IETF Logo Mail Archive

Re: [Emu] Issue 47 Certificate identity checks

Joseph Salowey <joe@salowey.net> Mon, 12 April 2021 16:23 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C894C3A0062 for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 09:23:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KVfcUlnQwidX for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 09:23:14 -0700 (PDT)
Received: from mail-lf1-x134.google.com (mail-lf1-x134.google.com [IPv6:2a00:1450:4864:20::134]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C29D13A003E for <emu@ietf.org>; Mon, 12 Apr 2021 09:22:40 -0700 (PDT)
Received: by mail-lf1-x134.google.com with SMTP id j18so22384881lfg.5 for <emu@ietf.org>; Mon, 12 Apr 2021 09:22:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=eDGAXNyYmAdmQm2SzeuBpneWtSeH26R4Q1x2ktbQtC8=; b=Y8X9Y+DiayK1SzAC2z0YjIexm+fSv6T5cnF/U4CDYGtSWyh2eqzF3CVzVi3ixUc+b0 PV2aOld7RihTOdpKqdc4nQF4wR440Af2o0+pQle8Cfp1cnxPDMpK+H62qQ9kSD3nDfUb VbdKjjKKwWkHqZTYmrvKfSVHlz+686WG6k/DNfdjGGubseIvEzbqZTX9GaU1UBCrGh+t gsupWhXWH28k1N0a1Zp92YaYmZ814/cZepX+Bz7ocjuyebLDNcAVNL4GTl2gmZdgD5Hd FGoRAlWX3PaDDmA1lljcyxRp7Y/xuqC36zhwDs1cwaseZ1SzsHm3LlK45VvO66WevSab xwKg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=eDGAXNyYmAdmQm2SzeuBpneWtSeH26R4Q1x2ktbQtC8=; b=itpYRNlNC9qUwr29MlXsvVCP/GQjvL05vAbOB+ipFJeMKqu1qMDmGRdhO8wk55Ux4S g2ktvebIUObuZH8g44Ub+NtKKH6V0eY56hS9qro9oFj+N0M/SgnMR0LYGkxDMfb6+Gyr Nvb8D1fpkOBABCOeYP/IFxS1HTzcQKzLKSHLb32DcrV7Si0FRrAN4MGAy0HSNo4/JBoS dhaBt50MWgqJT4mbR6qotR3zOy+sIRLaVGCHNPAKOINyfYR00EY94z4DYPLIij8bpl9t 0Q5IW1ILDbCp/tZRy5U6IVrP9FRKZ9wI7FfgS4qVgvAKw1UNkh4M8e4XM3i/Ih6apqra Cg4A==
X-Gm-Message-State: AOAM531fgiq/DUw0WEC4u9wGA+QVV1GGP1HzERUoP31Kyi3Ayu03A3ug B02tlFkjtAFA3fSXUMeDuhPrf7JwjGH+AkTHUkT3jm4Uv0A=
X-Google-Smtp-Source: ABdhPJxAPClkncdm37/dNJAdYxiYCQVxlgIBVH3ytq6xWXzFobtTHDfKkqxvelnkGKEhyLuqCp1uEvUb2EvdKZPmxOY=
X-Received: by 2002:ac2:5eca:: with SMTP id d10mr17791228lfq.525.1618244558838; Mon, 12 Apr 2021 09:22:38 -0700 (PDT)
MIME-Version: 1.0
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com> <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com>
In-Reply-To: <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 12 Apr 2021 09:22:27 -0700
Message-ID: <CAOgPGoBm7pas9i6n-y8g1yqP+ea68=_8DueHqywDQLBcMGEJ9g@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000016ecef05bfc8ec12"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/-29vDNdxLFNlL8OEOeDjP7GNOTg>
Subject: Re: [Emu] Issue 47 Certificate identity checks
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 16:23:21 -0000

On Mon, Apr 12, 2021 at 5:48 AM Alan DeKok <aland@deployingradius.com>
wrote:

> On Apr 11, 2021, at 11:19 PM, Joseph Salowey <joe@salowey.net> wrote:
> > RFC 5216 lacks guidance on how to validate the EAP server's certificate
> especially with respect to identities.
>
>   Yes.  :)
>
> > RFC 5216 recommends validating the certificate path is valid and that
> the extended key usage attributes are either not present, allow for any
> usage or allow for TLS server usage.   This creates an issue that if the
> same truest root is used for EAP TLS and for other TLS server usage that
> any TLS server will be able to extend its privilege and behave as an EAP
> server.   The following recommendations are made for implementations and
> deployments to avoid this problem.
>
>   One of my colleagues, Arran Cudbard-Bell wrote a cute tool a few years
> ago.  It would pretend to be a WiFI hotspot.  Then when systems tried to do
> EAP, it would strip the realm from the EAP identity.  It would then, use
> HTTPS to connect to a web server for that realm, and download that HTTPS
> server cert.  That cert would then be cloned under a new "self signed" CA,
> and the cloned cert presented to the user.
>
>   The only real difference between the "real" and "fake" certs was the
> root CA / trust anchor.
>
>   So yes, this is a real issue.  Even in a trusted environment, a web
> server admin can set up a WiFi hotspot using the HTTPS server cert.  This
> seems wrong.
>
> > 1. EAP TLS Peer implementations SHOULD allow for configuration of names
> to match against SANs of type DNS name that are authorized to act as
> EAP-TLS servers.
>
>   Given the above attacks, I'm not sure that this helps.
>
>
[Joe] You would need to use the name matching in conjunction with
validation to a trusted root.


> > 2. CAs MAY issue certs to EAP Servers that specify the id-kp-eapOverLAN
> EKU specified in RFC 3770.  EAP TLS peer implementations SHOULD allow for
> the configuration to require the id-kp-eapOverLAN EKU for validation of EAP
> server certificates.
>
>   That's good, but as discussed previously on this list, it's essentially
> impossible to get those certs from public CAs.  Claims of "just start your
> own public CA" notwithstanding, the only practical way to do it is with a
> private CA.
>
>
[Joe]  without some sort of name matching using certs from a public CA is
unwise.


> > 3. If the above options are not available then separate trust roots need
> to be used to issue certificates for EAP-TLS server and for TLS servers.
> EAP TLS peer implementations MUST allow for configuration of a unique trust
> root to validate the server's certificate.
> >
> > EAP-TLS peer implementations SHOULD provide ways to automate the
> configuration of the information necessary for the validation of the
> certificate.
>
>   After looking into this in some depth, the only real thing you can
> depend on is the CA.  If the CA is trusted, nothing else matters.  If the
> CA is not trusted, then nothing else matters.
>
> [Joe] In this case we would have to rule out CAs that are not under the
organizations control (public CAs)


>   i.e. for any kind of increased security you'd like to add to EAP-TLS,
> you can almost always find a scenario where that security forbids
> real-world use-cases we'd like to support

  Alan DeKok.
>
>

v2.23.0 | Report a Bug | By Email