IETF Logo Mail Archive

Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Mohit Sethi M <mohit.m.sethi@ericsson.com> Fri, 29 January 2021 19:34 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C42483A1266; Fri, 29 Jan 2021 11:34:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.351
X-Spam-Level:
X-Spam-Status: No, score=-2.351 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wi48qbHvw7me; Fri, 29 Jan 2021 11:34:47 -0800 (PST)
Received: from EUR02-HE1-obe.outbound.protection.outlook.com (mail-eopbgr10066.outbound.protection.outlook.com [40.107.1.66]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C7BEF3A1256; Fri, 29 Jan 2021 11:34:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ICJEVJXGbyu+OFPAwclxWb7rSFz8uCIj8RT6/goLnmQ+dstlG5m1xXJs8AAPnPa+QPtKTsIXqA/WivK54uDUnMYqCxK9KgqdpYRLnQry7KyjV20ID122XuTKaM6Ay92v+6AGhxTdVf51zJt34/xHsZ007WA9CqX1XzeinNSatR5reVTu3c8kEnsniB9OT/Dtbm7hTcakPew9zAl+3+YBHII7dXMqalnC7dvMomuX+K8dZWvq7hz9xldMrKibvtlyOGHvvH+/NlOWjb/FraTeGAX7Kp0sO9kcl7W2/7Jemufyw8KvKDbIXbVlb0ptnZMp6gbmYjco5s3IdkXCZZ5gPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dlJb026YG4EU7mjyrZxFH64s4ePbSr2NU5FKVJdi7Hs=; b=lvYdGUjV1cniQVY/yQLJkst6mZ/vWAYtNCkaJ1fL12mVBGXzN6Jci+OHuWwl3Woc9mWvbpOd/UnZavWS5zsG4k6hsrQ2FZEkPEsHOSozOJv4LlxUgTji/BEB6DYb/lrNezNRAVZMq+8K8nrFvDW1lB1fCvOdHSU2sYo298hvorciUhGdMXIjL5v6w5eM3zI4vLWPHDSpljhyatjJf5gJSom5/IQoRWKd2/K/6v7sU2MG5U3e2RhaoK0shSlDjncVIDg1DLwO/nplnN24l3L46Rl+Hteuyky9aM4pU3p5JCtr3fsMrDlomcXddXBn9TNbaoGSd5B4qCdeXgZBan2/Wg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=dlJb026YG4EU7mjyrZxFH64s4ePbSr2NU5FKVJdi7Hs=; b=ExrpCxv9O3kkjBUyCGJBbUYkYf9Jm0iKJ+qZm9X+4S5AoTv5dYaBUeKaXu6J8/Fz+7KYW3fo57RlEV8oV/mzbOQS8eR4H6b5kX2O6KEbZXkQmSdBbgwKs0565aoOuLacoGZ/Us1Ch9YpSr4jwPVTqA3DUk392ElW8KqddIDOlCA=
Received: from (2603:10a6:7:37::31) by HE1PR0701MB2732.eurprd07.prod.outlook.com (2603:10a6:3:99::10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3825.8; Fri, 29 Jan 2021 19:34:43 +0000
Received: from HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::8495:3af0:7b21:e13e]) by HE1PR07MB3436.eurprd07.prod.outlook.com ([fe80::8495:3af0:7b21:e13e%4]) with mapi id 15.20.3805.014; Fri, 29 Jan 2021 19:34:43 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Benjamin Kaduk <kaduk@mit.edu>, Alan DeKok <aland@deployingradius.com>
CC: "tls@ietf.org" <tls@ietf.org>, Martin Thomson <mt@lowentropy.net>, EMU WG <emu@ietf.org>
Thread-Topic: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
Thread-Index: AQHW9nXKjAOFG529yEK6f+DFWzBjfw==
Date: Fri, 29 Jan 2021 19:34:42 +0000
Message-ID: <14073c6e-878b-0b29-5892-b66d9c53eba1@ericsson.com>
References: <e669002f-caff-1e6e-e28b-d09157eb0c07@ericsson.com> <6241F0B6-C722-449E-AC3A-183DE330E7B5@deployingradius.com> <9ddd1593-3131-f5cc-d0db-74bf3db697bf@ericsson.com> <3CB58153-8CCA-4B1E-B530-BA67A6035310@deployingradius.com> <CAOgPGoA3U+XpZMY7J+KGovNx6MtAdEzRaGW33xVJdQNWSi4LVg@mail.gmail.com> <770e6a49-52fc-4e8b-91af-48f85e581fbb@www.fastmail.com> <CAOgPGoBGOMXH-kMhQSujWxnACdmBL845u0ouE0fUYc4rWtUrZg@mail.gmail.com> <ca4c526e-79a0-4fa7-abda-2b626795f068@www.fastmail.com> <3409F71E-4CE4-46BB-8079-BFBE9BE83C9A@deployingradius.com> <66157321-55DC-4831-8EF2-D75934D9024C@deployingradius.com> <20210129183220.GI21@kduck.mit.edu>
In-Reply-To: <20210129183220.GI21@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
