IETF Logo Mail Archive

Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

John Mattsson <john.mattsson@ericsson.com> Thu, 19 September 2019 10:04 UTC

Return-Path: <john.mattsson@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59B5C120018; Thu, 19 Sep 2019 03:04:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5BKAFdNwxFke; Thu, 19 Sep 2019 03:04:21 -0700 (PDT)
Received: from EUR03-VE1-obe.outbound.protection.outlook.com (mail-eopbgr50080.outbound.protection.outlook.com [40.107.5.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 905A11200F4; Thu, 19 Sep 2019 03:04:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=VD3q4X7GoEMsIY/VXZxi67KkrpEuNFPZcJte/UmyHVAfW834ijyHNgWke8S4xIxL5YTbKh5Ek3946vOI3FMRIBYRN83SdwVt8WOhri+eSzTwfTTLLhjMDk1BLKw/1VGGvSi+50vxeXNo2mGt/JMcdKbJIlaDbGN+/0qiddCUqdeHsNcduzmOB/cMSL2JdZ45kVQSaQbs4K8yOeMP0rtldUyw21VmTceAZOBuXpCm6wdOMfZkNbyGDOREwyZgF9+PvL098Vzbf9CTY55jfp1g/bjEBHtQszTR7WcxqftgKWJ+HQ+iTXJEvgBcdI4EacQkVN+8sIVekMlalgvcX988/w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1ZuMf9ZSZ2ovbbF467Zx5gXsPqrDEYTnMBorZn1VQrQ=; b=gQeVNlarg70g7Xdy4tdDAeapYB9bijFEH+xmLQOhMJw7yFMchu5l0Y8PRgZxocsCShxlWIvgljRDl497X7NEIqWAuQvwHs8RG4sx/mYCVu6jnwo4oo5KZRTlu7ep4PapfamsQwyUQsWjIhzSVyGZHViMf1UDH7AmNC6mQX5MhJSAzRggHrAVUjbEc1v2UWGqa7/zNG2xkx3Oglk5IrSSq0gvQX/+AP1QM2gGjzH6w1bqZBOpFDV6RDUwhH6mToXGpwiZjQCdoI1r8p2GzfNGfsLiQ+ZIHRYGtFedqZmIZ1xmFBm37iCiyDavC2KVS1+f1QTDtfXuvua2edcmrd/J+g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1ZuMf9ZSZ2ovbbF467Zx5gXsPqrDEYTnMBorZn1VQrQ=; b=TSw6uk3ccKyAqBTatwtiBr7e224x5T56bIq9qeJ7QwA2K73UNoDXdB5R2Cjk1bhCQK7eUs8mOq+RiWWKUOMwb63zdH1HECirfYTJlaOfiiChcxAG47ko7Fys6mTlzCN1gPE5TT37BAWMqDQDfZtieiCDTPsCNEHm6yKjcVXSmqQ=
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com (20.176.165.153) by HE1PR07MB3498.eurprd07.prod.outlook.com (10.170.244.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2284.10; Thu, 19 Sep 2019 10:04:17 +0000
Received: from HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef]) by HE1PR07MB4169.eurprd07.prod.outlook.com ([fe80::c8fb:acc1:b00e:84ef%6]) with mapi id 15.20.2284.009; Thu, 19 Sep 2019 10:04:17 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>, Jim Schaad <ietf@augustcellars.com>, 'Alan DeKok' <aland@deployingradius.com>
CC: "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, 'EMU WG' <emu@ietf.org>
Thread-Topic: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
Thread-Index: AdVKJoKyKr1G5+9hQuKLAEK5rLYqPgfSdnOQAABeFAAABkCJgP//55mA//bAJjCAEoZ6AIAAJXeA///jpID//4j+YAAgT+oAABHGqoD//9GSsP//c42A
Date: Thu, 19 Sep 2019 10:04:17 +0000
Message-ID: <80E3DD70-C335-4D63-A6B7-E74DEFD69EDF@ericsson.com>
