IETF Logo Mail Archive

Re: [Emu] General EAP discussion of protected alternate indication of success, RFC 4137, and IEEE 802.1X

Mohit Sethi M <mohit.m.sethi@ericsson.com> Sun, 07 February 2021 14:32 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 81FF73A0E9F for <emu@ietfa.amsl.com>; Sun, 7 Feb 2021 06:32:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.353
X-Spam-Level:
X-Spam-Status: No, score=-0.353 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_DOTEDU=1.997] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tVM_Ge-iMNW9 for <emu@ietfa.amsl.com>; Sun, 7 Feb 2021 06:32:29 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on0611.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe0d::611]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 89D3E3A0EF4 for <emu@ietf.org>; Sun, 7 Feb 2021 06:32:28 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=S4gocZjS7S8hGW1mA6KtNH+EEffDb3yu6ZjU7maiTHCFIYBu8bYJpJuOI4VcS3qXKy2DQIB6RlIT6Wf1sFd45boK1egNrBnDYpVZQ+/3scvh+oAl/j9JXHjVBImgjGh+Me81sYkvi1ppcD19yNcgKGsesEr/UqVrlIFeB7DhhM4PrJknrp5RmorOsDGt1qztlvr/hnz2E2dKEcP2fh/88qzCrztCXjYX0bnGuKGoq33CCE4Lmq1m7iMbRCwfuw0GXDp1DKjDChTyyq4sNpFdV/YPuDgiZYRmXpurWR747I+KLJGJ1Vf3xPKzFKm4ijFfgjjkewHR4RSCQS0WcFVofg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Eapahutgac9thRU5cjGj7xe2GwNvZoGut3q4ALHOXwo=; b=YUINH9VXajiuVRBQzV6TYqw+2/2Aw1n4jzg6TFptKQ9tA+d74Izfpk5US4cSJ+FGKZp9+UIWKPecphMu6ZbDsLiYOzxwp7MLOQKEHjtkUYPRxO9nNazpCDBe6aN6/cixFHWywqrmah8ZcQBfvIrEwMnbzwr5CyWU1ueXZM3dbFI1Enf0Mf6nsPo7qH3az2tH984OueN8oHxpqj0tZuUSSSojlmZMdbJCa1yd1IP9+EDctWOPbmIzHaCwq24oXe2OpJ+5IQV4vsFZWKjkDRqnD0jx3VzfL71+P9L1xavAebtoHYBA23zuajOU9+fECmIqA7XmIgfYz/lFNI2Pi/Xm1w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Eapahutgac9thRU5cjGj7xe2GwNvZoGut3q4ALHOXwo=; b=GiblJYutsuNcCycElpNjD/GqNSSFCc5Gty7yoyedY74n1GTN13Wc9/Qh54mz4I4ASGco7MMFlzgSqHhQnLhShEnqTBdVSvJ4t/MrmF3IMiPULNRvw9gTCBO0RM5gQO6IFlVVS8pPJC91v5fEiDgtq31qh5w8MVUIZOt/0kPSEuY=
Received: from (2603:10a6:7:37::31) by HE1PR0701MB2826.eurprd07.prod.outlook.com (2603:10a6:3:4a::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3846.15; Sun, 7 Feb 2021 14:32:23 +0000
Received: from HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::8495:3af0:7b21:e13e]) by HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::8495:3af0:7b21:e13e%4]) with mapi id 15.20.3805.014; Sun, 7 Feb 2021 14:32:23 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] General EAP discussion of protected alternate indication of success, RFC 4137, and IEEE 802.1X
Thread-Index: AQHW/V4L3TVVvwkko0C72mZCq8uerA==
Date: Sun, 07 Feb 2021 14:32:23 +0000
Message-ID: <15f01679-dcc6-1c4f-aa30-4eeda3063a65@ericsson.com>
References: <1823CB2F-E930-4259-9D95-A73F8D322C45@ericsson.com>
In-Reply-To: <1823CB2F-E930-4259-9D95-A73F8D322C45@ericsson.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:180:1c9f:aa77:4567:3e60:221c]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 9f5d4d91-e233-4e83-4ae2-08d8cb752f02
x-ms-traffictypediagnostic: HE1PR0701MB2826:
x-microsoft-antispam-prvs: <HE1PR0701MB282676046A48F40DD714F5A0D0B09@HE1PR0701MB2826.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: buhLwCTgQ7XyfhjSkge1PeC7DTu1LmsNw14Cr4/3mgdBCUAoiDs2NGi85JjXZPbHQjM9/HmFAuV5M7RgeZEToMhGXtzpndhPMKnLe0GYyTBSJ6IA+MXyAgEa5e7ilIIB6kadHKVDMT007tsFPMXyrVuPLce84QnmJAtFqwNn1wDzWLoKWS5sUKnVbZ8DTIcuT2DVytYmG35U4y/KeSRuON7jc1zkxMtbi/n8EL5Ijc82po2303YzRWpKJHEg2YyzI0sG2YsyN25oTtl8gSF/bG08Pic93MaZHVKnBUyRbkFIFyaFv2jnB96MBcEQSyj+I9uotd5vukRuKTlnrzlylSMtOEYSLTTOnypQaYtD4fS+mzeG2t169RaqjJxYCKq1XC7I5H5ddBM3/oDBmHebLL4X4TLH9sM6VcnXZSkJzGScY3KDI3NV9kz2gPZIgt66tKtkFTXELtV0y5ygXpN8HYSB2d+VO5dUG9mP6Y8FZ6rSmWvkiX1JJIlC2QmqNRpzmHAVgkcTft6mZsapoYXfEI/S/LzlBbHiaeuRIvCPGzzSXok/FleQhOu9I5vOxc/jouYsE/mmZwTRnhQjV1nARJp7V/2hpfOn4GGjvYGroGGVP7G77tBJtoRdMDpqJNMS+O+GmwNDxWgx2fmoSGDi+P/KdXlnUPHMk4UEtv0yAvwzzODB7AxNaIcTE+hbGHML
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3436.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(396003)(346002)(136003)(376002)(366004)(6512007)(966005)(53546011)(8936002)(478600001)(83380400001)(8676002)(166002)(66556008)(71200400001)(36756003)(86362001)(6486002)(64756008)(66446008)(66476007)(2616005)(31696002)(5660300002)(31686004)(76116006)(316002)(66946007)(110136005)(186003)(2906002)(6506007)(45980500001)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Twu0yvO5maIDLiGtYIUtjb/GLibfbHdQ40oNvXI/sFuYPD+u4+ymPpmicOPL3CXw4B7edVH36TbHAQLCPFP3YkgvjAn8ih7QMjU4lmCJGShYd5xKabENfSsrwwjAUGsMMVeTH79Jsk4RfZA/7xQz/zuQZ5CpuIW4Q7JrMygVzLsuugQIKGbatKa3H9TkProaqTC/8Z0X/UK0d8EnxBBF6aFsYuEPnmSVTBUyqhySnsuBOrfPO66R4a3goSWROLAhnQf29H9eLG33zPQbYWNItpKRv6KWoV0nGZ74vhuP/YPlja1YnYNeQ63QJJMhy+5kKe6k7Y/2PzOblSGO55w8gxz4sGJLp2xdqHiZbRkol3NUzv8LEELbdVMx76wXWiupTz8T0ocPNnm8JD7Vh5OAXcdwTblVcw4zimZNL76UYMmyJhVh3lc9Rod0rKouwugCgz++wEGxf+qTwa1ozvPhmFu4QCSFSdoS43bH1kR6P59/C5xfkij83WBgDAxKmRfaiAZgqgis0GHRnlGUJtVZeR27phPxaLQFeei5gUAe+9aLvSkD8HpqeVfdrOinqOjabapvOVNEMKsUkOBpFUEsjinL5ffcW1PLRGs3sZCEaBuuz0F76OYA7CvL27LSncYnn85eQWaJJE9T6lsrCclMz6WXp3QozLwQYFM5r/27bd+1dSTbg8uuJaoyqjL2HyOF0DyoiFACyN+0oB+py6t6Msbiu7YihMp0IyltRJ4qdqtLs0ApcVasYpzDkxRkK4DCgHWweeU+BD9l9JqSxVoa1L5Y5I7tCOiJlTzJYg3MzxFZfFNmlAWvtc+93CfveeffnA2Q5AkygDLnGnDj3GE17iWk5tZw6lvTVBkz6fc5cr/S14VZlgyhB/l8tSPqpyOKpyXbWej3G3EHKSW/7GVPjc6721OeNas7IkaEMuXLBiOSDzm9fhil4QV90HCboZkakOd8qXckKC2CjFI6wFmuMz1QYjp9NRvQvxyCvYnn57xY0mD3/D2yMmtDUGhQwqDKeECvFHRm6B6oUN7t57Mix24o89M+cAFjjza8hDMinOcpP1kc9fg6KKeEprHgxg67Wz8um1iZ4nN0bzB7Ggr0qGtb/JZm2N/F6exFS3b1PSQByZioLTtBMp7sw+t7X520dbztVpBlWjryDPyq/XkhzNCLr8DH13VGFZlmf4IJ7Je/p6G5btEVQP/VROUKNHujm0jDib8EVcuM4OZMhcdoKBBGR/T9Qa0WuTD4IcYFFsdU8RC288E57YdchkuNhlQvrxpln4ml7oFiA4coaXiLR+NfDdvsuxmDHMhrz/ZQix9EJcyJU6V/mOiT1uYSMkFD3ozTh0pM5LbT/bprT7oGkIBmeNZRCacpMuazjmjfla59t91dLU9aB1eD40a/ApMz
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_15f01679dcc61c4faa304eeda3063a65ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3436.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9f5d4d91-e233-4e83-4ae2-08d8cb752f02
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Feb 2021 14:32:23.2487 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: biMsC4ToxbnKcfPoCsfPvQaU0WWKOxib5H2ZK2rLGtq3qS/uaNIWV4PVJ966VRDZORLk3QR+jEPOTPXkdGaa/wiUIbPRRFgay6DlcuWrY3o=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2826
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/7UM6piyrJMJ8vdm6bHEOkoEIgSw>
Subject: Re: [Emu] General EAP discussion of protected alternate indication of success, RFC 4137, and IEEE 802.1X
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2021 14:32:32 -0000

