| Re: Re: Clarifications on "Domino Effect" | <– Date –> <– Thread –> |
From: Jari Arkko (jari.arkko piuha.net)
|
|
| Date: Mon, 1 Aug 2005 11:41:31 -0400 (EDT) | |
Bernard Aboba wrote:
--Jari
Right.Well, yes, but I think the main reason for this requirement
is physical access. If you grab an access point from a coffee
shop wall, this should not lead to an uncontained compromise
of the whole system.
This problem statement is somewhat more concrete (and easier to analyze).
For example, if you grab the access point off the wall, do you:
a. Obtain a RADIUS shared secret used by another AP? If good RADIUS
secret hygene is being used, then the answer is no.
b. Obtain keys useful in compromising another AP? If the EAP methodRight.
provides "session independence" I think that obtaining one MSK provides
no useful information to compromise another MSK. Also if the EMSK is
cryptographically independent from the MSK, you can't compromise the EMSK
if the MSK is compromised.
c. Obtain keys useful in compromisng an EAP peer or the backend server?Right.
Assuming that the EAP method is sufficiently robust (e.g. satisfies the
RFC 4017 requirements) I think the answer is "no" to this one too. For
example, the attacker can't do an offline or online dictionary attack,
can't do a brute force attack on the key (assuming the key strength is
sert high enough), etc.
an RFC with WG consensus behind it, it might be an idea
to define the issue in the keying framework itself. In this particular
case what we need to do is to go from a general statement "must
not compromise other nodes" to a set of more specific statements
that talk about what exact quantities in what exact other nodes
must not be compromised. While we are at it, we might also state
that we do not have a requirement on the compromise of the radius
server being recoverable...
Yes, it would be good to have a plan for getting this (and other requirements issues) settled. The exact nature of the "domino effect" requirement is important to a number of lower layer attempting to utilize EAP.
And the EAP WG is probably as good a place to discuss this as anywhere...
I'm not necessarily saying that we need to have a long list of requirements imported from Russ'es document. Or a requirements section for that matter.
But it would be useful to have a discussion of the compromise issue and other aspects of the system level security model in the doc. Of course, we should not cover the extensions or anything really beyond existing usage.
--Jari
- RE: Clarifications on "Domino effect", (continued)
- RE: Clarifications on "Domino effect" Alper Yegin, July 31 2005
-
Re: Clarifications on "Domino Effect" Bernard Aboba, July 31 2005
-
Re: Re: Clarifications on "Domino Effect" Jari Arkko, July 31 2005
- Re: Re: Clarifications on "Domino Effect" Bernard Aboba, July 31 2005
- Re: Re: Clarifications on "Domino Effect" Jari Arkko, August 1 2005
- Re: Re: Clarifications on "Domino Effect" Bernard Aboba, August 1 2005
-
Re: Re: Clarifications on "Domino Effect" Jari Arkko, July 31 2005
- RE: Re: Clarifications on "Domino Effect" Alper Yegin, August 2 2005
Results generated by Tiger Technologies using MHonArc.