IETF Logo Mail Archive

[Emu] draft-ietf-emu-tls-eap-types-06 comments

Heikki Vatiainen <hvn@radiatorsoftware.com> Mon, 20 June 2022 15:20 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BFD08C15AAE5 for <emu@ietfa.amsl.com>; Mon, 20 Jun 2022 08:20:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gkn5aFJBZX3v for <emu@ietfa.amsl.com>; Mon, 20 Jun 2022 08:20:43 -0700 (PDT)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAB70C157901 for <emu@ietf.org>; Mon, 20 Jun 2022 08:20:43 -0700 (PDT)
Received: by mail-ed1-x530.google.com with SMTP id o10so15601843edi.1 for <emu@ietf.org>; Mon, 20 Jun 2022 08:20:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20210112.gappssmtp.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=XAGekI71B8KTc0Dk5GRhQKZ9luzWQbexXhvDBxMRwYo=; b=4HXycKlfPFy5j/aEoayuZITb6TpVNmRAk9pf10pKEUEZvoSh7dBeANNipGek1zMUEu 4Wmi+9hYJjFv+aqWLuZp/JkLnvGSURM5o6zYO7WpEauFYtw6U5RfgCIMFBVj/aWCZ5Uz Z7md/GljoGmSavIWeGnEuC0gUdg7axUYhlVfGP7EY2tNq2dPR43syqjR39bxzttIlk1x JtWb+lbEXTxADCuQ4NcLMvOCNgpJJnV/pfdiXZnqqExgupD3cAMJAwBW2HlHxUSEYeWa TBpESj9Cu0eLyiLNKuYzh6+CLgD799OyEItUdTLzSRrbAYpUwRk4UD8gq/TqhqccTN2o RuHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=XAGekI71B8KTc0Dk5GRhQKZ9luzWQbexXhvDBxMRwYo=; b=DYZN7OAevJ3hRVG2U4KyXgSAf2Ipg0WpXQFfbW2B+HkHSApRq/vNGbFSvYUacG1t+H CAO18EOwMle19G5ssnidiqfOs61POV2ndglKByLpZNslvD2pKnL/Q97Nf6DRvOi4ozC5 wjLn+Xgz/t7YkZ2KOZreKeiKyc9W8KmxlrNkBIe5Ok3IGdxqy6gCNn00mV+tNlWrWTSB BJuhkaoRtvS5yc99iZ47dnadk45YzM6l8T6TXK+VHeJI5kQDCZ052m3ge9Fj8SjmGxhj 9UgHdeBjXpuQHDUy33p2y8OT7Y6M7u19avchgRFk48mkD6cYnZAUU+El0LnhA07f6P50 M7+Q==
X-Gm-Message-State: AJIora/l0WjcgcbcAO3SxPWYMA5Fhh/i1MHCAt0i4MsitXQDoudlFBsf bcXkSJ1Mn5CYzejcl87zKm24aUv9x/CO6bliwZ8d+yfIN6McQA==
X-Google-Smtp-Source: AGRyM1sgUhIGSTxlBr8hK9DBpfGJsT+vKzQ4Ygc3FNEybJVWr7f7edWVlehR7i+QWloWQXiqrMlkwNCDFpJhuqy12bA=
X-Received: by 2002:a05:6402:354c:b0:431:51e2:eef9 with SMTP id f12-20020a056402354c00b0043151e2eef9mr30712191edd.344.1655738441277; Mon, 20 Jun 2022 08:20:41 -0700 (PDT)
MIME-Version: 1.0
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Mon, 20 Jun 2022 18:20:25 +0300
Message-ID: <CAA7Lko_C5sCWYOypic9QEvfewO38m=ZDUrG+4Uvywgh1LLGPAw@mail.gmail.com>
To: EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a238bf05e1e2a564"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/avSFC2JnmHc5Bh9WevXmcpPIfuM>
Subject: [Emu] draft-ietf-emu-tls-eap-types-06 comments
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 20 Jun 2022 15:20:45 -0000

Please find below my comments. I think the draft can move forward. The
comments below are clarifications and minor fixes. The list is quite long
but I think there aren't any functional changes.


