Re: [Emu] Roman Danyliw's No Objection on draft-ietf-emu-tls-eap-types-12: (with COMMENT)
Joseph Salowey <joe@salowey.net> Fri, 17 February 2023 01:51 UTC
Return-Path: <joe@salowey.net>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B3C1C169528 for <emu@ietfa.amsl.com>; Thu, 16 Feb 2023 17:51:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pDtv2VqI75-X for <emu@ietfa.amsl.com>; Thu, 16 Feb 2023 17:51:25 -0800 (PST)
Received: from mail-lf1-x12b.google.com (mail-lf1-x12b.google.com [IPv6:2a00:1450:4864:20::12b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B635C16953D for <emu@ietf.org>; Thu, 16 Feb 2023 17:51:25 -0800 (PST)
Received: by mail-lf1-x12b.google.com with SMTP id h38so3127177lfv.7 for <emu@ietf.org>; Thu, 16 Feb 2023 17:51:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20210112.gappssmtp.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=RMTyTrqSv4J/71l8lFsvXdGskCIcp+fcx3YRYkhZWyM=; b=x/iypGKElOvJMfWFeX7un+suDTB/jP+DTvfwPvloH+o8Le3KqcYfRE7LxNpKC50I+v vbJnqk/dr8Gzxfbt4nFZ7AIQaeIHFCa3GA06a4Xr9MldtsicdaddqitYmIyl+IITcr45 OYbIiuDahuSXjwuYUZu+nF1kghszeBaD/mIfndPtOtKwgaWc+U+86kKfDA/mZzV4ye/T pGIW1GJQsNs789BVQEUwXCak4YiDtc/i+iJMHTEai6G1pFVO1tCgl96bIVxiwrI1v3bF JiuaNMYUzJEGFB6xArCRepZudJ+pwnHyXtxGV+MQNy5ZtL2hSYVtT8HYK9QBbu9kUYWj ruxw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=RMTyTrqSv4J/71l8lFsvXdGskCIcp+fcx3YRYkhZWyM=; b=t194ZRitKS2nWHSfh8jZjCIh2SwNU/4p7hAOVbVCo0e8N4CoO+GXLsX6acCRXvvBxH w3JnFjUGnGMJ3QccX4+Tqv95csWQqKBiGGlaxrhpvGduVP7mMxMInxmFAFzHkq7JQJvs ZD0i4m4U7uQnrY6bmfChGEJJr7tUa57xPBiKlkxv843SVe7Z5MwmikMf1KS57SgeRqZv 6Sqi7AdP3w1CiabfTr3u646lvrUWYnNgwyl4PwoUdK6aFVEuT2IdlN0rI2xGCwybFwSS i9IuS4ZRgGULxCoNeK7I9OaZd6I+y0mrY/GsNDWSdrkSrSCOq6T9/jInZAhmblFEMxt6 ALQg==
X-Gm-Message-State: AO0yUKVRB/9WiBfN2d75kjIMYnz0eMpD6RabYxjqcQIVSsA59Y0HzGos Sogv4+8IN7axOddsXOimKPjI/fzW5igInNd6M7mBkw==
X-Google-Smtp-Source: AK7set9jW8oeggZUJgWqtJpCYZe8DUkZvsRn5ItQnz7Jp1fBGzIt/eOCbUfefpbCSBV4UjtD3pXU9PmD4GrEEcz5w0s=
X-Received: by 2002:ac2:46ef:0:b0:4db:eeb:3dea with SMTP id q15-20020ac246ef000000b004db0eeb3deamr2182460lfo.11.1676598682826; Thu, 16 Feb 2023 17:51:22 -0800 (PST)
MIME-Version: 1.0
References: <167651598851.20540.7924623610620366927@ietfa.amsl.com> <B464FFE3-CC54-4D5F-862D-C8C8B4E96D0E@deployingradius.com> <CAOgPGoBOnGYBYthULztSHCQOJft8rfxky7tyC+ojq+R4WijT9Q@mail.gmail.com> <343D60C0-6562-49A6-80B5-8AA4805596CD@deployingradius.com>
In-Reply-To: <343D60C0-6562-49A6-80B5-8AA4805596CD@deployingradius.com>
From: Joseph Salowey <joe@salowey.net>
Date: Thu, 16 Feb 2023 17:51:09 -0800
Message-ID: <CAOgPGoDwoNJ5eSVjSy-hg2ptxq3DaB6K8uxq93rjBFwPrckYZQ@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, draft-ietf-emu-tls-eap-types@ietf.org, emu-chairs@ietf.org, EMU WG <emu@ietf.org>, jsalowey@gmail.com
Content-Type: multipart/alternative; boundary="000000000000ebd0c505f4db8c7a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/fnFzD3GUw5ntFgZlId1ZCEYHBN8>
Subject: Re: [Emu] Roman Danyliw's No Objection on draft-ietf-emu-tls-eap-types-12: (with COMMENT)
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Feb 2023 01:51:26 -0000
Thanks Alan, your text looks good. On Thu, Feb 16, 2023 at 5:48 AM Alan DeKok <aland@deployingradius.com> wrote: > On Feb 16, 2023, at 1:28 AM, Joseph Salowey <joe@salowey.net> wrote: > > [Joe] I think having a separate section in the security considerations > for Session Resumption is a good idea. A few comments on the text below > since I think there is a potential difference between how TTLS recommends > overloading newSessionTicket as a protected result indicator and uses of > NesSessionTicket in other methods where it can be used for session > resumption of TLS while still executing an inner method. > > OK > > > This separation of data allows for a "time of use, time of check" > > security issue. Malicious clients can begin a session and receive a > > NewSessionTicket message. The malicious client can then abort the > > authentication session, and use the obtained NewSessionTicket to > > "resume" the previous session. The malicious client can then obtain > > network access without ever being authenticated. > > > > [Joe] I suggest changing the last sentence to: > > > > "If the server assumes the ticket was issued after the client was > authenticated then, > > the malicious client can then obtain network access without ever being > authenticated. " > > It's the "server" as whole, but really the TLS implementation. A naive > EAP implementation can "hand off" all TLS work to a TLS library. The > library then magically allows resumption and the EAP server has a security > issue. Perhaps change it to: > > If the server allows the session to > resume without verifying that the user had first been authenticated, > the malicious