RE: Key Identification RE: [LinkSec] Requirements




Paul:

There is a very good paper on the tunneled authentication issues that were 
discussed at the last IETF.

Russ

= = = = = = = = =

"Man-in-the-Middle in Tunnelled Authentication", N. Asokan, Valtteri Niemi,
Kaisa Nyberg

From the Abstract:

Recently new protocols have been proposed in IETF for protecting remote client
authentication protocols by running them within a secure tunnel. Examples of
such protocols are PIC, PEAP and EAP-TTLS. One goal of these new protocols is to
enable the migration from legacy client authentication protocols to more secure
protocols, e.g., from plain EAP type to, say, PEAP. In these protocols, the
security of the subsequent session credentials is based only on keys derived
during the unilateral authentication where the network server is authenticated
to the client. Client authentication is mentioned as an option in PEAP and
EAP-TTLS, but is not mandated. The PIC protocol does not even offer this option.
In this paper we show that these recent approaches to protect legacy client
authentication protocols open up in practical situations the possibility to run
a man-in-the-middle attack for impersonating the legitimate client. For those
well-designed client authentication protocols that already have a sufficient
level of security, the use of tunnelling in the proposed form is a step
backwards because they introduce a new vulnerability.

http://eprint.iacr.org/2002/163.pdf



At 01:25 PM 12/16/2002 -0800, Paul Lambert wrote:
> > We need to be
> > careful not to repeat the tunneled authentication issues that
> > were a major
> > discussion topic at the last IETF, but we can authenticate
> > the user after
> > authenticating the device, binding the two together for the
> > duration of the
> > session.
>
>Hum, let's repeat it :-)  We're at a different layer, with a different set
>of requirements.  Plus I missed that meeting and doubt that it is
>adequately documented.
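The attack the abstract describes, worked through as an added toy model (this is not code from the paper, from either correspondent, or from any EAP implementation). The server-authenticated tunnel is abstracted as a 32-byte secret shared by the two tunnel endpoints, the legacy inner method is a constructed HMAC challenge/response for a constructed user `alice`, and the fix is an assumed "compound MAC" proving possession of both the tunnel key and a key exported by the inner method, which is the general shape of the cryptographic-binding remedies that followed the paper. The attacker opens the tunnel itself, hands the server's challenge to the victim over a rogue legacy (untunnelled) network, and relays the victim's answer into the tunnel. When the session key depends on the tunnel key alone, the attacker ends up holding it; when the inner key is bound in, the server rejects the relayed exchange.

```python
"""Toy model of the tunnelled-authentication man-in-the-middle attack.

Added example, not the paper's or any EAP stack's code. Assumptions:
  * the tunnel is modelled as a shared secret between its two endpoints
    (what TLS gives a client and the server it has authenticated);
  * the inner method is a constructed HMAC challenge/response;
  * 'compound_mac' is an assumed binding proof, not a standardised format.
"""
import hashlib
import hmac
import os
from typing import Optional

USERS = {b"alice": b"correct horse battery staple"}  # constructed test data


def inner_response(password: bytes, challenge: bytes) -> bytes:
    """Legacy inner method: prove knowledge of the password for this challenge."""
    return hmac.new(password, b"response|" + challenge, hashlib.sha256).digest()


def inner_key(password: bytes, challenge: bytes) -> bytes:
    """Key a well-designed inner method exports to its two endpoints.
    Only the client and the password-holding server can compute it."""
    return hmac.new(password, b"key|" + challenge, hashlib.sha256).digest()


def compound_mac(tunnel_key: bytes, inner_k: bytes) -> bytes:
    """Assumed binding proof: possession of BOTH the tunnel key and the inner key."""
    return hmac.new(inner_k, b"binding|" + tunnel_key, hashlib.sha256).digest()


def derive_session_key(tunnel_key: bytes, inner_k: Optional[bytes]) -> bytes:
    """Unbound: the session key depends on the tunnel key alone (the flaw).
    Bound: it also depends on the inner method's key."""
    ikm = tunnel_key if inner_k is None else tunnel_key + inner_k
    return hmac.new(ikm, b"session", hashlib.sha256).digest()


class Server:
    def __init__(self, cryptobinding: bool):
        self.cryptobinding = cryptobinding

    def open_tunnel(self) -> bytes:
        # Server-authenticated tunnel: the server has no idea who its peer is yet.
        return os.urandom(32)

    def new_challenge(self) -> bytes:
        return os.urandom(16)

    def finish(self, tunnel_key, user, challenge, response, binding):
        """Verify the inner exchange seen through the tunnel; return the session key or None."""
        password = USERS.get(user)
        if password is None or not hmac.compare_digest(response, inner_response(password, challenge)):
            return None
        if not self.cryptobinding:
            return derive_session_key(tunnel_key, None)
        ik = inner_key(password, challenge)
        if binding is None or not hmac.compare_digest(binding, compound_mac(tunnel_key, ik)):
            return None
        return derive_session_key(tunnel_key, ik)


def honest_run(cryptobinding: bool) -> bool:
    """Client runs the inner method inside its own tunnel; True if both ends agree on a key."""
    server = Server(cryptobinding)
    tunnel_key = server.open_tunnel()          # shared by client and server
    challenge = server.new_challenge()
    password = USERS[b"alice"]
    ik = inner_key(password, challenge)
    binding = compound_mac(tunnel_key, ik) if cryptobinding else None
    server_key = server.finish(tunnel_key, b"alice", challenge,
                               inner_response(password, challenge), binding)
    client_key = derive_session_key(tunnel_key, ik if cryptobinding else None)
    return server_key is not None and hmac.compare_digest(server_key, client_key)


def mitm_run(cryptobinding: bool) -> bool:
    """Attacker owns the tunnel, relays the legacy exchange to the victim, who thinks it is
    on an untunnelled legacy network. True if the attacker obtains an accepted session key."""
    server = Server(cryptobinding)
    tunnel_key = server.open_tunnel()          # shared by ATTACKER and server
    challenge = server.new_challenge()
    # The victim answers the legacy challenge it receives from the rogue network.
    response = inner_response(USERS[b"alice"], challenge)
    # Without the password the attacker cannot compute inner_key; its binding is a guess.
    forged_binding = os.urandom(32) if cryptobinding else None
    server_key = server.finish(tunnel_key, b"alice", challenge, response, forged_binding)
    if server_key is None:
        return False
    attacker_key = derive_session_key(tunnel_key, None)
    return hmac.compare_digest(server_key, attacker_key)


if __name__ == "__main__":
    print("honest, unbound:", honest_run(False))
    print("honest, bound:  ", honest_run(True))
    print("MITM, unbound:  ", mitm_run(False))   # attacker impersonates the client
    print("MITM, bound:    ", mitm_run(True))    # relay rejected
```

The point the model makes is the one in the abstract: the inner method still authenticates the client correctly in every run, yet in the unbound case the server's session key is a function of a tunnel key the real client never saw, so whoever holds the tunnel end is treated as the client. Binding the inner method's exported key into the session key, and requiring proof of it, is only possible when the inner method exports a key at all, which is why a plain password challenge/response gains nothing from tunnelling alone.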