Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02

"Hollenbeck, Scott" <shollenbeck@verisign.com> Wed, 15 July 2009 00:08 UTC

From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
To: Sandy Murphy <sandy@tislabs.com>, catherine.meadows@nrl.navy.mil, iesg@ietf.org, secdir@ietf.org
Subject: Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02

Doesn't TLS provide protections for this issue?

-Scott-

-----Original Message-----
From: 	Sandy Murphy [mailto:sandy@tislabs.com]
Sent:	Tuesday, July 14, 2009 07:15 PM Eastern Standard Time
To:	catherine.meadows@nrl.navy.mil; iesg@ietf.org; sandy@tislabs.com; secdir@ietf.org; Hollenbeck, Scott
Subject:	Re: [secdir] Secdir review of draft-hollenbeck-rfc4930bis-02

>A secure authenticThe tie is what is called channel binding.

OK, obvious blip here.

A secure authenticated transport connection is established between
10.1.0.0 and the other end where the login is being attempted, say
10.2.0.0.

The trouble is that 10.2.0.0 might be a man in the middle.
The MITM has another secure authenticated transport connection to
Bob's host, 10.3.0.0.

Bob sends the "login Bob bobscleartextpassword" over his secure
transport connection, which ends at the MITM at 10.2.0.0.

The MITM retransmits the "login Bob bobscleartextpassword" over the
secure transport connection to 10.1.0.0, impersonating Bob.

This is possible because there is no tie between the EPP ID of "Bob"
and the secure transport id of 10.2.0.0.

The tie is what is called channel binding.

You can look at RFC5056 for more information or at 
http://www.saunalahti.fi/~asokan/research/mitm.html for another
discussion with a rather detailed example for PEAP.

It might be worth pointing out that draft-ietf-sasl-gs2-14 talks
about Using GSS-API Mechanisms in SASL, and supports channel binding.

--Sandy
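As an added illustration, not part of the thread: a small Python simulation of the relay Sandy describes, showing that a login proof bound to the channel identifier (the RFC 5056 idea, in the spirit of tls-unique) is rejected when the MITM forwards it over its own connection to the real server. All hosts, the password, the channel ids and the HMAC construction are assumptions made for this demo, not anything EPP specifies.

```python
import hmac
import hashlib
import os

# Constructed credential store on the real server (10.1.0.0 in the thread).
SERVER_PASSWORDS = {"Bob": "bobscleartextpassword"}

def channel_id():
    """Stand-in for a TLS channel-binding value (RFC 5056 / tls-unique style):
    unique per secured connection and known only to that connection's endpoints."""
    return os.urandom(16)

def make_bound_login(user, password, cb):
    """Client side: prove knowledge of the password and bind the proof to the channel.
    SHA-256 of the password is a demo stand-in for a real password-based key."""
    key = hashlib.sha256(password.encode()).digest()
    tag = hmac.new(key, b"login " + user.encode() + b"|" + cb, hashlib.sha256).hexdigest()
    return {"user": user, "proof": tag}

def verify_bound_login(msg, cb):
    """Server side: recompute the proof with ITS channel id; a relayed proof fails."""
    pw = SERVER_PASSWORDS.get(msg["user"])
    if pw is None:
        return False
    expected = make_bound_login(msg["user"], pw, cb)["proof"]
    return hmac.compare_digest(expected, msg["proof"])

def relay_attack(bound):
    """Bob talks to the MITM (10.2.0.0) over one channel; the MITM talks to the
    real server (10.1.0.0) over another. Returns True if the server accepts."""
    bob_to_mitm = channel_id()
    mitm_to_server = channel_id()
    if not bound:
        # Cleartext login relayed verbatim: the server has no way to notice.
        msg = {"user": "Bob", "secret": "bobscleartextpassword"}
        return SERVER_PASSWORDS.get(msg["user"]) == msg["secret"]
    msg = make_bound_login("Bob", "bobscleartextpassword", bob_to_mitm)
    return verify_bound_login(msg, mitm_to_server)

def direct_login():
    """Bob to the real server with no MITM: both ends see the same channel id."""
    cb = channel_id()
    return verify_bound_login(make_bound_login("Bob", "bobscleartextpassword", cb), cb)
```

The unbound relay succeeds because TLS only protects each hop; the bound proof fails at the server because the two hops carry different channel identifiers.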