authentication-results: mit.edu; dkim=none (message not signed) header.d=none;mit.edu; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:180:1c9f:aa77:4567:3e60:221c]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a82109c9-5c38-4030-4f40-08d8c48cedac
x-ms-traffictypediagnostic: HE1PR0701MB2732:
x-microsoft-antispam-prvs: <HE1PR0701MB27327DC7E4C63F5DFC7DA5D5D0B99@HE1PR0701MB2732.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vxjkB8hI4QmrHPNvJVWqVWcJh+ez2ZSR6eVLBCzjZGR4L8URgw7ixjPqCzDiYjjkCT9s+85iQWMgePfwp33LwNuPXaTKlNmjgYpIQ/ZEaCaPL0uiEKKp1F1hwB/As+Az69/UrO+9HeTLdmgv19pax33BKxWdpYKZO8bakAdfP1nLgCkvekJEZaIDvNJWEjFj520udEenqPLzaNBHdJqrhYtnjj2ZoTFdxDrPPxKGbEs25clEyOXizXSoasKHzIogGJqFxOjIIVED3xiT6GZJY2rM/T0AwK8Ca5O95bugS0fNVTxUBJdnmkOqT2xM3BvHdT6g2NGqYmXWkzJGQaB8cCVx4kT9MGBx1j7t5I87FJoxzdW0jT+4ilwNCDT00ZhfwRvjYoyZItjckGt9SI1rRsiSvPVviZ3klON9oxNrpTKHTJIs7EZcBK6G5YBswSvOlc6GQ02/fanEgQ7cN1FYW4v9HeZzqXqm+haAErHDm/Je+p1TTN1YvAgPEUgAmOXhxl8tYxCjhOZH60ljLURdvMpUK4zhJn6Ob74BdcS47R1+XgYvSBqgAKG1ooQR8ZShb8d8WUs5lKNk2pk35Na7ynVY+fQQvagDIokSGVFskTPjZniyVUPgtXYbaTUulVeeLn6+rygsMupdvYt3B4w4CGJYqYgE4qBIsGop4W94peVK3QjzMcm1RVWvz/Vl3giL
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR07MB3436.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(346002)(136003)(396003)(376002)(366004)(39860400002)(8936002)(31696002)(6506007)(4326008)(86362001)(6512007)(186003)(66476007)(166002)(66556008)(83380400001)(66446008)(76116006)(66946007)(8676002)(316002)(110136005)(54906003)(478600001)(6486002)(71200400001)(5660300002)(31686004)(2616005)(36756003)(64756008)(53546011)(966005)(2906002)(43740500002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: Z0lMKXwV0piBKXiNicp9+ljyVsU/CZq1e8ytZHzCyi6n2w9CGLvMp1j0cTDzWTDiiDJwDI/fBhPvpL7IIkuFOj7xvTOjALlvuN9N7s7x6mEMuAISGrUjS0FK+lUH5j5Daya01u8uHI+XPfhjfs3E4NXvvXGAuopNjQv5EvS98jmR5WeO7KCWfBCW9yKWAdUFiAP5YYMHn662HQB99zlT3kbaHtGDzEq8ruaRJrOezUGAK9BjaD43xDLZ5pnvCs2cNJzxmFF8S3sSfsEeYCJmli76YqjBdPJiccWBvOCh0eBYvSgoGCR/AzIqVKUCC1fHSVZhkibgBhthkOZnoBsgwNcXQhx6oHjIyL8rZinG8pIUcKA0cEDu7e0iaB9jdT35z5JQUGEpaaNpEfpUQ7VU4zaYuU7f/IBpBo7uUxyIBZFyQ3bpR6myNZrcFimk/xJbvgUxZH0Z6KbvfitCeTWbNK7D0++Di95OX0dtAqY8K5ior/urPT6rkGudwxJmDI3Vl76E8QkGFacQCBlhdrJ0zJoFJbkXc7rtRb4kTtj0eKXbzbLvwCNcaGpF4FPUkvEv8Yp19+FK0K8sJwXCrANpjWVV/oMRDO6Ti/KgpVtngpHCoNSKJVgKEnlsN7rsWifKXyAF8xrGxCvVe+SA9A4XPeNqa7czngE+2TKQE1cR6FIUXUyFeUul3UOIGlgGn8ifjBIZ9z/UDhXH6XB92H41dnyVKY0EcHNfRb5oyWWI5Ngu4zRpuE+fkgWgqZE7jB7yEvUDmjWGfVr6aD+YCAo601BLdpSXhnEC7OhJfZCgzkNboLy1k9tuRQqg/LoLg3DBGrONjPeroZZOVaihLi2NSGvRHbTWeDoL3xLaOGf9dH4nQKon1tto9P7H5zWspdPUWi1DAcfz5eZS2EmwUCBDyJTzOTBbq3g9vqD4zSV68Pq/JAcMZb2gq1oC9/+1mSCQvyRbdlNyGID3BdDY+kIlteNestu7jR/jbCHAesebg6FN6JjoPik0n7QEGZqK3YfdZsl4uUeuVnA2zqjHi3B09XOZjPzvERLQS33oLPgwEpdo0VZRC1EPi0QsMf3fJCqaxq1o0XRqoZSg6J4Oq6kyZqRKKuahD9zYjiBnB5KoCbzXXWCkpS97m3VrOXkyMden
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_14073c6e878b0b295892b66d9c53eba1ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR07MB3436.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a82109c9-5c38-4030-4f40-08d8c48cedac
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Jan 2021 19:34:43.0526 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Z8dxti6hfUSThQY9y87j0zVOZoNGBlxwjPgm6Ce/Z10qmerMcbtBbS+CUGXNNlzTAhJd6Tqi1IBRkhG41cmUS7RgZCX4na/wVmRguDnskT4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2732
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/RSPEVzHS13Mh2J3bXcNtyyunN8Y>
Subject: Re: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jan 2021 19:34:50 -0000

