Wireless Security
Re: EAP-TTLS Question Aug 27 2008 02:52AM
Christopher (vooduhal gmail com) (2 replies)
Re: EAP-TTLS Question Aug 27 2008 05:36PM
Joshua Wright (jwright hasborg com)

Christopher wrote:
> I guess a follow up to my question would be does this RFC excerpt mean
> that the TTLS server cert is exchanged during phase 1 of the
> authentication, and if so, is it susceptible to the same MitM that
> PEAP is?
> As part of the TLS handshake protocol, the TTLS server will send its
> certificate along with a chain of certificates leading to the
> certificate of a trusted CA. The client will need to be configured
> with the certificate of the trusted CA in order to perform the
> authentication.
>
> Am I back to the wonderful user being able to accept a self-signed
> cert and compromising the whole authentication transaction? Is it
> also safe to assume that the behavior is solely based on the
> supplicant?

Yes, without a doubt, on both questions. Each supplicant is a little
different in how it responds to a previously unrecognized certificate,
but in the case of Odyssey and TTLS there is no default CA trust list
(unlike WZC). This is an issue because there is no way for the
supplicant to reject a certificate based on an unrecognized signing
authority, and because (at least on a default install) it teaches the
user that sometimes they need to click OK at the certificate trust prompt.

In Odyssey's defense, they do have the permission editor feature where
the administrator can forbid accepting new CAs; however, I've never
seen this used in normal deployments.

- -Josh
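The thread describes the core mitigation in supplicant terms: the client must be configured with the trusted CA so that an unknown server certificate is rejected rather than handed to the user as a prompt. As an added illustration, not part of the original thread and not specific to Odyssey or WZC, here is the same distinction expressed as two wpa_supplicant network blocks for EAP-TTLS. The SSID, identity, server name and CA file path are assumed placeholders; `ca_cert` and `domain_suffix_match` are real wpa_supplicant options (the latter was added in a later wpa_supplicant release than the 2008 thread).

```conf
# Weak: no trust anchor configured. The supplicant has nothing to
# validate the RADIUS server certificate against, so any certificate
# presented in the TTLS phase 1 TLS handshake is either accepted
# outright or left to the user to approve, exactly the situation
# described in the reply above.
network={
    ssid="corp-wlan"                     # assumed placeholder
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"          # assumed placeholder
    anonymous_identity="anonymous@example.com"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
    # no ca_cert, no server name check
}

# Hardened: pin the trust anchor and the expected server name.
# The handshake fails closed if the server certificate does not chain
# to this CA, or if its subject/SAN does not end in the given suffix,
# so a self-signed or otherwise untrusted certificate never reaches a
# user-facing "accept?" decision.
network={
    ssid="corp-wlan"                     # assumed placeholder
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="user@example.com"          # assumed placeholder
    anonymous_identity="anonymous@example.com"
    password="REDACTED"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"   # assumed path
    domain_suffix_match="radius.example.com"      # assumed server name
}
```

The `anonymous_identity` keeps the real username out of the cleartext outer EAP identity, but it does nothing for the certificate problem; only `ca_cert` together with a server-name check turns the trust decision into one the administrator makes once, rather than one the user makes at every prompt.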
Re: EAP-TTLS Question Aug 27 2008 02:52PM
Christopher (vooduhal gmail com) (1 replies)
Re: EAP-TTLS Question Aug 28 2008 01:20PM
Joshua Wright (jwright hasborg com)
Copyright 2010, SecurityFocus