Subject: Re: Re: [802.1] Re: 802.1X interface variable
From: Yoshihiro Ohba (yohba
Date: Tue, 13 Jan 2004 12:18:27 -0500 (EST)
On Tue, Jan 13, 2004 at 11:31:36AM -0500, John Vollbrecht wrote:
> >>I think a standard case would be to have the user authenticate the
> >>server using TLS, then authenticate some other way over the protected
> >>connection into the walled garden. For example one might setup a VPN
> >>from the client to an edge device leaving the walled garden. In this
> >>case I don't think it is necessary to do mutual authentication
> >>initially.
> >
> >As long as two one-way authentications in different directions are
> >cryptographically bound, it is ok. But it actually forms a mutual
> >authentication if we view the combined authentications as a unified
> >mechanism (e.g., the EAP usage in IKEv2).
> >
> I am not sure of your meaning. Are you agreeing that the EAP
> authentication does not have to be mutual? Or are you thinking the second
> authentication would be in the same method? My thinking is that if the
> second authentication is done after the first has allowed attaching to the
> network at the walled garden, then (in this example) the first (EAP) method
> is not mutual.
>
> In fact, if the user does not want to leave the walled garden, then the
> second authentication may never be done. The walled garden provider does
> not care who the user is, and the user knows who the walled garden is.

I would agree that the EAP authentication does not have to be mutual in
the considered case if the following conditions are met:

o The key that is established as a result of the first (EAP) method
  (which is server-only, one-way authentication) should be used ONLY for
  protecting the (optional) second authentication signaling traffic, and
  NOT for protecting data traffic. (As I mentioned already, giving a key
  to an anonymous user for protecting data traffic can be dangerous for
  authenticated users in the same network and not very useful.)

AND

o When the second authentication (which is host-only, one-way
  authentication) is performed, the first and second authentications are
  cryptographically bound in order to prevent the known man-in-the-middle
  attack against compound authentication methods.

> I think this is ok - do you agree?

I conditionally agree, as described above.

Yoshihiro Ohba
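The cryptographic binding asked for in the second condition above, shown as an added illustration that is not part of the original thread and not the code of any 802.1X or EAP implementation. It models the two keys the message talks about (a key from a server-only tunnel and a key from a host-only inner method) with constructed HMAC-based derivations, then compares two server policies: deriving the data-traffic key from the tunnel key alone versus mixing both keys and demanding a binding proof. The function names, the `kdf`/`binding_mac` constructions and the password database are assumptions for the sake of the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def kdf(label: bytes, *keys: bytes, length: int = 32) -> bytes:
    """Two-step HMAC-SHA256 derivation (extract over all key inputs, then
    expand under a label). Constructed stand-in for the PRF a real EAP
    method would use; every key passed in is mixed into the output."""
    prk = hmac.new(b"\x00" * 32, b"".join(keys), hashlib.sha256).digest()
    return hmac.new(prk, label + b"\x01", hashlib.sha256).digest()[:length]


def inner_auth_key(password: bytes, challenge: bytes) -> bytes:
    """Key from the host-only (second) authentication: a challenge-response
    on a shared password. Only holders of the password can compute it."""
    return hmac.new(password, b"inner-auth" + challenge, hashlib.sha256).digest()


def session_key(k_outer: bytes, k_inner: Optional[bytes]) -> bytes:
    """Key for data traffic. Unbound policy: derived from the tunnel key
    only. Bound policy: derived from tunnel key AND inner-method key."""
    if k_inner is None:
        return kdf(b"session", k_outer)
    return kdf(b"session", k_outer, k_inner)


def binding_mac(k_outer: bytes, k_inner: bytes, transcript: bytes) -> bytes:
    """Client's proof that the inner method ran inside the SAME tunnel the
    server sees: a MAC under a key derived from both methods' keys."""
    key = kdf(b"binding", k_outer, k_inner)
    return hmac.new(key, transcript, hashlib.sha256).digest()


def simulate_relay(bind: bool) -> Dict[str, bool]:
    """Model the man-in-the-middle the message warns about.

    An attacker opens its own server-authenticated tunnel (client side is
    anonymous, so nothing stops it) and forwards the victim's inner
    challenge-response through that tunnel. The server then sees both a
    completed tunnel and a proven password and must decide whether to
    accept and which key to hand out.
    """
    password_db = {"alice": b"correct horse battery staple"}  # constructed

    # Step 1: tunnel between attacker and server (server-only auth). Its key
    # is shared by attacker and server; the victim never sees it.
    k_outer_attacker = secrets.token_bytes(32)

    # Step 2: the victim answers the server's challenge (outside that tunnel);
    # the attacker relays the bytes unchanged. The resulting inner key is
    # shared by victim and server but unknown to the attacker.
    challenge = secrets.token_bytes(16)
    k_inner = inner_auth_key(password_db["alice"], challenge)

    # The victim's own tunnel (if any) is a different one.
    k_outer_victim = secrets.token_bytes(32)

    transcript = b"EAP-transcript" + challenge
    server_key = session_key(k_outer_attacker, k_inner if bind else None)
    attacker_key = session_key(k_outer_attacker, None)

    if bind:
        # Server requires the binding MAC. The victim can only compute it
        # over ITS tunnel key, which is not the server's, so the check fails.
        expected = binding_mac(k_outer_attacker, k_inner, transcript)
        offered = binding_mac(k_outer_victim, k_inner, transcript)
        accepted = hmac.compare_digest(expected, offered)
    else:
        accepted = True  # nothing ties the two authentications together

    return {
        "server_accepts": accepted,
        "attacker_holds_session_key": attacker_key == server_key,
    }


if __name__ == "__main__":
    print("unbound:", simulate_relay(bind=False))
    print("bound:  ", simulate_relay(bind=True))
```

Under the unbound policy the server accepts the relayed run and the attacker, who only ever authenticated the server, ends up holding the same data-traffic key as the server; under the bound policy the relayed run is rejected and the attacker cannot derive the key, which is the first condition's point (the tunnel key alone protects nothing but the inner signaling) enforced by the second condition's binding.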