[Emu] draft-ietf-emu-tls-eap-types-06 comments
Heikki Vatiainen <hvn@radiatorsoftware.com> Mon, 20 June 2022 15:20 UTC
Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFD08C15AAE5 for <emu@ietfa.amsl.com>; Mon, 20 Jun 2022 08:20:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gkn5aFJBZX3v for <emu@ietfa.amsl.com>; Mon, 20 Jun 2022 08:20:43 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAB70C157901 for <emu@ietf.org>; Mon, 20 Jun 2022 08:20:43 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id o10so15601843edi.1 for <emu@ietf.org>; Mon, 20 Jun 2022 08:20:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20210112.gappssmtp.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=XAGekI71B8KTc0Dk5GRhQKZ9luzWQbexXhvDBxMRwYo=; b=4HXycKlfPFy5j/aEoayuZITb6TpVNmRAk9pf10pKEUEZvoSh7dBeANNipGek1zMUEu 4Wmi+9hYJjFv+aqWLuZp/JkLnvGSURM5o6zYO7WpEauFYtw6U5RfgCIMFBVj/aWCZ5Uz Z7md/GljoGmSavIWeGnEuC0gUdg7axUYhlVfGP7EY2tNq2dPR43syqjR39bxzttIlk1x JtWb+lbEXTxADCuQ4NcLMvOCNgpJJnV/pfdiXZnqqExgupD3cAMJAwBW2HlHxUSEYeWa TBpESj9Cu0eLyiLNKuYzh6+CLgD799OyEItUdTLzSRrbAYpUwRk4UD8gq/TqhqccTN2o RuHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=XAGekI71B8KTc0Dk5GRhQKZ9luzWQbexXhvDBxMRwYo=; b=DYZN7OAevJ3hRVG2U4KyXgSAf2Ipg0WpXQFfbW2B+HkHSApRq/vNGbFSvYUacG1t+H CAO18EOwMle19G5ssnidiqfOs61POV2ndglKByLpZNslvD2pKnL/Q97Nf6DRvOi4ozC5 wjLn+Xgz/t7YkZ2KOZreKeiKyc9W8KmxlrNkBIe5Ok3IGdxqy6gCNn00mV+tNlWrWTSB BJuhkaoRtvS5yc99iZ47dnadk45YzM6l8T6TXK+VHeJI5kQDCZ052m3ge9Fj8SjmGxhj 9UgHdeBjXpuQHDUy33p2y8OT7Y6M7u19avchgRFk48mkD6cYnZAUU+El0LnhA07f6P50 M7+Q==
X-Gm-Message-State: AJIora/l0WjcgcbcAO3SxPWYMA5Fhh/i1MHCAt0i4MsitXQDoudlFBsf bcXkSJ1Mn5CYzejcl87zKm24aUv9x/CO6bliwZ8d+yfIN6McQA==
X-Google-Smtp-Source: AGRyM1sgUhIGSTxlBr8hK9DBpfGJsT+vKzQ4Ygc3FNEybJVWr7f7edWVlehR7i+QWloWQXiqrMlkwNCDFpJhuqy12bA=
X-Received: by 2002:a05:6402:354c:b0:431:51e2:eef9 with SMTP id f12-20020a056402354c00b0043151e2eef9mr30712191edd.344.1655738441277; Mon, 20 Jun 2022 08:20:41 -0700 (PDT)
MIME-Version: 1.0
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Mon, 20 Jun 2022 18:20:25 +0300
Message-ID: <CAA7Lko_C5sCWYOypic9QEvfewO38m=ZDUrG+4Uvywgh1LLGPAw@mail.gmail.com>
To: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a238bf05e1e2a564"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/avSFC2JnmHc5Bh9WevXmcpPIfuM>
Subject: [Emu] draft-ietf-emu-tls-eap-types-06 comments
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2022 15:20:45 -0000
Please find below my comments. I think the draft can move forward. The comments below are clarifications and minor fixes. The list is quite long but I think there aren't any functional changes. Naming things +++++++++++ Should the EAP type names named consistently? For example, always use EAP-FAST and EAP-TTLS because those are the IANA registered names. PEAP and TEAP already use just one form. Using 'EAP peer', and when unambiguous, 'peer', as much as possible: now the draft uses also 'client' and 'supplicant' sometimes. Client should remain when the discussion is about general TLS client behaviour, though. Similarly 'EAP server' could be used sometimes to clarify which server is discussed. 2.3 FAST (change to EAP-FAST) +++++++++++++++++++++++++ Typo: resumptuion 2.4 TTLS (change to EAP-TTLS) +++++++++++++++++++++++++ Paragraph 2: Incorrect case: 'Ms-CHAP' Paragraph 3 starts with 'When PAP or CHAP are used ..'. I think this should also include MS-CHAP because it works similarly to CHAP. MS-CHAP-V2 has an extra round trip because of -V2 part, but I don't think MS-CHAP differs from CHAP apart from password change. I'd say the typical case is that MS-CHAP and CHAP get terminated similarly. Their definitions in EAP-TTLS RFC are very similar too. Paragraph 3: first instance of 'server' is clearer as 'EAP server'. Change to '... opportunity for the EAP server to send ...'