Compound Authentication Binding Problem (EAP Binding Draft)

Agenda

• Compound Methods

• Motivation

• Problem Summary

• Solutions

• Conclusion/Next Steps

Compound Methods

• Definition: Multiple authentication methods used in concert for a single purpose

• Tunneled methods
• Sequenced methods

• Typical Purposes

• Network access authentication & authorization
• Security Association establishment for protecting data traffic
• Service access authentication & authorization
• …

Motivation for Compound Methods using Tunnels

• Securing legacy methods in new environments

• Ease of deployment for securing legacy methods

• Providing consistent security properties and other features for different methods

• Securing multiple credentials in sequences

Problem = Man-in-the-Middle Attacks

• Focus is on Compound Tunneled Methods that support

• single inner method
• sequence of inner methods

• Non-tunneled Compound Sequences are also potentially vulnerable but not addressed

• problem space unbounded? further study needed

Problem Conditions

• Dual role man-in-the-middle attacker (rogue authenticator + rogue supplicant)

• Credential and authentication method re-use with and without tunnels

• Use of one-way server authenticated tunnel

• Use of tunnel session keys alone and no inner method session keys

Solution Requirements

• Fixes to existing EAP methods not ok

• Fixes to new EAP methods maybe ok

• Fixes to Tunnel methods ok

• Should work for different tunnel termination models

• Should not bring new requirements for other protocols (eg. RADIUS )

• Forward Evolution for protocols with fix

• Backwards compatibility for fixed protocols

• Simplicity for fix (low compute costs & roundtrips)

• Upgraded EAP Base protocol maybe ok

Solution Concepts

• All methods

• Use separate credentials inside and outside tunnels
• Use methods inside tunnels always

• Key deriving methods

• Can use cryptographic binding
• Binding can provide stronger authentication & session keys
• Avoids policy synchronization issues
• Preserves deployment convenience of one-way authenticated tunnels

Solution Mechanisms Recommended

• Policy restrictions

• For non-key deriving methods client & server policy
• Use separate credentials inside/outside tunnels
• Use methods inside tunnels always

• Cryptographic Binding

• Compound Keyed MACs
• Keyed MACs computed from safe one-way derivation from keys of all inner methods and tunnel method
• Additional mutual authentication round trip (binding phase exchange) with keyed MACs
• Compound Session Keys
• Bound Key derived using safe one-way derivation from keys of all inner methods and tunnel method

Binding Phase Exchange with Compound Keyed MACs

Solution Approaches

• Add Binding Phase to EAP base protocol or Tunnel Protocol

• Already need for protected success/failure indication identified
• Binding Phase exchange can also include the protected success/failure indication
• Method Key export interface available
• Cryptographic binding can give stronger keys

• Add Policy rules to Client and Server

• Provides fix for non-key deriving methods

Conclusion/Next Steps

• Conclusion

• Request approval for draft as EAP working group item

• Next Steps

• Close on some of the outstanding Issues on EAP Issues list
• Catalog new issues from comments on mailing list

References

• “Compound Authentication Binding Problem”, Puthenkulam, J., Lortz, V., Palekar, A., Simon, D., http://www.ietf.org/internet-drafts/draft-puthenkulam-eap-binding-02.txt

• “Man-in-the-Middle in Tunnelled Authentication Protocols”, Asokan, N.,Niemi, V., Nyberg, K., http://eprint.iacr.org/2002/163/

Backup

Tunneled Methods Generic Model

Sequenced Methods Generic Model