Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS


Chronological Thread 
  • From: Stefan Paetow <Stefan.Paetow AT jisc.ac.uk>
  • To: "cat-users AT lists.geant.org" <cat-users AT lists.geant.org>
  • Subject: Re: [[cat-users]] Specific CatInstaller for Android11 with EAP-TTLS
  • Date: Tue, 18 May 2021 21:56:36 +0000
  • Accept-language: en-GB, en-US
  • Arc-authentication-results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jisc.ac.uk; dmarc=pass action=none header.from=jisc.ac.uk; dkim=pass header.d=jisc.ac.uk; arc=none
  • Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SkI3RSs7erXKxiskfWFerJ3i9b6sOapT2+p2ESWQEsA=; b=k1Lx+6kZPK4nnZcVaVTG0zp0YrKOgyp/ngX89Kltu7Jcw+KKHanUo8y4RhSYtHIBw0q6u8TrQGY1UGURZGgn4NcADYxjHFhQu8SGxVfj4jce2a+KH3q+7Dxl3GuwxuXSaW415mDhvOwizEqGDsVr93YkoFxlQ+XIILb58NH6ID4Ek3i4vW3/vo9HfZLczmeOVQo3/H9Gye5Fz0NuqL2PTeKV9cSkwb/ZrzSbabUsrLRhwrDmP/C7QlFjgvGN3Qk7ssg6Kd1OG/1Msv15qdVVvxCKaHAT2zE+iVNQP/Co7lWCHi/QcLJvrqEtoCM9TSKKC+JrHlj3ixcH4f+vtaf1/g==
  • Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Kj/QXIRvsOKhJdG5YfRBcVueqAosvox91DEJL65zE2qF7n2cgeH3pv9nO7pFRvBd7EHMHur/TgJ3Fwf9dnoJX0G8lL2AW2eFocnq8Ir1ANu67szn9YpFPd7YTQLbm6yDmDTlhJi+glvVwlDEdslcQAcuuiqgHZmO1EuMTCJKyb4fArUw3U9qO6m1Go93aXe75ZOvmhYbfnA5OInfhFPSgKY+HwmZLy7XFAmD9fxkiToIo+zDAl4aOVWdn+MvqobCaybHwoz3na8iMveSBmcIBA9Ots9zlK2g5SjSpikpzbGv4jqx+d0ViCnBS6U8h9JamHF6LthBz0yNe7FviCo8Hw==
  • Authentication-results: lists.geant.org; dkim=none (message not signed) header.d=none;lists.geant.org; dmarc=none action=none header.from=jisc.ac.uk;

Hi Martin,

> Conclusion: Forcing your clients to use an anonymous outer ID will
> protect you from this trivial attack almost completely!

Which requires you to use an MDM profile (à la the CAT profile) on Apple. You
cannot specify an anonymous outer in a manual setup on iOS. When you simply
tap to join 'eduroam' on iOS, you are only prompted for your username (or
NAI, rather) and password, and the NAI is not anonymised.

> NB: Most of this could be avoided by methods like EAP-TLS in the first
> place, but this is future work for most of us.

Yes and no. EAP-TLS requires you to visit your organisation's site again to
get the profile that includes a private key and the cert for it. I had this
with SecureW2, in that I attempted to use one profile on two devices. That
was not allowed. Each device had to visit the SecureW2 site separately to
obtain keys and certs. Maybe it was a configuration on the server side, but
there we are.

But Aruba and others are in agreement that the only way we'll get around
issues of credential leakage is... EAP-TLS. (

> Sorry, the focus shift and additional work introduced by Covid hampered
> us to the point
> that we were hardly able to conduct the research at all.

The research is nonetheless fascinating, and it would be great to read it.
We'll wait until it's ready (

(

Stefan Paetow
Federated Roaming Technical Specialist

t: +44 (0)1235 822 125
gpg: 0x3FCE5142
xmpp: stefanp AT jabber.dev.ja.net
skype: stefan.paetow.janet


In line with government advice, at Jisc we’re now working from home and our
offices are currently closed. Read our statement on coronavirus
<https://www.jisc.ac.uk/about/corporate/coronavirus-statement>.

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT No.
GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill,
Bristol, BS2 0JA. T 0203 697 5800.


On 17/05/2021, 10:55, "Martin Pauly" <cat-users-request AT lists.geant.org on
behalf of pauly AT hrz.uni-marburg.de> wrote:

Conclusion: Forcing your clients to use an anonymous outer ID will
protect you from this trivial attack almost completely!
NB: Most of this could be avoided by methods like EAP-TLS in the first
place, but this is future work for most of us.
The vulnerability has been present all the way from the start of eduroam
until _now_.
And: EAP-PWD won't help either as the users have to configure it, just as
cert checking.
I promise to give a sensible write-up of the results some time this year.
Sorry, the focus shift and additional work introduced by Covid hampered
us to the point
that we were hardly able to conduct the research at all.

The need to require an anonymous outer ID brings us back to that big
Korean manufacturer ...
>> in most Samsung devices (with the notable exception of the
Galaxy S21).
> Is it possible that the S21 has already received a fix for this issue?
I have a Samsung device here that did display the problem
> when I upgraded to Android 11. I'll power it up and check whether it's
getting any updates.
I should be more precise here: Our specimen of a Galaxy S21 which is the
German/Germany version of
this model, did not exhibit the "Samsung Bug". It just worked.

Regards, Martin

--
Dr. Martin Pauly Phone: +49-6421-28-23527
HRZ Univ. Marburg Fax: +49-6421-28-26994
Hans-Meerwein-Str. E-Mail: pauly AT HRZ.Uni-Marburg.DE
D-35032 Marburg






Archive powered by MHonArc 2.6.19.

Top of Page