References: <7828_1564869242_5D46027A_7828_348_1_02e001d54a45$e92ae900$bb80bb00$@augustcellars.com> <20b118932a4843b6b88e605799fafea8@aalto.fi> <211AD83C-D111-4EEB-AAF0-D9B5E521F4CF@deployingradius.com> <8F355C6F-DF1E-4E03-B75E-0F1D2508B9D4@ericsson.com> <246280B8-6E5C-484B-95BD-9C940C98C507@deployingradius.com> <CY4PR1101MB22781AB8C8982ACF99B61544DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <DAE24683-2B66-40F1-AFC6-77250113B204@deployingradius.com> <1FD26215-86AF-4C64-83ED-AB1D67D1937B@ericsson.com> <DB61AD67-77D5-4EF9-9207-4CD20C3B61C7@deployingradius.com> <CY4PR1101MB2278103D6B59896837905DC2DB8E0@CY4PR1101MB2278.namprd11.prod.outlook.com> <BC8ACA1E-D2BE-4E0D-B39A-C105806CA38E@deployingradius.com> <008b01d56eb3$5c51e550$14f5aff0$@augustcellars.com> <CY4PR1101MB22788A2FD4A3C3EFC9280BA5DB890@CY4PR1101MB2278.namprd11.prod.outlook.com>
In-Reply-To: <CY4PR1101MB22788A2FD4A3C3EFC9280BA5DB890@CY4PR1101MB2278.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
authentication-results: spf=none (sender IP is ) smtp.mailfrom=john.mattsson@ericsson.com;
x-originating-ip: [82.214.46.143]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 89a79a05-95fc-4f24-d81b-08d73ce8bbdf
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:HE1PR07MB3498;
x-ms-traffictypediagnostic: HE1PR07MB3498:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <HE1PR07MB3498CC0DF986401B0465786189890@HE1PR07MB3498.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 016572D96D
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(366004)(396003)(346002)(39860400002)(136003)(13464003)(51444003)(199004)(189003)(186003)(99286004)(76176011)(478600001)(26005)(256004)(58126008)(54906003)(6512007)(110136005)(14444005)(33656002)(44832011)(486006)(4326008)(76116006)(6306002)(11346002)(66476007)(7736002)(64756008)(66556008)(305945005)(2616005)(66946007)(66446008)(476003)(14454004)(25786009)(5660300002)(8676002)(81166006)(966005)(81156014)(71190400001)(8936002)(6246003)(2906002)(66066001)(446003)(316002)(6486002)(71200400001)(229853002)(102836004)(86362001)(53546011)(6116002)(3846002)(6436002)(36756003)(6506007); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3498; H:HE1PR07MB4169.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: WR/Zj7oJcmKLZWMQyUBNyvzUaU/P4KET+rn0cqwVY/x4fUnHOlgHPU2GZ1F06fDK8lQu5/NUyZewitCkc4BLRBumcEpQfPols9WxiI8PO/hEpFRcKDYFsU0FCp3DM1Js5iVKt/6csqwVhCCcngypWqM0btPFFOe/rgky9UC5Vt+mfIHMSmOqKpptCr3IxxRDWyfrdvTNpJKn4yKFj6nFCCh7obiDezWEt640w6087uPSQ5MbfEscU2eFVsIwCBDG70J+wrBHI5xVceg2sCdSjhQ5HMPqScj1MGJsKiLDTqpSwxf5GLptI2wSbehySLr9ZpHzukfM6WpJqLCDaKfnnLqeWLvGMH/i8BD2oLY5+b5i+hRTZXPG4O9cLzU7umGun8wREvMuz56rxpkU1kOgePKrnSYo7Wjw5cUINydFJG4=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <3D00D78B170EF84D9CBC1E2E4ECF2CBB@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 89a79a05-95fc-4f24-d81b-08d73ce8bbdf
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Sep 2019 10:04:17.6603 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: E+46GOHdz1S3YNRBJ1maUFV2ggKZcnIVIlFeRuE3fJtjzsnIPV0y4fKVKg/4J/RLnFCuRaWJmuhvpf/nR5XsAFRpbR+bnpxcm5mt+HxaI8A=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3498
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/fUlxO5Ed8b-yA4swoTXDt0FtNio>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Sep 2019 10:04:25 -0000

I am starting to come down on the side the EAP-TLS PSK should be specified.

