Re: [Emu] draft-dekok-emu-tls-eap-types discussion
Joseph Salowey <joe@salowey.net> Tue, 23 June 2020 03:53 UTC
Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCB3D3A171E for <emu@ietfa.amsl.com>; Mon, 22 Jun 2020 20:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03VYxSG9wXX9 for <emu@ietfa.amsl.com>; Mon, 22 Jun 2020 20:53:31 -0700 (PDT)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EDF593A171A for <emu@ietf.org>; Mon, 22 Jun 2020 20:53:30 -0700 (PDT)
Received: by mail-qk1-x72b.google.com with SMTP id f18so17690875qkh.1 for <emu@ietf.org>; Mon, 22 Jun 2020 20:53:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5D5/lLwTAidGZIik/ZdSlZcM/naYcj/QcqZ3uawT7TQ=; b=KmoXebE1UFgFBXLw09I4buUbu2XA9m5luTesA09RIDQ0Wejk5WVRfrYPGjvG2k79Fg 6F1y0M3Hd4bi1fjzC0aXpfka2hVhh8xT9nfb/wql74Zh8O/0F8SJcpd+pBX0+rAvxCeX Go+tevk6oLb9mIg4OabnvCsNECFiMys+ZBockwI2NwgIHgnQbNKLeAvXdauFZbCFpzez AD6euxhyIewgDZ3tUt4CHMgL/w5H/DT6Oy0bKFtoi4nmNm38iMGw+18/Dq8ao+c5b788 EOHh5y4gBjW7gV1VryPI109xxVeElndTNnWO5sNcjaizsL2zc8ZEwqa3B0dTmVSSYdSx ZZ4g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5D5/lLwTAidGZIik/ZdSlZcM/naYcj/QcqZ3uawT7TQ=; b=pT4IbcOUDZ1Wcmq4WP2vMokNX9+f4IeIQLRsyPrxdQRehaD+eNhF82uM7Qhko5GPGB u139VKJnVY6ObuOy++l3DkYGp++90M5iX5qynz9xpCsaWXfkDVTVoeiSyifoBCOtr+ui 8A00TLA28I3N3DN8hg8GhIy0oyl0czxK6ifJhtdGFnPjHcGiCi+34BvGeHJMqLVJpE7J Lo+Q8ngYXf6VLBu2GA3IKpulj8GReY84zQm/bwwePVW7qpQbLankNtpfqdA8WnNwuk4G OclWaT9KrhbuAbf97ZwnZo5KzxE5ORlFuUq9Zir+3iUeq4jjXQKUVUwbZw9MFRPf+KcP H+qA==
X-Gm-Message-State: AOAM531YCvEZ9vTWS5pBiyEAskwtK0qJe16XZi0MgxmSIam8YiQ3ppcb HH4MOpCAS5/ywSaM9+PcORg3bSEjInQlrtHsi6LZxg==
X-Google-Smtp-Source: ABdhPJwU84HJWeM9FwRtkj0gpJ1yco0LbKlEi+n/HbuKERzkR6F4whaXNmWwlhvQaIuT6Bm69Z+QSL7HJjCXUD+6hbo=
X-Received: by 2002:a37:aec4:: with SMTP id x187mr19246179qke.332.1592884409915; Mon, 22 Jun 2020 20:53:29 -0700 (PDT)
MIME-Version: 1.0
References: <B6DEC01B-E5D0-4CC1-B9DC-CDEB567F1C53@deployingradius.com> <CH2PR21MB13815FE61D6FEE18DADA9AF0D1C30@CH2PR21MB1381.namprd21.prod.outlook.com> <CABXxEz9=ReWcB79yEZjdDcLqzYmC50+yZyqgtRvpV4vQmFEuDg@mail.gmail.com> <20200416102445.GA8757@w1.fi> <CH2PR21MB1381451B1FC4A680A37A22EFD1D40@CH2PR21MB1381.namprd21.prod.outlook.com> <CABXxEz8_2Deq90xApM_6_c-sT+m5Bvu8R=+txc5JysM-O+mSzA@mail.gmail.com>
In-Reply-To: <CABXxEz8_2Deq90xApM_6_c-sT+m5Bvu8R=+txc5JysM-O+mSzA@mail.gmail.com>
From: Joseph Salowey <joe@salowey.net>
Date: Mon, 22 Jun 2020 20:53:18 -0700
Message-ID: <CAOgPGoCT=uTAT=WaZCM3b_nhzxqywiMcUHyuZoo3tKzc2k5QKA@mail.gmail.com>
To: Oleg Pekar <oleg.pekar.2017@gmail.com>
Cc: Jorge Vergara <jovergar@microsoft.com>, Jouni Malinen <j@w1.fi>, EMU WG <emu@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006bf04705a8b84dbf"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/fRKWBFfLBIV9pU7bjKkhBu_gVKs>
Subject: Re: [Emu] draft-dekok-emu-tls-eap-types discussion
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2020 03:53:34 -0000
On Tue, Apr 21, 2020 at 11:02 AM Oleg Pekar <oleg.pekar.2017@gmail.com> wrote: > >And focusing on that "what to do here.." part and the unused IMCK-zero[j] >> in the previous paragraph.. >> >How is this supposed to work when an inner EAP authentication method >> does not derive either MSK or EMSK? >> >Intermediate result indication of success needs to be done and that >> implies there needs to be Crypto-Binding TLV. >> >But that TLV does not have option of indicating that neither EMSK >> Compound MAC nor MSK Compound MAC are present (Flags field has no value 0 >> defined to do so). >> I agree the 0 value should be explicitly listed for this purpose. Given >> the design of the flags I think it is clear this was the intended usage and >> its omission was likely an oversight. >> >So what are those fields (or one of them) supposed to be set to? >> >And how is that selected for an inner EAP authentication method j? >> >Does this depends on what happened with method j-1 (if one was present)? >> >How would the correct IMCK[j] be determined by the peer and the server >> if one of them derived MSK/EMSK but the other one did not derive either for >> inner EAP method j? >> Assuming we use the value 0 to indicate the state where one of the peers >> did not derive either MSK or EMSK, then I believe the RFC addresses this as >> MSKi = 32 octets of 0x00s. So if one side calculated neither MSK nor EMSK, >> and both sides decided to continue the conversion, then both sides would >> use the zero-MSK for that IMSK[j], >> > Jorge, Jouni, agree with the approach. > > Jorge, please note that the same problem exists in PEAP Crypto-Binding TLV > as specified in its documentation > <https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-peap/ebb2b12b-cd53-4f3a-afed-36588566c7c2> > - when one side has an inner method that provided MSK and another side has > this inner method that didn't provide MSK. > > [Joe] (catching up) With respect to the case that the method is an MSK generating mechanism and and MSK is not generated/used. I think the original intention was that this case would be a protocol violation, ie if a method generates an MSK it should be available for crypto-binding. I'm concerned that allowing the fallback to 0 MSK actually will cause a security vulnerability in compound binding. Do we know if this method mismatch is a problem in practice? > There is also a case where no inner method is executed. For example, when > client certificate was received during TEAP outer tunnel establishment. In > this case we also need to use zero-MSK. For such case both values of the > flag work - "0 for zero-MSK" and "2 for MSK". This creates unnecessary > ambiguity and thus would be better to request using flag's value "0" for > zero MSK in such case (today we use value "2" and it doesn't create > ambiguity). However there's a question here: in case of TEAP certificate > based authentication that is typically done by running inner method > EAP-TLS, should we allow in sending client certificate during TEAP tunnel > establishment or inside the tunnel and this way skipping EAP-TLS inner > method? On one hand it makes authentication shorter. On the other hand it > causes switching from MSK/EMSK exported by the inner method EAP-TLS to > zero-MSK. > > If we do allow skipping any inner method then we need explicitly say that > zero-MSK should be used in such case. > > I've started rebuilding section "5.2 > <https://tools.ietf.org/html/rfc7170#section-5.2>. Intermediate Compound > Key Derivations" of the RFC according to the proposal on this thread and > will post it here shortly. > > ~ Oleg > > > > > On Mon, Apr 20, 2020 at 3:57 AM Jorge Vergara <jovergar@microsoft.com> > wrote: > >> >And focusing on that "what to do here.." part and the unused >> IMCK-zero[j] in the previous paragraph.. >> >How is this supposed to work when an inner EAP authentication method >> does not derive either MSK or EMSK? >> >Intermediate result indication of success needs to be done and that >> implies there needs to be Crypto-Binding TLV. >> >But that TLV does not have option of indicating that neither EMSK >> Compound MAC nor MSK Compound MAC are present (Flags field has no value 0 >> defined to do so). >> >> I agree the 0 value should be explicitly listed for this purpose. Given >> the design of the flags I think it is clear this was the intended usage and >> its omission was likely an oversight. >> >> >So what are those fields (or one of them) supposed to be set to? >> >And how is that selected for an inner EAP authentication method j? >> >Does this depends on what happened with method j-1 (if one was present)? >> >How would the correct IMCK[j] be determined by the peer and the server >> if one of them derived MSK/EMSK but the other one did not derive either for >> inner EAP method j? >> >> Assuming we use the value 0 to indicate the state where one of the peers >> did not derive either MSK or EMSK, then I believe the RFC addresses this as >> MSKi = 32 octets of 0x00s. So if one side calculated neither MSK nor EMSK, >> and both sides decided to continue the conversion, then both sides would >> use the zero-MSK for that IMSK[j], >> >> Jorge Vergara >> >> -----Original Message----- >> From: Jouni Malinen <j@w1.fi> >> Sent: Thursday, April 16, 2020 3:25 AM >> To: Oleg Pekar <oleg.pekar.2017@gmail.com> >> Cc: Jorge Vergara <jovergar@microsoft.com>; EMU WG <emu@ietf.org> >> Subject: Re: [Emu] draft-dekok-emu-tls-eap-types discussion >> >> On Wed, Apr 15, 2020 at 07:25:08PM +0300, Oleg Pekar wrote: >> > For TEAP errata 5770: >> > Technically TEAP RFC suggests the implicit method of taking the >> > correct IMSK[j] and all the subsequent keys after each inner method >> > via negotiation taking place in Crypto-Binding TLV exchange. >> >> What is "the correct IMSK[j]" and where is this defined? >> >> > Let's say we are on the inner method number j that supports both MSK >> > and EMSK and we are server which implementation generates both MSK and >> > EMSK for this inner method. We generated keys according to the rules >> > below - two sets, for IMSK[j] derived from inner method EMSK and for >> > IMSK[j] equal to inner method MSK. Because we don't know whether >> > client implementation supports both MSK and EMSK. >> > >> > S-IMCK[0] = session_key_seed >> > For j = 1 to n-1 do >> > IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", >> > IMSK[j], 