EAP-SIM -- Protected Start/Notify before fast-ReAuth
From: Uma Shankar Ch (umasintotoinc.com)
Date: Mon, 23 Aug 2004 08:34:21 -0400 (EDT)

Can anybody answer this query -- from "draft-haverinen-pppext-eap-sim-13.txt"?


As of now, the protected Notifications are valid only after a successful EAP-Request/SIM/Challenge round trip in full authentication or a successful EAP-Request/SIM/Re-authentication round trip in fast re-authentication. If the draft won't mandate protected notifications after successful authentication, there is a possibility of session closure by the peer because of an attacker, as mentioned below.

Consider the case when the server is going for fast re-authentication and for the same it has started with EAP-Request/SIM/Start. At that point of time, even if the EAP server wants to send a Notification, it MUST send a protected notify; otherwise an attacker can always force the peer to close the connection just by sending an unprotected Notification Failure followed by Failure.

Along similar lines, before the fast re-authentication, the EAP-Request/SIM/Start MUST be protected; if not, a man-in-the-middle attacker can always force the peer to reveal the permanent identity by changing the actual EAP-Request/SIM/Start from AT_ANY_ID to AT_PERMANENT_ID_REQ. The server is expecting a valid fast re-authentication ID, and the peer would be responding with the Permanent Identity because of the man-in-the-middle attacker.

So, is it not advisable to send EAP-Request/SIM/Start or EAP-Request/Identity under the protection of the K_auth key derived in full authentication, before going for fast re-authentication?

Thanks in advance.
Uma S

www.intoto.com
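
The check proposed in the message above, as an added example that is not part of the original post or of the draft: a peer that accepts an EAP-Request/SIM/Start before fast re-authentication only if it carries an AT_MAC that verifies under the key kept from the last full authentication. Putting AT_MAC on Start, the function names and the key value are assumptions for illustration; the MAC is HMAC-SHA1-128 over the packet with the MAC field zeroed and no extra message-specific data.

```python
import hashlib
import hmac
import struct

EAP_REQUEST, EAP_TYPE_SIM, SUBTYPE_START = 1, 18, 10
# Attribute type numbers as assigned in the EAP-SIM specification (RFC 4186).
AT_PERMANENT_ID_REQ, AT_MAC, AT_ANY_ID_REQ = 10, 11, 13

def attr(at_type, payload=b"\x00\x00"):
    """Encode one attribute: type, length in 4-byte words, payload."""
    return bytes([at_type, (len(payload) + 2) // 4]) + payload

def mac128(k_aut, packet, mac_off):
    """HMAC-SHA1-128 over the packet with the 16-byte MAC field zeroed."""
    zeroed = packet[:mac_off] + bytes(16) + packet[mac_off + 16:]
    return hmac.new(k_aut, zeroed, hashlib.sha1).digest()[:16]

def build_start(k_aut, identifier, id_req):
    """Server side (hypothetical): Start request carrying AT_MAC."""
    body = attr(id_req) + attr(AT_MAC, bytes(18))
    hdr = struct.pack("!BBHBBH", EAP_REQUEST, identifier, 8 + len(body),
                      EAP_TYPE_SIM, SUBTYPE_START, 0)
    pkt = hdr + body
    return pkt[:-16] + mac128(k_aut, pkt, len(pkt) - 16)

def peer_accepts(k_aut, packet):
    """Peer side (hypothetical): accept only if AT_MAC verifies under K_aut."""
    off = 8  # attributes follow the 8-byte EAP-SIM header
    while off + 2 <= len(packet):
        at_type, size = packet[off], 4 * packet[off + 1]
        if size == 0 or off + size > len(packet):
            return False  # malformed attribute
        if at_type == AT_MAC and size == 20:
            got = packet[off + 4:off + 20]
            return hmac.compare_digest(got, mac128(k_aut, packet, off + 4))
        off += size
    return False  # no AT_MAC: treat as unprotected and reject

def demo():
    k_aut = bytes(range(16))  # constructed key, stands in for the stored K_aut
    genuine = build_start(k_aut, 7, AT_ANY_ID_REQ)
    tampered = bytearray(genuine)
    tampered[8] = AT_PERMANENT_ID_REQ  # in-transit change described in the post
    return peer_accepts(k_aut, genuine), peer_accepts(k_aut, bytes(tampered))

if __name__ == "__main__":
    print(demo())  # (True, False)
```

A peer applying this check drops the altered Start instead of answering it with its permanent identity; the same verification applied to Notification requests covers the forced-closure case raised earlier in the message.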