client can then obtain network access without ever being > authenticated network access without ever being authenticated. > > > As a result, EAP servers MUST NOT permit sessions to be resumed until > > after authentication has successfully completed. This requirement may > > be met in a number of ways. Where possible, implementations SHOULD > > NOT send TLS NewSessionTicket messages until the "inner tunnel" > > authentication has completed successfully. However, the interaction > > between EAP implementations and any underlying TLS library may be > > complex, and this behavior may not always be possible. > > > > > > [Joe] How about the following. > > I find the suggested text a bit harder to read. For me, there is a > clear distinction between the EAP application, and the underlying TLS > library it uses. Microsoft has a common TLS library used by multiple > applications. OpenSSL plays a similar role elsewhere. > > It's a good idea to suggest re-running the inner method on resumption > where session tickets cannot be validated. And also that policies can > control whether resumed sessions are resumed, or the inner methods are > run. This is how my software works, and it's good to explain those issues > in this document. > > After some major rework, how about the following text. For me, it goes > through all possibilities in excruciating detail. I can say this is what > implementors need, because I've run into pretty much all of these issues. > > As a result, EAP servers MUST NOT assume that a user has been > authenticated simply because a TLS session is being resumed. Even if > a session is being resumed, an EAP server MAY have policies which > still force the inner authentication methods to be run. For example, > the users password may have expired in the time interval between first > authenticaction, and session resumption. > > The guidelines given here therefore describe situations where an EAP > server is permitted to allow session resumption, not where it is > required to allow session resumption. An EAP server could simply > refuse to issue session tickets, or could run the full inner > authentication even if a session was resumed. > > Where session tickets are used, the EAP server SHOULD track the > successful completion of an inner authentication, and associate that > status with any session tickets issued for that session. This > requirement can be met in a number of different ways. > > One way is for the EAP server to simply not send any TLS > NewSessionTicket messages until the inner authentication has completed > successfully. The EAP server then knows that the existence of a > session ticket is proof that a user was authenticated, and the session > can be resumed. > > Another way is for the EAP server to simple discard or invalidate any > session tickets until after the inner authentication has > completed successfully. When the user is authenticated, a new TLS > NewSessionTicket message can be sent to the client, and the new ticket > cached and/or validated. > > Another way is for the EAP server to associate the inner > authentication status with each session ticket. When a session ticket > is used, the authentication status is checked. When a session ticket > shows that the inner authentication did not succeed, the EAP > server MUST run the inner authentication method(s) in the resumed > tunnel, and grant only access based on the success or failure of those > inner methods/ > > However, the interaction between EAP implementations and any > underlying TLS library may be complex, and the EAP server may not be > able to make the above guarantees. Where the EAP server is unable to > determine the users authentication status from the session ticket, it > MUST assume that inner authentication has not completed and it MUST > run the inner authentication methods in the resumed tunnel before > granting access. > > > This issue is not relevant for EAP-TLS, which uses client certificates > > for authentication. It is only relevant for TLS-based EAP methods > > which do not use the TLS layer to authenticate > > > > > > [Joe] SInce TLS 1.3 allows for client authentication at anytime, but > EAP-TLS only allows it during the initial handshake change the first > sentence to: > > > > This issue is not relevant for EAP-TLS, which only uses client > certificates for authentication > > in the TLS handshake. > > Sure. > > Alan DeKok. > >
- [Emu] Roman Danyliw's No Objection on draft-ietf-… Roman Danyliw via Datatracker
- Re: [Emu] Roman Danyliw's No Objection on draft-i… Alan DeKok
- Re: [Emu] Roman Danyliw's No Objection on draft-i… Joseph Salowey
- Re: [Emu] Roman Danyliw's No Objection on draft-i… Alan DeKok
- Re: [Emu] Roman Danyliw's No Objection on draft-i… Joseph Salowey