IETF Logo Mail Archive

Re: [Emu] System level forward secrecy for EAP+AAA

Karl Norrman <karl.norrman@ericsson.com> Sun, 09 April 2023 19:51 UTC

Return-Path: <karl.norrman@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEA65C17B326 for <emu@ietfa.amsl.com>; Sun, 9 Apr 2023 12:51:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lzMUoW7KjLY5 for <emu@ietfa.amsl.com>; Sun, 9 Apr 2023 12:51:34 -0700 (PDT)
Received: from EUR03-AM7-obe.outbound.protection.outlook.com (mail-am7eur03on2062d.outbound.protection.outlook.com [IPv6:2a01:111:f400:7eaf::62d]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 481CCC17B324 for <emu@ietf.org>; Sun, 9 Apr 2023 12:51:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=g35GQIMgE06iuVQi+8obgf51qdFAWleo3dqm6tb09umy/cY0NdGIfCIToQkDMdP6/9Z4sY4kkLYCsqVfOLbRkcg351rIgUA/dBxWa0WkLUjB6ecfYQxu0rl0eYI9FZDEaXCTQ+px7TkNEn4JGyUnpKu+TLa7AeQqooT1FlKND8z29IntitCVUltiPN16fBCe8A8EKP98EZ0TCtg/QCtNuv8Lb2QO6tFcqeB24TdiIY/7ZKMM4fP27w4udQhyUQfXoDl4RYzgFvExM/0uP7aBk/h8IItrmy8I8tfeB3SVmmfyldilXp40A409RHZ8oZzYrpc6XlJ7t0wm44J9e+qDMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=iiNd5ofk4Sanrv+m//s0xD6okKXARpbVLdRGv5CdHMQ=; b=d8EG7npwBP61ifGsoRIO915vvvCgHamySoCBcPKWB73eEQ7F5xvsgZ56d4E0FD5iKCIb7Oj2ywLhWxjLmEdm8+vVLVR9qCnP9jttJwf1s6XdTS4hMQcVWJYe3k0lYex97leadbskEzzEQTwtun9lBtmO5mif27HZecU1OQ9fJlEqL8OdLnJquU9PWSJ4E04hrReKppiPs87a4jSE8+mogUlZWCSC6g0K/U8uGSgo2+sjNOC1R2t+1QFt7PZQgP96quzlmCpNo9sziBPFSm6yv21C8lL/V8qOBcNm8x/lPhaBTUELvRQzab6BiQTitRcUpn/4ziluBObqcDmLTxGyDQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=iiNd5ofk4Sanrv+m//s0xD6okKXARpbVLdRGv5CdHMQ=; b=Uncy8vQOb2AxuUa0hTxWrjYc3Y8tLSGFg6fMsHHFL0cR24hx8Y/oFKy85nFtLRnefA4RMRDSfgfn7Fo0oz8DHqcviWZHJaUSBDjDgf4dvGVFB8HbPLtSQGcedhUhKizGpUItHth+4HDblbbU9v/mJCKGYaTPkzpuJLX7aOINHj4=
Received: from AS5PR07MB9693.eurprd07.prod.outlook.com (2603:10a6:20b:679::6) by PAXPR07MB8340.eurprd07.prod.outlook.com (2603:10a6:102:223::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6277.38; Sun, 9 Apr 2023 19:51:29 +0000
Received: from AS5PR07MB9693.eurprd07.prod.outlook.com ([fe80::6fcd:6180:453c:1cf2]) by AS5PR07MB9693.eurprd07.prod.outlook.com ([fe80::6fcd:6180:453c:1cf2%5]) with mapi id 15.20.6277.038; Sun, 9 Apr 2023 19:51:29 +0000
From: Karl Norrman <karl.norrman@ericsson.com>
To: "aland@deployingradius.com" <aland@deployingradius.com>
CC: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] System level forward secrecy for EAP+AAA
Thread-Index: AdlrDfV4W/nscJTYQBa29j5jB+jAZAABwiWAAABeeNA=
Date: Sun, 09 Apr 2023 19:51:28 +0000
Message-ID: <AS5PR07MB9693CA68509C8FAEE7A46FDFF0949@AS5PR07MB9693.eurprd07.prod.outlook.com>
References: <AS5PR07MB96931A38EECF28228F4A29EAF0949@AS5PR07MB9693.eurprd07.prod.outlook.com> <F75119F7-35BB-4117-AD59-50E74924DB31@deployingradius.com>
In-Reply-To: <F75119F7-35BB-4117-AD59-50E74924DB31@deployingradius.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: AS5PR07MB9693:EE_|PAXPR07MB8340:EE_
x-ms-office365-filtering-correlation-id: 6611d6b6-c385-4e64-cd9d-08db3933cf7b
