RE: 802.1x and PEAP

From: Camillo Bucciarelli (camillobucciarelli_at_yahoo.it)
Date: Wed, 3 Mar 2004 11:02:35 +0100 (CET)
To: security-basics@securityfocus.com


    Thanks,
    this is what I need to know.

    I have another question: do I need to use 802.1x in order
    to enable "broadcast key rotation"?

    Camillo

    --- shankarnarayan.d@netsol.co.in wrote:
    > The lines below have been pulled straight from the PEAP working draft.
    > This clearly defines that the initial negotiation of the PEAP is as in
    > TLS, thus providing the necessary security.
    > Hope this answers your question, or have I got it wrong? If you believe
    > this is not the information that you were looking for, I request you
    > to please rephrase your question.
    >
    > Shankar
    >
    > Protected EAP (PEAP) Version 2 is comprised of a two-part conversation:
    >
    > [1] In Part 1, a TLS session is negotiated, with server authenticating
    >     to the client and optionally the client to the server. The
    >     negotiated key is then used to encrypt the rest of the conversation.
    >
    > [2] In Part 2, within the TLS session, zero or more EAP methods are
    >     carried out. Part 2 completes with a success/failure indication
    >     protected by the TLS session or a protected error (TLS alert).
    >
    > The PEAP conversation typically begins with an optional identity
    > exchange. The initial identity exchange is used primarily to route the
    > EAP conversation to the EAP server. Since the initial identity exchange
    > is in the clear, the peer MAY decide to place a routing realm instead
    > of its real name in the EAP-Response/Identity.
    >
    > In short, the first exchange is based on TLS, where certificates are
    > used much in the same way as in EAP-TLS. The remaining information
    > (identity etc.) is then pumped through the TLS tunnel. Hence, EAP-TLS
    > may be one of the methods (actually the most common method) used to
    > establish the tunnel (using certificates).
    >
    > Shankar
    >
    > -----Original Message-----
    > From: Camillo Bucciarelli [mailto:camillobucciarelli@yahoo.it]
    > Sent: Tuesday, March 02, 2004 3:46 PM
    > To: security-basics@securityfocus.com
    > Subject: 802.1x and PEAP
    >
    > Good morning,
    > I'm looking for detailed information about the Protected EAP. I can't
    > understand what the supplicant and Access Server use to establish the
    > TLS tunnel. Here's an example:
    >
    > Authenticating Peer                Authenticator
    > -------------------                -------------
    >                                    <- EAP-Request/
    >                                    Identity
    > EAP-Response/
    > Identity (MyID) ->
    >                                    <- EAP-Request/
    >                                    EAP-Type=PEAP, V=0
    >                                    (PEAP Start, S bit set)
    >
    > EAP-Response/
    > EAP-Type=PEAP, V=0
    > (TLS client_hello) ->
    >                                    <- EAP-Request/
    >                                    EAP-Type=PEAP, V=0
    >                                    (TLS server_hello,
    >                                    TLS certificate,
    >                                    [TLS server_key_exchange,]
    >                                    [TLS certificate_request,]
    >                                    TLS server_hello_done)
    > EAP-Response/
    > EAP-Type=PEAP, V=0
    > ([TLS certificate,]
    > TLS client_key_exchange,
    > [TLS certificate_verify,]
    > TLS change_cipher_spec,
    > TLS finished) ->
    >                                    <- EAP-Request/
    >                                    EAP-Type=PEAP, V=0
    >                                    (TLS change_cipher_spec,
    >                                    TLS finished)
    > EAP-Response/
    > EAP-Type=PEAP ->
    >
    > TLS channel established
    > (messages sent within the TLS channel)
    >
    > They exchange a server_key_exchange and a client_key_exchange used to
    > derive the session key.
    >
    > It seems to me that the key exchange between the client and the server
    > is done in clear text, but this means that I can actually sniff this
    > exchange. Now, this seems not logical to me. Does anyone here have any
    > idea about "where" I am wrong? Do the two elements hash the keys in
    > some way? Or, another possibility, do we actually have the client key
    > encrypted with the public key that belongs to the server - that is of
    > course available - and we have the server key *only* that is
    > transmitted in clear text? In the TLS protocol of course the two keys
    > are encrypted with the public key of the "other end". But in PEAP?
    >
    > Thanks in advance,
    > Camillo
    >
    > =====
    > Camillo Bucciarelli
    >

    =====
    Camillo Bucciarelli
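As an added example (it is not part of this thread, nor of the PEAP draft Shankar quotes), the Python below walks the exchange shown in the quoted diagram: it unpacks the EAP header from RFC 3748, the PEAP method type 25 with its L/M/S flag byte and version bits, and the TLS records carried inside each EAP-Request/Response, and reports what a passive sniffer on the link can actually read. The four packets are constructed inline, with fixed bytes standing in for the Random fields, the server's certificate chain, the RSA-encrypted premaster secret and the encrypted Finished, so it runs offline; the helper and function names are mine, not a library's.

```python
import struct

# EAP header (RFC 3748) and PEAP method framing (PEAP draft): Type 25, then a flags
# byte with L (length present), M (more fragments), S (start) and the version in
# the low three bits, then the TLS data.  Field layouts are from the specs; the
# packets built below are constructed test data, not a real capture.
EAP_CODE = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_PEAP = 25
FLAG_L, FLAG_M, FLAG_S = 0x80, 0x40, 0x20
TLS_RECORD = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 13: "certificate_request",
             14: "server_hello_done", 15: "certificate_verify",
             16: "client_key_exchange", 20: "finished"}


def parse_eap_peap(pkt):
    """Split one EAP-PEAP packet into EAP header, PEAP flags/version and TLS payload."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("EAP length field does not match packet size")
    if code not in (1, 2):                      # Success/Failure carry no method data
        return {"code": EAP_CODE[code], "id": ident, "flags": set(), "version": None, "tls": b""}
    eap_type, flags = pkt[4], pkt[5]
    if eap_type != EAP_TYPE_PEAP:
        raise ValueError("not PEAP: EAP type %d" % eap_type)
    names = {n for bit, n in ((FLAG_L, "L"), (FLAG_M, "M"), (FLAG_S, "S")) if flags & bit}
    off = 10 if "L" in names else 6             # L: 4-byte total TLS message length follows
    return {"code": EAP_CODE[code], "id": ident, "flags": names,
            "version": flags & 0x07, "tls": pkt[off:]}


def walk_tls_records(tls):
    """List the TLS records of one flight as (record type, detail) pairs.

    Handshake records are split into their messages.  Once change_cipher_spec has
    gone by, later records in the flight are ciphertext and only their size is known.
    """
    out, off, encrypted = [], 0, False
    while off < len(tls):
        ctype, _major, _minor, rlen = struct.unpack("!BBBH", tls[off:off + 5])
        body = tls[off + 5:off + 5 + rlen]
        off += 5 + rlen
        kind = TLS_RECORD.get(ctype, "unknown")
        if encrypted:
            out.append((kind, "<encrypted %d bytes>" % len(body)))
        elif ctype == 20:
            encrypted = True
            out.append((kind, "1 byte"))
        elif ctype == 22:
            hoff = 0                            # one record may hold several messages
            while hoff < len(body):
                htype = body[hoff]
                hlen = int.from_bytes(body[hoff + 1:hoff + 4], "big")
                out.append((kind, HANDSHAKE.get(htype, "type %d" % htype)))
                hoff += 4 + hlen
        else:
            out.append((kind, "%d bytes" % len(body)))
    return out


def describe(pkt):
    p = parse_eap_peap(pkt)
    return {"code": p["code"], "id": p["id"], "version": p["version"],
            "flags": sorted(p["flags"]), "records": walk_tls_records(p["tls"])}


# --- builders for the constructed sample exchange ---------------------------
def tls_record(ctype, body, version=(3, 1)):    # TLS 1.0 record header
    return struct.pack("!BBBH", ctype, version[0], version[1], len(body)) + body


def handshake(htype, body):                     # HandshakeType + 24-bit length
    return bytes([htype]) + len(body).to_bytes(3, "big") + body


def eap_peap(code, ident, flags, tls=b"", version=0):
    hdr = bytes([EAP_TYPE_PEAP, flags | version])
    if flags & FLAG_L:
        hdr += struct.pack("!I", len(tls))
    body = hdr + tls
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


RANDOM = bytes(range(32))                       # constructed stand-in for the 32-byte Random
AES128_SHA = b"\x00\x2f"                        # TLS_RSA_WITH_AES_128_CBC_SHA
CLIENT_HELLO = b"\x03\x01" + RANDOM + b"\x00" + b"\x00\x02" + AES128_SHA + b"\x01\x00"
SERVER_HELLO = b"\x03\x01" + RANDOM + b"\x00" + AES128_SHA + b"\x00"
CERT_CHAIN = b"\x00\x00\x00"                    # constructed: empty chain instead of a DER cert
ENC_PREMASTER = bytes([0x5a] * 64)              # constructed: stands in for RSA(premaster)

FLIGHTS = [
    eap_peap(1, 1, FLAG_S),                                         # PEAP Start
    eap_peap(2, 1, 0, tls_record(22, handshake(1, CLIENT_HELLO))),
    eap_peap(1, 2, FLAG_L, tls_record(22, handshake(2, SERVER_HELLO)
                                      + handshake(11, CERT_CHAIN)
                                      + handshake(14, b""))),
    eap_peap(2, 2, 0, tls_record(22, handshake(16, b"\x00\x40" + ENC_PREMASTER))
                      + tls_record(20, b"\x01")
                      + tls_record(22, bytes(48))),                 # Finished, already encrypted
]

if __name__ == "__main__":
    for pkt in FLIGHTS:
        d = describe(pkt)
        print("EAP-%s id=%d flags=%s:" % (d["code"], d["id"], "".join(d["flags"]) or "-"))
        for kind, detail in d["records"]:
            print("    %-20s %s" % (kind, detail))
```

Running it shows what the sniffer in the quoted question actually gets: client_hello, server_hello, the server's certificate and server_hello_done are readable, and so is the client_key_exchange record, but with the RSA key exchange that record carries the premaster secret encrypted under the public key in the server's certificate, and everything after change_cipher_spec is already under the negotiated keys. That is plain TLS behaviour; PEAP only adds the EAP framing around it.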
     


