[Search] [txt|pdf|bibtex] [Tracker] [Email] [Nits]

Versions: 00 01 02 03 04                                                
EAP Working Group                                       Jose Puthenkulam
INTERNET-DRAFT                                              Victor Lortz
Category: Informational                                Intel Corporation
<draft-puthenkulam-eap-binding-00.txt>                    Ashwin Palekar
27 October 2002                                                Dan Simon
                                                           Bernard Aboba

              The Compound Authentication Binding Problem

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC 2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups.  Note that other groups
may also distribute working documents as Internet- Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time.  It is inappropriate to use Internet Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at

The list of Internet-Draft Shadow Directories can be accessed at

Copyright Notice

Copyright (C) The Internet Society (2002).  All Rights Reserved.


This document describes man-in-the-middle attacks possible when compound
authentication methods are used without cryptographically binding the
methods together. Several protocols currently being proposed within the
IETF are vulnerable to these attacks, including IKE with XAUTH, PIC,
PANA over TLS, EAP TTLS, and PEAP. This document reviews potential
solutions to the problem, including solutions which can be implemented
as extensions to the EAP protocol.

Puthenkulam et al.            Informational                     [Page 1]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

Table of Contents

1.     Introduction ..........................................    3
   1.1       Specification of Requirements ...................    3
   1.2       Terminology .....................................    4
2.     Overview ..............................................    4
3.     Attack scenarios ......................................    7
4.     Potential solutions ...................................    8
   4.1       Solution requirements ...........................   10
   4.2       Solution mechanisms .............................   11
   4.3       Solution approaches .............................   13
   4.4       Solution scope ..................................   14
5.     Normative references ..................................   16
6.     Informative references ................................   17
ACKNOWLEDGMENTS ..............................................   19
AUTHORS' ADDRESSES ...........................................   19
Full Copyright Statement .....................................   20

Puthenkulam et al.            Informational                     [Page 2]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

1.  Introduction

This document describes man-in-the-middle attacks against protocols
supporting compound authentication methods.  Compound authentication
methods can occur in sequence, or more commonly, when authentication
method(s) are encapsulated within a tunnel which is itself

The vulnerability arises when the peers are not required to demonstrate
that they have participated in all of the authentication methods
occurring within the exchange. Where an authentication method sequence
is used, it is possible for a man-in-the-middle to intercede between the
client and server, fooling the client into believing that a single
endpoint acted as the server throughout the exchange. Where one or more
authentication methods in the sequence is one-way or is vulnerable to
dictionary attack, this can result in disclosure of client credentials
to untrusted peers.

Where a one-way authenticated tunnel setup is used to derive
authentication and/or encryption keys, and subsequent authentication
methods are encapsulated inside the tunnel, it is possible to launch
another man-in-the-middle attack. By shuttling authentication packets
between the client and server, the man-in-the-middle can authenticate
itself to the server and obtain the authentication and/or encryption
keys needed for subsequent access to the server.  For this attack to be
successful, it is necessary for the tunneled authentication methods to
also be enabled for use outside the tunnel, and for the same credentials
to be used for authentication inside and outside the tunnel.

A number of protocols currently proposed within the IETF are vulnerable
to these attacks. Vulnerable protocols include, but are not limited to
[XAUTH], an IKE extension widely deployed with IPsec VPNs; [PIC], a
protocol for certificate enrollment, proposed for use with IPsec VPNs;
PANA over TLS [PANATLS], a protocol proposed for use within wireless
networks; EAP TTLS [EAPTTLS], an EAP method which tunnels other EAP
mechanisms within a TLS tunnel; and Protected EAP [PEAP], a protocol
similar to EAP TTLS.

Given the wide scope of this vulnerability, a solution is desirable, and
this document describes the benefits and limitations of potential
solution approaches.

1.1.  Specification of requirements

In this document, several words are used to signify the requirements of
the specification.  These words are often capitalized.  The key words
NOT", "RECOMMENDED",  "MAY", and "OPTIONAL" in this document are to be

Puthenkulam et al.            Informational                     [Page 3]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

interpreted as described in [RFC2119].

1.2.  Terminology

This document frequently uses the following terms:

          The end of the link requiring the authentication.

Peer      The other end of the point-to-point link (PPP), point-to-point
          LAN segment (IEEE 802.1x) or 802.11 wireless link, which being
          authenticated by the Authenticator. In IEEE 802.1X, this end
          is known as the Supplicant.

Authentication Server
          An Authentication Server is an entity that provides an
          Authentication Service to an Authenticator. This service
          verifies from the credentials provided by the Peer, the claim
          of identity made by the Peer.