Hi Ben,

On 1/29/21 8:32 PM, Benjamin Kaduk wrote:

Hi Alan,

I see that the thread is continuing and that perhaps my reply will even
become stale as I write it, but I'm replying to your note instead of the
tip of the thread because it has good context for making some broader
points that I would like to make.

On Sat, Jan 23, 2021 at 05:28:10PM -0500, Alan DeKok wrote:


  We're approaching 2 weeks since the last discussion of this topic.  This document has been in development for 3 years.  We desperately need to finish it.  IMHO waiting another 6 months is not an option.  Even 3 would be worrying.



My understanding of the discussions involving the TLS WG are that we forked
off into two sub-threads: one about the use of TLS Exporters for key
derivation (the one this is a reply to), that largely concluded with
agreement on a simple change to make, and the other sub-thread about the
protocol element known in -13 as the "commitment message".

With respect to the exporter usage, I do see you had asked about using the
type-code as the exporter context value that Martin didn't see much value
in, but I am willing to accept that as a boon for safety of portability to
other TLS-using EAP mechanisms.  (I do note that the current editor's copy
shows calls to TLS-Exporter() with only two arguments, but three are
required; the construction there also seems to include a propspect for
violation of the requirement that "one label is not a prefix of any other
label" when both regular one-byte and extended type codes are used, but if
the type code is meant to be the context argument I believe that risk goes
away.)

RFC 5705 says:

   If no context is provided, it then computes:

           PRF(SecurityParameters.master_secret, label,
               SecurityParameters.client_random +
               SecurityParameters.server_random
               )[length]

   If context is provided, it computes:

           PRF(SecurityParameters.master_secret, label,
               SecurityParameters.client_random +
               SecurityParameters.server_random +
               context_value_length + context_value
               )[length]


We use only two arguments and say "No context data is used in the TLS exporter interface.". We could show the context argument as empty in the calls to make things clearer. By the way, this is what is done by TEAP also. RFC 7170 says "TEAPv1 makes use of the TLS Keying Material Exporters defined in [RFC5705] to derive the session_key_seed.  The label used in the derivation is "EXPORTER: teap session key seed".  The length of the session key seed material is 40 octets.  No context data is used in the export process."