60) >> > S-IMCK[j] = first 40 octets of IMCK[j] >> > CMK[j] = last 20 octets of IMCK[j] >> > >> > >> > So we have two CMK[j] and we create Crypto-Binding TLV with both >> > Compound MAC for MSK and EMSK. The client sends Crypto-Binding TLV in >> > response and we can understand from it whether it supports EMSK for >> > this inner method or not. And here we can decide which version of >> > IMCK[j] to take for this inner method - derived from EMSK or MSK. This >> > is just not explicitly specified in the RFC. >> >> Is this the proposed definition of "the correct IMSK[J]"? In other words, >> is this to be understood to have two (or three since we have the no >> MSK/EMSK case as well) variants of IMSK[j] during an execution of an >> internal AP authentication method and a single one of those variants is >> selected as _the correct_ IMSK[j] at the successful conclusion of this >> inner authentication method? >> >> Would this single "correct IMSK[j]" then be used for deriving the >> different variants of IMSK[j+1] instead of using EMSK-based-IMSK[j] when >> deriving EMSK-based-IMSK[j+1]? In other words, is this to work by having >> all following inner authentication rounds and MSK/EMSK derivation to behave >> as if the other variants of IMSK[j] never really existed? >> >> > Could this method work? Should we make it more clearly specified? Or >> > should we change the protocol to arrive explicitly to the >> > understanding which type >> > (MSK/EMSK) of IMSK[j] to use? >> >> Regardless of what is done for the design, it will absolutely need to be >> specified more clearly. >> >> If I understood the proposed design correctly, this should be defined >> with something like following: >> >> For each successful inner EAP authentication method, derive IMCK-MSK[j] >> (if MSK was derived by the inner method), derive IMCK-EMSK[j] (if EMSK was >> derived by the inner method), derive IMSK-zero[j] (for all cases). Derive >> CMK-MSK[j] from IMCK-MSK[j] and CMK-EMSK[j] from IMCK-EMSK[j] (both: if >> available). Generate Crypto-Binding TLV with all available Compound MAC >> values. Also verify Crypto-Binding TLV with all available Compound MAC >> values. After both ends have transmitted and received Crypto-Binding TLV, >> set IMSK[j] to be IMCK-EMSK[j] if both ends included EMSK Compound MAC, or >> set IMSK[j] to be IMCK-MSK[j] if both ends included MSK Compound MAC but >> either end did not include EMSK Compound MAC, or <what to do here or can >> this even happen?>. Set S-IMCK[j] based on this IMSK[j]. This results in >> there being only a single S-IMCK[j] and MSK/EMSK derivation being well >> defined. >> >> And focusing on that "what to do here.." part and the unused IMCK-zero[j] >> in the previous paragraph.. How is this supposed to work when an inner EAP >> authentication method does not derive either MSK or EMSK? Intermediate >> result indication of success needs to be done and that implies there needs >> to be Crypto-Binding TLV. But that TLV does not have option of indicating >> that neither EMSK Compound MAC nor MSK Compound MAC are present (Flags >> field has no value 0 defined to do so). >> So what are those fields (or one of them) supposed to be set to? And how >> is that selected for an inner EAP authentication method j? Does this >> depends on what happened with method j-1 (if one was present)? How would >> the correct IMCK[j] be determined by the peer and the server if one of them >> derived MSK/EMSK but the other one did not derive either for inner EAP >> method j? >> >> -- >> Jouni Malinen PGP id EFC895FA >> > _______________________________________________ > Emu mailing list > Emu@ietf.org > https://www.ietf.org/mailman/listinfo/emu >
- [Emu] draft-dekok-emu-tls-eap-types discussion Alan DeKok
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Jorge Vergara
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Oleg Pekar
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Jorge Vergara
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Oleg Pekar
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Jouni Malinen
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Alan DeKok
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Mohit Sethi M
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Jorge Vergara
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Jorge Vergara
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Oleg Pekar
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Joseph Salowey
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Jorge Vergara
- Re: [Emu] draft-dekok-emu-tls-eap-types discussion Joseph Salowey