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: SQbT/TEDL2XLpNSuLE9ZfaRjMh8HPfl9Rlxl69YPxOdvBr0UHKvqGC6p2btXnHeTmInqet+wQeOmV8ohBRKfwhQm068J5TF6uibuKlBo/5GtmcgzOfCfpkHrm4GG6lsQYDLbtWn/Nqjg0T8kICNUs5SL+xjoFfpSQavgGurXBBcclV0QXzj9OGfsoOaKX4C+8ZJUkXEhqIbWPdmBCpl/e8ZBITVqs08bb0fUYgGRcpslLTxmQHaTI4aTdwJGs4B4p4JR69l/WrvahlhkBQIRWcMmR/bG0OMAj7dz7NCcfhw0kVhWMwATvn3P8JFdRmTqGuyZHVQfjQszq/EUtYRqshwii8o0RsEuiS84R2PT2uJHW/aXFsy1zL+p3X9YhjA6vnA2pXx4UfJAW0YyTia3x8BqWNib26N+3gYmZkEMQCqyRM8bYRJZJ0+UxlYpw/oynpl+o31nF9C3Y6UVwmDHdsAyZjWUPzX/U96VlXQvsUhcJhob9lZ7T6JeF9/t1v2M7xCuINFAPN2DS4kFUmo15yD9l/C5frMaK/h75NQdoJ+aUNCffVH2aoU4ov4Zs6UAdVjTeFYrPs1fuQesNoRWuuSCJV7FWiVTYixQkgVZS/I=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AS5PR07MB9693.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(4636009)(346002)(366004)(136003)(396003)(39860400002)(376002)(451199021)(478600001)(7696005)(71200400001)(316002)(53546011)(9686003)(26005)(6506007)(186003)(44832011)(966005)(2906002)(4326008)(76116006)(66946007)(5660300002)(64756008)(8676002)(6916009)(41300700001)(66446008)(8936002)(66476007)(52536014)(66556008)(38070700005)(122000001)(82960400001)(38100700002)(55016003)(86362001)(33656002)(83380400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: oqwjmMexVeTo5ode4QSk28j0InHivLjugIfWCr+ZXhDY7bm4iCvNHyy3NZ1R0XIpw71zOWm6K1eAWmgnznNvxzu1oh7YBTuNRShfnDrnCWD7tBTfexQfs8/+xHfdN4wRhTrLS1ie/mSDAkPrIIeJJhh6ZSgdLipDewbbxtQXyC3kZA9w8umCjmTtgjeyuQ30y7qIQtbHHcH2m2Z8yToIsfXXWZNobfnRjOdfn/Gt4Rpe9DDPNYnb/Xb6fnTjlEe8s58jhQR1xXMb/kJXvKdVUSFruV3eI1ePF5wor/lWvX30H9iOyVEgCSmmrdwRoHxAwLYdm9VKxnGzATwse3LOciJj9Lg43ypEDJgmpppP1VXyKXVof0N4hsOGmOcVMeDufN+XfwB9rbq1/+N55+0fjCOLC7/KPnklgQCgL2VhLAwAFH5yH+LRe8lynxPql0PjvGmgfppneaAAdXFPUzpgoqIJ9biuWu/m/3KKszs1KAt3U10drXq6y/osWWDw4OAZ+iPwpH/W0WypU7Hmtc5qdINiJmWFAf1xB5weiXDlLchsLAYj2OaLbYnqK31MQcIJrsfRCi/hKYNvjjGdr2JYuQCfzYt8qyWkAzsItOGujvVtixCuFb7bNR6h5oJY6EKTEInhJXe6SBGe6Yux4jkC2PGlCDWpGYpEjxOBjc1gNFNjX0kt8/JVUcULxBUSeObTkPaYurKzBjX2dMoNdP13a91KHSpdAgyVG+uF2gt87jeL5fh9JWTSBLbKQDks/bVQTapxMhmKT3Dwv5XFFtQIbMWglWCXDPu5dvzV8ZJCMvoU6/dhYGq/QOSIZkMObjv4pWbWeAw31LWyk04WwuVjGdrG8jrSHhIUMkC1sGNae8YeiKymrum1270SCDvyU80rgdeyxu99jiAio51wQoLtx6WfdMY3gCdirFHi/ltTbt3p9+JN7mS0p7d5goqptODqE2MS+5uv1qcosbqWABEGp5zrpIaTHNzPnUdaGtsj0dmU+DtupngJrFnBK56hNVHsK9tmeFy5u+AdIBVDm1eTVeXZeOPQxfTGH47a7+TP+L0O4mQe0kad/vNnEjvlk+oZhhfmsK75606shHZqQKUnjT+9UWN7Pk9uiqVZ0Z3EZ6hnug+z6Qi2p4F/pdwKVPULuYVcT6voZ2MgT60ey0woWFLnCg5KU+Q0SF3KxN89ZMXjB3/1Mnex2N/LWx10WPjzm6kCbmbNAGua2EutU7bTeSvDRVTr8TaMgoHVjQB6F+yFWSVmo3QKDdAARf5AblQdNe/r0mhdDEDXlsxkQQCfbfydrPxcC+hYH9sKMrOvOhemWdTrzogs66i26bptM/EZQpqsWISuVQepaQftM9jpCOBLy1Br6+LsrvK5UvJWF5g0iCOFKYq81hZF7DUnrB/Odz9+mRB1vY7j18L0ODu06+rb9s5UjGsRA+HCES2W4yi+IrV5jMJjyncd7YShoibKP4SnFHlzxn5jGRp4MZoO1FFafQLkjMAkVCwpTeMBK7weE3Y/F4aakppt9Y6hXCRzTtHHop6vytDetazriy5T+C7PPc+7/DlO5hyatjKNDIzZX6Pb44OlzlIqxUAxE9wO
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AS5PR07MB9693.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 6611d6b6-c385-4e64-cd9d-08db3933cf7b
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Apr 2023 19:51:28.9708 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: MBAECs5/1JSTWoQlcfeVbT6mkh2bnSlNjq3oZk/40fmnawG9Wmy8xigs2QQgfU8FG/tKqU6EwxfX695ZRMTNAkM9dYafozPgE/TjRUveIo4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PAXPR07MB8340
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/f9elX_yFnWSxihleiTE-I6Faay4>
Subject: Re: [Emu] System level forward secrecy for EAP+AAA
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Apr 2023 19:51:38 -0000

