Re: [Emu] Minor PR on eap-tls13

Joseph Salowey <joe@salowey.net> Thu, 24 June 2021 23:43 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DED623A2FA9 for <emu@ietfa.amsl.com>; Thu, 24 Jun 2021 16:43:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WeTkdMcNqVDX for <emu@ietfa.amsl.com>; Thu, 24 Jun 2021 16:43:18 -0700 (PDT)
Received: from mail-lj1-x22d.google.com (mail-lj1-x22d.google.com [IPv6:2a00:1450:4864:20::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DCFE23A2FA6 for <emu@ietf.org>; Thu, 24 Jun 2021 16:43:17 -0700 (PDT)
Received: by mail-lj1-x22d.google.com with SMTP id r16so10051396ljk.9 for <emu@ietf.org>; Thu, 24 Jun 2021 16:43:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g8Eq13MmJj2qc7ibNYRdpXDjsl5qMmdVhTLJ/KICvz0=; b=0DJ1MwqveLu9zri9n4VIqyAvQLqWzKxdqDR4UQ8jRshbMpSTGZCKe69bMEDciuk/Sp PVRBQ767uVAMjend7YuPyQ+btZ1MnZFHriVsJtQ9zAPFQ43zqe1VL46c1dXE8HPfr3kw MdOqQULwInN3GmQv/LuPpUcpIU3N6iwBzJWnPcl5W9CKxXDgboluAxUDU/LxId78P8lD KbOupklxEE7MLVzTfGD+KEh9ati6UxKPEQWw0shQcTsiyqWp2W5Uk0KsOS7lfeRpiVGm wOqTKP5zDPMwcAszITYu4e4V0W8mmhRcLZs/6CYGbGJetp0/LuY0aKMw9Ot+5dHdlCnv IXMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g8Eq13MmJj2qc7ibNYRdpXDjsl5qMmdVhTLJ/KICvz0=; b=pgsO/qC0kmc7D6BNg/X/Gn3kH9r6vBn+xSzCid3CqP7NrwpONTWJpGguxnxMVlM3m7 r2RujVpHovffjHDnGTh1/HLe/5Qo7ImEd6xq/+8/pb2eAmc6FfQKdyaSWb+Z/6mrYbwm execVvrd7eQ9ebVt+8qnTRlZgstYhQvzdBITS5smfT2DwTJr1taqgbiEu3G9TaebRlJw 08+7rwkS6wulwrDXrXEVR6Qzg77FLPq7j36k5NnQ+aQ+e0vxaIBHvDwKCn+axpOd/aCe ZaxHFcPagXqEJlqcA64HE7muSovZj0MyZF+uNng1xwEPQAUS2t7uB+qiuRqEMhiA9Vdy rwlg==
X-Gm-Message-State: AOAM530tzwfLd8PZ+sgslYeYg09JzFXKMcvULHbNIqoNGFJAset9kZx5 JYChDDzmYekue+TjOz84jXGt3pBoEWD8JKxh1SLqVA==
X-Google-Smtp-Source: ABdhPJxBRZuYbXN+mLGnir9gswDtuUmP3O6ph6GXN8OiignEyARsIkeaSy2VI7HkbA/kTWZRUnt6t0SzsmpPtmoYNU4=
X-Received: by 2002:a05:651c:1a6:: with SMTP id c6mr5970331ljn.444.1624578194630; Thu, 24 Jun 2021 16:43:14 -0700 (PDT)
MIME-Version: 1.0
References: <784048A1-DFF5-4D84-8468-9A8C97C0DEA7@deployingradius.com>
In-Reply-To: <784048A1-DFF5-4D84-8468-9A8C97C0DEA7@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 24 Jun 2021 16:43:03 -0700
Message-ID: <CAOgPGoAdTc6FW9Zg17WpckpSY-EBaCkZT_Pd--WKXb4nQ56BvA@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000003379fd05c58b969b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/JluPYp3fn2SZAtyYEkXOCJEj_Us>
Subject: Re: [Emu] Minor PR on eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Jun 2021 23:43:23 -0000

On Tue, Jun 22, 2021 at 6:02 AM Alan DeKok <aland@deployingradius.com>
wrote:

> https://github.com/emu-wg/draft-ietf-emu-eap-tls13/issues/86
>
>   I didn't see anything on cross-protocol use of certs.
>
>   i.e. Section 2.2 suggests that the certs contain an FQDN.  But it's
> likely bad practice to allow the same cert to be used for EAP, and for WWW.
>
>   There's some suggested text forbidding this behavior.
>
>   I would have expected similar text to be part of RFC 8446, but I
> couldn't find anything relevant.
>
> ---
>
> 5.11 Certificate Reuse
>
> Certificates used for EAP-TLS MUST NOT be used in any other protocol
> besides EAP. Section 2.2 above suggests that certificates typically have
> one or more FQDNs in the SAN extension. However, those fields are for EAP
> validation only, and do not indicate that the certificates are suitable for
> use on WWW (or other) protocol server on the named host.
>
> Allowing the same certificate to be used in multiple protocols would
> possibly allow for an attacker to authenticate via one protocol, and then
> "resume" that session in another protocol. Section 5.7 above suggests that
> authorization rules should be re-applied on resumption, but does not
> mandate this behavior. As a result, this cross-protocol resumption could
> allow the attacker to bypass authorization policies, and toobtain undesired
> access to secured systems. The simplest way to prevent this attack is to
> forbid the use of the same certificate across multiple protocols.
>

My comment is that we should mark this as cross protocol attacks.  We
should consider a separate work item to define ALPN for EAP-TLS.  Here is a
revision to Alan's suggestion as section "5.11 Cross-Protocol attacks" or
perhaps an addition to 5.7

"Section 2.2  suggests that certificates typically have one or more FQDNs
in the SAN extension. However, those fields are for EAP validation only,
and do not indicate whether the certificates are suitable for use with
another protocol server on the named host. If the same certificate and the
resumption cache is usable in EAP-TLS and another protocol an attacker
could authenticate via one protocol, and then "resume" that session in
another protocol.

Section 5.7 above suggests that authorization rules should be re-applied on
resumption, but does not mandate this behavior. As a result, this
cross-protocol resumption could allow the attacker to bypass authorization
policies, and to obtain undesired access to secured systems. Along with
making sure that appropriate authorization information is available and
used during resumption, using different certificates and resumption caches
for different protocols is RECOMMENDED to help keep different protocol
usages separate."





> _______________________________________________
> Emu mailing list
> Emu@ietf.org
> https://www.ietf.org/mailman/listinfo/emu
>