IETF Logo Mail Archive

Re: [Emu] General EAP discussion of protected alternate indication of success, RFC 4137, and IEEE 802.1X

Rafa Marin-Lopez <rafa@um.es> Sun, 07 February 2021 01:08 UTC

Return-Path: <rafa@um.es>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D532F3A2DE7 for <emu@ietfa.amsl.com>; Sat, 6 Feb 2021 17:08:32 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.118
X-Spam-Level:
X-Spam-Status: No, score=-1.118 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_DOTEDU_ENTITY=1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=um.es
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0w2Xay_eSqoh for <emu@ietfa.amsl.com>; Sat, 6 Feb 2021 17:08:30 -0800 (PST)
Received: from mx01.puc.rediris.es (outbound4mad.lav.puc.rediris.es [130.206.19.145]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60F213A2DE5 for <emu@ietf.org>; Sat, 6 Feb 2021 17:08:30 -0800 (PST)
Received: from xenon42.um.es (xenon42.um.es [155.54.212.169]) by mx01.puc.rediris.es with ESMTP id 11718HbH000620-11718HbI000620; Sun, 7 Feb 2021 02:08:21 +0100
Received: from localhost (localhost [127.0.0.1]) by xenon42.um.es (Postfix) with ESMTP id 9E7C11FFD0; Sun, 7 Feb 2021 02:08:15 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon42.um.es
Received: from xenon42.um.es ([127.0.0.1]) by localhost (xenon42.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id cG858kl8Z5Kg; Sun, 7 Feb 2021 02:08:15 +0100 (CET)
Received: from [192.168.1.35] (149.red-88-17-15.dynamicip.rima-tde.net [88.17.15.149]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa@um.es) by xenon42.um.es (Postfix) with ESMTPSA id 74F521FE88; Sun, 7 Feb 2021 02:08:10 +0100 (CET)
From: Rafa Marin-Lopez <rafa@um.es>
Message-Id: <46B183FF-E2A5-4BFC-AA90-10EBF3DF2EBC@um.es>
Content-Type: multipart/alternative; boundary="Apple-Mail=_18F2726F-1E49-47D5-B12B-EDC02AF43BD0"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.1\))
Date: Sun, 07 Feb 2021 02:08:09 +0100
In-Reply-To: <1823CB2F-E930-4259-9D95-A73F8D322C45@ericsson.com>
Cc: Rafa Marin-Lopez <rafa@um.es>, EMU WG <emu@ietf.org>
To: John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org>
References: <1823CB2F-E930-4259-9D95-A73F8D322C45@ericsson.com>
X-Mailer: Apple Mail (2.3608.120.23.2.1)
X-FEAS-SPF: spf-result=pass, ip=155.54.212.169, helo=xenon42.um.es, mailFrom=rafa@um.es
Authentication-Results: mx01.puc.rediris.es; spf=pass (rediris.es: domain of rafa@um.es designates 155.54.212.169 as permitted sender) smtp.mailfrom=rafa@um.es
X-FE-Policy-ID: 2:15:0:SYSTEM
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=um.es; s=DKIM; c=relaxed/relaxed; h=from:message-id:content-type:mime-version:subject:date:cc:to:references; bh=ZyF2fkmbblayxTfmYJLTauREru7Jh6DSg2T1JJpo6f0=; b=rduDN+9/tRNoCdUczAB4VK3XJxBhJLmwSHRZgRbzxTBu3Wsd9UmMxzGubkv7LXyFZKLPspxSq08v fLALnsaEtlH0G9wOi8T5IL5Rdj43hER4VL7il6cWBruwo0NNz9h8uw33g718sFEN547ZpQIwdC5A XlzHydErq4uAIDyYb0HKoB7FIoBIZCasgcKcDW1369ifpErvw+TRkuSOZ97+6/g1x16jxMndYwNA u2RZ5h1FZcbiKQVEC8FTBrATUCsiNxTMfmLVLMzViB4Q2rJ7lFnUHUKeaS560DYrCGnvrq1DUa3x dgwZ6FJPotzCpsel2BnuS5y/nkTG6QPsH/MjlQ==
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/DfPyplWrDWq_FeHKgcehUpQXHN0>
Subject: Re: [Emu] General EAP discussion of protected alternate indication of success, RFC 4137, and IEEE 802.1X
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 07 Feb 2021 01:08:33 -0000

Hi John, all:

First of all my apoligies if some thoughts in my e-mail have been already discussed. Please see inline.

