>>>>> "Josh" == Josh Howlett <[log in to unmask]> writes:
Josh> Sam, Isn't this a variant of the compound authentication
Josh> binding problem?
Josh> Modern tunnelled methods generally address this by
Josh> cryptographically binding residue from the outer tunnel to the
Josh> inner exchange. C can terminate the outer tunnel, but the EAP
Josh> server will detect that.
Cryptographic binding is one of those EAP myths like channel binding :-)
Unlike channel binding I don't think there is any spec for cryptographic
Yes, if a particular EAP method supports cryptographic binding and
happens to do so in a manner that defends against this attack we can
take advantage of that.
We'll certainly look into FreeRADIUS and libeap's support for eap-ttls
and eap-mschapv2 cryptographic binding.
Josh> So we could combine that with leap-of-faith. I think libeap
Josh> supports crypto binding for some EAP methods; I'm not sure
Josh> about FreeRADIUS.
There's also a catch in what cryptographic binding buys you that I ran
into the last time I discussed it with Joe. Ah, hmm, some parts of that
discussion made their way into the paragraph just before section 4.1 in
draft-ietf-emu-chbind. According to that text, cryptographic binding
operates at the outer method level, so an inner method can be extracted
from cryptographic binding by a MITM. So, no, I don't think
cryptographic binding would allow the EAP server to detect this.