the client device and are not practical in many environments.

Regards,
Katrin
_______________________________________________
Emu mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/emu
