IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02

Sandra Murphy <sandy@sparta.com> Wed, 15 July 2009 15:13 UTC

Return-Path: <Sandra.Murphy@cobham.com>
X-Original-To: secdir@core3.amsl.com
Delivered-To: secdir@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 173A23A6EA3; Wed, 15 Jul 2009 08:13:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.512
X-Spam-Level:
X-Spam-Status: No, score=-2.512 tagged_above=-999 required=5 tests=[AWL=0.087, BAYES_00=-2.599]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxsUqiBfh6ab; Wed, 15 Jul 2009 08:13:26 -0700 (PDT)
Received: from M4.sparta.com (M4.sparta.com [157.185.61.2]) by core3.amsl.com (Postfix) with ESMTP id B82423A6C86; Wed, 15 Jul 2009 08:13:26 -0700 (PDT)
Received: from Beta5.sparta.com (beta5.sparta.com [157.185.63.21]) by M4.sparta.com (8.13.5/8.13.5) with ESMTP id n6FFDUQZ022408; Wed, 15 Jul 2009 10:13:30 -0500
Received: from nemo.columbia.ads.sparta.com (nemo.columbia.sparta.com [157.185.80.75]) by Beta5.sparta.com (8.13.8/8.13.8) with ESMTP id n6FFDUO0002712; Wed, 15 Jul 2009 10:13:30 -0500
Received: from SANDYM-LT.columbia.ads.sparta.com ([157.185.81.126]) by nemo.columbia.ads.sparta.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959); Wed, 15 Jul 2009 11:13:29 -0400
Date: Wed, 15 Jul 2009 11:13:29 -0400
From: Sandra Murphy <sandy@sparta.com>
To: "Hollenbeck, Scott" <shollenbeck@verisign.com>
In-Reply-To: <046F43A8D79C794FA4733814869CDF07025CD275@dul1wnexmb01.vcorp.ad.vrsn.com>
Message-ID: <Pine.WNT.4.64.0907151110550.4872@SANDYM-LT.columbia.ads.sparta.com>
References: <046F43A8D79C794FA4733814869CDF07025CD275@dul1wnexmb01.vcorp.ad.vrsn.com>
X-X-Sender: sandy@nemo.columbia.sparta.com
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"; format="flowed"
X-OriginalArrivalTime: 15 Jul 2009 15:13:29.0749 (UTC) FILETIME=[CF5C7C50:01CA055E]
Cc: secdir@ietf.org, iesg@ietf.org
Subject: Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jul 2009 15:13:28 -0000

(I sent multiple secdir related messages yesterday that were mangled or 
failed to deliver to the secdir and iesg lists.  You could see an example 
in Scott's reply to one of the mangled messages.  Here is the unmangled 
message, to keep us all in sync.  My apologies to the recipients who are 
seeing this again.)



>By Transport ID, I would assume the  identifer(s)  associated with the
>transport level authentication key.
>For EPP ID I would assume whatever identification is associated with
>an EPP instance.

In EPP, you do a simple login with user name and password:
login Bob bobscleartextpassword

The other end checks the password and says "Great to see you, Bob!"

Underneath you have a stronger authentication system running.
This is based on some transport id, like the ip addr/protocol/port
or whatever id the secure transport uses.  Lets say the transport
id is ip addr, say 10.1.0.0 at the end doing the login authentication.


A secure authenticated transport connection is established between
10.1.0.0 to the other end where the login is being attempted, say
10.2.0.0.

The trouble is that that 10.2.0.0 might be a man in the middle.
The MITM has another secure authenticated transport connection to
Bob's host, 10.3.0.0.

Bob sends the "login Bob bobscleartextpassword" over its secure
transport connection, which ends at the MITM at 10.2.0.0.

The MITM retransmits the "login Bob bobscleartextpassword" over the
secure transport connection to 10.1.0.0, impersonating Bob.

This is possible because there is no tie between the EPP ID of "Bob"
and the secure transport id of 10.2.0.0.

The tie is what is called channel binding.

You can look at RFC5056 for more information or at
http://www.saunalahti.fi/~asokan/research/mitm.html for another
discussion with a rather detailed example for PEAP.

It might be worth pointing out that draft-ietf-sasl-gs2-14 talks
about Using GSS-API Mechanisms in SASL, and supports channel binding.

--Sandy

v2.23.0 | Report a Bug | By Email