IETF Logo Mail Archive

Re: [Emu] Potential Notes in EAP-FAST Documents

"Hao Zhou (hzhou)" <hzhou@cisco.com> Thu, 12 February 2009 03:05 UTC

Return-Path: <hzhou@cisco.com>
X-Original-To: emu@core3.amsl.com
Delivered-To: emu@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 220DE3A69F2; Wed, 11 Feb 2009 19:05:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uahYgjdf8dLY; Wed, 11 Feb 2009 19:05:54 -0800 (PST)
Received: from rtp-iport-2.cisco.com (rtp-iport-2.cisco.com [64.102.122.149]) by core3.amsl.com (Postfix) with ESMTP id 718423A69E4; Wed, 11 Feb 2009 19:05:54 -0800 (PST)
X-IronPort-AV: E=Sophos;i="4.38,194,1233532800"; d="scan'208";a="36771656"
Received: from rtp-dkim-1.cisco.com ([64.102.121.158]) by rtp-iport-2.cisco.com with ESMTP; 12 Feb 2009 03:05:58 +0000
Received: from rtp-core-2.cisco.com (rtp-core-2.cisco.com [64.102.124.13]) by rtp-dkim-1.cisco.com (8.12.11/8.12.11) with ESMTP id n1C35wUW016395; Wed, 11 Feb 2009 22:05:58 -0500
Received: from xbh-rtp-201.amer.cisco.com (xbh-rtp-201.cisco.com [64.102.31.12]) by rtp-core-2.cisco.com (8.13.8/8.13.8) with ESMTP id n1C35wbr000205; Thu, 12 Feb 2009 03:05:58 GMT
Received: from xmb-rtp-212.amer.cisco.com ([64.102.31.111]) by xbh-rtp-201.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.1830); Wed, 11 Feb 2009 22:05:58 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Wed, 11 Feb 2009 22:05:57 -0500
Message-ID: <9958B444368E884DBB215F3FEF36F5B708F4DD04@xmb-rtp-212.amer.cisco.com>
In-Reply-To: <20090211201320.GA22148@jm.kir.nu>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Emu] Potential Notes in EAP-FAST Documents
Thread-Index: AcmMhToZYb4ZoFogRIuG/S9/eQj6agANd42Q
References: <BLU137-W531ACB9BE00127DB8595D993C30@phx.gbl><808FD6E27AD4884E94820BC333B2DB7727E78F274C@NOK-EUMSG-01.mgdnok.nokia.com><006c01c98781$5d6b8bf0$1842a3d0$@net><808FD6E27AD4884E94820BC333B2DB7727E78F2B67@NOK-EUMSG-01.mgdnok.nokia.com><003201c9880d$e8160780$b8421680$@net><DF99D1BF-7A3A-41C6-B161-FD609410DE59@nist.gov> <20090211201320.GA22148@jm.kir.nu>
From: "Hao Zhou (hzhou)" <hzhou@cisco.com>
To: Jouni Malinen <j@w1.fi>, Tim Polk <tim.polk@nist.gov>
X-OriginalArrivalTime: 12 Feb 2009 03:05:58.0742 (UTC) FILETIME=[D421A760:01C98CBE]
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; l=6401; t=1234407959; x=1235271959; c=relaxed/simple; s=rtpdkim1001; h=Content-Type:From:Subject:Content-Transfer-Encoding:MIME-Version; d=cisco.com; i=hzhou@cisco.com; z=From:=20=22Hao=20Zhou=20(hzhou)=22=20<hzhou@cisco.com> |Subject:=20RE=3A=20[Emu]=20Potential=20Notes=20in=20EAP-FA ST=20Documents |Sender:=20 |To:=20=22Jouni=20Malinen=22=20<j@w1.fi>,=20=22Tim=20Polk=2 2=20<tim.polk@nist.gov>; bh=mScsY8kf4iuRLPABg7mNFyXwENWEnQHoyulss6Bahdw=; b=UpQANhgQBVEXJBM0jcQ9GChbdRomSVq6+P30UhLKBRG36zh7Ho4mZ8xeFu lyr59OeXqsVGIkvz/N1tmG2/9JaPJb4q2fxvrmg3I21pvdwW7Mb0/Rf5yr2W bkc3G3yKZB;
Authentication-Results: rtp-dkim-1; header.From=hzhou@cisco.com; dkim=pass ( sig from cisco.com/rtpdkim1001 verified; );
Cc: emu@ietf.org, iesg@ietf.org
Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/emu>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2009 03:05:56 -0000

Jouni:

Thanks for the feedback.

To clarify, EAP-FAST-MSCHAPv2 is only being used during anonymous
provisioning mode, in other cases, the normal EAP-MSCHAPv2 is being
used. This is mentioned in draft-cam-winget-eap-fast-provisioning
Section 3.2.3 and reflects current implementations. The design is to
specifically minimize the risk associated with an anonymous tunnel,
which does not apply to an authenticated tunnel.  

As for the ISK derivation from EAP-MSCHAPv2, a further clarification is
probably helpful. As discussed, EAP-MSCHAPv2 documentation doesn't
really describe how MSK is generated, only referencing RFC3079. RFC3079
only describes how two 128-bit keys are generated, but leaves out how
these two keys are combined to form the MSK. This leaves it to be
defined in a tunnel method specific way. It seems that EAP-FAST may have
defined a combining algorithm different with the other method. 