Silently Discard
          This means the implementation discards the packet without
          further processing.  The implementation SHOULD provide the
          capability of logging the error, including the contents of the
          silently discarded packet, and SHOULD record the event in a
          statistics counter.

Sequenced Methods
          Authentication methods which are used in sequence one after an
          another where each completes and the other one starts. The
          authentication is complete after the final method in the
          sequence is completed.

Tunneled Methods
          The first method sets up a tunnel and subsequent method(s) run
          within the tunnel.

2.  Overview

The attacks described in this document can be mounted against a number
of protocols currently proposed for authenticated network access,
including [XAUTH],[PIC],[PANATLS], [EAPTTLS], and [PEAP]. The attacks
are enabled when compound authentication techniques are used, allowing
clients and servers to authenticate each other with a sequence of
methods, or one or more methods encapsulated within an authenticated
tunnel. The most common attacks occur when the tunnel is authenticated
only from the server to the client, so that the client does not prove
its identity to the server, and where authentication techniques are

Puthenkulam et al.            Informational                     [Page 4]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

permitted both inside and outside a tunnel.

In order to enable secure access using legacy authentiation methods,
protocols such as XAUTH, PIC, PANA over TLS, EAP TTLS and PEAP first
create a security association, using well analyzed techniques such as
ISAKMP [RFC2408] and TLS [RFC2246]. They then tunnel authentication
methods within the security association. The intent is to utilize dual
authentication techniques so as to provide mutual authentication, as
well as to allow the derivation of keys used to provide subsequent per-
packet authentication and encryption.

However, because the initial authentication only authenticates the
server to the client, or provides only an indication of group membership
(where group pre-shared keys are used within IKE), and because the keys
derived within ISAKMP and TLS are not subsequently included within the
tunneled authentication computations, there is no demonstration that the
ISAKMP/TLS endpoints are the same as the tunneled authentication
endpoints. Where authentication techniques are enabled both inside and
outside the tunnel, such as when they are in use for multiple purposes
(e.g. dialup or web authentication) then an attacker can induce an
unsuspecting client to authenticate, then tunnel the authentication

Thus it is the lack of client authentication within the initial security
association, along with a dependency of key derivation solely on the
initial one-way authentication, the deployment of untunneled
authentication methods, and the lack of "cryptographic binding" between
the security association and the tunneled authentication method, that
enables the vulnerability. Note that in addition to these
vulnerabilities, authentication tunneling also provides a number of
security benefits, including well understood key derivation, replay and
dictionary attack protection and privacy support. These benefits explain
why tunneling has been so frequently proposed for legacy authentication
methods with known security vulnerabilities.

For the purposes of the attack, it makes no difference whether the
authentication technique used inside the tunnel provides for mutual
authentication or not. As long as the tunneled authentication method
does not require that both sides demonstrate participation in the
previous "tunnel authentication" as well as subsequent authentications,
and as long as keys derived during the exchange are not dependent on
material from *all* of the authentications, the vulnerability exists.
The tunnel client, having not proved its identity, can act as a man-in-
the-middle, luring unsuspecting clients to authenticate to it using any
authentication method suitable for use inside the tunnel.

Despite the prevalence of man-in-the-middle vulnerabilities within IETF
protocol proposals, it should be noted that these attacks are not the

Puthenkulam et al.            Informational                     [Page 5]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

result of design flaws within IKE [RFC2409] or EAP [RFC2284].

IPsec VPN implementations which require strong mutual authentication
within the tunnel prior to permitting subsequent authentication are not
vulnerable to this attack.  For example, when L2TP over IPsec [RFC3193]
or IPsec tunnel mode [DHCPIPsec], are used with certificate
authentication or unique pre-shared keys, the attack is not possible. By
requiring strong mutual authentication via certificates or a unique pre-
shared key, the tunnel server obtains the ability to verify the identity
of the tunnel client, and vice versa. The tunnel server may then
subsequently apply access control in order to limit authentication
within the established tunnel.

However, where group pre-shared keys are used (as is common in IKE Main
Mode implementations that support clients with dynamically allocated IP
addresses), followed by one-way authentication mechanisms such as CHAP
[RFC1994], the vulnerability is exposed.  Since group pre-shared keys
only determine group membership but authenticate neither the client nor
the server, it is not possible for the server to enforce access controls
on members of the group individually. Since CHAP is a widely used
authentication method, an attacker can gain access to a client willing
to engage in CHAP authentication in a variety of ways.  This allows any
client with knowledge of the group pre-shared key to act as a man-in-
the-middle for another member of the group.

