IETF Logo Mail Archive

Re: [Emu] Issue 47 Certificate identity checks

Alan DeKok <aland@deployingradius.com> Mon, 12 April 2021 12:48 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 126693A1C70 for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 05:48:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ldolLjfgxu4R for <emu@ietfa.amsl.com>; Mon, 12 Apr 2021 05:48:09 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 96D473A1C6F for <emu@ietf.org>; Mon, 12 Apr 2021 05:48:09 -0700 (PDT)
Received: from [192.168.46.152] (24-52-251-6.cable.teksavvy.com [24.52.251.6]) by mail.networkradius.com (Postfix) with ESMTPSA id 974241DC; Mon, 12 Apr 2021 12:48:04 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.4\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com>
Date: Mon, 12 Apr 2021 08:48:03 -0400
Cc: EMU WG <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <950CF2A7-2C9A-4BAE-8EA2-0FC2DE3C740C@deployingradius.com>
References: <CAOgPGoArm2RdEN4V-L9XEUvOeG0Vs+58Zj_p3Y2yRY0aYsVV_A@mail.gmail.com>
To: Joseph Salowey <joe@salowey.net>
X-Mailer: Apple Mail (2.3608.120.23.2.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/kk4Zvxtg6xYREeIAZA3NFsaYa_k>
Subject: Re: [Emu] Issue 47 Certificate identity checks
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 12:48:14 -0000

On Apr 11, 2021, at 11:19 PM, Joseph Salowey <joe@salowey.net> wrote:
> RFC 5216 lacks guidance on how to validate the EAP server's certificate especially with respect to identities.

  Yes.  :)

> RFC 5216 recommends validating the certificate path is valid and that the extended key usage attributes are either not present, allow for any usage or allow for TLS server usage.   This creates an issue that if the same truest root is used for EAP TLS and for other TLS server usage that any TLS server will be able to extend its privilege and behave as an EAP server.   The following recommendations are made for implementations and deployments to avoid this problem.

  One of my colleagues, Arran Cudbard-Bell wrote a cute tool a few years ago.  It would pretend to be a WiFI hotspot.  Then when systems tried to do EAP, it would strip the realm from the EAP identity.  It would then, use HTTPS to connect to a web server for that realm, and download that HTTPS server cert.  That cert would then be cloned under a new "self signed" CA, and the cloned cert presented to the user.

  The only real difference between the "real" and "fake" certs was the root CA / trust anchor.

  So yes, this is a real issue.  Even in a trusted environment, a web server admin can set up a WiFi hotspot using the HTTPS server cert.  This seems wrong.

> 1. EAP TLS Peer implementations SHOULD allow for configuration of names to match against SANs of type DNS name that are authorized to act as EAP-TLS servers. 

  Given the above attacks, I'm not sure that this helps.

> 2. CAs MAY issue certs to EAP Servers that specify the id-kp-eapOverLAN EKU specified in RFC 3770.  EAP TLS peer implementations SHOULD allow for the configuration to require the id-kp-eapOverLAN EKU for validation of EAP server certificates.  

  That's good, but as discussed previously on this list, it's essentially impossible to get those certs from public CAs.  Claims of "just start your own public CA" notwithstanding, the only practical way to do it is with a private CA.

> 3. If the above options are not available then separate trust roots need to be used to issue certificates for EAP-TLS server and for TLS servers.  EAP TLS peer implementations MUST allow for configuration of a unique trust root to validate the server's certificate.  
> 
> EAP-TLS peer implementations SHOULD provide ways to automate the configuration of the information necessary for the validation of the certificate.  

  After looking into this in some depth, the only real thing you can depend on is the CA.  If the CA is trusted, nothing else matters.  If the CA is not trusted, then nothing else matters.

  i.e. for any kind of increased security you'd like to add to EAP-TLS, you can almost always find a scenario where that security forbids real-world use-cases we'd like to support.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email