Subject: Re: channel binding consensus call
From: Jari Arkko (jari.arkko
Date: Fri, 26 Aug 2005 03:52:53 -0400 (EDT)
Salowey, Joe wrote:
> I think there are three different approaches that have been discussed as
> "channel bindings":
>
> 1. Both parties pass data into the EAP method. The data is bound to the
> authentication exchange so it can't be modified. If the data input by both
> parties matches then the method succeeds, else the method fails. This
> approach is similar to "channel bindings" used in the GSS-API.
>
> 2. Both parties pass data into the method that is bound to the
> authentication exchange so it can't be modified and can be output on the
> other side. Each party takes the exported data from the method and
> validates it to determine if there is success or failure.
>
> 3. Both parties input data independent of EAP that gets mixed into the
> key material that is output from EAP. If the data matches, the keys
> match; if the keys don't match, then the keys don't match.
>
> Type 1 and 2 require support from EAP methods. Type 1 and 3 fail if
> there is any mismatch in data, where type 2 allows for some flexibility.
> Type 3 requires that you go through the process of using the derived
> key material before you discover a problem, whereas type 1 fails in the
> method. Type 3 probably requires the most AAA work, although they
> probably could all benefit from it.

This is a good classification, thanks!

--Jari
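The three styles in the quoted classification, modelled side by side as an added example (this is not code from the thread, from any EAP method, or from the IETF EAP working group). The HMAC-SHA256 key derivation, the JSON-encoded binding attributes (a NAS identifier and an MTU), the in-path modification used to exercise the integrity tag, and the nas_id-only acceptance policy for type 2 are all assumptions made for the illustration:

```python
import hashlib
import hmac
import json

# Constructed stand-in for the key material an EAP method establishes
# between peer and server; a real method derives this from its handshake.
SHARED_SECRET = b"constructed-demo-secret"


def canonical(binding: dict) -> bytes:
    """Encode binding data so both sides hash identical bytes for identical data."""
    return json.dumps(binding, sort_keys=True, separators=(",", ":")).encode()


def auth_tag(data: bytes) -> bytes:
    """Integrity tag under the method's secret: the 'bound so it can't be
    modified' property that types 1 and 2 rely on."""
    return hmac.new(SHARED_SECRET, data, hashlib.sha256).digest()


# --- Type 1: the method itself compares; any mismatch fails authentication ---
def type1_method(peer_binding: dict, server_binding: dict) -> bool:
    """Both inputs are tagged and compared inside the method, so the outcome
    is simply whether the two parties supplied identical data."""
    return hmac.compare_digest(auth_tag(canonical(peer_binding)),
                               auth_tag(canonical(server_binding)))


# --- Type 2: the method exports the other side's data; the caller decides ---
def type2_method(peer_binding: dict, server_binding: dict, tamper=None):
    """Each party's data crosses the method with an integrity tag. Returns
    (what the peer sees, what the server sees); a value is None when its tag
    does not verify. `tamper` is a constructed in-path modification applied
    to the peer's data so the integrity check can be exercised."""
    peer_data, peer_tag = canonical(peer_binding), auth_tag(canonical(peer_binding))
    server_data, server_tag = canonical(server_binding), auth_tag(canonical(server_binding))
    if tamper is not None:
        peer_data = tamper(peer_data)

    def export(data: bytes, tag: bytes):
        return json.loads(data) if hmac.compare_digest(auth_tag(data), tag) else None

    return export(server_data, server_tag), export(peer_data, peer_tag)


def type2_policy(local: dict, remote, must_match=("nas_id",)) -> bool:
    """Caller-side validation. Requiring agreement only on selected attributes
    is the flexibility type 2 has and types 1 and 3 lack (assumed policy)."""
    if remote is None:          # integrity failure: treat as reject
        return False
    return all(local.get(k) == remote.get(k) for k in must_match)


def type2_outcome(peer_binding: dict, server_binding: dict, tamper=None):
    """(peer accepts, server accepts) after each side applies its policy."""
    peer_sees, server_sees = type2_method(peer_binding, server_binding, tamper)
    return type2_policy(peer_binding, peer_sees), type2_policy(server_binding, server_sees)


# --- Type 3: data mixed into the exported key; mismatch shows up only in use ---
def type3_derive_key(local_binding: dict) -> bytes:
    """Each side derives its key locally from the method secret plus its own
    binding data; nothing is compared during the method itself."""
    return hmac.new(SHARED_SECRET, b"type3|" + canonical(local_binding), hashlib.sha256).digest()


def type3_key_use_check(peer_binding: dict, server_binding: dict) -> bool:
    """The first protected message after EAP: the peer MACs it with its key,
    the server verifies with its own. Disagreement on binding data is only
    discovered here, which is the late failure the thread notes for type 3."""
    frame = b"first protected frame (constructed)"
    peer_mac = hmac.new(type3_derive_key(peer_binding), frame, hashlib.sha256).digest()
    server_mac = hmac.new(type3_derive_key(server_binding), frame, hashlib.sha256).digest()
    return hmac.compare_digest(peer_mac, server_mac)


def demo() -> dict:
    """Run the three styles over constructed binding data."""
    # What the peer learned from the NAS it is talking to vs. what the AAA
    # server knows about that NAS: same identity, but the MTU attribute differs.
    peer = {"nas_id": "nas-1", "mtu": 1500}
    server = {"nas_id": "nas-1", "mtu": 1400}
    other = {"nas_id": "nas-2", "mtu": 1500}   # a NAS announcing a different identity

    def edit(data: bytes) -> bytes:            # constructed in-path modification
        return data.replace(b"nas-1", b"nas-2")

    return {
        "type1_minor_mismatch": type1_method(peer, server),          # False: strict compare
        "type1_exact": type1_method(peer, peer),                     # True
        "type2_minor_mismatch": type2_outcome(peer, server),         # (True, True): policy ignores mtu
        "type2_other_nas": type2_outcome(other, server),             # (False, False): identities disagree
        "type2_tampered": type2_outcome(peer, server, tamper=edit),  # (True, False): server's tag check fails
        "type3_minor_mismatch": type3_key_use_check(peer, server),   # False: keys differ, seen only on use
        "type3_exact": type3_key_use_check(peer, peer),              # True
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:22s} {result}")
```

The MTU difference is what separates the three: types 1 and 3 reject it outright (type 3 only once a key is used), while type 2 lets each side's policy decide that only the NAS identity matters; the tampered case shows that the exported data in type 2 still cannot be edited in transit without the receiving side noticing.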