EAP, as defined in [RFC2284], enables a single authentication mechanism
to be negotiated and carried out, but does not describe sequences of
methods or tunnels. Most existing EAP implementations do not support
authentication sequences, and since EAP does not support a version
number, a server cannot easily determine whether an EAP client supports
sequences. For backward compatibility, it is therefore necessary for the
server to assume that authentication sequences are not supported by

The concept of tunneling has been introduced by recent work-in-progress
such as [PIC], [PANATLS], [EAPTTLS], and [PEAP]. However, these
proposals have not yet been published as RFCs, and are not yet widely

Note that man-in-the-middle vulnerabilities are not a necessary
consequence of "credential reuse". For example, they need not
necessarily occur where the same authentication credentials are used in
accessing the network via multiple media. For example, L2TP [RFC2661]
when used in "compulsory tunneling", assumes that the same credentials
are used for both PPP and VPN access, and permits a PPP dialin user to
access a VPN by tunneling PPP packets from the network access server
(NAS) to the VPN server.

Puthenkulam et al.            Informational                     [Page 6]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

Where L2TP over IPsec [RFC3193] is deployed using certificate
authentication or a unique pre-shared key, the L2TP Network Server (LNS
or VPN server) can choose to authorize an authenticated tunnel client to
act as an L2TP Access Concentrator (LAC), tunneling PPP dialin users to
the L2TP Network Server (LNS). Alternatively, it can disallow this,
permitting only a restricted set of users to authenticate within a
tunnel established with given machine credentials.

3.  Attack scenarios

This section describes a how man-in-the-middle vulnerabilities can be
exploited, as well as discussing the underlying causes of the attacks.
Given the man possible attack variations, we do not attempt to describe
every potential variant.

The major scenario for the attack is a one-way authenticated tunnel.  In
this scenario, the client and server first establish a tunnel, then
include within the tunnel an authentication method which derives keys
and provides strong mutual authentication.  The attacker first poses as
a valid client to the server and establishes a tunnel that is
authenticated only on the server end. Although the attacker that sets up
the tunnel has not been authenticated, it obtains the tunnel key derived
as part of the tunnel establishment. Since these keys protect a
conversation between an attacker and a server, the strength of the key
derivation is not relevant.

For the purposes of exploiting the vulnerability, it does not matter
whether the tunneling protocol is IKE [RFC2409] authenticated via a
group pre-shared key; PIC [PIC], which uses ISAKMP [RFC2408] with one-
way authentication; or TLS [RFC2246] with server-only authentication, as
used with [PANATLS], [EAPTTLS] or [PEAP]. The effect is the same - a
tunnel that does not provide unique mutual authentication of the tunnel

Once the attacker has established a tunnel to the server, it seeks to
induce clients to connect to it. This can be accomplished by having the
attacker masquerade as a legitimate 802.11 access point (AP) or Ethernet
switch implementing [IEEE8021X], a PPP Network Access Server (NAS), a
SIP server supporting CHAP, or a VPN server using a protocol such as
PPTP [RFC2637].  For the purposes of the attack, the important
characteristic is that the protocol used by the client enables an
authentication method which is also permitted within the tunneling
mechanism, without first requiring that the attacker authenticate
itself. For example, an attacker setting up a rogue L2TP over IPsec
[RFC3193] server would not be successful since clients would first
require mutual authentication within IKE prior to connecting to the
rogue server.

Puthenkulam et al.            Informational                     [Page 7]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

It is also necessary that the credentials used for the client protocol
and the tunneled authentication protocol are the same.  Without this, it
would not be possible for the authentication conversation between the
client and server to conclude successfully.

Figure 1 on the next page illustrates the attack, for the case where the
attacker acts as a rogue NAS or Access Point. In step 1, the attacker
creates a tunnel with the authentication server. This can occur directly
in [PIC] or [XAUTH] or through a NAS using EAP [RFC2284]. In step 2,
tunnel keys are derived, using server-only authentication using
protocols such as ISAKMP [RFC2408], IKE [RFC2409] or TLS [RFC2246].
Since the tunnel is between the attacker and the authentication server,
both the authentication server and attacker possess the keys.

In the third step, the client connects to the rogue NAS or AP, and the
attacker tunnels the authentication  method between the client and
authentication server. The method may or may not derive keys, but if it
does, then in the fourth step, the method keys are derived on the client
and the authentication server.  Since the attacker does not obtain the
method keys, it is not able to decrypt traffic sent between client and
authentication server. However, while the client may use the method
keys, the authentication server will typically use only tunnel keys,
which have been obtained by the attacker.

In the last step, this allows the attacker to obtain access to the
network, using the successfully tunneled authentication and the tunnel
keys.  The attacker does not have access to the client data, since it is
encrypted with the method keys, so that it will typically discard the
data sent by the client, who will eventually disconnect due to a lack of
response.  However, the attacker has accomplished its mission so that
continued interaction with the client is not necessary unless
reauthentication is required.