Naming things
+++++++++++
Should the EAP type names named consistently? For example, always use
EAP-FAST and EAP-TTLS because those are the IANA registered names. PEAP and
TEAP already use just one form.

Using 'EAP peer', and when unambiguous, 'peer', as much as possible: now
the draft uses also 'client' and 'supplicant' sometimes. Client should
remain when the discussion is about general TLS client behaviour, though.

Similarly 'EAP server' could be used sometimes to clarify which server is
discussed.


2.3 FAST (change to EAP-FAST)
+++++++++++++++++++++++++
Typo: resumptuion


2.4 TTLS (change to EAP-TTLS)
+++++++++++++++++++++++++
Paragraph 2: Incorrect case: 'Ms-CHAP'

Paragraph 3 starts with 'When PAP or CHAP are used ..'. I think this should
also include MS-CHAP because it works similarly to CHAP. MS-CHAP-V2 has an
extra round trip because of -V2 part, but I don't think MS-CHAP differs
from CHAP apart from password change. I'd say the typical case is that
MS-CHAP and CHAP get terminated similarly. Their definitions in EAP-TTLS
RFC are very similar too.

Paragraph 3: first instance of 'server' is clearer as 'EAP server'. Change
to '... opportunity for the EAP server to send ...'.

Paragraph 3: '... response from the EAP peer MUST ...'. Change 'EAP peer'
to 'EAP server'.

Paragraph 4 starts as 'Where TLS session tickets are enabled, the response
from the EAP peer ...'. The response is from 'EAP server', not 'EAP peer'.

Paragraph 5, first sentence: '.. EAP peers always send ...'. Change 'EAP
peers' to 'EAP servers'.

Paragraph 5: The second sentence in the draft is shwn below with my
suggested text following:
'When the supplicant attempts to use the ticket, the peer can simply
request a full reauthentication.'
'When the EAP peer attempts to use the ticket, the EAP server can simply
request a full authentication.'
This clarifies naming, roles and simply says 'authentication' because it's
not going to be reauthentication any longer.

Paragraph 6 starts with 'Supplicants MUST continue ...'. Change
'Supplicants' to 'EAP peers'.

Paragraph 6, second sentence: change 'PAP or CHAP' to 'PAP, CHAP or
MS-CHAP'. Same reason as with paragraph 3.


2.5 PEAP
+++++++
Paragraphs 1 and 2 in the draft are shown below followed by suggested
version:

   When PEAP uses crypto binding, it uses a different key calculation
   defined in [PEAP-MPPE] which consumes inner method keying material.
   The pseudo-random function (PRF+) used here is not taken from the TLS
   exporter, but is instead calculated via a different method which is
   given in [PEAP-PRF].  That derivation remains unchanged in this
   specification.

   However, the key calculation uses a PEAP Tunnel Key [PEAP-TK] which
   is defined as:


   When PEAP uses crypto binding, it uses a PEAP-specific key derivation
   defined in [PEAP-MPPE] which consumes inner EAP method keying material.
   The pseudo-random function (PRF+) used in [PEAP-MPPE] is not TLS
   exporter, but it is a different function which is
   given in [PEAP-PRF].  That function remains unchanged in this
   specification.

   The pseudo-random function (PRF+) uses a PEAP Tunnel Key [PEAP-TK] which
   is defined as:

The idea is to clarify what 'here' refers to (PEAP-MPPE) and to use
'derivation' instead of 'calculation' for matching terminology. My
understanding that 'different' means 'different than what is specified
section 2.1 in this draft', therefore it was switched to PEAP-specific to
be clear what it refers to. Attempt is also made to clarify that what
remains unchanged is 'PRF+' function. Term 'method' is used just once so
that PRF calculation method won't be confused by 'inner EAP method'.

Paragraph 3 starts with "We note that this text does not define
Key_Material". Change 'this text' to '[PEAP-TK]' to clarify that 'this
text' does not refer to this draft.


