Re: [Emu] I-D Action: draft-ietf-emu-aka-pfs-06.txt
John Mattsson <john.mattsson@ericsson.com> Tue, 12 April 2022 11:25 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5035F3A1B57; Tue, 12 Apr 2022 04:25:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.11
X-Spam-Level:
X-Spam-Status: No, score=-2.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xNGlLyN365ZR; Tue, 12 Apr 2022 04:25:11 -0700 (PDT)
Received: from EUR01-VE1-obe.outbound.protection.outlook.com (mail-ve1eur01on0618.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe1f::618]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BE213A1B55; Tue, 12 Apr 2022 04:25:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=MmmTuldNznJ34ikYDBQ3lMU4fXNsMUMKClsA1hB43u5LPgVO3l1l/qlNEEw9uE1nNquGybGO91vlcVY5tOoqhA7W09tcIp5giV4E+vnnLX47BEUcYNy2zxqUKDy/ZlZzIXVqpxDKtf4xWwrhWCRhERy6k326cqCEldQYl0NwVTQSLn8FgPr/iEagAv4lTqsN/zwQnqnxbdbSdObu25LDbkSIWyaLclyW15o2VVGS37RKGxd6C1KVF/Omap83vS6K9RuHjAZExObGhJux+Stf0LZaPawkaGeq2rT4MVIgWBj6QGhcWrAqccqFRkl3H5fMOsu9bcCEirhnBMUieYlMPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=WuUj+Ic5o1UCYm8dIc+ZlUzC/NajIwFE8yyVDnQGJvM=; b=WsSIq/J197mkIF00yogM/oE9jcZdV/8kZOp8z5FgblAr1Kr9NpfPYSx0+I3+XKohRJAiD6i/y1BxsTG74IjsWRzW89JwiBTb+ezZuyCai1akmWxmOi8LYDC8UHCnMSdjO+tAuNZF/on7OOdpRk3XGCiNbuu2jBS9MPoP2NVeEOCxrTVxLKTvis6b5G8NWUyWB9y16PkcFu4po8N+jn6hB2DnmNQ6eLTBHIZqZRMe2v6b6YxzVfTSYm6991KGWv1J8MBNvGNDiKWunxWz4Folgi452KMo3HlQP7lv/M53bbbBp9PworLnsNoxnwMiDXdWpDHKc4AC4xu9mixhaIG+UA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WuUj+Ic5o1UCYm8dIc+ZlUzC/NajIwFE8yyVDnQGJvM=; b=jypXvhIVG1jTVtsxryxgpvoAfsW4HOts5LwPaYSRK6nBSoLssKJsltKiP/D1WZ1SSZ6eU6d+F1zJVXz8W2MR/40bqKqG1CXkrEtcr7B1LoXdp95sAGLhgJllE2VYQClYsZcB49a38szB/Z8CqL8HPS3XHpCSI+LlJXF+nN6B3ic=
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) by VI1PR0701MB3038.eurprd07.prod.outlook.com (2603:10a6:800:88::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5164.18; Tue, 12 Apr 2022 11:25:05 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::4497:cc6f:ea36:f029]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::4497:cc6f:ea36:f029%12]) with mapi id 15.20.5164.018; Tue, 12 Apr 2022 11:25:04 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: "emu@ietf.org" <emu@ietf.org>, "i-d-announce@ietf.org" <i-d-announce@ietf.org>
CC: "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] I-D Action: draft-ietf-emu-aka-pfs-06.txt
Thread-Index: AQHYMmkk8LbQNbGKZkawjxMEwt+aaazsT0JT
Date: Tue, 12 Apr 2022 11:25:04 +0000
Message-ID: <HE1PR0701MB3050D6679312CEB364BB325F89ED9@HE1PR0701MB3050.eurprd07.prod.outlook.com>
References: <164668796282.9939.7469210271014040672@ietfa.amsl.com>