Here is what we propose to add to draft-cam-winget-eap-fast-provisioning
Section 3.2.3 to clarify the issue. 

"The inner session key (ISK) generation for EAP-FAST-MSCHAPv2 and
EAP-MSCHAPv2 used inside EAP-FAST MUST follow the steps below. Two 128
bit master keys MasterSendKey and MasterReceiveKey are generated
according to the RFC3079. They are combined to form the ISK, with
MasterSendKey taking the first 16 octets and MasterReceiveKey taking the
last 16 octets. "

As for the GTC comment, you are right that EAP-FAST-GTC is being used in
all cases inside EAP-FAST. So your suggestion of removing "during
authentication" or changing it to "always" is fine.  

> -----Original Message-----
> From: emu-bounces@ietf.org [mailto:emu-bounces@ietf.org] On 
> Behalf Of Jouni Malinen
> Sent: Wednesday, February 11, 2009 3:13 PM
> To: Tim Polk
> Cc: emu@ietf.org; iesg@ietf.org IESG
> Subject: Re: [Emu] Potential Notes in EAP-FAST Documents
> 
> On Wed, Feb 11, 2009 at 09:26:14AM -0500, Tim Polk wrote:
> 
> > Second, I will be offering the following text for IESG 
> notes on both 
> > documents.  The notes clearly state the drawbacks for EAP type code 
> > reuse and define an acceptable path for future protocol developers.
> 
> This looks like an appropriate text to add. However, I would 
> request a small clarification on the exact scope of the 
> different EAP-MSCHAPv2 and EAP-GTC behavior. As far as 
> EAP-FAST-MSCHAPv2 vs. EAP-MSCHAPv2 is concerned, I would 
> expect that EAP-FAST-MSCHAPv2 is actually used both for 
> unauthenticated (anonymous) and server-authenticated 
> provisioning while the proposed note seemed to indicate that 
> the different behavior is implied by the use of an anonymous 
> tunnel. See below for suggested changes to resolve this.
> 
> I'm assuming that the implicit challenges derived from the 
> TLS handshake are not used in the EAP-FAST authentication, 
> i.e., normal authentication would be using something that is 
> closer to EAP-MSCHAPv2, not EAP-FAST-MSCHAPv2. However, I 
> think that even that use of EAP-MSCHAPv2 differs a bit from 
> the way it is used in other protocols, e.g., as far as key 
> derivation is concerned, but this would have been more of a 
> comment for RFC 4851 than these two drafts that are now discussed.
> Anyway, since the key derivation from inner method is used 
> also during provisioning, it would be useful to specify the 
> exact process used to derive ISK from EAP-FAST-MSCHAPv2 
> (especially the order of send/recv MS-MPPE keys which seems 
> to differ from the way this is used in PEAPv0 with cryptobinding).
> 
> > ------ draft-cam-winget-eap-fast-provisioning -----
> >     The EAP method EAP-FAST-MSCHAPv2 reuses the EAP type 
> code assigned to
> >     EAP-MSCHAPv2 (26) for authentication within an 
> anonymous TLS tunnel.  
> 
> s/an anonymous TLS tunnel/the EAP-FAST tunnel during provisioning/
> 
> > In
> >     order to minimize the risk associated with an anonymous tunnel, 
> > changes
> >     to the method were made that are not interoperable with EAP- 
> > MSCHAPv2.
> 
> This use of "anonymous tunnel" sounds fine.
> 
> >     Since EAP-MSCHAPv2 does not support method-specific version 
> > negotiation,
> >     the use of EAP-FAST-MSCHAPv2 is implied by the use of 
> an anonymous
> >     EAP-FAST tunnel.
> 
> s/of an anonymous EAP-FAST tunnel/inside the EAP-FAST tunnel 
> during provisioning/
> 
> >  This behavior may cause problems in implementations
> >     where the use of unaltered EAP-MSCHAPv2 is needed inside an 
> > anonymous
> >     EAP-FAST tunnel.  Since such support requires special case 
> > execution of
> >     a method within a  tunnel, it also complicates implementations 
> > that use
> >     the same method code both within and outside of the tunnel
> >     method.
> 
> That "anonymous" should likely be replaced, too, but I don't 
> have a good proposal for this one. Maybe s/an anonymous/the/
> 
> The implementation complexity comes both from different 
> tunneling methods using different versions of EAP-MSCHAPv2 
> and from the different use within EAP-FAST depending on state 
> (provisioning vs.
> authentication).
> 
> 
> > ----  draft-zhou-emu-fast-gtc  ------
> 
> > Since
> >     EAP-GTC does not support method-specific version 
> negotiation,  the 
> > use of
> >     EAP-FAST-GTC is implied when used inside the EAP-FAST 
> tunnel during
> >     authentication.
> 
> s/ during authentication//
> 
> I'm not sure whether this "during authentication" was 
> referring to the case where EAP-FAST provisioning is not used 
> (i.e., normal authentication after PAC has been previously 
> provisioned). Anyway, it is probably clearer to just specify 
> that EAP-FAST-GTC is used in all cases inside EAP-FAST tunnel 
> since the draft seems to indicate that this is indeed the 
> case (just note that EAP-FAST-GTC is not allowed in 
> unauthenticated/anonymous provisioning, but it is allowed in 
> server-authenticated provisioning).
> 
> -- 
> Jouni Malinen                                            PGP 
> id EFC895FA
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>

v2.23.0 | Report a Bug | By Email