IETF Logo Mail Archive

Re: [Emu] Idea: New X509 Extension for securing EAP-TLS

Jan-Frederik Rieckers <rieckers@uni-bremen.de> Tue, 12 November 2019 10:47 UTC

Return-Path: <rieckers@uni-bremen.de>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C687112003E for <emu@ietfa.amsl.com>; Tue, 12 Nov 2019 02:47:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uni-bremen.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S91eTTJOmTzM for <emu@ietfa.amsl.com>; Tue, 12 Nov 2019 02:47:07 -0800 (PST)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08F7C12001A for <emu@ietf.org>; Tue, 12 Nov 2019 02:46:30 -0800 (PST)
Received: from [134.102.218.221] (dynamic-218-v.informatik.uni-bremen.de [134.102.218.221]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 47C4DN3XBfz17gG for <emu@ietf.org>; Tue, 12 Nov 2019 11:46:28 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=uni-bremen.de; s=2019; t=1573555588; bh=LRAnN0IKl0KuqsGyRE7ffxT0Hho+upebp3tXEFeA8/A=; h=To:References:From:Date:In-Reply-To; b=RpQ9rrcVvRwXcGF7wOuRYJ5ZTBl4NKENQ3nDaGz++ol3nzkQeOa+Uar8zcOFPGh0Z njSXZZYroG+p68l63kUqrzNFTMD4lnuHwe4IyxXQCgMjko8xZMZAk5NeJes3QAbv6c HYlDH2CmiiYiSuhsgz0SjXmZPileQnUZx22C4tfA3uSJ9kGfadThgPs2l95858ISvK 6Y+m3mKTaO10HCcRLOxdoMuNi1oENnXXHVRv2qovMtUjN6kuUp5mzIwNnNXgEdibAD YTcCjd3DIHgcurEjwfnb3i5QzarxOKxKlThl0Oa8hpg0CmdakEeapfEnv9I4nedO1w Sn2bCoZmOsqwg==
To: emu@ietf.org
References: <102dd850-b1ae-3426-8189-45876b7b419d@uni-bremen.de> <04E2AEF5-F1EE-4B74-B5BB-DFE099543C92@vigilsec.com> <D735A4DB-1CFB-4DF4-ACB7-BC6EFDBC6CDE@deployingradius.com> <E0B8DAA7-8C7C-455F-B5BE-128670A093D3@vigilsec.com> <BD30A64D-539C-422D-9413-880AF8D6A16F@deployingradius.com> <8147b718-23d6-07de-a565-08bcc8148095@uni-bremen.de> <MN2PR11MB3901077F38165EE241D30BC5DB740@MN2PR11MB3901.namprd11.prod.outlook.com> <08da27e5-518e-b6a4-a97a-b4ae9c32ed00@uni-bremen.de> <7d7609a5-ab18-7296-719e-11b2296f3d07@sandelman.ca>
From: Jan-Frederik Rieckers <rieckers@uni-bremen.de>
Openpgp: preference=signencrypt
Message-ID: <dfd03d9c-8a87-bea0-4eb5-39ecefb4bb31@uni-bremen.de>
Date: Tue, 12 Nov 2019 11:46:24 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <7d7609a5-ab18-7296-719e-11b2296f3d07@sandelman.ca>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="Vkd6RS5DtFSiwjQ10UwQUlWuR3Tj0ZkRG"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/a17rcyWaTC7SSxrTmtspsxGRCq0>
Subject: Re: [Emu] Idea: New X509 Extension for securing EAP-TLS
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 10:47:10 -0000

On 12.11.19 10:28, Michael Richardson wrote:
> You were trying to do a CSR with some extra attributes with a CA (using
> ACME? Using LetsEncrypt?) and the CA ignored the things that it couldn't
> verify?

No, it was a direct request to the CA of our research network. The
problem here was, that the CA itself would have had to clarify this with
their CA (Telekom Trust Center), because it would mean to set up a new
certificate profile. And that wasn't possible for this one usecase.

> So, as I understand it, the enrollment process for laptops/phones into
> WPA-Enterprise does not include retrieving a set of anchors for that
> connection.  Or that it is just too hard to do.   It works fine if the
> devices are compelled by their corporate masters, but this fails for
> BYOD, and it fails for cross-realm (which eduroam is).

It doesn't. In eduroam this has lead to cat.eduroam.org, where the
installers can be downloaded. As Carsten Borman and I already have
written in a submission for the IAB DEDR workshop[1], with the need of
this tool we also could have used client certificates instead of
username/password combinations.

For a long time it was easy to connect to eduroam without certificate
checking. Especially Android had a very insecure default setting and
most of our users just typed in their username and password and
connected to eduroam without any certificate check. And if the inner
authentication then defaults to PAP an attacker could get many
credentials just by setting up a rogue access point in a crowded place.
And many universities in Germany use PAP because they don't want a
NT-Hashed password in their database.

With the expiry of the old Root CA all clients had to change their
configuration, because (if set up correctly) the root ca was in fact pinned.
We used this rollover to force all our users to use a specific outer
identity, to encourage the use of the CAT.
Since the expiry we also deny all requests with any other outer identity
before the EAP-TLS handshake, to prevent certificate warnings on the
user devices.

Jan-Frederik

---
1: https://www.iab.org/wp-content/IAB-uploads/2019/05/p16-bormann-wifi.txt

v2.23.0 | Report a Bug | By Email