Security Basics mailing list archives
RE: 802.1x and PEAP
From: Camillo Bucciarelli <camillobucciarelli () yahoo it>
Date: Wed, 3 Mar 2004 11:02:35 +0100 (CET)
Thanks, this is what I need to know. I have another question: do I need to use 802.1x in order to enable "broadcast key rotation"?

Camillo

--- shankarnarayan.d () netsol co in wrote:

> The lines below have been pulled straight from the PEAP working draft. This clearly defines that the initial negotiation of PEAP is as in TLS, thus providing the necessary security.
>
> Hope this answers your question, or have I got it wrong? If you believe this is not the information that you were looking for, I request you to please rephrase your question.
>
> Shankar
>
>    Protected EAP (PEAP) Version 2 is comprised of a two-part conversation:
>
>    [1] In Part 1, a TLS session is negotiated, with the server authenticating to the client and optionally the client to the server. The negotiated key is then used to encrypt the rest of the conversation.
>
>    [2] In Part 2, within the TLS session, zero or more EAP methods are carried out. Part 2 completes with a success/failure indication protected by the TLS session or a protected error (TLS alert).
>
>    The PEAP conversation typically begins with an optional identity exchange. The initial identity exchange is used primarily to route the EAP conversation to the EAP server. Since the initial identity exchange is in the clear, the peer MAY decide to place a routing realm instead of its real name in the EAP-Response/Identity.
>
> In short, the first exchange is based on TLS, where certificates are used much in the same way as in EAP-TLS. The remaining information (identity etc.) is then pumped through the TLS tunnel. Hence, EAP-TLS may be one of the methods (actually the most common method) used to establish the tunnel (using certificates).
>
> Shankar
>
> -----Original Message-----
> From: Camillo Bucciarelli [mailto:camillobucciarelli () yahoo it]
> Sent: Tuesday, March 02, 2004 3:46 PM
> To: security-basics () securityfocus com
> Subject: 802.1x and PEAP
>
> Good morning,
>
> I'm looking for detailed information about Protected EAP. I can't understand what the supplicant and Access Server use to establish the TLS tunnel. Here's an example:
>
>    Authenticating Peer                  Authenticator
>    -------------------                  -------------
>                                         <- EAP-Request/
>                                            Identity
>    EAP-Response/
>    Identity (MyID) ->
>                                         <- EAP-Request/
>                                            EAP-Type=PEAP, V=0
>                                            (PEAP Start, S bit set)
>    EAP-Response/
>    EAP-Type=PEAP, V=0
>    (TLS client_hello) ->
>                                         <- EAP-Request/
>                                            EAP-Type=PEAP, V=0
>                                            (TLS server_hello,
>                                             TLS certificate,
>                                             [TLS server_key_exchange,]
>                                             [TLS certificate_request,]
>                                             TLS server_hello_done)
>    EAP-Response/
>    EAP-Type=PEAP, V=0
>    ([TLS certificate,]
>     TLS client_key_exchange,
>     [TLS certificate_verify,]
>     TLS change_cipher_spec,
>     TLS finished) ->
>                                         <- EAP-Request/
>                                            EAP-Type=PEAP, V=0
>                                            (TLS change_cipher_spec,
>                                             TLS finished)
>    EAP-Response/
>    EAP-Type=PEAP ->
>                                         TLS channel established
>                                         (messages sent within the TLS channel)
>
> They exchange a server_key_exchange and a client_key_exchange used to derive the session key. It seems to me that the key exchange between the client and the server is done in clear text, but this means that I can actually sniff this exchange. Now, this seems not logical to me. Does anyone here have any idea about "where" I am wrong? Do the two elements hash the keys in some way? Or, another possibility, do we actually have the client key encrypted with the public key that belongs to the server (which is of course available) and *only* the server key transmitted in clear text? In the TLS protocol, of course, the two keys are encrypted with the public key of the "other end". But in PEAP?
>
> Thanks in advance,
> Camillo
>
> =====
> Camillo Bucciarelli
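The point Shankar makes is that PEAP Part 1 is an ordinary TLS handshake, so the only secret a sniffer would need, the premaster secret, crosses the wire encrypted under the public key in the server's certificate, while the real identity crosses only inside the finished tunnel. The following Python model of that exchange is an added illustration for this thread, not code from the PEAP draft or any product. It plays both sides and records every field a passive observer could capture. Everything in it is constructed: the server's RSA key is built from two Mersenne primes (real servers use keys of at least 2048 bits), a single HMAC-SHA256 round stands in for the TLS PRF, a SHA-256 counter keystream stands in for the negotiated record cipher, and the identities `anonymous@example.net` and `camillo@example.net` are sample values. The RSA key-transport variant is modelled, so there is no server_key_exchange, matching the optional brackets in the diagram above.

```python
"""Toy model of PEAP Part 1 (the TLS handshake carried inside EAP): what a passive
sniffer captures versus what only the two endpoints can derive.
Added illustration for the thread above; constructed parameters throughout."""
import hashlib
import hmac
import secrets

# Server RSA key (constructed): P and Q are the Mersenne primes 2^89-1 and 2^107-1.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: stays on the RADIUS server
PREMASTER_LEN = 16  # real TLS: 48 bytes; 16 keeps the integer below the toy modulus


def prf(secret: bytes, label: bytes, seed: bytes) -> bytes:
    """Stand-in for the TLS PRF (one HMAC-SHA256 round instead of iterated P_hash)."""
    return hmac.new(secret, label + seed, hashlib.sha256).digest()


def tunnel_crypt(key: bytes, data: bytes) -> bytes:
    """Toy tunnel cipher: XOR with a SHA-256 counter keystream (symmetric, so it also decrypts)."""
    out = bytearray()
    for i, byte in enumerate(data):
        if i % 32 == 0:
            block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out.append(byte ^ block[i % 32])
    return bytes(out)


def run_peap_part1(outer_identity="anonymous@example.net", inner_identity="camillo@example.net"):
    """Play both sides; return the captured wire plus each side's derived secrets."""
    wire = []  # (direction, message, visible fields): everything a sniffer sees

    # Identity exchange in the clear: the peer offers only a routing realm.
    wire.append(("auth->peer", "EAP-Request/Identity", {}))
    wire.append(("peer->auth", "EAP-Response/Identity", {"identity": outer_identity}))
    wire.append(("auth->peer", "EAP-Request/PEAP (Start)", {}))

    # TLS hellos: both randoms are public; the certificate carries the server public key.
    client_random = secrets.token_bytes(32)
    wire.append(("peer->auth", "TLS client_hello", {"random": client_random}))
    server_random = secrets.token_bytes(32)
    wire.append(("auth->peer", "TLS server_hello, certificate, server_hello_done",
                 {"random": server_random, "public_key": (N, E)}))

    # Peer picks the premaster secret and sends it encrypted under the server's public key.
    premaster = secrets.token_bytes(PREMASTER_LEN)
    encrypted = pow(int.from_bytes(premaster, "big"), E, N)  # raw RSA; real TLS adds PKCS#1 padding
    wire.append(("peer->auth", "TLS client_key_exchange", {"encrypted_premaster": encrypted}))
    seed = client_random + server_random
    client_master = prf(premaster, b"master secret", seed)
    wire.append(("peer->auth", "TLS change_cipher_spec, finished",
                 {"verify_data": prf(client_master, b"client finished", seed)[:12]}))

    # Server recovers the premaster with D, which never touched the wire.
    recovered = pow(encrypted, D, N).to_bytes(PREMASTER_LEN, "big")
    server_master = prf(recovered, b"master secret", seed)
    wire.append(("auth->peer", "TLS change_cipher_spec, finished",
                 {"verify_data": prf(server_master, b"server finished", seed)[:12]}))

    # Part 2 begins: the real identity travels only inside the tunnel.
    tunnel_key = prf(client_master, b"key expansion", server_random + client_random)
    wire.append(("peer->auth", "EAP-Response/Identity (inside TLS)",
                 {"record": tunnel_crypt(tunnel_key, inner_identity.encode())}))

    # Keying material handed to the authenticator for the wireless key handshake.
    msk = prf(client_master, b"client EAP encryption", seed)
    return {"wire": wire, "premaster": premaster, "client_master": client_master,
            "server_master": server_master, "tunnel_key": tunnel_key, "msk": msk}


def _to_bytes(value) -> bytes:
    """Flatten a captured field (bytes, str, int, or a container of them) to bytes."""
    if isinstance(value, bytes):
        return value
    if isinstance(value, str):
        return value.encode()
    if isinstance(value, int):
        return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return b"".join(_to_bytes(v) for v in value)


def observer_sees(wire, needle: bytes) -> bool:
    """Does the byte string appear anywhere in the captured handshake?"""
    blob = b"".join(_to_bytes(fields.values()) for _, _, fields in wire)
    return needle in blob


if __name__ == "__main__":
    r = run_peap_part1()
    for direction, msg, _ in r["wire"]:
        print(f"{direction:10} {msg}")
    print("masters match:", r["client_master"] == r["server_master"])
    print("sniffer sees premaster:", observer_sees(r["wire"], r["premaster"]))
    print("sniffer sees inner identity:", observer_sees(r["wire"], b"camillo@example.net"))
```

Running it prints the message sequence from the diagram and then shows that both ends derive the same master secret while neither the premaster nor the inner identity appears in the capture; only the outer routing identity, the two randoms, the certificate's public key and the RSA ciphertext are visible. The `msk` value at the end is what 802.1X exports to the authenticator, which is the material an access point uses to drive its own per-station and broadcast key handshakes.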