Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

An Inconvenient Truth About Tunneled Authentications

Published

Author(s)

Katrin Hoeper, Lidong Chen

Abstract

In recent years, it has been a common practice to execute client authentications for network access inside a protective tunnel. Man-in-the-middle (MitM) attacks on such tunneled authentications have been discovered early on and cryptographic bindings are widely adopted to mitigate these attacks. In this paper, we shake the false sense of security given by these so-called protective tunnels by demonstrating that most tunneled authentications are still susceptible to MitM attacks despite the use of cryptographic bindings and other proposed countermeasures. Our results affect widely deployed protocols, such as EAP-FAST and PEAP.
Conference Dates
October 10-14, 2010
Conference Location
Denver, CO, US
Conference Title
35th IEEE Conference on Local Computer Networks (LCN)

Keywords

Protective tunnel, authentication, tunnel-based EAP method, man-in-the-middle attack, cryptographic binding

Citation

Hoeper, K. and Chen, L. (2010), An Inconvenient Truth About Tunneled Authentications, 35th IEEE Conference on Local Computer Networks (LCN) , Denver, CO, US, [online], https://doi.org/10.1109/LCN.2010.5735754, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=906200 (Accessed March 28, 2024)
Created October 9, 2010, Updated October 12, 2021