4.  Potential solutions

This section describes potential solutions to the man-in-the-middle
attacks described within this document. This includes a description of
solution requirements as well as identification of potential solution

Puthenkulam et al.            Informational                     [Page 8]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

    Client            <-|Rogue NAS   |        NAS                  Auth Server
                        | Attacker   |->
       |                     |                 |                        |
       |                     |                 |                        |
       |                     |         Tunnel establishment w/          |
       |                     |         Server Authentication (1)        |
       |                     |<========================================>|
       |                     |                 |                        |
       |              (Non-Authenticated       |               (Authenticated
       |               end of tunnel)          |                end of tunnel)
       |                     |                 |                        |
       |              +--------------+         |               +--------------+
       |              | Tunnel       | (2)     |               | Tunnel       |
       |              | Keys Derived |         |               | Keys Derived |
       |              +--------------+         |               +--------------+
       |                     |                 |                        |
       |                     |..........................................|
       |                     |              Tunnel                      |
       |                     |..........................................|
       |                     |      (Encrypted using Tunnel keys)       |
       |                     |                 |                        |
       |                     |                 |                        |
       |                 Tunneled authentication method (3)             |
       |                     |                 |                        |
       |                     |                 |                        |
  +--------------+           |                 |              +--------------+
  | Method       |           |                 |              | Method       |
  | Keys Derived | (4)       |                 |              | Keys Derived |
  | and used.    |           |                 |              | Not Used.    |
  +--------------+           |                 |              +--------------+
       |                     |                 |                        |
       |                     |                 |<===tunnel keys=========|
       |                     |                 |                        |
       |                     | Client's session|                        |
       |                     | stolen          |                        |
       |====================+|<===============>|                        |
       |            Data    ||                 |                        |
       |            dropped v|                 |                        |

Figure 1 - Man-in-the-middle attack on one-way authenticated tunnel

Puthenkulam et al.            Informational                     [Page 9]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

4.1.  Solution Requirements

The following are some of the criteria for a potential solution:

Backwards compatibility
               A solution MUST NOT require modification of existing
               authentication methods. Since tunneling is used in order
               to prolong the life of legacy authentication techniques,
               requiring replacement of existing methods across the
               board is likely to be unacceptable.

Simplicity     A solution SHOULD add minimal round trips to the
               authentication exchange and be modest in its
               computational complexity.

Protocol compatibility
               Given that tunneling techniques are used with well-
               established security protocols such as IKE [RFC2409],
               ISAKMP [RFC2408], TLS [RFC2246], and RADIUS [RFC2865], a
               solution MUST NOT require changes to these protocols.

Forward evolution
               The solution SHOULD be compatible with authentication
               methods supporting mutual authentication and key
               derivation. It is acceptable if the solution cannot
               provide security for tunneling of one-way authentication
               methods that do not derive keys, such as CHAP, EAP-MD5,
               OTP, or Generic Token Card.  As described earlier, these
               methods are vulnerable to connection hijacking attacks,
               and are therefore inherently insecure.

Architectural compatibility
               Solutions MUST NOT require fundamental architectural
               changes to established technologies such as network
               access authentication. Since these technologies are
               already widely deployed, such changes would be likely to
               be unacceptable.

Tunneling protocol independence
               While a solution MAY introduce changes to tunneling
               protocols such as [XAUTH],[PIC], [PANATLS], [EAPTTLS], or
               [PEAP], it is preferable that a single solution be
               applicable to all of these protocols. This is desirable
               both because such a solution will require the least
               effort deploy, as well as to enable the security
               community to focus on a single proposed solution so as to
               be able to determine that it is secure.

Puthenkulam et al.            Informational                    [Page 10]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

4.2.  Solution mechanisms

Several mechanisms are available to solving the problem:

[1]  Compound MACs. This solution uses Message Authentication Codes
     (MACs) computed using keying material from each of the
     authentication methods, by adding a final mutual authenticating
     round-trip. In order to make sure that both sides are aware of the
     outcome of the authentication, the compound MAC MUST include
     coverage of the authentication result (success/failure) sent by
     each side. This ensures that the server cannot be tricked into
     using the tunnel key in the attacker's posession in order to
     authenticate and encrypt data.

[2]  Compound keys. this solution combines keying material from all the
     methods in order to derive the keys used for encrypting and
     authenticating data.

Option 1 prevents a man-in-the-middle from gaining authenticated access,
and therefore prevents false authenticated states which could result in
a Denial of Service attack (possible in Option 2). This makes this
approach relatively straightforward to implement, although it does
require an additional round-trip. While it is believed that this
approach may be sufficient in some cases, further study is required in
order confirm this.