In-Reply-To: <164668796282.9939.7469210271014040672@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=ericsson.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 310d07cf-d016-4d42-0a26-08da1c7717a4
x-ms-traffictypediagnostic: VI1PR0701MB3038:EE_
x-microsoft-antispam-prvs: <VI1PR0701MB3038811DF8FE57CFED86EA0089ED9@VI1PR0701MB3038.eurprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: aId4y8ckizK8YwYy36jKLV1gDdx9TdtCG+68qmOSqf8dWWbpZsaJpQXMoBfzjRDCZjzEEkEpazBAyvgA0DxvbBrDTthyHAMVXcd1tWL5rcUei+KlAMohl+eUBmN31wYLZXRa2Kgu2c6EkC8gJm9Rq6IrQlb6FGsTeMkGs4Zt/0AUVn7dPrG6pF7Vjq/e69Mxs0TUanldyLXNtP63TjWdZqyvX27KF8gWjsgMmgWsljDIe/V40vduG0W6pKj/1Pe8/Jgogg7knejfLKTn+di4kyUz3sHtELuOgURCQV+vDoGB1f1OyHa6E8pjzp3mSoUs6L09FoV923hLGYnW+gUrOrR8M1aIs6VQE8Tj+FF1c7DH19BZNEXNejPGB15mBfkSYTC+54sM2PMwsyZOjCO1YtuhNBvTb23zf/5OvBAdLLEFM7h0TGzqw/r908FSmNKo0tpjGqQgeRB+6rigEupwSms1HnBpFwEiw51qoBQjr9D1DMM0aop0gNfNcR1+KWvFRoRUe17Cba5gJQ43xXQmWfqv+c9APc3t3Mq2fBN96JirFGyRMRTRLsozfB4YDoaFlOFGoIztAcxC9N86gLPWmjwzHfejozWPryOU/7pvtC+gRyAz+o8DmFTstIG5+g20CobMJCPtvwjw6XNRGv7zzD/LbyVRpa+tc84D3SvrehVRy7A0A3qcCz45JW+hpNR0PzuVM4fNdJFHkSDoyfXDSgQH7Pr2MX3jeDw0lh6Cr828Mzir2ZGTJ18cRj2Ri9fuwcyLWnO5h4B/+5mTYiWRWufc4owzekWWOEvR0/Lhf81w3+7cVbKYmRJ2jKc1Yz2JJNBC7WAAp5Fk3yz3xcrCtgFbR5Uh7m3Cvt9Jx2pHxOx3I+JXL7I8RKyBuyeOCArk
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230001)(4636009)(366004)(5660300002)(53546011)(33656002)(44832011)(76116006)(55016003)(91956017)(7696005)(6506007)(2906002)(450100002)(38070700005)(71200400001)(83380400001)(110136005)(186003)(9686003)(66574015)(316002)(38100700002)(122000001)(166002)(82960400001)(508600001)(966005)(8936002)(86362001)(66946007)(52536014)(66556008)(66446008)(8676002)(64756008)(66476007)(4326008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 2
x-ms-exchange-antispam-messagedata-0: Dyrvvc8Mla+hcv5i6q5g8eSWCFu7evoMvSoZzjHnTXqYYU01KDoNL1/9guwJSTiz2yG3yPK7tC80p4ij/qtPtMqlpOGYYIrapBcetGogS3Ycjtn74EvAr5IXUAGr5yGan+zQJXh46TyjX0qkzzIJP1NwIfUMB+08jWv6sTUzLivyWXNba8pfeUvqLkdbaF5O18ELgEN7/B8Qsy+Ual/k7/0P0khxZRQLfFkEEWoxg5wrt0QgzlZxR49cSbcaTjk1igqyBc+99nSzYyJwI+TrxVWuuD7sx/J4ejca8KRiGQYf+ynl2izyIsUJCnh0NJY9ZuHFOmiLq+FLEcrU5i04l8OlsAx7eZiBCrYgH1wx04VwuJqqMGEIZP/V2wYFDUlMLwBGaDDrxpRbsXyHfEaxggAYA6ENXDUUG/8X1eW1Rj6SbhVzgP0i8zD8pn4ClOtKRbhOAGDTh6OTFGAl8bnzC32BjJJVaMOw2at7hlaoq43EaUwqUITQQXh2+ugyx3hB6CvkT/XBu/HfUlAnOwnHC4RMZ8uZ2vymMBMMiYPCY5ccocoSwjlkob6ngnJ7MNg+DqmkaA8XmNMYae/S/0rClSJpegqqD3+iEsAl07DUZad62d830sSt7f6C10fpcTsdWrW7CU1khsPLviWUwqWEEBl4oSqDn3f3HgAXd/C0LIor2vAV+5LtxezOzk1lGjjvqJ1fqyaik9KzqYBD11QnEQpwRsTINBGHJkSejIjH7SGZ0cu3uFFNSpaQ/0rSIGFUbJLkD3k6B6qTVnpKh4DIMf/scWgVSQXg5evyPAf4u+52eSVewyhGIbxt1JhhOB+a9HOtZZ9msCHmuc37EG8kM55CqrNTefFcdPk04qLTuIS/ndRi3WdCzF7m9jXiMqVae8ILJ97+N8/C7OXgpowL6MpZJRB1vNv8K1+kShjyUTdsBLGwus9jMuRM9B0EecuEleJ+pA51I4LI5kgfIUcrCvYASz5It4O386nlCtK4OqBYXR9I072KiDwlcJVaFA5z8ILv3Ly1pPYLl0guTLT3MO71CxCT6gqIgtzpGYqKDSolOyRPnZuBDoP1jufGLJ/9UFHqZiLPVotC73MsRaogmC1r2wwvnq92mew6og8XhbSLArD4TBMBf3XUT4zcqXpO7qSYzGxHTbYzlfrWtqguyG5NBYAXokE3PVRAPV+J5cc+Oe8jWiA2U+zuYU2Wd2U5RPEvSHDHc7qrcJ5roFwIjPVIBpTlrPO53xo/EEYx0FXMQK2dd6K7YYDYq7VJvxCqtYdbVR9QA+zdgNlSRBv77jKAxwB8/WGpD1nPrFGP4sEHLrXwUJ86tAkNm7OdbOMqZ7VYChTgEHy9n0la5AQ7R51YvGNKgdO9rUhSGUCzwi5o1gGFFA21p0OqJi+ocX4cefLQkaB37R1lCGDQA5UbQWuHll5XOobMZFPOD2Bjh0MYozqeUtjYmHWLHi805hgApl1ywB65VyGAwAKHz1pGAgvwoNOI9QmbjT5Jco0ZLpCFljZ10Ugzuupr4CeaWHYzEF47Qmpx3OU7kRYo8W7vMPCux6IR99w3rirFjmNY8RnONRpGi35C2VWOmMqwtT+LzOBhXKyo1hNoeNOOXiwVs9LeU37q2d30V8PfSR94GTdSc0pH8kct78AHMDnYVNEE+2V4IcnlBH8IzMGlYkByWvgr8we+qQ+Isn5ImjZJ25CuiDvj8LeIhiJvl9fKBjHFHM41GglYThTsG05R9BftEQGrJcRAhuWjuIaOR8MwQZnLCnHVftV1dIyZ3eQ3UxaI6nLcXX4J
x-ms-exchange-antispam-messagedata-1: 2+LMv+1MgIHh5rcsKWxZY3dfEJbJqXM3cpJ7ZPsfxxwvmm5tSeO3Dipc
Content-Type: multipart/alternative; boundary="_000_HE1PR0701MB3050D6679312CEB364BB325F89ED9HE1PR0701MB3050_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 310d07cf-d016-4d42-0a26-08da1c7717a4
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Apr 2022 11:25:04.3878 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: IwGEpRqsSkK7DVdYkoPP+2mZUBO2iB8W5M9QBUhUXy0ABSkdTnEANoKlZ590RTktLk7nXuP+ggjxgIAtAa9Nna0d1pK3ZtVznU9/xj86Rm4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB3038
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/kb5w7PV13WWHKJ99oiOYNG_enus>
Subject: Re: [Emu] I-D Action: draft-ietf-emu-aka-pfs-06.txt
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2022 11:25:16 -0000
Hi,
I read through the high level parts of the draft and have following comments:
- "compromising smart cards"
Not sure the attacks actually attacked the smart cards. I suggest reformulating this as
"compromising the smart card supply chain".
- I think the draft should mention zero-trust. Suggestion to add the following text:
"Always assuming breach such as key compromise and minimizing the impact of breach are essential zero-trust principles. Forward secrecy is therefore a requirement for zero-trust"
- I think the draft should add mandatory client identity protection. EAP-TLS 1.3 (RFC 9190) has the following requirement, which makes a lot of sense:
"A client supporting TLS 1.3 MUST NOT send its username
(or any other permanent identifiers) in cleartext in the Identity
Response (or any message used instead of the Identity Response)."
I think mandatory to use client identity protection should be a requirement in all
future EAP methods. I suggest adding similar text:
"A client supporting EAP-AKA' FS MUST NOT send its username
(or any other permanent identifiers) in cleartext in the Identity
Response (or any message used instead of the Identity Response)."
- "or turn off FS."
