IETF Logo Mail Archive

Re: [Emu] Roman Danyliw's No Objection on draft-ietf-emu-tls-eap-types-12: (with COMMENT)

Joseph Salowey <joe@salowey.net> Fri, 17 February 2023 01:51 UTC

Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B3C1C169528 for <emu@ietfa.amsl.com>; Thu, 16 Feb 2023 17:51:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDtv2VqI75-X for <emu@ietfa.amsl.com>; Thu, 16 Feb 2023 17:51:25 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B635C16953D for <emu@ietf.org>; Thu, 16 Feb 2023 17:51:25 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id h38so3127177lfv.7 for <emu@ietf.org>; Thu, 16 Feb 2023 17:51:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RMTyTrqSv4J/71l8lFsvXdGskCIcp+fcx3YRYkhZWyM=; b=x/iypGKElOvJMfWFeX7un+suDTB/jP+DTvfwPvloH+o8Le3KqcYfRE7LxNpKC50I+v vbJnqk/dr8Gzxfbt4nFZ7AIQaeIHFCa3GA06a4Xr9MldtsicdaddqitYmIyl+IITcr45 OYbIiuDahuSXjwuYUZu+nF1kghszeBaD/mIfndPtOtKwgaWc+U+86kKfDA/mZzV4ye/T pGIW1GJQsNs789BVQEUwXCak4YiDtc/i+iJMHTEai6G1pFVO1tCgl96bIVxiwrI1v3bF JiuaNMYUzJEGFB6xArCRepZudJ+pwnHyXtxGV+MQNy5ZtL2hSYVtT8HYK9QBbu9kUYWj ruxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RMTyTrqSv4J/71l8lFsvXdGskCIcp+fcx3YRYkhZWyM=; b=t194ZRitKS2nWHSfh8jZjCIh2SwNU/4p7hAOVbVCo0e8N4CoO+GXLsX6acCRXvvBxH w3JnFjUGnGMJ3QccX4+Tqv95csWQqKBiGGlaxrhpvGduVP7mMxMInxmFAFzHkq7JQJvs ZD0i4m4U7uQnrY6bmfChGEJJr7tUa57xPBiKlkxv843SVe7Z5MwmikMf1KS57SgeRqZv 6Sqi7AdP3w1CiabfTr3u646lvrUWYnNgwyl4PwoUdK6aFVEuT2IdlN0rI2xGCwybFwSS i9IuS4ZRgGULxCoNeK7I9OaZd6I+y0mrY/GsNDWSdrkSrSCOq6T9/jInZAhmblFEMxt6 ALQg==
X-Gm-Message-State: AO0yUKVRB/9WiBfN2d75kjIMYnz0eMpD6RabYxjqcQIVSsA59Y0HzGos Sogv4+8IN7axOddsXOimKPjI/fzW5igInNd6M7mBkw==
X-Google-Smtp-Source: AK7set9jW8oeggZUJgWqtJpCYZe8DUkZvsRn5ItQnz7Jp1fBGzIt/eOCbUfefpbCSBV4UjtD3pXU9PmD4GrEEcz5w0s=
X-Received: by 2002:ac2:46ef:0:b0:4db:eeb:3dea with SMTP id q15-20020ac246ef000000b004db0eeb3deamr2182460lfo.11.1676598682826; Thu, 16 Feb 2023 17:51:22 -0800 (PST)
MIME-Version: 1.0
References: <167651598851.20540.7924623610620366927@ietfa.amsl.com> <B464FFE3-CC54-4D5F-862D-C8C8B4E96D0E@deployingradius.com> <CAOgPGoBOnGYBYthULztSHCQOJft8rfxky7tyC+ojq+R4WijT9Q@mail.gmail.com> <343D60C0-6562-49A6-80B5-8AA4805596CD@deployingradius.com>
In-Reply-To: <343D60C0-6562-49A6-80B5-8AA4805596CD@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 16 Feb 2023 17:51:09 -0800
Message-ID: <CAOgPGoDwoNJ5eSVjSy-hg2ptxq3DaB6K8uxq93rjBFwPrckYZQ@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, draft-ietf-emu-tls-eap-types@ietf.org, emu-chairs@ietf.org, EMU WG <emu@ietf.org>, jsalowey@gmail.com
Content-Type: multipart/alternative; boundary="000000000000ebd0c505f4db8c7a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/fnFzD3GUw5ntFgZlId1ZCEYHBN8>
Subject: Re: [Emu] Roman Danyliw's No Objection on draft-ietf-emu-tls-eap-types-12: (with COMMENT)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2023 01:51:26 -0000

Thanks Alan, your text looks good.

