Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
"Dan Harkins" <dharkins@lounge.org> Wed, 03 March 2010 23:30 UTC
Return-Path: <dharkins@lounge.org>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 0E1F528C1E1 for <emu@core3.amsl.com>; Wed, 3 Mar 2010 15:30:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.159
X-Spam-Level:
X-Spam-Status: No, score=-6.159 tagged_above=-999 required=5 tests=[AWL=0.106, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D-l7n3h1lUAG for <emu@core3.amsl.com>; Wed, 3 Mar 2010 15:30:05 -0800 (PST)
Received: from colo.trepanning.net (colo.trepanning.net [69.55.226.174]) by core3.amsl.com (Postfix) with ESMTP id D9BF228C1C5 for <emu@ietf.org>; Wed, 3 Mar 2010 15:30:02 -0800 (PST)
Received: from www.trepanning.net (localhost [127.0.0.1]) by colo.trepanning.net (Postfix) with ESMTP id 5BF98200B2; Wed, 3 Mar 2010 15:30:04 -0800 (PST)
Received: from 69.12.173.8 (SquirrelMail authenticated user dharkins@lounge.org) by www.trepanning.net with HTTP; Wed, 3 Mar 2010 15:30:04 -0800 (PST)
Message-ID: <7272955a16fc9e774c63f05f5265d37b.squirrel@www.trepanning.net>
In-Reply-To: <3A241A6B234BE948B8B474D261FEBC2F07295724@de01exm68.ds.mot.com>
References: <70e5fb878f73a83d4ba7702e4dc46132.squirrel@www.trepanning.net><AC1CFD94F59A264488DC2BEC3E890DE509BD34A6@xmb-sjc-225.amer.cisco.com><3A241A6B234BE948B8B474D261FEBC2F07239D21@de01exm68.ds.mot.com><a244565651e7f03494eda680a4ae636b.squirrel@www.trepanning.net><3A241A6B234BE948B8B474D261FEBC2F0729536E@de01exm68.ds.mot.com><30a512425eb4f0e1140dca0cc92eea30.squirrel@www.trepanning.net><3A241A6B234BE948B8B474D261FEBC2F0729555F@de01exm68.ds.mot.com><f78c0ed514c29c3e3cadd46d28731eb5.squirrel@www.trepanning.net><3A241A6B234BE948B8B474D261FEBC2F0729562D@de01exm68.ds.mot.com><61dde562d3f969274cb5cb5aabafa68b.squirrel@www.trepanning.net><3A241A6B234BE948B8B474D261FEBC2F072956BA@de01exm68.ds.mot.com><6735e38c9874524655a4bbe39ffaab5b.squirrel@www.trepanning.net> <3A241A6B234BE948B8B474D261FEBC2F0729571A@de01exm68.ds.mot.com> <3A241A6B234BE948B8B474D261FEBC2F07295724@de01exm68.ds.mot.com>
Date: Wed, 03 Mar 2010 15:30:04 -0800
From: Dan Harkins <dharkins@lounge.org>
To: Hoeper Katrin-QWKN37 <khoeper@motorola.com>
User-Agent: SquirrelMail/1.4.14 [SVN]
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3 (Normal)
Importance: Normal
Cc: emu@ietf.org
Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Mar 2010 23:30:07 -0000
Hi Katrin, Yes, EAP-pwd uses the password for mutual authentication. If the server doesn't know the password the exchange will fail. The key differentiator (from, say, EAP-GPSK) is that it uses a zero knowledge proof and is resistant to off-line dictionary attack. Dan. On Wed, March 3, 2010 2:33 pm, Hoeper Katrin-QWKN37 wrote: > Sorry Dan, > > Is EAP-pwd using the password for mutual authentication? > >> -----Original Message----- >> From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of >> Hoeper Katrin-QWKN37 >> Sent: Wednesday, March 03, 2010 4:28 PM >> To: Dan Harkins >> Cc: emu@ietf.org >> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04 >> >> How does that authenticate the server if a user enters a password? >> >> If the server says, yes that was the right password? >> >> >> >> > -----Original Message----- >> > From: Dan Harkins [mailto:dharkins@lounge.org] >> > Sent: Wednesday, March 03, 2010 4:14 PM >> > To: Hoeper Katrin-QWKN37 >> > Cc: Dan Harkins; Joseph Salowey; emu@ietf.org >> > Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04 >> > >> > >> > Since they both use the same low-entropy password to perform their >> > mutual