Hi all,
Has anyone discussed the implications of the TLS renegotiation vulnerability for EAP-TLS?
From my little understanding, it seems like EAP-TLS is not vulnerable.
- There is no application layer protocol involved when EAP-TLS is executed [Please correct me if I'm wrong].
- If client certificate authentication is required (it should be), the server will always request client certificates.
- After a successful EAP-TLS exchange, the TLS tunnel is not used; only the keying material is exported [Although the tunnel is not used, is it still present and can it be used in some way? Or is there no state information stored for the EAP method after a successful EAP exchange?].
- EAP re-authentication is a new EAP exchange which is independent of the previous exchange. It is not the same as TLS renegotiation which is executed in the previous TLS tunnel.
Any comments? Thanks. - kh
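As an added illustration of the third bullet (this is not code from the original post), the key export that EAP-TLS performs in place of sending application data: RFC 5216 derives the MSK/EMSK with the TLS PRF under the label "client EAP encryption", and this example implements that with the TLS 1.2 PRF (P_SHA256, RFC 5246). The master secret and randoms are constructed values; the resumption helper is a hypothetical model of an EAP re-authentication, not a real TLS stack.

```python
# Added example: EAP-TLS key export per RFC 5216 section 2.3, using the
# TLS 1.2 PRF (RFC 5246 section 5). Secrets and randoms are constructed.
import hashlib
import hmac
import os

EAP_TLS_LABEL = b"client EAP encryption"  # RFC 5216 key-derivation label


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash expansion (RFC 5246 section 5) with HMAC-SHA256."""
    out = b""
    a = seed  # A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()             # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()   # HMAC(secret, A(i) + seed)
    return out[:length]


def tls12_prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def eap_tls_keys(master_secret: bytes, client_random: bytes, server_random: bytes):
    """Return (MSK, EMSK): 128 bytes of key material, first 64 are the MSK,
    next 64 the EMSK. After this export the EAP peer/server hand the MSK to
    the lower layer; no application data is ever sent inside the TLS tunnel."""
    material = tls12_prf(master_secret, EAP_TLS_LABEL,
                         client_random + server_random, 128)
    return material[:64], material[64:]


def resumed_eap_exchange(master_secret: bytes):
    """Hypothetical model of an EAP re-authentication that resumes the TLS
    session: same master secret, but a brand-new handshake with fresh
    ClientHello/ServerHello randoms, so a fresh MSK results."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)
    msk, _ = eap_tls_keys(master_secret, client_random, server_random)
    return client_random, server_random, msk


if __name__ == "__main__":
    ms = bytes(range(48))  # constructed 48-byte master secret
    msk, emsk = eap_tls_keys(ms, b"\x01" * 32, b"\x02" * 32)
    print("MSK :", msk.hex())
    print("EMSK:", emsk.hex())
```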