3 Application data
++++++++++++++
The draft says:

   The NewSessionTicket message SHOULD also be sent along with other
   application data, if possible.  Sending that message alone prolongs
   the packet exchange to no benefit.

I fully agree with the above. Experimenting shows that, for example,
eapol_test from wpa_supplicant supports a lone NewSessionTicket message by
sending back an PEAP ack when it receives just the tickets instead of
EAP-Identity/Request+keys after TLS handshake completion. However, another
EAP peer implementation responds nothing and stops the authentication
process when it receives just a NewSessionTicket message without the
expected EAP-Identity/Request.

To summarise, in addition to prolonging the packet exchange, it can also
lead to non-interoperable implementations. Seems that the smallest number
of messages allowed by the TLS and EAP method specifications is the way to
go. Not just with PEAP but with other EAP methods too.


3.1 Identities
++++++++++
Paragraph 5 'Implementation MUST NOT ...' has lower case 'eap'. Change to
'EAP'.

Paragraph 7 'In general, routing identifiers' has repeated a 'with with'.
Change to 'with'.


4. Resumption
+++++++++++
The paragraph in the draft could benefit from a small sentence reordering
and rewording. The original is followed by the suggested version:

   Note that if resumption is performed, then the EAP server MUST send
   the protected success result indicator (one octet of 0x00) inside the
   TLS tunnel as per [RFC9190].  If either peer or server instead
   initiates an inner tunnel method, then that method MUST be followed,
   and resumption MUST NOT be used.  The EAP peer MUST in turn check for
   the existence the protected success result indicator (one octet of
   0x00), and cause authentication to fail if that octet is not
   received.

   Note that if resumption is performed, then the EAP server MUST send
   the protected success result indicator (one octet of 0x00) inside the
   TLS tunnel as per [RFC9190].  The EAP peer MUST in turn check for
   the existence the protected success result indicator (one octet of
   0x00), and cause authentication to fail if that octet is not
   received.  If either peer or server instead
   initiates an inner tunnel method, then that method MUST be followed,
   and inner authentication MUST NOT be skipped.

The rewording changes 'resumption MUST NOT be used' to what's shown above.
My understanding is that if TLS resumption is done, then the choice is
either to:
- use protected success result indication 0x00; or
- do full inner authentication; but not both


6. Security Considerations
++++++++++++++++++++
The last sentence of paragraph 3 is shown below with the suggested change
following:

   However, the TLS protocol may send one or more NewSessionTicket after
   receiving the TLS Finished message from the client, and therefore
   before the user is authenticated.

   However, the TLS protocol may send one or more NewSessionTicket messages
after
   receiving the TLS Finished message from the EAP peer, and therefore
   before the user is authenticated.

The changes add 'messages' and change 'client' to 'EAP peer'.

The next paragraph ends with these two sentences. The suggested sentences
follow:

   Malicious clients can begin a session and receive a
   NewSessionTicket.  The malicious client can then abort the
   authentication session, and the obtained NewSessionTicket to "resume"
   the previous session.

   Malicious EAP peers can begin a session and receive a
   NewSessionTicket.  The malicious EAP peer can then abort the
   authentication session, and use the obtained NewSessionTicket to "resume"
   the previous session.

The changes use 'EAP peer' instead of 'clients' and add missing verb 'use'.


6.1 Protected Success and Failure indicators
++++++++++++++++++++++++++++++++++
Paragraph 5 says '... TTLS with inner PAP or CHAP.'. I'd change the inner
protocols to 'PAP, CHAP or MS-CHAP'.

Paragraph 7 says '... do not provided protected ...'. Change 'provided' to
'provide'.

Paragraph 7 also suggests replacements for PAP and CHAP to ensure protected
indicators can be used. A replacement for MS-CHAP could be EAP-MSCHAP-V2 or
possibly EAP-MD5?


8. References
+++++++++++
[PEAP-MPPE], [PEAP-PRF] and [PEAP-TK] point to different parts of [MSPEAP].
It might be useful to clarify that this is the case in order to minimise
the problem with broken links.


--
Heikki Vatiainen
hvn@radiatorsoftware.com

v2.23.0 | Report a Bug | By Email