RE: RFC 3748 Review of EAP SIM
From: Bernard Aboba (abobainternaut.com)
Date: Mon, 22 Nov 2004 10:06:30 -0500 (EST)
> For simplicity, I think we can delete this sentence from the introduction.

That's what I'd recommend.

> OK. The new text would be "The pre-shared symmetric secret stored on
> the SIM card is not a passphrase, or derived from a passphrase."

Great.

> The draft spells out the consequences of sharing, as they are at the time
> of writing. As Jari already commented, new improvements are being specified
> at 3GPP.

OK.  You might reference those developments.

> OK -- I believe we cannot do anything about this right now, especially
> as the keying issues are work in progress, but we may need to reconsider
> this later.

It's entirely speculative since 802.11r is probably 24 months away at
least.  But it's something to keep an eye on (and document in the keying
draft).

> How about this revised text:
>
>    There are man-in-the-middle attacks associated with the use of any
>    EAP method within a tunneled protocol such as PEAP. This specification
>    does not address these attacks. If EAP-SIM is used with a tunneling
>    protocol, there should be cryptographic binding provided between the
>    protocol and EAP-SIM to prevent man-in-the-middle attacks through rogue
>    authenticators being able to set up one-way authenticated tunnels. The
>    EAP-SIM Master Session Key MAY be used to provide the cryptographic
>    binding. However, the mechanism by which the binding is provided
>    depends on the tunneling protocol and is beyond the scope of this
>    document.

That's fine.  You might include a reference to the PEAP
specification that included the vulnerability (-02 I believe).

> Maybe we should request a common register for EAP-SIM and EAP-AKA
> protocol values. That would ensure that numbers are non-overlapping.

Yes, that's what I'd recommend.
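The cryptographic binding discussed in the quoted text above can be illustrated with a small model. The following is an added example, not code from the thread, from EAP-SIM, or from any PEAP implementation, and it does not reproduce PEAP's actual TLV or PRF layout. It assumes a constructed construction in which a compound key is derived from the tunnel's own key material and the inner method's Master Session Key, and a MAC under that compound key is exchanged inside the tunnel. A rogue authenticator that relays the inner EAP-SIM exchange through a tunnel of its own ends up with the same MSK but a different tunnel key, so the server-side verification fails.

```python
import hmac
import hashlib

# Constructed label; the real binding format is defined by the tunneling protocol.
BINDING_LABEL = b"example-cryptobinding-v0"


def derive_binding_key(tunnel_key: bytes, inner_msk: bytes) -> bytes:
    """Combine the outer tunnel key and the inner EAP-SIM MSK into one
    compound key. HMAC-SHA256 is used here purely as a key-combining PRF
    for illustration (assumption, not PEAP's definition)."""
    return hmac.new(tunnel_key, BINDING_LABEL + inner_msk, hashlib.sha256).digest()


def compound_mac(binding_key: bytes, transcript: bytes) -> bytes:
    """MAC over the exchange transcript under the compound key."""
    return hmac.new(binding_key, transcript, hashlib.sha256).digest()


def verify_binding(server_tunnel_key: bytes, inner_msk: bytes,
                   transcript: bytes, peer_mac: bytes) -> bool:
    """Server-side check: recompute the compound MAC from the tunnel key the
    server actually negotiated and the MSK produced by the inner method."""
    expected = compound_mac(derive_binding_key(server_tunnel_key, inner_msk), transcript)
    return hmac.compare_digest(expected, peer_mac)


def run_exchange(peer_tunnel_key: bytes, server_tunnel_key: bytes,
                 inner_msk: bytes, transcript: bytes = b"constructed EAP-SIM transcript") -> bool:
    """Model one tunneled EAP-SIM run.

    peer_tunnel_key   - the key the peer derived for the tunnel it believes it is in
    server_tunnel_key - the key the home server derived for the tunnel it terminates
    inner_msk         - the EAP-SIM MSK; identical on both sides because the inner
                        method is relayed unchanged by an attacker in the MITM case

    Returns True when the binding verifies, False when it does not.
    """
    peer_mac = compound_mac(derive_binding_key(peer_tunnel_key, inner_msk), transcript)
    return verify_binding(server_tunnel_key, inner_msk, transcript, peer_mac)


if __name__ == "__main__":
    msk = b"\x11" * 64                 # constructed EAP-SIM MSK
    honest_tunnel = b"\x22" * 32       # constructed tunnel key, same at both ends
    rogue_tunnel = b"\x33" * 32        # constructed key of a tunnel the peer is not part of

    print("legitimate tunnel:", run_exchange(honest_tunnel, honest_tunnel, msk))
    print("relayed through rogue tunnel:", run_exchange(honest_tunnel, rogue_tunnel, msk))
```

Only the tunnel key differs between the two runs; the MSK is the same in both because the inner method itself succeeded. That is exactly why binding to the MSK alone is insufficient and the tunnel key must enter the derivation as well.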