. Paragraph 3: '... response from the EAP peer MUST ...'. Change 'EAP peer' to 'EAP server'. Paragraph 4 starts as 'Where TLS session tickets are enabled, the response from the EAP peer ...'. The response is from 'EAP server', not 'EAP peer'. Paragraph 5, first sentence: '.. EAP peers always send ...'. Change 'EAP peers' to 'EAP servers'. Paragraph 5: The second sentence in the draft is shwn below with my suggested text following: 'When the supplicant attempts to use the ticket, the peer can simply request a full reauthentication.' 'When the EAP peer attempts to use the ticket, the EAP server can simply request a full authentication.' This clarifies naming, roles and simply says 'authentication' because it's not going to be reauthentication any longer. Paragraph 6 starts with 'Supplicants MUST continue ...'. Change 'Supplicants' to 'EAP peers'. Paragraph 6, second sentence: change 'PAP or CHAP' to 'PAP, CHAP or MS-CHAP'. Same reason as with paragraph 3. 2.5 PEAP +++++++ Paragraphs 1 and 2 in the draft are shown below followed by suggested version: When PEAP uses crypto binding, it uses a different key calculation defined in [PEAP-MPPE] which consumes inner method keying material. The pseudo-random function (PRF+) used here is not taken from the TLS exporter, but is instead calculated via a different method which is given in [PEAP-PRF]. That derivation remains unchanged in this specification. However, the key calculation uses a PEAP Tunnel Key [PEAP-TK] which is defined as: When PEAP uses crypto binding, it uses a PEAP-specific key derivation defined in [PEAP-MPPE] which consumes inner EAP method keying material. The pseudo-random function (PRF+) used in [PEAP-MPPE] is not TLS exporter, but it is a different function which is given in [PEAP-PRF]. That function remains unchanged in this specification. The pseudo-random function (PRF+) uses a PEAP Tunnel Key [PEAP-TK] which is defined as: The idea is to clarify what 'here' refers to (PEAP-MPPE) and to use 'derivation' instead of 'calculation' for matching terminology. My understanding that 'different' means 'different than what is specified section 2.1 in this draft', therefore it was switched to PEAP-specific to be clear what it refers to. Attempt is also made to clarify that what remains unchanged is 'PRF+' function. Term 'method' is used just once so that PRF calculation method won't be confused by 'inner EAP method'. Paragraph 3 starts with "We note that this text does not define Key_Material". Change 'this text' to '[PEAP-TK]' to clarify that 'this text' does not refer to this draft. 3 Application data ++++++++++++++ The draft says: The NewSessionTicket message SHOULD also be sent along with other application data, if possible. Sending that message alone prolongs the packet exchange to no benefit. I fully agree with the above. Experimenting shows that, for example, eapol_test from wpa_supplicant supports a lone NewSessionTicket message by sending back an PEAP ack when it receives just the tickets instead of EAP-Identity/Request+keys after TLS handshake completion. However, another EAP peer implementation responds nothing and stops the authentication process when it receives just a NewSessionTicket message without the expected EAP-Identity/Request. To summarise, in addition to prolonging the packet exchange, it can also lead to non-interoperable implementations. Seems that the smallest number of messages allowed by the TLS and EAP method specifications is the way to go. Not just with PEAP but with other EAP methods too. 3.1 Identities ++++++++++ Paragraph 5 'Implementation MUST NOT ...' has lower case 'eap'. Change to 'EAP'. Paragraph 7 'In general, routing identifiers' has repeated a 'with with'. Change to 'with'. 