Option 2 does not require additional round trips, but it enables the
man-in-the-middle to authenticate, although not to obtain keys used for
subsequent authentication and encryption of data. This implies that the
client will only discover an attack when it discovers that it is unable
to decipher the incoming data stream. This enables a form of Denial of
Service attack. As a result, Option 2 is probably not sufficient by

In order to provide the highest level of assurance against man-in-the-
middle attacks it is recommended that a potential solution utilize both
options 1 and 2, so that a man-in-the-middle will not be able to
authenticate, spoof an authentication result or derive keys used to
authenticate and encrypt traffic between the legitimate client and
server.  When both solution options applied, potential man-in-the-middle
attacks are thwarted, as shown in Figure 2 on the next page.

Puthenkulam et al.            Informational                    [Page 11]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

    Client            <-|Rogue NAS   |        NAS                  Auth Server
                        | Attacker   |->
       |                     |                 |                        |
       |                     |                 |                        |
       |                     |         Tunnel establishment w/          |
       |                     |         Server Authentication (1)        |
       |                     |<========================================>|
       |                     |                 |                        |
       |              (Non-Authenticated       |               (Authenticated
       |               end of tunnel)          |                end of tunnel)
       |                     |                 |                        |
       |              +--------------+         |               +--------------+
       |              | Tunnel       | (2)     |               | Tunnel       |
       |              | Keys Derived |         |               | Keys Derived |
       |              +--------------+         |               +--------------+
       |                     |                 |                        |
       |                     |..........................................|
       |                     |              Tunnel                      |
       |                     |..........................................|
       |                     |      (Encrypted using Tunnel keys)       |
       |                     |                 |                        |
       |                     |                 |                        |
       |             Tunneled mutual authentication method (3)          |
       |                     | w/key derivation|                        |
       |                     |                 |                        |
       |                     |                 |                        |
  +--------------+           |                 |              +--------------+
  | Compound     |           |                 |              | Compound     |
  | Keys Derived | (4)       |                 |              | Keys Derived |
  +--------------+           |                 |              +--------------+
       |                     |                 |                        |
       |                     | Compound MAC(5)/|                        |
       |                     | Success         |                        |
       |                     |                 |                        |
       |                     | Compound MAC(6)/|                        |
       |                     | Failure         |                        |
       |                     |                 |                        |
       |                     |                 |    Attack detected     |
       |                     |                 |     No keys sent       |
       |                     |                 |                        |
       |                     |                 |        Failure         |
       |                     |                 | <======================|
       |                     |                 |                        |

Figure 2 - Man-in-the-middle attack thwarted by compound MAC and keys

Puthenkulam et al.            Informational                    [Page 12]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

As before, the man-in-the-middle can establish a one-way authenticated
tunnel, obtain tunnel keys, lure an unsuspecting client to authenticate
with it, and encapsulate the authentication exchange within the tunnel.
However, after the authentication method is complete compound keys are
derived, requiring knowledge of both the tunnel keys and the keys
derived during each of the authentication methods. The compound keys are
then used in formulation of a compound MAC covering an acknowledged
result indication sent from server to client. Since the server is not
aware of the man-in-the-middle attack in progress, it indicates that
from its perspective the authentication has been successful.

However, since the client did not participate in establishment of the
tunnel, it does not possess the tunnel keys, and will not be able to
verify the compound MAC sent by the server. As a result, it will compute
its own compound key and compound MAC which will include a result
indicating authentication failure. On receiving the client's reply, the
server will be unable to verify the client's compound MAC, and the
authentication will fail. As a result, no compound keys are sent to the
NAS, and the attacker is neither authenticated nor gains access to the

4.3.  Solution approaches

Options 1 or 2 can be implemented in different ways:

EAP       In this approach the exchange of a compound MAC is supported
          within EAP, by implementing the exchange as a new EAP method
          occuring after authentication is complete. In this approach,
          the tunneling key material is provided to the EAP layer in
          order to enable computation of a compound MAC and compound
          keys. Since existing EAP implementations already enable EAP
          methods to provide keying material to the EAP layer, such an
          interface typically already exists. Since this approach
          applies to any tunneling technique it is the most general

Tunneling method
          In this approach, the tunneling method acquires keying
          material derived by the underlying authentication methods in
          order to enable computation of the compound MAC and compound
          keys.  Since existing tunneling techniques typically do not
          provide an interface for receiving keying material from
          authentication methods, this approach will typically require
          some re-architecture of existing implementations. It also has
          the disadvantage of requiring changes to each tunneling
          method, and as a result is not as general as an EAP-based
          solution. Given the prevalence of the attacks described within
          this document, it would represent a considerable burden on the

Puthenkulam et al.            Informational                    [Page 13]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

          security community to individually review changes to each
          tunneling approach. However, such an approach may be able to
          take advantage of properties of the underlying tunnel
          technology, such as the ability to have more than one packet
          in transit at a time.

