Man-in-the-Middle in Tunnelled Authentication Protocols

Abstract

John Ioannidis: I have to interrupt here and be even more offensive than usual. But you are using the worst rackets in industry as a justification for what you’re doing. There are all sorts of people just generating garbage protocols, a couple of which you have already mentioned here. We’re trying to reverse their work, whereas you’re trying to advocate we use all these garbage protocols.

Reply: I’m not saying that. I’m saying that something is wrong here. You are trying to do the right thing but you are going about it the wrong way. The reality is that people are going to use existing credentials because they obtained them at great expense, and they want to reuse them. I’m not justifying it.

Bruce Christianson: I think he’s going to come up with a very good new reason why this is a bad thing to do, in which case it’s more ammunition for you JI, or he’s going to show that the reasons for which we usually think it’s bad are wrong, in which case we’re going to have to change our position anyway. Either way you should let him go on for a bit.

Reply: The most common use of this kind of authentication through the tunnel is essentially to guide the application inside. I guess actually the authentication was not intended as a general framework but it’s being used as one. So the PAP was supposed to be used running EAP, AKA inside that, while sending a random challenge. Since this is an authenticator tunnel, anybody could make that, including the man in the middle. The man in the middle is sent a random challenge and authenticated, he could turn around, pretend to be a server network and get the client to send a response. Notice that the client thinks that it’s his own network server, and instead he does mutual authentication. And at this point he goes back and the client has been authenticated to send these keys to the NAS and that would leave the man in the middle with a stolen key.

Ross Anderson: But surely this attack would not work if the certificates that people use from TLS actually worked?

Reply: The man in the middle is not pretending to be a TLS server, he’s pretending to be a server network. So the server network has it’s own usual authentication but this is effectively defeating that.