Re: [Emu] Issue 47 Certificate identity checks
Joseph Salowey <joe@salowey.net> Mon, 12 April 2021 16:23 UTC
Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C894C3A0062 for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 09:23:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVfcUlnQwidX for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 09:23:14 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C29D13A003E for <emu@ietf.org>; Mon, 12 Apr 2021 09:22:40 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id j18so22384881lfg.5 for <emu@ietf.org>; Mon, 12 Apr 2021 09:22:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eDGAXNyYmAdmQm2SzeuBpneWtSeH26R4Q1x2ktbQtC8=; b=Y8X9Y+DiayK1SzAC2z0YjIexm+fSv6T5cnF/U4CDYGtSWyh2eqzF3CVzVi3ixUc+b0 PV2aOld7RihTOdpKqdc4nQF4wR440Af2o0+pQle8Cfp1cnxPDMpK+H62qQ9kSD3nDfUb VbdKjjKKwWkHqZTYmrvKfSVHlz+686WG6k/DNfdjGGubseIvEzbqZTX9GaU1UBCrGh+t gsupWhXWH28k1N0a1Zp92YaYmZ814/cZepX+Bz7ocjuyebLDNcAVNL4GTl2gmZdgD5Hd FGoRAlWX3PaDDmA1lljcyxRp7Y/xuqC36zhwDs1cwaseZ1SzsHm3LlK45VvO66WevSab xwKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eDGAXNyYmAdmQm2SzeuBpneWtSeH26R4Q1x2ktbQtC8=; b=itpYRNlNC9qUwr29MlXsvVCP/GQjvL05vAbOB+ipFJeMKqu1qMDmGRdhO8wk55Ux4S g2ktvebIUObuZH8g44Ub+NtKKH6V0eY56hS9qro9oFj+N0M/SgnMR0LYGkxDMfb6+Gyr Nvb8D1fpkOBABCOeYP/IFxS1HTzcQKzLKSHLb32DcrV7Si0FRrAN4MGAy0HSNo4/JBoS dhaBt50MWgqJT4mbR6qotR3zOy+sIRLaVGCHNPAKOINyfYR00EY94z4DYPLIij8bpl9t 0Q5IW1ILDbCp/tZRy5U6IVrP9FRKZ9wI7FfgS4qVgvAKw1UNkh4M8e4XM3i/Ih6apqra Cg4A==
X-Gm-Message-State: AOAM531fgiq/DUw0WEC4u9wGA+QVV1GGP1HzERUoP31Kyi3Ayu03A3ug B02tlFkjtAFA3fSXUMeDuhPrf7JwjGH+AkTHUkT3jm4Uv0A=
X-Google-Smtp-Source: ABdhPJxAPClkncdm37/dNJAdYxiYCQVxlgIBVH3ytq6xWXzFobtTHDfKkqxvelnkGKEhyLuqCp1uEvUb2EvdKZPmxOY=
X-Received: by 2002:ac2:5eca:: with SMTP id d10mr17791228lfq.525.1618244558838; Mon, 12 Apr 2021 09:22:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com> <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com>
In-Reply-To: <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 12 Apr 2021 09:22:27 -0700
Message-ID: <CAOgPGoBm7pas9i6n-y8g1yqP+ea68=_8DueHqywDQLBcMGEJ9g@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000016ecef05bfc8ec12"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/-29vDNdxLFNlL8OEOeDjP7GNOTg>
Subject: Re: [Emu] Issue 47 Certificate identity checks
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 16:23:21 -0000
On Mon, Apr 12, 2021 at 5:48 AM Alan DeKok <aland@deployingradius.com> wrote: > On Apr 11, 2021, at 11:19 PM, Joseph Salowey <joe@salowey.net> wrote: > > RFC 5216 lacks guidance on how to validate the EAP server's certificate > especially with respect to identities. > > Yes. :) > > > RFC 5216 recommends validating the certificate path is valid and that > the extended key usage attributes are either not present, allow for any > usage or allow for TLS server usage. This creates an issue that if the > same truest root is used for EAP TLS and for other TLS server usage that > any TLS server will be able to extend its privilege and behave as an EAP > server. The following recommendations are made for implementations and > deployments to avoid this problem. > > One of my colleagues, Arran Cudbard-Bell wrote a cute tool a few years > ago. It would pretend to be a WiFI hotspot. Then when systems tried to do > EAP, it would strip the realm from the EAP identity. It would then, use > HTTPS to connect to a web server for