EAP methods
          In this approach, keys derived from previous EAP methods are
          incorporated into the authentication calculations of
          subsequent methods. Since existing interfaces only support the
          export of keys by EAP methods, not importation, some
          rearchitecture is required in this approach. In addition, this
          approach requires modification of existing EAP methods, which
          will create deployment barriers.  However, this approach may
          be applied even to methods which support only one-way
          authentication and do not generate keys.

Based on the pros and cons of the above techniques, we recommend a
solution that applies to all EAP methods. Since EAP is supported within
[PIC], [PANATLS], [EAPTTLS] and [PEAP], though not within [XAUTH], this
approach covers most of the vulnerable protocols, though not all of
them. Assuming that changes to individual EAP methods are not permitted,
this approach is only applicable to tunneling of authentication methods
that support mutual authentication and derive keys. It is therefore not
authentication methods.

Without requiring changes to established methods, secure use of these
protocols within sequences or tunnels is not feasible. If an
authentication method does not generate keys, then keying material is
not available with which to compute a compound MAC or compound key. As a
result, the compound authentication sequence cannot be bound together,
enabling the man-in-the-middle vulnerability to remain.

4.4.  Solution scope

While options 1 and 2 address many of the attack scenarios, they do not
cope with all of them.  If every authentication method within a sequence
generates keys,  then a compound MAC can be used to verify that each
endpoint participated in each of the authentication methods within the
compound authentication. There are some exceptions:

[1]  Anonymous or one-way authentication methods. Some authentication
     methods use anonymous or one-way authentication. In this case, as
     long as a combination of authentication methods support mutual
     authentication, the combined keys could be used to verify both

Puthenkulam et al.            Informational                    [Page 14]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

[2]  Methods that do not generate keys.  If one or more authentication
     method(s) that do not generate keys are allowed to run with and
     without tunneling, then a man-in-the-middle attack is enabled.

[3]  Lack of data integrity/encryption. Where per-packet authentication,
     integrity and encryption is not used, there is no binding between
     the results of the authentication and subsequent data traffic. This
     enables connection hijacking.

In order to verify that the peers acted as end-points in a compound
authentication, the peers can exchange compound MACs. However,
authentication schemes which do not derive keys cannot contribute to
calculation of a compound MAC or a compound key.  Such mechanisms
include popular one-way authentication mechanisms such as CHAP
[RFC1994], EAP-MD5 [RFC2284], One-Time-Password [RFC1938], Generic Token
Card [RFC2284], and [SECURID]. These mechanisms authenticate the client
to the server, but do not authenticate the server to the client. They
also do not derive keys which can be used in constructing a compound MAC
or providing authentication and/or encryption of a subsequent data
stream via a compound key.  As a result, without modifications these
methods cannot be bound to the underlying tunnel authentiation and also
do not provide a binding between the one-way authentication and
subsequent data authentication, thereby creating a connection hijacking

In order to enable a solution for these methods, existing one-way
authentication methods may be modified so as to enable key derivation,
or to incorporate key material derived during the initial tunnel
authentication. However, since the motivation for continued use of
legacy technologies is to minimize the deployment of new technology,
such upgrades are typically impractical. In situations where deployment
of a modified legacy method would be feasible, it would also typically
be feasible to consider a wide range of alternatives, such as deployment
of a new method supporting mutual authentication and key derivation, or
deployment of alternative technologies such as certificates.

Given these constraints, it appears difficult for authentication
tunneling to provide a long-term solution to the security
vulnerabilities inherent in one-way authentication methods such as CHAP,
EAP-MD5, OTP, and Generic Token Card. Where protocols such as [PIC] are
used to transition from these technologies to certificate-based
authentication, it may be possible to restrict the transition to a short
time period, as well as to turn off use of the techniques outside of

These counter-measures may reduce the risk sufficiently to enable
certificate deployment to proceed. However, where [PIC] is used to
provide short- term certificates, and long-term use of password or

Puthenkulam et al.            Informational                    [Page 15]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

token-card based authentication technology is contemplated, improved
security will not be possible without a willingness to replace legacy
authentication methods with more secure technology.

If a transition to certificate-based authentication is not possible,
then at the least, one-way authentication technology can be replaced by
techniques supporting mutual authentication and key derivation. For
example, CHAP may be replaced by Kerberos [RFC1510] or MS-CHAP-V2
[RFC2759] and Generic Token Card may be replaced by token cards
supporting key derivation.

