IETF Logo Mail Archive

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

Alan DeKok <aland@deployingradius.com> Wed, 18 September 2019 13:39 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB38E120251; Wed, 18 Sep 2019 06:39:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4y96FDsPEtVX; Wed, 18 Sep 2019 06:39:37 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 096C8120113; Wed, 18 Sep 2019 06:39:36 -0700 (PDT)
Received: from [192.168.20.55] (ottawa.ca.networkradius.com [72.137.155.194]) by mail.networkradius.com (Postfix) with ESMTPSA id C08FE1775; Wed, 18 Sep 2019 13:39:34 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <1FD26215-86AF-4C64-83ED-AB1D67D1937B@ericsson.com>
Date: Wed, 18 Sep 2019 09:39:33 -0400
Cc: "Owen Friel (ofriel)" <ofriel@cisco.com>, "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <DB61AD67-77D5-4EF9-9207-4CD20C3B61C7@deployingradius.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <DAE24683-2B66-40F1-AFC6-77250113B204@deployingradius.com> <1FD26215-86AF-4C64-83ED-AB1D67D1937B@ericsson.com>
To: John Mattsson <john.mattsson@ericsson.com>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/CBnKsped_uNPXkVqxJ9RQB_0xz4>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 13:39:39 -0000


> On Sep 18, 2019, at 9:21 AM, John Mattsson <john.mattsson@ericsson.com> wrote:
> 
> If I understand you correctly Alan, your implementation would have different databases (one resumption DB and one external PSK DB) and you do not want to do two database lookups.

  It's more about what *can* be done.  RFC 8446 Section 8.1 and 8.2 talk about using multiple DBs, too.

> The format of the PSKidentities is free for the deployment to decide upon and the resumption PSKs can be completely be determined by the EAP-TLS implementation. Your implementation could for example put a message authentication code inside the PSK identity. The MAC would be calculated with a symmetric key the EAP server has randomly generated by itself. I think that would solve your problem.

  I suggest giving guidance to implementors.  Otherwise the issue is open to implementation-defined behaviour, which is problematic.

  If PSKs are used only for resumption, the the format doesn't matter.  If PSKs are used for both authentication *and* resumption, then I strongly recommend giving guidance.

  For example, RFC 8446 Section 4.1.2 says:

      struct {
          opaque identity<1..2^16-1>;
          uint32 obfuscated_ticket_age;
      } PskIdentity;

  i.e. the PSK identity is an opaque binary string.  How is the user supposed to enter a binary string into a "username" field in their GUI?  What are the recommended formats?

  If the ClientHello isn't encrypted, then the PSK is visible to anyone (I believe).  And the PSK *must not* be a user-manageable string such as the NAI.  On the other hand, if the PSK is sent after encryption begins, then the PSK *should* be a user-manageable string such as an NAI.

  I see it being useful for EAP-TLS to allow PSK authentication.  I just want to be sure I know what that means, and what the impacts are.

> I do not see how an attacker could do anything..... an attacker can definitely reuse any PSK identity, but would not have the corresponding PSK and the ClientHello would therefore not be accepted. The worst thing an attacker could do is to replay a ClientHello, then the handshake would fail then the EAP server verifies the Finished message.

  I agree.  My larger point was that in the absence of guidance, it's impossible to know what to do with a PSK identity.

> I don't see why this would be more of a problem in EAP-TLS with TLS 1.3 that in any other application of EAP-TLS.

  I agree.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email