- I think EAP-PSK should be phased out like all other methods not giving PFS.
- The security of the Dragonfly handshake used in EAP-PWD (and WPA3) seems quite shaky ( https://eprint.iacr.org/2019/383 ), but I have not looked into the details.

- An EAP password method for the future should likely use the PAKE that CFRG will soon standardize.
- EAP methods should in the future support some PQC key exchange.

TLS will very likely get support for both the CFRG PAKE and PQC key exchange algorithms. I am not sure the EAP group want to spend time updating either EAP-PSK or ESP-PWD. Unless there are other benefits with EAP-PSK or EAP-PWD, I think standardizing EAP-TLS PSK makes a lot of sense.

I also note that, EAP-PSK is experimental and EAP-PWD is informal. Unless IETF thinks PSK and passwords should not be used (which does certainly not seem to be the case as TLS 1.3 is including PSK and CFRG is standardizing password based AKE) I think that EMU should make some PSK and password based method Standards Track. At the moment EAP-TLS 1.3 looks like the best choice.

Jim wrote:
> and more to do with the security properties of the EAP method.

If that is seen as a problem, standardizing a separate Type-Code for EAP-TLS with PSK authentication would solve the problem.

/John

-----Original Message-----
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
Date: Thursday, 19 September 2019 at 11:17
To: Jim Schaad <ietf@augustcellars.com>, 'Alan DeKok' <aland@deployingradius.com>
Cc: "draft-ietf-emu-eap-tls13@ietf.org" <draft-ietf-emu-eap-tls13@ietf.org>, 'EMU WG' <emu@ietf.org>
Subject: RE: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
Resent from: <alias-bounces@ietf.org>
Resent to: John Mattsson <john.mattsson@ericsson.com>, <mohit@piuha.net>
Resent date: Thursday, 19 September 2019 at 11:17

    
    
    > -----Original Message-----
    > From: Jim Schaad <ietf@augustcellars.com>
    > Sent: 19 September 2019 07:28
    > To: 'Alan DeKok' <aland@deployingradius.com>; Owen Friel (ofriel)
    > <ofriel@cisco.com>
    > Cc: draft-ietf-emu-eap-tls13@ietf.org; 'EMU WG' <emu@ietf.org>
    > Subject: RE: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
    > 
    > I am going to come down on the side of no PSK should not be supported.
    > However my issues have nothing to do with how things are implemented
    > and more to do with the security properties of the EAP method.
    > 
    > When you use certificates, there is no leakage of who the client is as this is
    > encrypted by TLS.  When you use a restore session ticket, it is possible to limit
    > the number of times that the ticket can be used (for example once).
    > The PSK identity is public and unprotected so it can be used to track.  If one is
    > using PSK for the purpose of authentication then that value will always be
    > visible to intermediate parties for the purpose of tracking.
    > This can be slightly mitigated by using restore session tickets with PSK, but
    > you are going to send that PSK identifier over the wire many times.
    
    The IoT use case is to use the PSK one time for authentication during bootstrapping, then get credentialed, and thereafter use a certificate for subsequent EAP authentications. The bootstrap PSK enables proof of possession i.e. the thing will only bootstrap against a network that knows its PSK.
    