5.  Normative references

[RFC1661]      Simpson, W., "The Point-to-Point Protocol (PPP)", STD 51,
               RFC 1661, July 1994.

[RFC1938]      Haller, N. and C. Metz, "A One-Time Password System", RFC
               1938, May 1996.

[RFC1994]      Simpson, W., "PPP Challenge Handshake Authentication
               Protocol (CHAP)", RFC 1994, August 1996.

[RFC2119]      Bradner, S., "Key words for use in RFCs to Indicate
               Requirement Levels", RFC 2119, March 1997.]

[RFC2284]      Blunk, L., Vollbrecht, J., "PPP Extensible Authentication
               Protocol (EAP)", RFC 2284, March 1998.

[RFC2865]      Rigney, C., Rubens, A., Simpson, W., Willens, S.,
               "Remote Authentication Dial In User Service (RADIUS)",
               RFC 2865, June 2000.

[RFC3193]      Patel, B., et al., "Securing L2TP Using IPsec", RFC 3193,
               November 2001.

[EAPTTLS]      Funk, P., Blake-Wilson, S., "EAP Tunneled TLS
               Authentication Protocol", Internet draft (work in
               progress), February 2002.

[DHCPIpsec]    Patel, B., et al., "DHCPv4 Configuration of IPsec Tunnel
               Mode", Internet draft (work in progress), draft-ietf-
               ipsec-dhcp-13.txt, June 2001.

[PEAP]         Andersson, H., et al., "Protected EAP Protocol (PEAP)",
               Internet draft (work in progress), draft-josefsson-
               pppext-eap-tls-eap-05.txt, September 2002.

Puthenkulam et al.            Informational                    [Page 16]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

[PIC]          Sheffer, Y., Krawczyk, H., Aboba, B., "PIC, A Pre-IKE
               Credential Provisioning Protocol", Internet draft (work
               in progress), draft-ietf-ipsra-pic-06.txt, September

[IPSRAREQ]     Kelly, S., Ramamoorthi, S., "Requirements for IPsec
               Remote Access Scenarios", Internet draft (work in
               progress), draft-ietf-ipsra- reqmts-05.txt, September

[GETCERT]      Bellovin, S., and Moskowitz, B., "Client Certificate and
               Key Retrieval for IKE", Internet draft (work in
               progress), draft-bellovin-ipsra-getcert-00.txt, June

[SECURID]      Josefsson, S., "The EAP SecurID(r) Mechanism", Internet
               draft (work in progress), draft-josefsson-eap-
               securid-01.txt, February 2002.

[PANATLS]      Ohba, Y., et al., "PANA over TLS", Internet draft (work
               in progress), draft-ohba-pana-potls-00.txt, September

[XAUTH]        Pereira, R., Beaulieu, S., "Extended Authentication
               within ISAKMP/Oakley", Internet-draft (work in progress),
               draft-beaulieu-ike-xauth-02.txt, September, 2000.

[IEEE802]      IEEE Standards for Local and Metropolitan Area Networks:
               Overview and Architecture, ANSI/IEEE Std 802, 1990.

[IEEE8021X]    IEEE Standards for Local and Metropolitan Area Networks:
               Port based Network Access Control, IEEE Std 802.1X-2001,
               June 2001.

[IEEE80211]    Information technology - Telecommunications and
               information exchange between systems - Local and
               metropolitan area networks - Specific Requirements Part
               11:  Wireless LAN Medium Access Control (MAC) and
               Physical Layer (PHY) Specifications, IEEE Std.
               802.11-1997, 1997.

6.  Informative references

[RFC1510]      Kohl, J., Neuman, C., "The Kerberos Network
               Authentication Service (V5)", RFC 1510, September 1993.

[RFC2246]      Dierks, T. and  C. Allen, "The TLS Protocol Version 1.0",
               RFC 2246, November 1998.

Puthenkulam et al.            Informational                    [Page 17]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

[RFC2486]      Beadles, M., Aboba, B., "The Network Access Identifier",
               RFC 2486, January 1999.

[RFC2401]      Atkinson, R., Kent, S., "Security Architecture for the
               Internet Protocol", RFC 2401, November 1998.

[RFC2402]      Kent,S., Atkinson, R., "IP Authentication Header", RFC
               2402, November 1998.

[RFC2406]      Kent,S., Atkinson, R., "IP Encapsulating Security Payload
               (ESP)", RFC 2406, November 1998.

[RFC2407]      Piper, D., "The Internet IP Security Domain of
               Interpretation of ISAKMP", RFC 2407, November 1998.