Hi all,

I am catching up on all the discussion of protected indication of success. I think it is important to note that protected indication of success can be exchanged in both directions (i.e. peer to server and server to peer). For example, RFC 3748 says:

   For example, within EAP-TLS [RFC2716<https://tools.ietf.org/html/rfc2716>], in the client authentication
   handshake, the server authenticates the peer, but does not receive a
   protected indication of whether the peer has authenticated it.  In
   contrast, the peer authenticates the server and is aware of whether
   the server has authenticated it.  In the session resumption
   handshake, the peer authenticates the server, but does not receive a
   protected indication of whether the server has authenticated it.  In
   this mode, the server authenticates the peer and is aware of whether
   the peer has authenticated it.


The discussion thus far has mostly focused on protected indication of success from the server to peer. I think in EAP-TLS 1.3 it is useful to have a protected indication of success from the server to the peer. Whether this is close_notify or one byte of application data can be discussed. The reason for having such a protected indication of success from the server to peer is because it also indicates that no more post handshake messages will be sent.

But I disagree that such protected indication of success is needed for all EAP methods. Note RFC 3748 says:

Result indications improve resilience to loss
   of Success and Failure packets when EAP is run over lower layers
   which do not support retransmission or synchronization of the
   authentication state.  In media such as IEEE 802.11, which provides
   for retransmission, as well as synchronization of authentication
   state via the 4-way handshake defined in [IEEE-802.11i<https://tools.ietf.org/html/rfc3748#ref-IEEE-802.11i>], additional
   resilience is typically of marginal benefit.

   Depending on the method and circumstances, result indications can be
   spoofable by an attacker.  A method is said to provide protected
   result indications if it supports result indications, as well as the
   "integrity protection" and "replay protection" claims.  A method
   supporting protected result indications MUST indicate which result
   indications are protected, and which are not.

   Protected result indications are not required to protect against
   rogue authenticators.  Within a mutually authenticating method,
   requiring that the server authenticate to the peer before the peer
   will accept a Success packet prevents an attacker from acting as a
   rogue authenticator.