4. Resumption +++++++++++ The paragraph in the draft could benefit from a small sentence reordering and rewording. The original is followed by the suggested version: Note that if resumption is performed, then the EAP server MUST send the protected success result indicator (one octet of 0x00) inside the TLS tunnel as per [RFC9190]. If either peer or server instead initiates an inner tunnel method, then that method MUST be followed, and resumption MUST NOT be used. The EAP peer MUST in turn check for the existence the protected success result indicator (one octet of 0x00), and cause authentication to fail if that octet is not received. Note that if resumption is performed, then the EAP server MUST send the protected success result indicator (one octet of 0x00) inside the TLS tunnel as per [RFC9190]. The EAP peer MUST in turn check for the existence the protected success result indicator (one octet of 0x00), and cause authentication to fail if that octet is not received. If either peer or server instead initiates an inner tunnel method, then that method MUST be followed, and inner authentication MUST NOT be skipped. The rewording changes 'resumption MUST NOT be used' to what's shown above. My understanding is that if TLS resumption is done, then the choice is either to: - use protected success result indication 0x00; or - do full inner authentication; but not both 6. Security Considerations ++++++++++++++++++++ The last sentence of paragraph 3 is shown below with the suggested change following: However, the TLS protocol may send one or more NewSessionTicket after receiving the TLS Finished message from the client, and therefore before the user is authenticated. However, the TLS protocol may send one or more NewSessionTicket messages after receiving the TLS Finished message from the EAP peer, and therefore before the user is authenticated. The changes add 'messages' and change 'client' to 'EAP peer'. The next paragraph ends with these two sentences. The suggested sentences follow: Malicious clients can begin a session and receive a NewSessionTicket. The malicious client can then abort the authentication session, and the obtained NewSessionTicket to "resume" the previous session. Malicious EAP peers can begin a session and receive a NewSessionTicket. The malicious EAP peer can then abort the authentication session, and use the obtained NewSessionTicket to "resume" the previous session. The changes use 'EAP peer' instead of 'clients' and add missing verb 'use'. 6.1 Protected Success and Failure indicators ++++++++++++++++++++++++++++++++++ Paragraph 5 says '... TTLS with inner PAP or CHAP.'. I'd change the inner protocols to 'PAP, CHAP or MS-CHAP'. Paragraph 7 says '... do not provided protected ...'. Change 'provided' to 'provide'. Paragraph 7 also suggests replacements for PAP and CHAP to ensure protected indicators can be used. A replacement for MS-CHAP could be EAP-MSCHAP-V2 or possibly EAP-MD5? 8. References +++++++++++ [PEAP-MPPE], [PEAP-PRF] and [PEAP-TK] point to different parts of [MSPEAP]. It might be useful to clarify that this is the case in order to minimise the problem with broken links. -- Heikki Vatiainen hvn@radiatorsoftware.com
- [Emu] draft-ietf-emu-tls-eap-types-06 comments Heikki Vatiainen
- Re: [Emu] draft-ietf-emu-tls-eap-types-06 comments Alan DeKok