On Nov 14, 2025, at 4:55 PM, Oleg Pekar <[email protected]> wrote: > 1) To explain Crypto-Binding TLV advantages: > > This is how the attack we are talking about works (let's take one > specific scenario):
Thanks for the explanation. The full details are in https://eprint.iacr.org/2002/163.pdf The $0.02 version is that Crypto-Binding has doesn't protect against a TLS layer attack. It protects against someone who forwards the inner methods. i.e. the attacker pretends to be another access point, receives the inner method data from it, and then forwards that conversation over TEAP, as inner methods. If the outer MSK is independent of the inner MSK, the attacker can get access without having any credentials. The attack is stopped, therefore, by tying the outer MSK to the inner MSK. Since the attacker doesn't have the inner MSK, it's not possible to derive the outer MSK, and network access is prevented. > In HTTPS if the user authentication method inside the tunnel is just > form logins (i.e. username/password inside the TLS tunnel) - there's > no need for a binding. But for more complex user authentication > methods there are some analogs to prove that this application-layer > authentication or token is bound to this specific TLS channel. I think the issue is still present in HTTPS. I could present a form over HTTP, and then forward that data to the "real" server over HTTPS. But due to the way HTTP is used, the attacks there are much less likely. > 2) Currently it looks that the Initial-Binding TLV that is exchanged > right after the TLS tunnel establishment, before exchanging with any > inner EAP authentication method that derives keys - seems that such > Initial-Binding TLV has just a small advantage on just the TLS tunnel > key materials by including TEAP version and outer TLVs. It doesn't > prevent tunnel MITM attack. Can you please explain your vision on it? Initial-Binding doesn't prevent a tunnel MITM attack. So I think it's best to keep Crypto-Binding TLV. But we should simplify it. But Crypto-Binding doesn't prevent a tunnel MITM attack when passwords are used, and it doesn't prevent an attack when PKCS#7 TLVs are used. As a result, I think we should add explicit signalling as to whether Crypto-Binding is used or not. Alan DeKok. _______________________________________________ Emu mailing list -- [email protected] To unsubscribe send an email to [email protected]