> El 6 feb 2021, a las 10:43, John Mattsson <john.mattsson=40ericsson.com@dmarc.ietf.org> escribió:
> 
> Hi,
> 
> Bernard brought up compability with RFC 4137 and the need for protected alternate indication of success in the context of EAP-TLS 1.3
> 
> https://mailarchive.ietf.org/arch/msg/emu/F-LcEX3UbAEX20Amk0xBBqfPQNQ/

If we take RFC 4137 as reference, altAccept and altReject are variables that are part of the interface defined from lower layer to EAP peer state machine (4.1.1. Variables (Lower Layer to Peer)). Therefore, I believe these variables are not related to the EAP method itself, unless I am missing something. These variables are more related with section 3.4 <https://tools.ietf.org/html/rfc3748#section-3.4>. Lower Layer Indications in RFC 3748. I mention this because these variables have been mentioned in relation to EAP-TLS. In any case, I think it would be important to clarify this because, as I said, I may be missing something.

Regarding eapKeyAvailable and eapKeyData, Figure 3 in RFC 4137 (https://tools.ietf.org/pdf/rfc4137.pdf <https://tools.ietf.org/pdf/rfc4137.pdf>) shows that the variable eapKeyAvailable is set to TRUE in the SUCCESS state, if key is available in eapKeyData. The SUCCESS state is reached in two cases: when an EAP Success is received or altAccept is set to TRUE. This variable altAccept is set by Lower Layer to EAP peer state machine. The same happens for altReject. However eapKeyData may have the key (see METHOD state) but the eapKeyAvailable variable will be FALSE until the EAP Success or altAccept is TRUE. It is completely certain that EAP Success is not protected and the message that enables the altAccept may be unprotected (e.g. first message of 4-way handshake in IEEE 802.11). 

Having said this, I think section 7.16 <https://tools.ietf.org/html/rfc3748#section-7.16>. Protected Result Indications in RFC 3748 is also relevant for the discussion.

In this sense, regarding draft-ingles-eap-edhoc please see below:


> 
> I think we need to discuss this in a general EAP setting as this in not EAP-TLS specific at all but also related to all other EAP methods including draft-ietf-emu-rfc5448bis, draft-ietf-emu-aka-pfs, draft-ietf-emu-eap-noob, and draft-ingles-eap-edhoc.
> 
> The need for anprotected alternate indication of success in IEEE 802.1X is as described in [1]
> 
>  "lack of per-packet authenticity and integrity in IEEE 802.11 frames (data and management) has been a key contributor in many of the protocol's security problems."
> 
>  "due to a series of flaws in the composition of protocols that make up RSN".
> 
> Regarding solutions [1] states
> 
>  "there are currently no plans by the IEEE to add integrity protection to management frames"
> 
>  "Fortunatly, however, our attacks can easily be prevented through the addition of message authenticity to EAP"
> 
> To summarize IEEE 802.1X has some design flaws that will not be fixed. Any EAP method must have a protected alternate indication of success to be secure in IEEE 802.1X.
> 
> The attack seems pretty bad. Without a protected alternate indication of success an attacker can easily hijack the whole connection. I do not have a deep understanding of modern IEEE 802.1X, so I cannot say if anything has changed since 2002.
> 
> Looking at the other active documents in the EMU WG:
> 
> draft-ietf-emu-rfc5448bis
> draft-ietf-emu-aka-pfs
> draft-ietf-emu-eap-noob
> and draft-ingles-eap-edhoc
> 
> None of them has a protected alternate indication of success and they would to my understanding be completely unsecure to use in IEEE 802.1X as it looked like in 2002.
> 
> Not having a protected alternate indication of success and pushing out keys before success is secure in general, otherwise TLS 1.3 itself would be insecure. I think all of these protocols would be secure when used in 3GPP 5G, but I think basically all EAP protocols want to function with IEEE 802.1X.
> 
> I think EMU need to verify that protected alternate indication of success is still needed in IEEE 802.1X. If it is I think draft-ietf-emu-rfc5448bis, draft-ietf-emu-aka-pfs, draft-ietf-emu-eap-noob, and draft-ingles-eap-edhoc need to be updated, or state that they cannot be used in IEEE 802.1X.
> 
> draft-ingles-eap-edhoc would be very easy to fix by just adding EDHOC message_4 which is desgined for use cases like this.

