Re: EAP-TLV: Earlier failure - force failed Phase 2

On Fri, Jan 01, 2016 at 11:26:34AM -0800, Adam Jacobs wrote:
> BTW, I've been trying to understand cryptobinding.  I get that it is supposed to prevent MITM attacks, but doesn't TLS already take care of that?  What's the added benefit of cryptobinding/what do I lose by turning it off?

Well, sort of from the client viewpoint. Though, there is a
discouragingly common practice of not configuring TLS certificate
validation properly on the client and the server side cannot do much
about that. With MS-PEAP cryptobinding, this additional binding step can
at least be enforced to reduce the likelihood of the TLS phase and the
inner authentication step being performed between different entities. If
someone were to implement outer TLVs, those would also get protected by
the cryptobinding (but this seems to be more of a theoretical point for
now since no such outer TLV is apparently even defined today).

-- 
Jouni Malinen                                            PGP id EFC895FA

_______________________________________________
Hostap mailing list
Hostap@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/hostap
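
A simplified model of the binding check described in the reply above, added here as an illustration; it is not code from hostapd, wpa_supplicant or the message author. The HMAC-SHA1 derivation, the labels and all function names are assumptions standing in for the MS-PEAP compound key derivation, and every key is a constructed random value.

```python
import hashlib
import hmac
import os


def derive_cmk(tunnel_key: bytes, inner_key: bytes) -> bytes:
    # Assumed stand-in for the MS-PEAP compound key derivation: the result
    # depends on BOTH the TLS tunnel key and the inner-method session key.
    return hmac.new(tunnel_key, b"compound-key" + inner_key, hashlib.sha1).digest()


def compound_mac(cmk: bytes, nonce: bytes) -> bytes:
    # MAC the peer returns in its cryptobinding response (simplified).
    return hmac.new(cmk, b"binding-response" + nonce, hashlib.sha1).digest()


def server_accepts(peer_tunnel_key: bytes, peer_inner_key: bytes,
                   server_tunnel_key: bytes, server_inner_key: bytes) -> bool:
    nonce = os.urandom(32)  # server-chosen, sent inside the tunnel
    response = compound_mac(derive_cmk(peer_tunnel_key, peer_inner_key), nonce)
    expected = compound_mac(derive_cmk(server_tunnel_key, server_inner_key), nonce)
    return hmac.compare_digest(response, expected)


def run_scenarios() -> dict:
    inner_key = os.urandom(32)       # constructed: key from the inner method
    server_tunnel = os.urandom(40)   # constructed: tunnel the server terminated
    other_tunnel = os.urandom(40)    # constructed: tunnel the client actually built
    return {
        # Client's TLS tunnel and inner authentication end at the same server.
        "same_entity": server_accepts(server_tunnel, inner_key,
                                      server_tunnel, inner_key),
        # Client skipped certificate validation, so its tunnel ends elsewhere
        # while the inner authentication still reaches the real server.
        "split_endpoints": server_accepts(other_tunnel, inner_key,
                                          server_tunnel, inner_key),
        # Tunnel endpoint that holds the server-side tunnel key but not the
        # inner key cannot produce the response on the client's behalf.
        "tunnel_key_only": server_accepts(server_tunnel, os.urandom(32),
                                          server_tunnel, inner_key),
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

Only the first scenario is accepted, which is the server-side enforcement the reply refers to: the server can reject the session even though it has no control over how the client validated the certificate.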