Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Charles Clancy <clancy@cs.umd.edu> Thu, 25 August 2005 00:14 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E85Ng-00063a-5g; Wed, 24 Aug 2005 20:14:08 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1E85Nd-00060J-Ux for secmech@megatron.ietf.org; Wed, 24 Aug 2005 20:14:05 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA05129 for <secmech@ietf.org>; Wed, 24 Aug 2005 20:13:40 -0400 (EDT)
Received: from sccrmhc13.comcast.net ([204.127.202.64]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1E85Ne-0006oi-Mh for secmech@ietf.org; Wed, 24 Aug 2005 20:14:07 -0400
Received: from [192.168.0.2] (pcp04510339pcs.gambrl01.md.comcast.net[68.49.199.146]) by comcast.net (sccrmhc13) with ESMTP id <20050825001330013005er85e>; Thu, 25 Aug 2005 00:13:31 +0000
Message-ID: <430D0D2B.8050405@cs.umd.edu>
Date: Wed, 24 Aug 2005 20:13:31 -0400
From: Charles Clancy <clancy@cs.umd.edu>
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Bernard Aboba <aboba@internaut.com>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
References: <43074F76.8000604@cs.umd.edu> <20050822044255.GC27685@isc.upenn.edu> <Pine.GSO.4.60.0508220801430.1114@ismene> <35850EE42DFD2824F0DDBBC8@cumulus> <Pine.GSO.4.60.0508221008260.1174@ismene> <1DCACCAC04655B3AFE9733A8@cumulus> <Pine.GSO.4.60.0508221047001.1307@ismene> <20050822154044.GE7789@binky.Central.Sun.COM> <430CA545.3020109@uni-tuebingen.de> <Pine.LNX.4.61.0508241113420.16086@internaut.com> <20050824213010.GO10174@binky.Central.Sun.COM> <Pine.LNX.4.61.0508241436250.21720@internaut.com>
In-Reply-To: <Pine.LNX.4.61.0508241436250.21720@internaut.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Spam-Score: 0.1 (/)
X-Scan-Signature: e5ba305d0e64821bf3d8bc5d3bb07228
Content-Transfer-Encoding: 7bit
Cc: secmech@ietf.org
X-BeenThere: secmech@lists.ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Security mechanisms BOF <secmech.lists.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/secmech>
List-Post: <mailto:secmech@lists.ietf.org>
List-Help: <mailto:secmech-request@lists.ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/secmech>, <mailto:secmech-request@lists.ietf.org?subject=subscribe>
Sender: secmech-bounces@lists.ietf.org
Errors-To: secmech-bounces@lists.ietf.org

Bernard Aboba wrote:
 >>Does tunnelling various other weak mechanisms over TLS meet said
 >>criteria?
 >
 >
 > If "weak" means mechanisms that do not generate a key (e.g.
 > MD5-Challenge), then these would violate RFC 4017 mandatory
 > requirement 6:
 >
 >    [6]  Protection against man-in-the-middle attacks.  This
 >         corresponds
 >         to the "Cryptographic binding", "Integrity protection",
 >         "Replay protection", and "Session independence" security
 >         claims defined in [RFC3748], Section 7.2.1.

I guess there are two points of view -- one where the AP is the service, 
and one where the EAP server is the service.

If the EAP server is the service, then it can do a passthrough Kerberos 
authentication for the EAP client.  The client can obtain a TGT and a 
service ticket for the EAP server, and then authenticate to the EAP 
server using the service ticket.  The key contained within that service 
ticket is known only by the client and the EAP server, so it could 
theoretically then be used to bootstrap an EAP key derivation, including 
the info needed by TTLS to do the crypto binding.  TTLS would then 
augment the security of these keys using its own entropy, and poof.

... or am I missing something?

[ t. charles clancy ]--[ tcc@umd.edu ]--[ www.cs.umd.edu/~clancy ]
[ computer science ]-----[ university of maryland | college park ]

_______________________________________________
SECMECH mailing list
SECMECH@lists.ietf.org
https://www1.ietf.org/mailman/listinfo/secmech