Man-in-the-middle attacks in tunneled authentication protocols

In September 2002, we discovered a rather obvious flaw that shows up when a remote authentication protocol is tunneled within a server-authenticated channel. Surprisingly this approach is used in many existing or proposed protocols. Here is the paper: Here are some slides to go with it:
asokan AT
Last modified: Mon Sep 29 18:46:54 EEST 2003