    > 
    > 
    > This is just informational and can be ignored:
    > 
    > My current favorite way to deal with PSK/ticket identifiers is with
    > encryption:
    > 
    > 32 bytes of index into table
    > 32 bytes of date information
    > 32 bytes of SIV (synthetic IV)
    > 
    > Encrypt the first two items using the SIV.  You can then have multiple keys for
    > decryption.  One for PSKs and a resolving one for session tickets.  If the
    > identifier does not decrypt then you reject.  Otherwise you look at the date
    > information and the index in the table for the secret information.
    > 
    > It is even possible to play games with AAD to do things like scope the tickets
    > up front - if you put in the name/address of the NAS then you have a
    > prescreen on where the ticket can be used.
    > 
    > Jim
    > 
    > 
    > 
    > 
    > -----Original Message-----
    > From: Emu <emu-bounces@ietf.org> On Behalf Of Alan DeKok
    > Sent: Wednesday, September 18, 2019 2:59 PM
    > To: Owen Friel (ofriel) <ofriel@cisco.com>
    > Cc: draft-ietf-emu-eap-tls13@ietf.org; EMU WG <emu@ietf.org>
    > Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13
    > 
    > On Sep 18, 2019, at 5:42 PM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
    > > Giving some implementation guidance seems appropriate here. Naively,
    > > one
    > could envisage the implementation simply having a DB table for extern PSKs
    > and a table that holds NewSessionTickets. An implementation could simply
    > check the extern PSK table using the PskIdentity.identity, and if no match is
    > found then check the NewSessionTickets table.
    > 
    >   Which works, but should be called out in the draft.
    > 
    >   And what is to prevent the system from generating conflicting PSK
    > identities?  i.e. I don't control OpenSSL.  From what I see, TLS 1.3 resumption
    > means that OpenSSLL will choose whatever PSK identity it deems fit.
    > 
    >   As an implementor and/or admin, how do I choose *pre-provisioned* PSK
    > identities which won't conflict with the ones OpenSSL choose?
    > 
    > > The default OpenSSL NSK ticketId is 32 bytes long
    > https://protect2.fireeye.com/url?k=fa7cdbfa-a6f60f3b-fa7c9b61-863d9bcb726f-0570ce4a3462cb4b&q=1&u=https%3A%2F%2Fgithub.com%2Fopenssl%2Fopenssl%2Fblob%2F558ea84743918f7a93bfbfc259f86a
    > d1fa4c
    > 8de9/include/openssl/ssl3.h#L127 so something has gone seriously wrong if
    > there is a clash (poor randoms, etc.).
    > 
    >   i.e. "pick a long string and that should be good enough".
    > 
    >   If that really is the guidance, then this should also be called out in the draft.
    > PSK identities MUST be long (ideally 32 octets or more), and MUST be
    > generated from a CSPRNG.
    > 
    >   Which then leads to the question of what will the poor user enter in a UI?
    > If "end users" shouldn't be doing this, the draft also needs to call that out.
    > 
    > > Well, more precisely, the PSK identity is visible in the ClientHello,
    > > not
    > the actual PSK of course.
    > 
    >   Sure.
    > 
    > > And the PSK *must not* be a user-manageable string such as the
    > >> NAI.  On the other hand, if the PSK is sent after encryption begins,
    > >> then the PSK *should* be a user-manageable string such as an NAI.
    > >
    > > https://tools.ietf.org/html/rfc8446#section-2.2 also states:
    > > ...
    > > so TLS-PSK is not suitable for a user entered low entropy password. We
    > > need a PAKE for that (c.f. the ongoing CFRG PAKE assessment)
    > 
    >   Sure.
    > 
    > > There are some use cases Eliot and I are looking at related to IoT
    > onboarding where a TLS-PSK authentication has definite value, and we really
    > don't want to see this avenue closed off in EAP.
    > 
    >   I don't know the exact use-case, but TBH I'd suggest EAP-PWD for that.
    > I'm not sure that EAP-TLS with PSK adds any value here.
    > 
    >   Allowing PSK means that the draft should likely say "end users MUST NOT
    > be using TLS-PSK".  Or maybe "TLS-PSK MUST be used only where systems
    > can be automatically provisioned with long binary data for both PSK identity
    > and PSK itself".  Or even "PSK identities and/or passwords that are composed
    > solely of printable ASCII characters are likely to be humanly entered, and
    > thus insecure".
    > 
    >   Which means, of course, that people will ignore that and demand simple
    > user names / passwords for EAP-TLS with PSK.  Because that's ever so much
    > easier than using nasty certs.
    > 
    >   That isn't something we should encourage.  It may be worth just forbidding
    > it.
    > 
    >   Alan DeKok.
    > 
    > _______________________________________________
    > Emu mailing list
    > Emu@ietf.org
    > https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email