<zhou.sujing <at> zte.com.cn>
2012-04-17 09:51:54 GMT
In Section 2 of draft-hartman-emu-mutual-crypto-bind-00:

"The print server offers a tunnel method towards the peer. The print server extracts the inner method from the tunnel and sends it on towards the AAA server. Channel binding happens at the tunnel method though. So, the print server is happy to confirm that it is the

After the inner method completes, the EAP server sends the MSK to the print server over the AAA protocol. If only the MSK is needed for cryptographic binding then the print server can successfully perform cryptographic binding and may be able to impersonate the financial application to the peer."

The print server offers a tunnel method towards the peer, and channel binding is adopted. According to section 4.2 in draft-ietf-emu-chbind-14:

"The channel bindings MUST be transported with integrity protection based on a key known only to the peer and

and section 6 in draft-ietf-emu-chbind-14:

"The channel binding protocol defined in this document must be transported after keying material has been derived between the EAP peer and server, and before the peer would suffer adverse affects from joining an adversarial network."

To my understanding, right prior to finishing tunnel establishment, the EAP peer and EAP server (the print server in the server insertion attack case) should have exchanged channel binding with integrity protection by a key known only to the EAP peer and EAP server (the MSK in this case), but the print server does not know the MSK yet, so the channel binding could not pass verification by the EAP peer; then the peer should not continue with the inner method, the print server could not use a non-tunneled inner method without the cooperation of the peer, and the print server could not get the MSK from the EAP server, so the server insertion attack fails even though the peer does not check the print server's or EAP server's cert.

Have I missed something?
Emu mailing list
Emu <at> ietf.org