IETF Logo Mail Archive

Re: [Emu] Roman Danyliw's No Objection on draft-ietf-emu-tls-eap-types-12: (with COMMENT)

Joseph Salowey <joe@salowey.net> Thu, 16 February 2023 06:29 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727FDC17CE99 for <emu@ietfa.amsl.com>; Wed, 15 Feb 2023 22:29:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vlK2K3YYKEnd for <emu@ietfa.amsl.com>; Wed, 15 Feb 2023 22:29:08 -0800 (PST)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 890DDC1526FB for <emu@ietf.org>; Wed, 15 Feb 2023 22:29:08 -0800 (PST)
Received: by mail-lf1-x12a.google.com with SMTP id c20so1535561lfv.6 for <emu@ietf.org>; Wed, 15 Feb 2023 22:29:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uFguJNPe7E6bIm+XJWg4aazcb1dBkVvlC4XQjTHPdps=; b=xWuGuChw62Na670wnzcmrlKOmuWHcsJerlZJOUJ9cpNlC1Iqde5of6J/PG/tjQR3Ru Pvz83d1KaTUhtkznKYJ2LDvV0dm+HT+VJp73xeqBRMMmh6T9o6xGc7Tok7oaeS4atewa unLOmiR415bVttblE4rkxHvSnOJm65LMLIbueBMz+tRgJkHDZGWGfL2HSkBe8FZQbady pNFUOz/eatEWrnDiet6B5sD23Ohcy/K+4H9hg1h6pbH8iVb4oRn+YlTbEdJfnWRs4XYP Wgi1RDZkl1Lv80FWgGNsNrzgHFHkc1YsKSUXwregsLALCelPk5LWHObmh2KdoO5eAB7x f+sA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uFguJNPe7E6bIm+XJWg4aazcb1dBkVvlC4XQjTHPdps=; b=tE+HIuC3bHAaXG1E2++97qRF9YOE3aFUgpQgTCA4iD3ywDsQaYWXkZ9HjghEfB3HzQ YQMHOrer1mAj7xf+n8mma+gxCXoYEb5+nbYSnLpzQqwxOB/ouIirXbeBn7EV9AgimTV8 jpj/8wIp4Zqs4A24U009WTLeQJ05sriQrMr/K3jQQwbD/vliY2TMfMpFdN8dCz95ac5f tWZaQSXI0T0uN6vdFtilQqNpb7HXSRq8Gq0mkL1CHQE4P2qhlmHvE9+MHd36ocCZRT0n 5FiigM8MUPffqLrzOwY7l4qiCl2Q3Ffk6t3tbjHbHiBt2BnIsAf+9aLKSRwSCxmfLdDv +icA==
X-Gm-Message-State: AO0yUKVI+BJbWhZBLwFnbAi5wdiSqdWDSu1zY1vXvx2bATWgUZIvr46K 8gvOLAWgBwQ4/Va8nD7rRG4I7ouSdSIdQ70N1Avpiw==
X-Google-Smtp-Source: AK7set/VSREjjUv8yFOY/vD+hrQfv9+hDpMR9alzXqsOUlXhITIPXvPYYJ6JxC4yuOsLXjNlv8r4BEePTvNB9tbEfKs=
X-Received: by 2002:ac2:5dca:0:b0:4db:17d2:8aea with SMTP id x10-20020ac25dca000000b004db17d28aeamr1311659lfq.11.1676528946111; Wed, 15 Feb 2023 22:29:06 -0800 (PST)
MIME-Version: 1.0
References: <167651598851.20540.7924623610620366927@ietfa.amsl.com> <B464FFE3-CC54-4D5F-862D-C8C8B4E96D0E@deployingradius.com>
In-Reply-To: <B464FFE3-CC54-4D5F-862D-C8C8B4E96D0E@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Wed, 15 Feb 2023 22:28:53 -0800
Message-ID: <CAOgPGoBOnGYBYthULztSHCQOJft8rfxky7tyC+ojq+R4WijT9Q@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, draft-ietf-emu-tls-eap-types@ietf.org, emu-chairs@ietf.org, EMU WG <emu@ietf.org>, jsalowey@gmail.com
Content-Type: multipart/alternative; boundary="00000000000049f75905f4cb50f0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/cvhm-J5y_tCYmpu8tkms8ComOGo>
Subject: Re: [Emu] Roman Danyliw's No Objection on draft-ietf-emu-tls-eap-types-12: (with COMMENT)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 Feb 2023 06:29:09 -0000

On Wed, Feb 15, 2023 at 7:29 PM Alan DeKok <aland@deployingradius.com>
wrote:

> On Feb 15, 2023, at 9:53 PM, Roman Danyliw via Datatracker <
> noreply@ietf.org> wrote:
> > ** Section 2.4
> >   It is therefore RECOMMENDED that EAP servers always send a TLS
> >   NewSessionTicket message, even if resumption is not configured.  When
> >   the EAP peer attempts to use the ticket, the EAP server can instead
> >   request a full authentication.  Implementations SHOULD NOT send
> >   NewSessionTicket messages until the "inner tunnel" authentication has
> >   completed, in order to take full advantage of the message as a
> >   protected success indication.
> >
> > It is my understanding that this SHOULD NOT is based in implementation
> > realities.  Can text be added to establish the basis for this not being
> “MUST
> > NOT”.  Please also add cross-references as appropriate into the document
> on the
> > same topic.
>
>   The issue is discussed in more detail in the Security Considerations
> section.  I'll add some text here which references RFC 8446 Section 4.6.1.
>
>   In short, TLS 1.3 allows for NewSessionTicket to be sent from the
> server, even before the application data has been processed.  This means
> that a client could connect, get a ticket, disconnect, and then immediately
> "resume" the session, without ever being fully authenticated.
>
>   As a result, EAP implementations have to either reject session tickets
> which were sent before the user was authenticated, or delay sending
> NewSessionTicket until after the user has been authenticated.
>
>   On closer examination, the text about NewSessionTicket is in the "TTLS"
> section, but is really applicable to all TLS-based EAP methods.  I'll move
> the text from the Security Considerations section to a new section
> discussing TLS NewSessionTicket messages in more detail.  Here's some new
> text:
>
>
[Joe] I think having a separate section in the security considerations for
Session Resumption is a good idea.   A few comments on the text below since
I think there is a potential difference between how TTLS  recommends
overloading newSessionTicket as a protected result indicator and uses of
NesSessionTicket in other methods where it can be used for session
resumption of TLS while still executing an inner method.


> Section "Handling of TLS NewSessionTicket Messages"
>
> In some cases, client certificates are not used for TLS-based EAP
> methods.  In those cases, the user is authenticated only after
> successful completion of the inner tunnel authentication.  However,
> [RFC84346] Section 4.6.1 allows that "At any time after the server has
> received the client Finished message, it MAY send a NewSessionTicket
> message."  This message is sent by the server before the inner
> authentication method has been run, and therefore before the user has
> been authenticated.
>
> This separation of data allows for a "time of use, time of check"
> security issue.  Malicious clients can begin a session and receive a
> NewSessionTicket message.  The malicious client can then abort the
> authentication session, and use the obtained NewSessionTicket to
> "resume" the previous session.  The malicious client can then obtain
> network access without ever being authenticated.
>
>
[Joe]  I suggest changing the last sentence to:

"If the server assumes the ticket was issued after the client was
authenticated then,
the malicious client can then obtain network access without ever being
authenticated. "


> As a result, EAP servers MUST NOT permit sessions to be resumed until
> after authentication has successfully completed.  This requirement may
> be met in a number of ways.  Where possible, implementations SHOULD
> NOT send TLS NewSessionTicket messages until the "inner tunnel"
> authentication has completed successfully.  However, the interaction
> between EAP implementations and any underlying TLS library may be
> complex, and this behavior may not always be possible.
>
>
[Joe] How about the following.

"The interaction between EAP implementations and any underlying TLS library
may be
complex, and the server may not be able to guarantee when a session is
cached
or what information is associated with the cached session.  It is up to the
EAP
server to ensure that it does not allow for insecure uses of EAP. In these
cases the server MUST assume that inner authentication has not completed
and it MUST run the inner authentication methods in the resumed tunnel
before granting
access.  If the server is able to include the state of the client's
authentication in the cached
session state or if the server can guarantee that the newSessionTicket
message is only sent
after successful authentication, then it MAY have a policy that uses this
information to skip
inner methods."



> Is is up to the EAP server to ensure that it does not allow for
> insecure uses of EAP.  It may not be possible to delay the TLS
> NewSessionTicket messages until the "inner tunnel" authentication has
> completed successfully.  In that case, the EAP server MUST NOT allow
> the session ticket to be valid (or validated) until after the "inner
> tunnel" authentication has completed.
>
>
[Joe] I think we can remove the above paragraph.


> For example, if the ticket is cached on the server, the server coudl
> skip caching the session ticket until after authentication has
> completed.  Alternatively, the server could mark up the session ticket
> with a flag stating whether or not authentication has completed.
>
>
[Joe] How about:

"For example, if the server has a flag in its server side cache to indicate
successful client authentication, it would not set this flag until inner
authentication
completes.  Alternatively, if the server is generating a client side ticket
to indicate
successful client authentication then it MUST defer sending the
newSessionTicket
message until client authentication has completed."


> This issue is not relevant for EAP-TLS, which uses client certificates
> for authentication.  It is only relevant for TLS-based EAP methods
> which do not use the TLS layer to authenticate
>
>
[Joe]  SInce TLS 1.3 allows for client authentication at anytime, but
EAP-TLS only allows it during the initial handshake change the first
sentence to:

This issue is not relevant for EAP-TLS, which only uses client certificates
for authentication
in the TLS handshake.

v2.23.0 | Report a Bug | By Email