![Page 1: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/1.jpg)
Channel Binding Support for EAP Methods
Charles Clancy, Katrin Hoeper
<draft-clancy-emu-aaapay-00><draft-clancy-emu-chbind-00>
![Page 2: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/2.jpg)
Definition
• EAP channel bindings (c.b.) (as defined in the drafts) provide a consistency check of information advertized to peer and known by the authentication server from an authenticator acting as a pass-through device during an EAP session.
![Page 3: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/3.jpg)
Goals
• Bind information advertized by an authenticator to the channel and verify its consistency to prevent attacks by rogue authenticators.– E.g. prevent “lying NAS attacks”
![Page 4: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/4.jpg)
Proposed Method
Phase 1. Information exchange– Peer sends info1 to server– [Server sends info2 to peer]
Phase 2. Consistency check– Server verifies consistency and sends result
to peer– [Peer verifies consistency and fails if
inconsistent]
![Page 5: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/5.jpg)
Data Exchange• I-D.clancy-emu-aaapay
– Defines way to encapsulate arbitrary Diameter AVPs in the protected channels of existing EAP methods
– Includes GPSK, PSK, PAX, TTLS, FAST• Channel binding information encoded in
Diameter AVPs (or RADIUS TLVs using backward compatibility)
• Data exchanged as part of EAP messages in end-to-end integrity-protected channel
![Page 6: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/6.jpg)
Design Choices• Server performs consistency check• Explicit data exchange and verification
– As opposed to implicit, e.g. by hashing identity and other information directly into keys
• Benefits:1. Enterprise: server more likely to be capable of recognizing
whether different addresses belong to same device 2. Service Provider: more likely to know details of contractual
roaming agreements3. Easy add-on solution for EAP methods: no modifying EAP key
derivations, message flow or state machine nor adding new algorithms or messages
4. Allows for fuzzy comparisons
![Page 7: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/7.jpg)
Binding Information
• Exact parameters to bind are open to discussion
• Document provides placeholders for some EAP lower layers– IEEE 802.11
• SSID, BSSID, RSN IE (if present)– IKEv2, IEEE 802.16 and other EAP lower
layers• TBD
![Page 8: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/8.jpg)
Our Trust Model• Honest peer & authentication server; may be dishonest
authenticator
• Trust relationships1. server trusts that info1 = info1’2. peer trusts result3. server trusts stored info2
EAP peer AuthenticationServerAuthenticator
info1
(NAS)
info1'[info2], result
info2
![Page 9: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/9.jpg)
EAP Method Requirements
• Peer ↔ AS trust relationship can be established by any EAP method with the following properties:– mutual authentication between peer and server– derivation of keying material including an integrity key– info1 sent from peer to server over end-to-end
integrity-protected channel– result (and optionally info2) sent from server to peer
over end-to-end integrity-protected channel
![Page 10: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/10.jpg)
System Assumptions
• Assume server maintains protected database of info2
• Consistency check requires server to be capable of comparing provided information– Enterprise: validate information on a per-
authenticator basis– Service Provider: validate information on a
per-network basis• Both must be ensured outside EAP
![Page 11: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/11.jpg)
Future Work
• It’s a start, but much works remains to be done:– message flow, incl. EAP-success/failure cases– example attacks– binding information– security considerations– …
![Page 12: Channel Binding Support for EAP Methods Charles Clancy, Katrin Hoeper](https://reader036.vdocuments.us/reader036/viewer/2022082415/5a4d1b777f8b9ab0599b7b36/html5/thumbnails/12.jpg)
Questions?
Comments?