Also note that spoofing an EAP-Success will still not force the peer to transition to the SUCCESS state. As shown in appendix A.1 of RFC 4137:

  rxSuccess &&      |
                    |  (reqId == lastId) &&  |       SUCCESS
                    |   (decision != FAIL)

The peer cannot simply transition to SUCCESS state as the decision will still be set to FAIL. The decision is set to COND_SUCC or UNCOND_SUCC only after the peer decides that the server has sufficiently been authenticated (for EAP methods with mutual authentication).

Additionally, the protected indication of success can help with synchronization of authentication result as noted in RFC 3748:

   While result indications may enable synchronization of the
   authentication result between the peer and server, this does not
   guarantee that the peer and authenticator will be synchronized

EAP-NOOB even models an attacker which can selectively drop the last message to cause a synchronization failure and has a mechanism to recover, see: https://tools.ietf.org/html/draft-ietf-emu-eap-noob-03#section-6.7

Finally, as noted in RFC 3748:

   Success indications may be explicit or implicit.

So in some cases, receipt of a message from the server is sufficient to indicate that the peer was authenticated.

To summarize, we should have a protected success indication for EAP-TLS but there is no reason to panic and modify all other specifications.

--Mohit
On 2/6/21 11:43 AM, John Mattsson wrote:

Hi,

Bernard brought up compability with RFC 4137 and the need for protected alternate indication of success in the context of EAP-TLS 1.3

https://mailarchive.ietf.org/arch/msg/emu/F-LcEX3UbAEX20Amk0xBBqfPQNQ/

I think we need to discuss this in a general EAP setting as this in not EAP-TLS specific at all but also related to all other EAP methods including draft-ietf-emu-rfc5448bis, draft-ietf-emu-aka-pfs, draft-ietf-emu-eap-noob, and draft-ingles-eap-edhoc.

The need for anprotected alternate indication of success in IEEE 802.1X is as described in [1]

  "lack of per-packet authenticity and integrity in IEEE 802.11 frames (data and management) has been a key contributor in many of the protocol's security problems."

  "due to a series of flaws in the composition of protocols that make up RSN".

Regarding solutions [1] states

  "there are currently no plans by the IEEE to add integrity protection to management frames"

  "Fortunatly, however, our attacks can easily be prevented through the addition of message authenticity to EAP"

To summarize IEEE 802.1X has some design flaws that will not be fixed. Any EAP method must have a protected alternate indication of success to be secure in IEEE 802.1X.

The attack seems pretty bad. Without a protected alternate indication of success an attacker can easily hijack the whole connection. I do not have a deep understanding of modern IEEE 802.1X, so I cannot say if anything has changed since 2002.

Looking at the other active documents in the EMU WG:

draft-ietf-emu-rfc5448bis
draft-ietf-emu-aka-pfs
draft-ietf-emu-eap-noob
and draft-ingles-eap-edhoc

None of them has a protected alternate indication of success and they would to my understanding be completely unsecure to use in IEEE 802.1X as it looked like in 2002.

Not having a protected alternate indication of success and pushing out keys before success is secure in general, otherwise TLS 1.3 itself would be insecure. I think all of these protocols would be secure when used in 3GPP 5G, but I think basically all EAP protocols want to function with IEEE 802.1X.

I think EMU need to verify that protected alternate indication of success is still needed in IEEE 802.1X. If it is I think draft-ietf-emu-rfc5448bis, draft-ietf-emu-aka-pfs, draft-ietf-emu-eap-noob, and draft-ingles-eap-edhoc need to be updated, or state that they cannot be used in IEEE 802.1X.

draft-ingles-eap-edhoc would be very easy to fix by just adding EDHOC message_4 which is desgined for use cases like this. EDHOC exported already derived keys from the client's second flight as recently discussed might be good to add to TLS 1.3.

[1] http://www.cs.cornell.edu/people/egs/615/mishra-arbaugh.pdf

Cheers,
John


_______________________________________________
Emu mailing list
Emu@ietf.org<mailto:Emu@ietf.org>
https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email