Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges

Bernard Aboba <> Thu, 25 August 2005 15:06 UTC

Date: Wed, 24 Aug 2005 23:26:15 -0700 (PDT)
From: Bernard Aboba <>
To: Nicolas Williams <>
Subject: Re: [SECMECH] Framework Bindings Vs. Mechanism Bridges
In-Reply-To: <20050825042105.GW10174@binky.Central.Sun.COM>
Message-ID: <>
References: <Pine.GSO.4.60.0508220801430.1114@ismene> <35850EE42DFD2824F0DDBBC8@cumulus> <Pine.GSO.4.60.0508221008260.1174@ismene> <1DCACCAC04655B3AFE9733A8@cumulus> <Pine.GSO.4.60.0508221047001.1307@ismene> <20050822154044.GE7789@binky.Central.Sun.COM> <> <> <20050824213010.GO10174@binky.Central.Sun.COM> <> <20050825042105.GW10174@binky.Central.Sun.COM>

> No, I used "weak" to mean mechanisms that are subject to off-line
> dictionary attacks by eavesdroppers or MITMs.

If the EAP method generates a key and the tunneling mechanism supports 
cryptographic binding and satisfies the other RFC 4017 
requirements (e.g. key strength, etc.) then I don't think that offline 
dictionary or MITM attack should be possible.   Here is a brief summary of 
RFC 4017 requirements:

   [1]  Key derivation.
   [2]  Effective key strength of at least 128 bits.
   [3]  Mutual authentication.
   [4]  Shared state equivalence.  See RFC 4017 for details.
   [5]  Resistance to dictionary attacks.
   [6]  Protection against man-in-the-middle attacks.
   [7]  Protected ciphersuite negotiation.

   [8]  Fragmentation.
   [9]  End-user identity hiding.

   [10] Channel binding.
   [11] Fast reconnect.

My guess is that Kerberos tunneled in TLS should be able to satisfy most 
if not all of these, assuming that cryptobinding is used. 

> Summary: IAKERB and EAP-GSS are dead at this time, mostly for lack of
> people willing to do the work, not for any political or technical
> reasons.

From a technical perspective, there are some challenges
to securely providing authentication simultaneously with fast handoff.

One issue is how the EAP peer figures out what Kerberos principals 
it needs to request a ticket for.  Remember that EAP operates over a layer 2 
protocol such as 802.11, and since the peer doesn't yet have IP connectivity, 
it may not know the IP address or name of the NAS it is trying to connect to.  
In 802.11i, all the station knows is the BSSID of the AP; it doesn't know what NAS 
that BSSID is associated with, let alone the IP address, service name, 

In the original IEEE 802.11i documents, it was assumed that the peer 
would request a ticket to the "Network Access Service" but this required 
all NAS devices to share a secret with the KDC so that a ticket, 
once granted, could be reused with any NAS.  While this was very 
convenient for handoff, it was not so great from a shared secret hygiene 
point of view.  

To enable the peer to figure out what tickets it needs, it seems like the 
AP would need to advertise its Kerberos Service Name, which might 
or might not be the same as the NAS-Identifier sent to the AAA server. 

Also, having to request a new ticket for each NAS, with a roundtrip to the 
KDC for each attempt, may not meet the stringent timing requirements of 
VOIP applications (handoff times <50 ms).  So I think you'd need to figure 
out how to optimize the exchange, such as allowing an EAP peer to 
simultaneously request tickets to multiple NAS devices. 

However, if you can figure all this out, there could be some tangible 
benefits -- in particular with Kerberos it is possible to ensure proper 
key binding, which is not easy to do with current approaches.  For 
example, a Kerberos ticket cannot easily be used by a NAS device other 
than the one it was created for. 

> I.e., I'm pretty sure there'd be no opposition from the IETF, the
> Internet Security Area Directors or the IESG as a whole to a revival of
> IAKERB and/or EAP-GSS, provided someone does the work.  See below.

Remember that at one time Kerberos was mandatory to implement in IEEE
802.11i.  During that period there were lots of people willing to work on
Kerberos network access issues.  However, after it became clear that
Kerberos by itself could not meet the 802.11 security requirements, and
also that work in the IETF was not moving forward at a reasonable pace,
IEEE 802.11i voted to remove Kerberos as the mandatory to implement 

At this point, I doubt you will find much interest within the 802.11 
vendor community in revisiting Kerberos unless it can be demonstrated that 
Kerberos can provide some tangible benefit that isn't available 
with the fast handoff schemes being investigated in IEEE 802.11r.  

SECMECH mailing list
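The point made at the top of the message (a key-generating inner method plus a tunnel with cryptographic binding leaves no room for an off-line dictionary or man-in-the-middle attack on the tunneled exchange) can be shown with a small model. The following is an added illustration, not code from the thread, from any EAP method, or from RFC 4017. The PRF, the tunnel handshake, the inner method, the label strings and the transcript are all constructed stand-ins; `server_decision` with `require_binding=False` models a server that only checks inner-method success, the weak configuration, beside the binding-enforcing one.

```python
"""Toy model of cryptographic binding in a tunneled EAP method.

Added illustration for the SECMECH thread; it is not code from any EAP
method, from RFC 4017, or from the message authors. Key derivation,
labels and the transcript are constructed stand-ins for a real tunnel
(e.g. TLS) and a real key-generating inner method.
"""
import hashlib
import hmac
import secrets

# Constructed transcript of what both sides saw inside the tunnel.
CONSTRUCTED_TRANSCRIPT = b"inner method succeeded; ciphersuite negotiated"


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """Constructed KDF: HMAC-SHA256 over a label and length-prefixed inputs."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def establish_tunnel() -> bytes:
    """Stand-in for a tunnel handshake: the two endpoints that ran it, and
    only those two, end up holding this key."""
    return secrets.token_bytes(32)


def run_inner_method(generates_key: bool):
    """Stand-in for the inner EAP method run end to end between the peer and
    the real EAP server. A key-generating method (RFC 4017 req. [1]) leaves
    peer and server, and nobody else, with a shared inner key; a party that
    merely relays the inner messages never learns it."""
    return secrets.token_bytes(32) if generates_key else None


def compound_mac(tunnel_key: bytes, inner_key: bytes, transcript: bytes) -> bytes:
    """Crypto-binding check value: ties the tunnel the peer actually used to
    the inner key it actually derived (RFC 4017 req. [6] in tunneled form)."""
    cmk = prf(tunnel_key, b"compound-key", inner_key)
    return hmac.new(cmk, transcript, hashlib.sha256).digest()


def server_decision(server_tunnel_key: bytes, inner_key, transcript: bytes,
                    peer_mac, require_binding: bool) -> bool:
    """Server side. With a key-generating inner method it recomputes the
    binding with the tunnel key *it* holds. If there is no inner key there
    is nothing to bind, and only a policy that demands binding refuses."""
    if inner_key is None or peer_mac is None:
        return not require_binding
    expected = compound_mac(server_tunnel_key, inner_key, transcript)
    return hmac.compare_digest(expected, peer_mac)


def honest_exchange() -> bool:
    """Peer and server share one tunnel: the binding verifies."""
    tk = establish_tunnel()
    ik = run_inner_method(generates_key=True)
    mac = compound_mac(tk, ik, CONSTRUCTED_TRANSCRIPT)
    return server_decision(tk, ik, CONSTRUCTED_TRANSCRIPT, mac, require_binding=True)


def relayed_exchange() -> bool:
    """A man-in-the-middle terminates the peer's tunnel and opens its own to
    the server, relaying the inner method through both. Peer and server still
    share the inner key, but the two tunnel keys differ, so the server's
    recomputed binding does not match and it rejects."""
    tk_peer_mitm = establish_tunnel()      # peer believes this is the server
    tk_mitm_server = establish_tunnel()    # relay's own tunnel to the server
    ik = run_inner_method(generates_key=True)
    peer_mac = compound_mac(tk_peer_mitm, ik, CONSTRUCTED_TRANSCRIPT)
    # The relay forwards peer_mac unchanged: without ik it cannot recompute it.
    return server_decision(tk_mitm_server, ik, CONSTRUCTED_TRANSCRIPT, peer_mac,
                           require_binding=True)


def relayed_exchange_without_inner_key(require_binding: bool) -> bool:
    """Same relay, but the inner method generates no key, so no binding value
    exists. A server that only checks inner-method success accepts; one that
    requires binding refuses. This is the gap the key-derivation and
    binding requirements close together."""
    tk_mitm_server = establish_tunnel()
    ik = run_inner_method(generates_key=False)
    return server_decision(tk_mitm_server, ik, CONSTRUCTED_TRANSCRIPT, None,
                           require_binding)


if __name__ == "__main__":
    print("honest, binding enforced:          ", honest_exchange())
    print("relayed, binding enforced:         ", relayed_exchange())
    print("relayed, no inner key, lax server: ",
          relayed_exchange_without_inner_key(require_binding=False))
    print("relayed, no inner key, strict:     ",
          relayed_exchange_without_inner_key(require_binding=True))
```

The model deliberately gives the relay everything it could obtain by sitting on the path (both tunnel keys, the transcript, the peer's check value) and still has the server reject, because the check value depends on the peer's tunnel key, which the server never held. Remove either premise, a key-generating inner method or a server that insists on the binding, and the relayed run is indistinguishable from an honest one.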