Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

An Inconvenient Truth About Tunneled Authentications



Katrin Hoeper, Lidong Chen


In recent years, it has been a common practice to execute client authentications for network access inside a protective tunnel. Man-in-the-middle (MitM) attacks on such tunneled authentications have been discovered early on and cryptographic bindings are widely adopted to mitigate these attacks. In this paper, we shake the false sense of security given by these so-called protective tunnels by demonstrating that most tunneled authentications are still susceptible to MitM attacks despite the use of cryptographic bindings and other proposed countermeasures. Our results affect widely deployed protocols, such as EAP-FAST and PEAP.
Conference Dates
October 10-14, 2010
Conference Location
Denver, CO, US
Conference Title
35th IEEE Conference on Local Computer Networks (LCN)


Protective tunnel, authentication, tunnel-based EAP method, man-in-the-middle attack, cryptographic binding


Hoeper, K. and Chen, L. (2010), An Inconvenient Truth About Tunneled Authentications, 35th IEEE Conference on Local Computer Networks (LCN) , Denver, CO, US, [online],, (Accessed June 19, 2024)


If you have any questions about this publication or are having problems accessing it, please contact

Created October 9, 2010, Updated October 12, 2021