Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04

"Joseph Salowey (jsalowey)" <jsalowey@cisco.com> Thu, 04 March 2010 04:05 UTC

Date: Wed, 03 Mar 2010 20:05:09 -0800
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509BD3EBA@xmb-sjc-225.amer.cisco.com>
In-Reply-To: <7272955a16fc9e774c63f05f5265d37b.squirrel@www.trepanning.net>
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: Dan Harkins <dharkins@lounge.org>, Hoeper Katrin-QWKN37 <khoeper@motorola.com>
Cc: emu@ietf.org
Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04

Hi Dan,

The document currently states anonymous cipher suites MUST NOT be
mandatory to implement for the tunnel method.  I think this is the
appropriate stance for the document to take for the base tunnel method.
I also do not think this prevents a follow-on specification defining how
to use an anonymous tunnel securely.

Cheers,

Joe

> -----Original Message-----
> From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of Dan Harkins
> Sent: Wednesday, March 03, 2010 3:30 PM
> To: Hoeper Katrin-QWKN37
> Cc: emu@ietf.org
> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> 
> 
>   Hi Katrin,
> 
>   Yes, EAP-pwd uses the password for mutual authentication. If the
> server doesn't know the password the exchange will fail. The key
> differentiator (from, say, EAP-GPSK) is that it uses a zero knowledge
> proof and is resistant to off-line dictionary attack.
> 
>   Dan.
> 
> On Wed, March 3, 2010 2:33 pm, Hoeper Katrin-QWKN37 wrote:
> > Sorry Dan,
> >
> > Is EAP-pwd using the password for mutual authentication?
> >
> >> -----Original Message-----
> >> From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On Behalf Of Hoeper Katrin-QWKN37
> >> Sent: Wednesday, March 03, 2010 4:28 PM
> >> To: Dan Harkins
> >> Cc: emu@ietf.org
> >> Subject: Re: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> >>
> >> How does that authenticate the server if a user enters a password?
> >>
> >> If the server says, yes that was the right password?
> >>
> >>
> >>
> >> > -----Original Message-----
> >> > From: Dan Harkins [mailto:dharkins@lounge.org]
> >> > Sent: Wednesday, March 03, 2010 4:14 PM
> >> > To: Hoeper Katrin-QWKN37
> >> > Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> >> > Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> >> >
> >> >
> >> >   Since they both use the same low-entropy password to perform their
> >> > mutual authentication it is not, strictly speaking, just the peer's
> >> > credential.
> >> >
> >> >   Dan.
> >> >
> >> > On Wed, March 3, 2010 1:45 pm, Hoeper Katrin-QWKN37 wrote:
> >> > >
> >> > > See inline.
> >> > >> -----Original Message-----
> >> > >> From: Dan Harkins [mailto:dharkins@lounge.org]
> >> > >> Sent: Wednesday, March 03, 2010 3:39 PM
> >> > >> To: Hoeper Katrin-QWKN37
> >> > >> Cc: Dan Harkins; Joseph Salowey; emu@ietf.org
> >> > >> Subject: RE: [Emu] review of draft-ietf-emu-eaptunnel-req-04
> >> > >>
> >> > >>
> >> > >>   Hi Katrin,
> >> > >>
> >> > >> On Wed, March 3, 2010 12:31 pm, Hoeper Katrin-QWKN37 wrote:
> >> > >> > Dan,
> >> > >> >
> >> > >> > OK, I understand that the tunnel provides all these other feats.
> >> > >> >
> >> > >> > But why can't the server authenticate during the tunnel protocol? I
> >> > >> > still don't understand the use case for mutually anonymous tunnels.
> >> > >>
> >> > >>   Because it doesn't have the right credential.
> >> > >>
> >> > >> > If the server has a certificate why can't it send it to the peer before
> >> > >> > or during the tunnel establishment?
> >> > >>
> >> > >>   If the server has a certificate then sending it to the peer
> >> > >> would not really solve any problem. The peer would still need to
> >> > >> have a reason to trust it and we're back to the problem of putting
> >> > >> a trusted certificate in some certificate store. A global PKI to
> >> > >> solve all of our certificate issues still has not materialized.
> >> > >>
> >> > >> > If the peer and server share a secret, then this could be used to
> >> > >> > establish the tunnel.
> >> > >>
> >> > >>   If the peer and server share a secret they could use one of the PSK
> >> > >> ciphersuites for TLS but those are susceptible to a dictionary attack
> >> > >> and are therefore inappropriate.
> >> > >>
> >> > >>   The tunnel is being established with EAP-TLS so we are limited to
> >> > >> TLS ciphersuites and the authentication they provide. If a TLS ciphersuite
> >> > >> was appropriate always and everywhere then we would not need any other
> >> > >> EAP methods, we'd just do EAP-TLS. But that is not the case. Also it is
> >> > >> a requirement to tunnel additional EAP methods inside the tunnel so
> >> > >> obviously there are EAP methods that provide something that a TLS
> >> > >> ciphersuite does not.
> >> > >>
> >> > >> > What I am saying is what kind of server authentication credentials could
> >> > >> > be used inside an anonymous tunnel that could not be used to
> >> > >> > authenticate the server in the tunnel protocol? (given that privacy is
> >> > >> > not the issue)
> >> > >>
> >> > >>   A low-entropy password that can easily be remembered and entered by a
> >> > >> human with low probability of error.
> >> > > [KH] I asked what kind of SERVER credentials not peer credentials.
> >> > >>
> >> > >>   Dan.
> >> > >>
> >> > >
> >> > >
> >> >
> >>
> >> _______________________________________________
> >> Emu mailing list
> >> Emu@ietf.org
> >> https://www.ietf.org/mailman/listinfo/emu
> >
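The question running through the quoted thread is how one shared low-entropy password can authenticate the server as well as the peer, given that a plain PSK exchange leaks a dictionary-testable value. The following is an added example, not code from the thread or from the EAP-pwd specification: a SPEKE-style password-authenticated key exchange (a different construction from EAP-pwd's Dragonfly exchange, chosen because it fits in a few lines) over a deliberately tiny, runtime-generated 64-bit safe-prime group. The party roles, the transcript layout and the key-confirmation tags are this example's own choices. A server that does not hold the password derives a different key and cannot produce a confirmation the peer accepts, which is the mutual-authentication property Dan describes.

```python
import hashlib
import hmac
import secrets

# Deterministic Miller-Rabin: this witness set is complete for every n < 3.3e24,
# so the toy group below is built without any probabilistic primality claim.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(start: int) -> int:
    """Smallest safe prime p >= start, i.e. both p and (p - 1) // 2 are prime."""
    p = start | 1
    while not (is_prime(p) and is_prime((p - 1) // 2)):
        p += 2
    return p


# Toy 64-bit group, chosen only so the example runs instantly (assumption of this
# example); real PAKEs use standardized 2048-bit+ MODP groups or elliptic curves.
P = find_safe_prime(1 << 63)
Q = (P - 1) // 2


def derive_generator(password: str) -> int:
    """SPEKE-style generator: hash the password and square it into the order-Q subgroup."""
    h = int.from_bytes(hashlib.sha256(password.encode()).digest(), "big") % P
    g = pow(h, 2, P)
    if g in (0, 1):
        raise ValueError("degenerate generator")  # probability about 2**-62 in this group
    return g


def check_element(v: int) -> None:
    """Reject 0, 1 and P-1: the values a peer could send to force a predictable key."""
    if v <= 1 or v >= P - 1:
        raise ValueError("rejected small-subgroup or out-of-range element")


class Party:
    def __init__(self, role: str, password: str):
        self.role = role
        self.g = derive_generator(password)
        self.priv = secrets.randbelow(Q - 1) + 1  # ephemeral exponent in [1, Q-1]
        self.pub = pow(self.g, self.priv, P)      # g^x: blinded by x, so not a password-only value
        self.key = None

    def derive_key(self, peer_pub: int, client_pub: int, server_pub: int) -> None:
        check_element(peer_pub)
        shared = pow(peer_pub, self.priv, P)      # equals g^(xy) only if both sides used the same g
        transcript = b"|".join(str(v).encode() for v in (client_pub, server_pub, shared))
        self.key = hashlib.sha256(transcript).digest()

    def _tag(self, role: str, client_pub: int, server_pub: int) -> bytes:
        msg = f"{role}|{client_pub}|{server_pub}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def confirm(self, client_pub: int, server_pub: int) -> bytes:
        return self._tag(self.role, client_pub, server_pub)

    def verify(self, tag: bytes, peer_role: str, client_pub: int, server_pub: int) -> bool:
        return hmac.compare_digest(tag, self._tag(peer_role, client_pub, server_pub))


def run_pake(client_password: str, server_password: str) -> tuple:
    """Run the exchange; return (client accepts server, server accepts client)."""
    client = Party("client", client_password)
    server = Party("server", server_password)
    a, b = client.pub, server.pub                # messages 1 and 2: password-bound blinded values
    client.derive_key(b, a, b)
    server.derive_key(a, a, b)
    client_tag = client.confirm(a, b)            # messages 3 and 4: key confirmation
    server_tag = server.confirm(a, b)
    return client.verify(server_tag, "server", a, b), server.verify(client_tag, "client", a, b)


if __name__ == "__main__":
    # Constructed sample passwords; the second run models a server that lacks the password.
    print("honest server  :", run_pake("correct horse", "correct horse"))   # (True, True)
    print("impostor server:", run_pake("correct horse", "battery staple"))  # (False, False)
```

Key confirmation is what turns "the server says yes, that was the right password" into server authentication: the tag is a MAC under a key that only a holder of the password can reach, and `hmac.compare_digest` keeps the check constant-time. The element check on the received value matters in any safe-prime group, since 1 and P-1 would let a peer force the shared secret into a two-element set. The group size here is for readability only.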