[Emu] Implementation report for EAP-TLS 1.3: OK, with nits
Alan DeKok <aland@deployingradius.com> Sun, 27 January 2019 17:20 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 47E39130E81 for <emu@ietfa.amsl.com>; Sun, 27 Jan 2019 09:20:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QKb9VUPEK7ci for <emu@ietfa.amsl.com>; Sun, 27 Jan 2019 09:20:26 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) by ietfa.amsl.com (Postfix) with ESMTP id AC202130E00 for <emu@ietf.org>; Sun, 27 Jan 2019 09:20:26 -0800 (PST)
Received: from [192.168.46.58] (198-84-237-221.cpe.teksavvy.com [198.84.237.221]) by mail.networkradius.com (Postfix) with ESMTPSA id AC114333 for <emu@ietf.org>; Sun, 27 Jan 2019 17:20:24 +0000 (UTC)
From: Alan DeKok <aland@deployingradius.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.0 \(3445.100.39\))
Message-Id: <F93913D4-A15F-4F12-9023-44DDBBBB605E@deployingradius.com>
Date: Sun, 27 Jan 2019 12:20:23 -0500
To: emu@ietf.org
X-Mailer: Apple Mail (2.3445.100.39)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/fTnE46aKnAxhfx38Od-7carTKjI>
Subject: [Emu] Implementation report for EAP-TLS 1.3: OK, with nits
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 27 Jan 2019 17:20:29 -0000
We've been doing interoperability testing of EAP-TLS 1.3, and have some comments. The testing was made more difficult by issues in different software. We've been using OpenSSL, FreeRADIUS, and wpa_supplicant. In short, it mostly works, or it should work by the end of next week. But you will likely have to use the most recent source from revision control. Older versions of the software either don't support TLS 1.3, or have implementation issues which break interoperability.
One major issue which isn't highlighted in the -03 draft is derived from RFC 5216 Section 2.3:
MSK = Key_Material(0,63)
EMSK = Key_Material(64,127)
If an implementation does not use EMSK, then the temptation would be to ask for 63 octets, not 128. This worked for TLS 1.2 and earlier. It does not work in TLS 1.3.
In TLS 1.3, the output text explicitly depends on the amount of data requested. RFC 8446 Section 7.1 says:
HKDF-Expand-Label(Secret, Label, Context, Length) =
HKDF-Expand(Secret, HkdfLabel, Length)
Which means that implementations cannot truncate the output by asking for less data.
We've seen this in practice where a number of EAP types worked, but some didn't. On working through the issues, the client software didn't use EMSK, and therefore only asked for 64 octets. We're filing a bug with the implementors, but it's important enough that it should also be noted here.
The -03 draft is correct, in that it has the lengths given as inputs to the KDF in Section 2.3:
Key_Material = TLS-Exporter("EXPORTER_EAP_TLS_Key_Material", "", 128)
IV = TLS-Exporter("EXPORTER_EAP_TLS_IV", "", 64)
Method-Id = TLS-Exporter("EXPORTER_EAP_TLS_Method-Id", "", 64)
Session-Id = 0x0D || Method-Id
However, I think it's worth adding a note here for implementors. Something like:
--
We note that the key derivation MUST use the length values given above. Where in TLS 1.2 and earlier it was possible to truncate the output by requesting less data from the TLS-Exporter function, this practice is not possible with TLS 1.3. If an implementation intends to use only part of the output of the TLS-Exporter function, then it MUST ask for the full output, and then only use part of that output. Failure to do so will result in incorrect values being calculated for the above keying material.
--
Alan DeKok.
- [Emu] Implementation report for EAP-TLS 1.3: OK, … Alan DeKok
- Re: [Emu] Implementation report for EAP-TLS 1.3: … John Mattsson
- Re: [Emu] Implementation report for EAP-TLS 1.3: … Alan DeKok
- Re: [Emu] Implementation report for EAP-TLS 1.3: … John Mattsson
- Re: [Emu] Implementation report for EAP-TLS 1.3: … Alan DeKok
- Re: [Emu] Implementation report for EAP-TLS 1.3: … John Mattsson