Skip to main content

NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

An Inconvenient Truth About Tunneled Authentications

Published

Author(s)

Katrin Hoeper, Lidong Chen

Abstract

In recent years, it has been a common practice to execute client authentications for network access inside a protective tunnel. Man-in-the-middle (MitM) attacks on such tunneled authentications have been discovered early on and cryptographic bindings are widely adopted to mitigate these attacks. In this paper, we shake the false sense of security given by these so-called protective tunnels by demonstrating that most tunneled authentications are still susceptible to MitM attacks despite the use of cryptographic bindings and other proposed countermeasures. Our results affect widely deployed protocols, such as EAP-FAST and PEAP.
Conference Dates
October 10-14, 2010
Conference Location
Denver, CO, US
Conference Title
35th IEEE Conference on Local Computer Networks (LCN)

Keywords

Protective tunnel, authentication, tunnel-based EAP method, man-in-the-middle attack, cryptographic binding

Citation

Hoeper, K. and Chen, L. (2010), An Inconvenient Truth About Tunneled Authentications, 35th IEEE Conference on Local Computer Networks (LCN) , Denver, CO, US, [online], https://doi.org/10.1109/LCN.2010.5735754, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=906200 (Accessed October 13, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created October 9, 2010, Updated October 12, 2021
Was this page helpful?