I think the draft should have a recommendation to long term completely phase out AKA without FS. Best practice security today is very clearly to mandate FS for this type of access authentication (as is done in WPA3, EAP-TLS 1.3, EAP-TTLS 1.3, etc).
- I think the description of consequences of key compromise can be improved. My summary would be:
"If a mechanism without forward secrecy (5G-AKA, EAP-AKA’) is used the effects of key compromise are devastating. The serious consequences of breach somewhere in the supply chain or after delivery that are possible when 5G-AKA or EAP-AKA' is used but not when something with forward secrecy like EAP-AKA-FS is used are:
1. A passive attacker can eavesdrop (decrypt) all future 5G communication (control and user plane both directions).
2. A passive attacker can decrypt 5G communication that they previously recorded in the past (control and user plane both directions).
3. An active attacker can impersonate UE and Network and inject messages in an ongoing 5G connection between the real UE and the real network (control and user plane both directions).
4. An active attacker modify messages (block real message and send new modified message) in an ongoing 5G connection between the real UE and the real network (control and user plane both directions)."
I think only 1. is described in detail. At least 2. And 3. deserves a detailed explanation.
- I think the draft should have security considerations on the limits of forward secrecy and why frequent use of Diffie-Hellman (i.e. frequently rerunning EAP-AKA' FS) provides even better security and privacy against key compromise. The following text written by me was just added to RFC8446bis. Could be a basis for
text added to EAP-AKA' FS.
"Forward secrecy limits the effect of key leakage in one direction (compromise of a key at time T2 does not compromise some key at time T1 where T1 < T2). Protection in the other direction (compromise at time T1 does not compromise keys at time T2) can be achieved by rerunning EC(DHE). If a long-term authentication key has been compromised, a full handshake with EC(DHE) gives protection against passive attackers. If the resumption_master_secret has been compromised, a resumption handshake with EC(DHE) gives protection against passive attackers and a full handshake with EC(DHE) gives protection against active attackers. If a traffic secret has been compromised, any handshake with EC(DHE) gives protection against active attackers. Using the terms in {{RFC7624}}, forward secrecy without rerunning EC(DHE) does not stop an attacker from doing static key exfiltration. After key exfiltration of application_traffic_secret_N, an attacker can e.g., passively eavesdrop on all future data sent on the connection including data encrypted with application_traffic_secret_N+1, application_traffic_secret_N+2, etc. Frequently rerunning EC(DHE) forces an attacker to do dynamic key exfiltration (or content exfiltration)."
Cheers,
John
From: Emu <emu-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Date: Monday, 7 March 2022 at 22:20
To: i-d-announce@ietf.org <i-d-announce@ietf.org>
Cc: emu@ietf.org <emu@ietf.org>
Subject: [Emu] I-D Action: draft-ietf-emu-aka-pfs-06.txt
A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the EAP Method Update WG of the IETF.
Title : Forward Secrecy for the Extensible Authentication Protocol Method for Authentication and Key Agreement (EAP-AKA' FS)
Authors : Jari Arkko
Karl Norrman
Vesa Torvinen
Filename : draft-ietf-emu-aka-pfs-06.txt
Pages : 26
Date : 2022-03-07
Abstract:
Many different attacks have been reported as part of revelations
associated with pervasive surveillance. Some of the reported attacks
involved compromising smart cards, such as attacking SIM card
manufacturers and operators in an effort to compromise shared secrets
stored on these cards. Since the publication of those reports,
manufacturing and provisioning processes have gained much scrutiny
and have improved. However, the danger of resourceful attackers for
these systems is still a concern.
This specification is an optional extension to the EAP-AKA'
authentication method which was defined in [RFC9048]. The extension,
when negotiated, provides Forward Secrecy for the session key
generated as a part of the authentication run in EAP-AKA'. This
prevents an attacker who has gained access to the long-term pre-
shared secret in a SIM card from being able to decrypt any past
communications. In addition, if the attacker stays merely a passive
eavesdropper, the extension prevents attacks against future sessions.
This forces attackers to use active attacks instead.
The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-emu-aka-pfs/
There is also an htmlized version available at:
https://datatracker.ietf.org/doc/html/draft-ietf-emu-aka-pfs-06
A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-aka-pfs-06
Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
- [Emu] I-D Action: draft-ietf-emu-aka-pfs-06.txt internet-drafts
- Re: [Emu] I-D Action: draft-ietf-emu-aka-pfs-06.t… John Mattsson