that realm, and download that HTTPS > server cert. That cert would then be cloned under a new "self signed" CA, > and the cloned cert presented to the user. > > The only real difference between the "real" and "fake" certs was the > root CA / trust anchor. > > So yes, this is a real issue. Even in a trusted environment, a web > server admin can set up a WiFi hotspot using the HTTPS server cert. This > seems wrong. > > > 1. EAP TLS Peer implementations SHOULD allow for configuration of names > to match against SANs of type DNS name that are authorized to act as > EAP-TLS servers. > > Given the above attacks, I'm not sure that this helps. > > [Joe] You would need to use the name matching in conjunction with validation to a trusted root. > > 2. CAs MAY issue certs to EAP Servers that specify the id-kp-eapOverLAN > EKU specified in RFC 3770. EAP TLS peer implementations SHOULD allow for > the configuration to require the id-kp-eapOverLAN EKU for validation of EAP > server certificates. > > That's good, but as discussed previously on this list, it's essentially > impossible to get those certs from public CAs. Claims of "just start your > own public CA" notwithstanding, the only practical way to do it is with a > private CA. > > [Joe] without some sort of name matching using certs from a public CA is unwise. > > 3. If the above options are not available then separate trust roots need > to be used to issue certificates for EAP-TLS server and for TLS servers. > EAP TLS peer implementations MUST allow for configuration of a unique trust > root to validate the server's certificate. > > > > EAP-TLS peer implementations SHOULD provide ways to automate the > configuration of the information necessary for the validation of the > certificate. > > After looking into this in some depth, the only real thing you can > depend on is the CA. If the CA is trusted, nothing else matters. If the > CA is not trusted, then nothing else matters. > > [Joe] In this case we would have to rule out CAs that are not under the organizations control (public CAs) > i.e. for any kind of increased security you'd like to add to EAP-TLS, > you can almost always find a scenario where that security forbids > real-world use-cases we'd like to support Alan DeKok. > >
- [Emu] Issue 47 Certificate identity checks Joseph Salowey
- Re: [Emu] Issue 47 Certificate identity checks Eliot Lear
- Re: [Emu] Issue 47 Certificate identity checks Alan DeKok
- Re: [Emu] Issue 47 Certificate identity checks Alan DeKok
- Re: [Emu] Issue 47 Certificate identity checks Eliot Lear
- Re: [Emu] Issue 47 Certificate identity checks Alan DeKok
- Re: [Emu] Issue 47 Certificate identity checks Joseph Salowey
- Re: [Emu] Issue 47 Certificate identity checks Joseph Salowey
- Re: [Emu] Issue 47 Certificate identity checks Alan DeKok
- Re: [Emu] Issue 47 Certificate identity checks Eliot Lear
- Re: [Emu] Issue 47 Certificate identity checks Tim Cappalli
- Re: [Emu] Issue 47 Certificate identity checks Alan DeKok
- Re: [Emu] Issue 47 Certificate identity checks Eliot Lear
- Re: [Emu] Issue 47 Certificate identity checks Michael Richardson
- Re: [Emu] Issue 47 Certificate identity checks Alan DeKok
- Re: [Emu] Issue 47 Certificate identity checks Tim Cappalli
- Re: [Emu] Issue 47 Certificate identity checks Alan DeKok
- Re: [Emu] Issue 47 Certificate identity checks Tim Cappalli
- Re: [Emu] Issue 47 Certificate identity checks Alan DeKok