Hi!

Thanks for the quick reply.

Please see [K] inline.

> -----Original Message-----
> From: Alan DeKok <aland@deployingradius.com>
> Sent: Sunday, 9 April 2023 20:56
> To: Karl Norrman <karl.norrman@ericsson.com>
> Cc: emu@ietf.org
> Subject: Re: [Emu] System level forward secrecy for EAP+AAA
>
> On Apr 9, 2023, at 2:06 PM, Karl Norrman
> <karl.norrman=40ericsson.com@dmarc.ietf.org> wrote:
> > Is there any RFC to reference for forward secrecy for the EAP+AAA framework,
> which gives recommendations for preventing the attack below?
> >
> > Many RFCs for EAP methods and AAA contain various recommendations
> regarding forward secrecy, but I did not find any that gives concrete guidance to
> prevent the following attack on forward secrecy for the established session key.
> The attack seems applicable regardless of EAP method used.
> >
> > 1. Adversary records all traffic between EAP server S and pass-through
> authenticator A even though it is protected by IPsec or TLS. In particular, the
> adversary records the traffic containing the session key sk that is passed from S
> to A after successful completion of the EAP run.
>
>   If the AAA transport isn't secured, then anyone can observe EAP traffic, or the
> location, "obfuscated" passwords, etc.  The attacks are described in some detail
> in https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/.
>

[K]: Correct. The assumption in 1 is that the traffic is protected with IPsec or TLS.
Thanks for the reference. I read it, but it does not seem to consider the forward secrecy
aspects I try to describe here.

>   If the AAA traffic is protected by IPSec or TLS (as is commonly done), then the
> EAP traffic can only be observed by (a) radio-level sniffing of supplicant to AP
> traffic, or (b) trusted parties in the AAA framework.

[K]: What I mean with 1 is that the adversary records the encrypted traffic.
The adversary cannot decrypt it at this point in time. It only stores the encrypted data.