The change of moving the type-code from the context to the label was made based on your review (comments from Martin) and the fact that some libraries such as wolfssl don't support passing a context (so far). See: https://w1.fi/cgit/hostap/tree/src/crypto/tls_wolfssl.c#n1996



With respect to the "commitment message", I thought we had a discussion
that revealed that the mechanism in the -13 could not fulfil its stated
purpose, and that also called into question whether that stated purpose was
actually the right thing that the protocol needed.  My understanding,
therefore, was that the TLS WG could not contribute further insight until
there was a revised proposal from people who understand the needs of the
EAP-TLS protocol from TLS that would both satisfy the needs of EAP and
actually be achievable.



  We have multiple inter-operable implementations which have implemented draft-13.  That work over the last few months have resulted in implementors making plans to do beta testing in the next few weeks.  Those plans have been put on indefinite hold, due to the recent request for changes.

  I understand getting feedback from the TLS WG is useful.  But I would prefer to have consensus on a *solution*. Right now, we just have a series of proposed changes, with little to no discussion.



I think this is becaues the TLS WG members (in aggregate) do not have a
clear picture of what property or properties EAP-TLS will require from TLS
that led to the need for an additional message when using TLS 1.3 as
opposed to the RFC 5216 case with TLS 1.2.  The prospect of an
"authenticated signal from TLS to EAP-TLS that the authentication completed
successfully" was mentioned, but I did not have the sense that there was
universal agreement of that as the sole relevant property.

I think there was a misunderstanding that an authenticated signal of authentication completed was needed. Only a signal of no more post handshake messages was needed. I think Alan's summary might also explain the situation better.

--Mohit





  We're getting to the point where we have to ship code as promised to customers soon (weeks, not months).  We therefore need consensus, as soon as possible.

  My preference is to implement draft-13.  We know the code works.  People are ready to ship it.  Any changes will add not just more months of standard discussion, but more months of interoperability testing.

  If there is no progress in EMU, we're looking at September for first betas.  With no guarantee that there won't be further changes made after that.

  So the question is:

* are the draft-13 0x00 byte and exporter *terrible* enough to delay the standard another 6 months?



Well, the text of the -13 contains a protocol mechanism that cannot deliver
its stated purpose, so I will continue to hold a Discuss position if that
remains.  One Discuss ballot does not have to block the work indefinitely
(the shepherding AD can request a different IESG balloting procedure be
used), and I leave it between the WG and Roman whether to attempt that
route.  It is perhaps possible that (as John noted downthread) the text
about the commitment message was badly written, and that just changing the
surrounding description could work, but that gets back to the question I
mentioned above of what properties EAP-TLS actually requires from TLS.

-Ben



* if the answer is "no", then we can ship now.

* if the answer is 'yes", then the next question is "when can we get this finalized?"  "March" would be late.  "July" is a major problem.



On Jan 12, 2021, at 10:22 AM, Alan DeKok <aland@deployingradius.com><mailto:aland@deployingradius.com> wrote:

On Jan 11, 2021, at 7:08 PM, Martin Thomson <mt@lowentropy.net><mailto:mt@lowentropy.net> wrote:


I was not exactly.  I was thinking that EAP-TLS uses the unadorned string and other usages (that need a different MSK) define their own string as needed.



 Which is largely what was done for <= TLS 1.2.

 That choice made implementations more difficult.  Not impossible, but annoying.  The other TLS-based EAP types are generally implemented as variants of EAP-TLS.  They re-use much of the EAP-TLS code.  So every difference is more code, and more things to test.



Though what you describe would scale more, if the ordinality of that scale is bounded by RFC numbers, defining the extra strings would not be that hard.  You could provide some sort of infrastructure in the form of a recommended label prefix if you are concerned about misuse.



 I'm not sure EAP-TLS is the place to make recommendations for other EAP types.  There is a draft to deal with other EAP types:

https://urldefense.com/v3/__https://tools.ietf.org/html/draft-dekok-emu-tls-eap-types-00__;!!GjvTz_vk!BN9rm7SoWGOKFjfY7fFgpHjeV58wJeRS31O8qeE3B4tZbNy-zWi1yMwNRryTgg$

 It's pretty trivial.  Adding more complexity is annoying, but not much worse than that.

 My preference is to remain with the EAP type as the context.  The code is simple, and it's easy to understand.  But if it causes issues with TLS review, we can change it.

 Alan DeKok.




_______________________________________________
TLS mailing list
TLS@ietf.org<mailto:TLS@ietf.org>
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/tls__;!!GjvTz_vk!BN9rm7SoWGOKFjfY7fFgpHjeV58wJeRS31O8qeE3B4tZbNy-zWi1yMwitxxMCA$



_______________________________________________
Emu mailing list
Emu@ietf.org<mailto:Emu@ietf.org>
https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email