EDHOC message_4 would help, however if you merely include this in the current flow in Figure 1 in draft-ingles-eap-edhoc  you will need an extra message_5 because EDHOC message_4 would be contained in a EAP Request so you need an EAP Response. To avoid this, my proposal is to change the roles (initiator, responder) so that the EDHOC exchanges would be as follows:

        Responder                                               Initiator
      +--------+                                               +-------+
      |   EAP  |                                               |  EAP  |
      |  Peer  |                                               | AuthN |
      +--------+                                               +-------+
        |                           EAP-Request/Identity        |
        | <---------------------------------------------------+ |
        |                                                       |
        |   EAP-Response/Identity (ID)                          |
        | +---------------------------------------------------> |
        |                                      EAP-Request/     |
        |                                EAP-Type=EAP-EDHOC     |
        |                                 (EDHOC message 1)     |
        | <---------------------------------------------------+ |
        |   EAP-Response/                                       |
        |   EAP-Type=EAP-EDHOC                                  |
        |   (EDHOC message 2)                                   |
        | +---------------------------------------------------> |
                                                              peer authenticated
        |                                      EAP-Request/     |
        |                                EAP-Type=EAP-EDHOC     |
        |                                  (EDHOC message 3)    |
        | <---------------------------------------------------+ |
    server authenticated
    eapKeyData = m.getKey()                                     |
        |                                                       |
        |   EAP-Response/                                       |
        |   EAP-Type=EAP-EDHOC                                  |
        |   (EDHOC message 4)                                   |
        | +---------------------------------------------------> |
        |                                                       | eapKeyData = m.getKey()
        |                                        EAP-Success    |
        | <---------------------------------------------------+ |
        +                                                       +

With EDHOC message 2 the peer is authenticated; with EDHOC message 3 the server can be authenticated by the peer and it is an protected indication to the peer that the server authenticated it. In that moment, the key can be pushed to eapKeyData in the EAP peer state machine (see METHOD state in RFC 4137 in Fig. 3). EDHOC message 4 is used for key confirmation and as an protected indication the peer has authenticated the server. The server after verifying EDHOC message 4 makes the key available to eapKeyData.

In this model, the EDHOC initiator is the server and the responder, the peer. If this is acceptable to solve the issue in EAP-EDHOC, we can update the document with this change. At least, it would cover the following text in 7.16 <https://tools.ietf.org/html/rfc3748#section-7.16>. Protected Result Indications in RFC 3748:

"In a method supporting result indications, a peer that has
   authenticated the server does not consider the authentication
   successful until it receives an indication that the server
   successfully authenticated it.  Similarly, a server that has
   successfully authenticated the peer does not consider the
   authentication successful until it receives an indication that the
   peer has authenticated the server.”

Any opinion?

Best Regards.


> EDHOC exported already derived keys from the client's second flight as recently discussed might be good to add to TLS 1.3.
> 
> [1] http://www.cs.cornell.edu/people/egs/615/mishra-arbaugh.pdf
> 
> Cheers,
> John
> 
> 
> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu

------------------------------------------------------- Rafa Marin-Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.23.0 | Report a Bug | By Email