802.1x and PEAP

From: Camillo Bucciarelli (camillobucciarelli_at_yahoo.it)
Date: 03/02/04

Next message: Giddens, Robert: "RE: help with exchange"

Previous message: Ramsinghani, Aashish (EM, GECIS): "SHA Encryption"
Next in thread: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x and PEAP"
Maybe reply: Camillo Bucciarelli: "RE: 802.1x and PEAP"
Maybe reply: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x and PEAP"
Maybe reply: Camillo Bucciarelli: "RE: 802.1x and PEAP"
Maybe reply: Rosenhan, David: "RE: 802.1x and PEAP"
Maybe reply: Rosado, Rafael (Rafael): "RE: 802.1x and PEAP"
Maybe reply: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x and PEAP"
Maybe reply: Rosenhan, David: "RE: 802.1x and PEAP"
Maybe reply: Rosenhan, David: "RE: 802.1x and PEAP"
Maybe reply: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x and PEAP"
Maybe reply: Jason Humes: "RE: 802.1x and PEAP"
Maybe reply: balinsky_at_cisco.com: "Re: 802.1x and PEAP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 2 Mar 2004 11:15:55 +0100 (CET)
To: security-basics@securityfocus.com

Good morning,
  I’m looking for detailed information about the
Protected EAP. I can’t understand what the supplicant
and Access Server use to establish the TLS tunnel.
Here's an example:

Authenticating Peer Authenticator
------------------- -------------
                        <- EAP-Request/
                        Identity
EAP-Response/
Identity (MyID) ->
                        <- EAP-Request/
                        EAP-Type=PEAP, V=0
                        (PEAP Start, S bit set)

EAP-Response/
EAP-Type=PEAP, V=0
(TLS client_hello)->
                        <- EAP-Request/
                        EAP-Type=PEAP, V=0
                        (TLS server_hello,
                         TLS certificate,
                 [TLS server_key_exchange,]
                 [TLS certificate_request,]
                     TLS server_hello_done)
EAP-Response/
EAP-Type=PEAP, V=0
([TLS certificate,]
TLS client_key_exchange,
[TLS certificate_verify,]
TLS change_cipher_spec,
TLS finished) ->
                        <- EAP-Request/
                        EAP-Type=PEAP, V=0
                        (TLS change_cipher_spec,
                         TLS finished)
EAP-Response/
EAP-Type=PEAP ->

TLS channel established
(messages sent within the TLS channel)

They exchange a server_key_exchange and a
client_key_exchange used to derive the session key.

It seems to me that the key exchange between the
client and the server is done in clear text, but this
means that I can actually sniff this exchange. Now,
this seems not logical to me. Anyone here has any
idea about "where" I am wrong ? Do the two elements
hash in some way the keys ? Or, another possibility,
do we actually have the client key encrypted with the
public key that belongs to the server - that is of
course available - and we have the server key *only*
that is transmitted in clear text ? In the TLS
protocol of course the two key are encrypted with the
ublic key of the "other end". But in PEAP ?

Thanks in advance,
Camillo

=====
Camillo Bucciarelli

______________________________________________________________________
Yahoo! Mail: 6MB di spazio gratuito, 30MB per i tuoi allegati, l'antivirus, il filtro Anti-spam
http://it.yahoo.com/mail_it/foot/?http://it.mail.yahoo.com/

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_security-basics_040301
----------------------------------------------------------------------------

Next message: Giddens, Robert: "RE: help with exchange"

Previous message: Ramsinghani, Aashish (EM, GECIS): "SHA Encryption"
Next in thread: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x and PEAP"
Maybe reply: Camillo Bucciarelli: "RE: 802.1x and PEAP"
Maybe reply: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x and PEAP"
Maybe reply: Camillo Bucciarelli: "RE: 802.1x and PEAP"
Maybe reply: Rosenhan, David: "RE: 802.1x and PEAP"
Maybe reply: Rosado, Rafael (Rafael): "RE: 802.1x and PEAP"
Maybe reply: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x and PEAP"
Maybe reply: Rosenhan, David: "RE: 802.1x and PEAP"
Maybe reply: Rosenhan, David: "RE: 802.1x and PEAP"
Maybe reply: shankarnarayan.d_at_netsol.co.in: "RE: 802.1x and PEAP"
Maybe reply: Jason Humes: "RE: 802.1x and PEAP"
Maybe reply: balinsky_at_cisco.com: "Re: 802.1x and PEAP"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: 802.1x and PEAP
... > server authenticating ... > protected by the TLS session or a protected ... The initial identity exchange is used ... > protection, URL filtering, VPN, ...
(Security-Basics)
RE: 802.1x and PEAP
... I disagree with your comment about TKIP and MIC being proprietary. ... Broadcast key rotation can only be done with an authentication server. ... > the TLS - thus providing the necessary security. ... > protected by the TLS session or a protected error. ...
(Security-Basics)
RE: 802.1x and PEAP
... Broadcast key rotation can only be done with an authentication server. ... IOS a different vendors card will not work with TKIP and MIC, ... > protected by the TLS session or a protected error ...
(Security-Basics)
Re: radtest ok, xsupplicant fails (was : Problem compiling Freeradius on RH 9.0)
... The radius server compiles and installs now, ... tls: rsa_key_exchange = no ... Module: Loaded preprocess ... Module: Loaded radutmp ...
(comp.os.linux.misc)
OWA works, RPC over HTTP does not
... we have an Exchange 2003 server running as front end and back end server at once. ... The server is behind NAT and port 443 is forwarded to the Exchange server. ... 194.35.207.125 TLS Client Hello ...
(microsoft.public.exchange.admin)