On Thu, Feb 16, 2023 at 5:48 AM Alan DeKok <aland@deployingradius.com>
wrote:

> On Feb 16, 2023, at 1:28 AM, Joseph Salowey <joe@salowey.net> wrote:
> > [Joe] I think having a separate section in the security considerations
> for Session Resumption is a good idea.   A few comments on the text below
> since I think there is a potential difference between how TTLS  recommends
> overloading newSessionTicket as a protected result indicator and uses of
> NesSessionTicket in other methods where it can be used for session
> resumption of TLS while still executing an inner method.
>
>   OK
>
> > This separation of data allows for a "time of use, time of check"
> > security issue.  Malicious clients can begin a session and receive a
> > NewSessionTicket message.  The malicious client can then abort the
> > authentication session, and use the obtained NewSessionTicket to
> > "resume" the previous session.  The malicious client can then obtain
> > network access without ever being authenticated.
> >
> > [Joe]  I suggest changing the last sentence to:
> >
> > "If the server assumes the ticket was issued after the client was
> authenticated then,
> > the malicious client can then obtain network access without ever being
> authenticated. "
>
>   It's the "server" as whole, but really the TLS implementation.  A naive
> EAP implementation can "hand off" all TLS work to a TLS library.  The
> library then magically allows resumption and the EAP server has a security
> issue.   Perhaps change it to:
>
> If the server allows the session to
> resume without verifying that the user had first been authenticated,
> the malicious client can then obtain network access without ever being
> authenticated network access without ever being authenticated.
>
> > As a result, EAP servers MUST NOT permit sessions to be resumed until
> > after authentication has successfully completed.  This requirement may
> > be met in a number of ways.  Where possible, implementations SHOULD
> > NOT send TLS NewSessionTicket messages until the "inner tunnel"
> > authentication has completed successfully.  However, the interaction
> > between EAP implementations and any underlying TLS library may be
> > complex, and this behavior may not always be possible.
> >
> >
> > [Joe] How about the following.
>
>   I find the suggested text a bit harder to read.  For me, there is a
> clear distinction between the EAP application, and the underlying TLS
> library it uses.  Microsoft has a common TLS library used by multiple
> applications.  OpenSSL plays a similar role elsewhere.
>
>   It's a good idea to suggest re-running the inner method on resumption
> where session tickets cannot be validated.  And also that policies can
> control whether resumed sessions are resumed, or the inner methods are
> run.  This is how my software works, and it's good to explain those issues
> in this document.
>
>   After some major rework, how about the following text.  For me, it goes
> through all possibilities in excruciating detail.  I can say this is what
> implementors need, because I've run into pretty much all of these issues.
>
> As a result, EAP servers MUST NOT assume that a user has been
> authenticated simply because a TLS session is being resumed.  Even if
> a session is being resumed, an EAP server MAY have policies which
> still force the inner authentication methods to be run.  For example,
> the users password may have expired in the time interval between first
> authenticaction, and session resumption.
>
> The guidelines given here therefore describe situations where an EAP
> server is permitted to allow session resumption, not where it is
> required to allow session resumption.  An EAP server could simply
> refuse to issue session tickets, or could run the full inner
> authentication even if a session was resumed.
>
> Where session tickets are used, the EAP server SHOULD track the
> successful completion of an inner authentication, and associate that
> status with any session tickets issued for that session.  This
> requirement can be met in a number of different ways.
>
> One way is for the EAP server to simply not send any TLS
> NewSessionTicket messages until the inner authentication has completed
> successfully.  The EAP server then knows that the existence of a
> session ticket is proof that a user was authenticated, and the session
> can be resumed.
>
> Another way is for the EAP server to simple discard or invalidate any
> session tickets until after the inner authentication has
> completed successfully.  When the user is authenticated, a new TLS
> NewSessionTicket message can be sent to the client, and the new ticket
> cached and/or validated.
>
> Another way is for the EAP server to associate the inner
> authentication status with each session ticket.  When a session ticket
> is used, the authentication status is checked.  When a session ticket
> shows that the inner authentication did not succeed, the EAP
> server MUST run the inner authentication method(s) in the resumed
> tunnel, and grant only access based on the success or failure of those
> inner methods/
>
> However, the interaction between EAP implementations and any
> underlying TLS library may be complex, and the EAP server may not be
> able to make the above guarantees.  Where the EAP server is unable to
> determine the users authentication status from the session ticket, it
> MUST assume that inner authentication has not completed and it MUST
> run the inner authentication methods in the resumed tunnel before
> granting access.
>
> > This issue is not relevant for EAP-TLS, which uses client certificates
> > for authentication.  It is only relevant for TLS-based EAP methods
> > which do not use the TLS layer to authenticate
> >
> >
> > [Joe]  SInce TLS 1.3 allows for client authentication at anytime, but
> EAP-TLS only allows it during the initial handshake change the first
> sentence to:
> >
> > This issue is not relevant for EAP-TLS, which only uses client
> certificates for authentication
> > in the TLS handshake.
>
>   Sure.
>
>   Alan DeKok.
>
>

v2.23.0 | Report a Bug | By Email