Issue 368: Threat Model Assumptions

Issue 368: Threat Model Assumptions
Submitter name: Bernard Aboba
Submitter email address: abobainternaut.com
Date Submitted: May 4, 2006
Reference: http://lists.frascone.com/pipermail/eap/msg04231.html
Document: KEYING-12
Comment type: 'T'echnical
Priority: '1' Should fix
Section: 5
Rationale/Explanation of issue:

The assumptions about the attacker are not discussed as part
of the
threat model.

Recommendation is to change the first three paragraphs of
Section 5
to the following:

" The EAP threat model is described in [RFC3748]
Section 7.1. The
security properties of EAP methods (known as "security
claims") are
described in [RFC3748] Section 7.2.1. EAP method
requirements for
applications such as Wireless LAN authentication are
described in
[RFC4017]. The RADIUS threat model is described in [RFC3579]
Section
4.1, and responses to these threats are described in
[RFC3579]
Sections 4.2 and 4.3.

However, in addition to threats against EAP and AAA, there
are other
system level threats. In developing the threat model, it is
assumed
that:

All traffic is visible to the attacker.
The attacker can alter, forge or replay messages.
The attacker can reroute messages to another principal.
The attacker may be a principal or an outsider.
The attacker can compromise any key that is sufficiently
old.

Threats arising from these assumptions include:"


____________________________________________________________
_____
To unsubscribe or modify your subscription options, please
visit:
http:/
/lists.frascone.com/mailman/listinfo/eap

Arhives: http://lists.
frascone.com/pipermail/eap