>    The one remaining attack is if the AAA systems use TLS without a method
> providing PFS.  In which case anyone capable of recording all of the traffic on
> the net can do so, and then crack the session keys at their leisure.

[K]: There is another attack even if TLS uses a PFS (the one I describe here),
which works if one does not establish a new TLS connection or does a key update after
each EAP run. Similarly for IPsec.

> > > 2. Session using sk expires and all involved parties delete sk.
> >
> > 3. Adversary now compromises S and obtains its long-term key. If the EAP
> method provides forward secrecy, this does not help the adversary get to sk. So,
> there is forward secrecy w.r.t. the long-term key. However, it is not
> inconceivable that the adversary at the compromise also gets hold of the
> session keys for IPsec/TLS, at least for some deployments. If IPsec/TLS has not
> been rekeyed since step 2, then the adversary can use the IPsec/TLS session key
> to decrypt the traffic recorded in step 1 and obtain sk. That is, the sk is not
> forward secure in practice on a system level.
>
>   i.e. if TLS doesn't use PFS, and EAP methods don't use PFS, then sessions can be
> compromised.
>
> > To protect against the attack, one can for example update the keys for long-
> termed IPsec/TLS sessions after every EAP handshake,
>
>   Is that for AAA sessions?

[K]: Yes.

>   I'd agree that EAP methods should provide PFS.  TLS does this for TLS-based
> EAP methods via RFC7525, etc.
>
>   My confusion is that EAP doesn't use IPSec.  Connections between AAA systems
> might use IPSec or TLS, but those connections are 100% independent of the data
> which they transport.  AAA servers will not change the status of inter-AAA
> connections based on snooping the contents of AAA traffic.

[K]: Let me give a concrete example. We have server S and pass-through authenticator A,
which is a WiFi access point. They use an IPsec tunnel to protect the traffic between them.
Say the IPsec tunnel is rekeyed every hour. Say there is an EAP session run and an MSK established
between S and a client. S sends the MSK to A over the IPsec tunnel. A and the client use the MSK
to secure the WiFi air-link. The air-link protection session terminates after 1 minute. At this point,
everything needed to derive the MSK shall be deleted.

However, because the IPsec tunnel is only rekeyed after 59 more minutes, the MSK will
not be forward secret. The adversary compromising S could get the IPsec keys, and
decrypt the stored IPsec packets that contain the message transporting the MSK from S to A.
That is, the channel between S and A is a form of storage for the MSK which remains even after it
should be deleted.

The attack here is against the PFS property of the MSK. Once the WiFi air-link session using MSK
is terminated, it should not be possible to retrieve the MSK if it is forward secure. Here it seems to be possible
to obtain MSK after the WiFi session has terminated even if the EAP methods have PFS and AAA is protected
with TLS/IPsec using a PFS handshake.

Note that it doesn't help that IKE has PFS as long as the IPsec session state remains
in S and A for 59 more minutes.  Neither does it seem to help that the EAP method has PFS, since the
MSK is sent over the AAA protocol and gets "stored" in the channel.

The only thing that seems to help is to rekey the IPsec connection and delete the previous key material.

BR Karl

>
> >  or for TLS maybe even run a new handshake for every EAP run. For a more
> relaxed version of forward secrecy, one can do key updates at regular intervals.
> The AKE establishing keys for IPsec/TLS must also be forward secure w.r.t. its
> long-term keys.
> >
> > I plan to add such recommendations to draft-ietf-emu-aka-pfs, but it seems
> wrong that such recommendations should be in individual EAP methods RFCs. It
> seems a better fit for a more general EAP/AAA document that implementors of
> any EAP method would read.
>
>   I'm trying to understand the attack here.  I'm not sure how EAP has anything to
> do with IPSec or AAA transport.  EAP doesn't use IPSec, and AAA transports
> aren't affected by EAP.
>
>   What I understand as as the problem is:
>
> a) people snooping supplicant -> AP traffic can attack an EAP session
>
> b) AAA systems can snoop all EAP traffic that they forward
>
>   this is pretty much by design, as AAA does not provide for end-to-end security.
>
> c) AAA systems not using PFS are vulnerable to an attacker who can snoop the
> traffic, and crack it at their leisure.
>
>   TLS/IPSec makes this a bit harder against an attacker with few resources.
> UDP/TCP transport is not recommended when AAA traffic sent across insecure
> networks.
>
>   Alan DeKok.

v2.23.0 | Report a Bug | By Email