Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding

Wasserman, Margaret; Hartman, Sam; Zhang, Dacheng

doi:10.17487/rfc7029

Cited by 4 publications

(5 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…The TEAP encrypting/decrypting gateway MUST, at a minimum, provide support for IPsec, TLS, or similar protection in order to provide confidentiality for the portion of the conversation between the gateway and the EAP server. In addition, separation of the inner and outer method servers allows for crypto-binding based on the inner method MSK to be thwarted as described in [RFC7029]. Implementation and deployment SHOULD adopt various mitigation strategies described in [RFC7029].…”

Section: Methods Negotiationmentioning

confidence: 99%

“…In addition, separation of the inner and outer method servers allows for crypto-binding based on the inner method MSK to be thwarted as described in [RFC7029]. Implementation and deployment SHOULD adopt various mitigation strategies described in [RFC7029].…”

Section: Methods Negotiationmentioning

confidence: 99%

“…If the inner method is deriving EMSK, then this threat is mitigated as TEAP utilizes the mutual crypto-binding based on EMSK as described in [RFC7029]. It should be noted that in TEAP, as in many other authentication protocols, a denial-of-service attack can be mounted by adversaries sending erroneous traffic to disrupt the protocol.…”

Section: Methods Negotiationmentioning

confidence: 99%

See 2 more Smart Citations

Tunnel Extensible Authentication Protocol (TEAP) Version 1

Cam-Winget¹,

Hanna²,

Zhou³

et al. 2014

View full text Add to dashboard Cite

show abstract

Section: Methods Negotiationmentioning

confidence: 99%

Section: Methods Negotiationmentioning

confidence: 99%

Section: Methods Negotiationmentioning

confidence: 99%

See 1 more Smart Citation

Tunnel Extensible Authentication Protocol (TEAP) Version 1

Cam-Winget¹,

Hanna²,

Zhou³

et al. 2014

View full text Add to dashboard Cite

show abstract

“…From our experiments we determined that other devices, for example Android devices, do not employ certificate pinning by default. If the victim user did not configure a server certificate, we believe a more generic MITM attack may be executed as described in RFC 7029 [10]. Note that in this case, the preconditions are stricter: it is required that server certificates are not used by the Android device, which was not the case for Apple devices.…”

Section: Future Workmentioning

confidence: 99%

Short paper

Robyns

Bonné

Quax

et al. 2014

Proceedings of the 2014 ACM Conference on Security and Privacy in Wireless &Amp; Mobile Networks

View full text Add to dashboard Cite

Many of today's enterprise-scale wireless networks are protected by the WPA2-Enterprise Protected Extensible Authentication Protocol (PEAP). In this paper it is demonstrated how an attacker can steal a user's credentials and gain unauthorized access to such networks, by utilizing a class of vulnerable devices as MSCHAPv2 challenge response oracles. More specifically this paper explains how on these devices, Lightweight EAP (LEAP) MSCHAPv1 credentials can be captured and converted to PEAP MSCHAPv2 credentials by using a rogue Access Point. This man-in-themiddle vulnerability was found to be present in all current versions of Apple's iOS and OS X operating systems, and may impact other devices as well. A proof-of-concept implementation is available that shows how Authentication Server certificate validation and certificate pinning mechanisms may be bypassed. Mitigation strategies for the attack and protective actions which can be undertaken by end-users are also described in this paper.

show abstract

“…Some deployments may allow for weak server authentication that is then validated with an additional existing exchange that provides mutual authentication. In order to fully mitigate the risk of NAS impersonation when these mechanisms are used, it is RECOMMENDED that mutual channel bindings be used to bind the authentications together as described in [RFC7029]. When doing channel binding it is REQUIRED that the authenticator is not able to modify the channel binding data passed between the peer to the authenticator as part of the authentication process.…”

Section: Security Considerationsmentioning

confidence: 99%

Update to the Extensible Authentication Protocol (EAP) Applicability Statement for Application Bridging for Federated Access Beyond Web (ABFAB)

Winter¹,

Salowey²

2013

View full text Add to dashboard Cite

This document updates the Extensible Authentication Protocol (EAP) applicability statement from RFC 3748 to reflect recent usage of the EAP protocol in the Application Bridging for Federated Access Beyond web (ABFAB) architecture. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7057.

show abstract

Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding

Cited by 4 publications

References 5 publications

Tunnel Extensible Authentication Protocol (TEAP) Version 1

Tunnel Extensible Authentication Protocol (TEAP) Version 1

Short paper

Update to the Extensible Authentication Protocol (EAP) Applicability Statement for Application Bridging for Federated Access Beyond Web (ABFAB)

Contact Info

Product

Resources

About