[RFC2408]      Maughhan, D., Schertler, M., Schneider, M., and Turner,
               J., "Internet Security Association and Key Management
               Protocol (ISAKMP)", RFC 2408, November 1998.

[RFC2409]      Harkins, D., Carrel, D., "The Internet Key Exchange
               (IKE)", RFC 2409, November 1998.

[RFC2412]      Orman, H., "The Oakley Key Determination Protocol", RFC
               2412, Nov. 1998.

[RFC2433]      Zorn, G., Cobb, S., "Microsoft PPP CHAP Extensions", RFC
               2433, October 1998.

[RFC2637]      Hamzeh, K., et al., "Point-to-Point Tunneling Protocol
               (PPTP)", RFC 2637, July 1999.

[RFC2661]      Townsley, W., Valencia, A., Rubens, A., Pall, G., Zorn,
               G., and Palter, B., "Layer Two Tunneling Protocol L2TP",
               RFC 2661, August 1999.

[RFC2716]      Aboba, B., Simon, D.,"PPP EAP TLS Authentication
               Protocol", RFC 2716, October 1999.

[RFC2759]      Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC
               2759, January 2000.

[RFC2866]      Rigney, C., "RADIUS  Accounting", RFC 2866, June 2000.

[DECEPTION]    Slatalla, M., and  Quittner, J., "Masters of Deception."
               HarperCollins, New York, 1995.

[KRBATTACK]    Wu, T., "A Real-World Analysis of Kerberos Password
               Security", Stanford University Computer Science

Puthenkulam et al.            Informational                    [Page 18]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

               Department, http://theory.stanford.edu/~tjw/krbpass.html

[KRBLIM]       Bellovin, S.M., Merritt, M., "Limitations of the kerberos
               authentication system", Proceedings of the 1991 Winter
               USENIX Conference, pp. 253-267, 1991.

[KERB4WEAK]    Dole, B., Lodin, S., and Spafford, E., "Misplaced trust:
               Kerberos 4 session keys", Proceedings of the Internet
               Society Network and Distributed System Security
               Symposium, pp. 60-70, March 1997.

[PPTPv1]       Schneier, B, Mudge, "Cryptanalysis of Microsoft's Point-
               to- Point Tunneling Protocol", Proceedings of the 5th ACM
               Conference on Communications and Computer Security, ACM
               Press, November 1998.

[IEEE8023]     ISO/IEC 8802-3 Information technology -
               Telecommunications and information exchange between
               systems - Local and metropolitan area networks - Common
               specifications - Part 3:  Carrier Sense Multiple Access
               with Collision Detection (CSMA/CD) Access Method and
               Physical Layer Specifications, (also ANSI/IEEE Std 802.3-
               1996), 1996.


Thanks to Bernard Aboba for editorial assistance and discussions
relevant to this problem space.

Authors' Addresses

Jose Puthenkulam
Intel Corporation
2111 NE 25th Avenue, JF2-58
Hillsboro, OR 97124

EMail: jose.p.puthenkulam@intel.com
Phone: +1 503 264 6121
Fax:   +1 503 264 8154

Victor Lortz
Intel Corporation
2111 NE 25th Avenue, JF3-206
Hillsboro, OR 97124

EMail: viktor.lortz@intel.com
Phone: +1 503 264 3253
Fax:   +1 503 626 0396

Puthenkulam et al.            Informational                    [Page 19]

INTERNET-DRAFT          Compound Binding Problem         27 October 2002

Ashwin Palekar
Dan Simon
Bernard Aboba
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052

EMail: {ashwinp, dansimon, bernarda}@microsoft.com
Phone: +1 425 882 8080
Fax:   +1 425 936 7329

Full Copyright Statement

Copyright (C) The Internet Society (2002).  All Rights Reserved.
This document and translations of it may be copied and furnished to
others, and derivative works that comment on or otherwise explain it or
assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, without restriction of any kind,
provided that the above copyright notice and this paragraph are included
on all such copies and derivative works.  However, this document itself
may not be modified in any way, such as by removing the copyright notice
or references to the Internet Society or other Internet organizations,
except as needed for the purpose of developing Internet standards in
which case the procedures for copyrights defined in the Internet
Standards process must be followed, or as required to translate it into
languages other than English.  The limited permissions granted above are
perpetual and will not be revoked by the Internet Society or its
successors or assigns.  This document and the information contained
herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE

EAP Issues

Open issues relating to EAP, including the issues described in this
document, are tracked on the following web site:


Expiration Date

This memo is filed as <draft-puthenkulam-eap-binding-00.txt>,  and
expires April 24, 2003.

Puthenkulam et al.            Informational                    [Page 20]