authentication it is not, strictly speaking, just the peer's >> > credential. >> > >> > Dan. >> > >> > On Wed, March 3, 2010 1:45 pm, Hoeper Katrin-QWKN37 wrote: >> > > >> > > See inline. >> > >> -----Original Message----- >> > >> From: Dan Harkins [mailto:dharkins@lounge.org] >> > >> Sent: Wednesday, March 03, 2010 3:39 PM >> > >> To: Hoeper Katrin-QWKN37 >> > >> Cc: Dan Harkins; Joseph Salowey; emu@ietf.org >> > >> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04 >> > >> >> > >> >> > >> Hi Katrin, >> > >> >> > >> On Wed, March 3, 2010 12:31 pm, Hoeper Katrin-QWKN37 wrote: >> > >> > Dan, >> > >> > >> > >> > OK, I understand that the tunnel provides all these other > feats. >> > >> > >> > >> > But why can't the server authenticate during the tunnel > protocol? >> I >> > >> > still don't understand the use case for mutually anonymous >> tunnels. >> > >> >> > >> Because it doesn't have the right credential. >> > >> >> > >> > If the server has a certificate why can't it send it to the > peer >> > > before >> > >> > or during the tunnel establishment? >> > >> >> > >> If the server has a certificate then sending it to the peer >> > >> would not really solve any problem. The peer would still need to >> > >> have a reason to trust it and we're back to the problem of > putting >> > >> a trusted certificate in some certificate store. A global PKI to >> > >> solve all of our certificate issues still has not materialized. >> > >> >> > >> > If the peer and server share a secret, than this could be used > to >> > >> > establish the tunnel. >> > >> >> > >> If the peer and server share a secret they could use one of the >> PSK >> > >> ciphersuites for TLS but those are susceptible to a dictionary >> attack >> > >> and are therefore inappropriate. >> > >> >> > >> The tunnel is being established with EAP-TLS so we are limited > to >> > >> TLS ciphersuites and the authentication they provide. If a TLS >> > > ciphersuite >> > >> was appropriate always and everywhere then we would not need any >> other >> > >> EAP methods, we'd just do EAP-TLS. But that is not the case. Also >> it >> > > is >> > >> a requirement to tunnel additional EAP methods inside the tunnel > so >> > >> obviously there are EAP methods that provide something that a TLS >> > >> ciphersuite does not. >> > >> >> > >> > What I am saying is what kind of server authentication >> credentials >> > > could >> > >> > be used inside an anonymous tunnel that could not be used to >> > >> > authenticate the server in the tunnel protocol? (given that >> privacy >> > > is >> > >> > not the issue) >> > >> >> > >> A low-entropy password that can easily be remembered and > entered >> by >> > > a >> > >> human with low probability of error. >> > > [KH] I asked what kind of SERVER credentials not peer credentials. >> > >> >> > >> Dan. >> > >> >> > > >> > > >> > >> >> _______________________________________________ >> Emu mailing list >> Emu@ietf.org >> https://www.ietf.org/mailman/listinfo/emu >
- [Emu] review of draft-ietf-emu-eaptunnel-req-04 Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Yaron Sheffer
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Alan DeKok
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Yaron Sheffer
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Alan DeKok
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Yaron Sheffer
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Joseph Salowey (jsalowey)
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Dan Harkins
- Re: [Emu] review of draft-ietf-emu-eaptunnel-req-… Hoeper Katrin-QWKN37