Re: [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
Alexander Clouter <alex+ietf@coremem.com> Sun, 03 March 2024 19:05 UTC
Return-Path: <alex+ietf@coremem.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5476FC14F5FB; Sun, 3 Mar 2024 11:05:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="tIKv56/o"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="YDMkIwcV"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vys3JISolQ4j; Sun, 3 Mar 2024 11:05:35 -0800 (PST)
Received: from fhigh4-smtp.messagingengine.com (fhigh4-smtp.messagingengine.com [103.168.172.155]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 829D4C14F5F9; Sun, 3 Mar 2024 11:05:35 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfhigh.nyi.internal (Postfix) with ESMTP id 7F65011400E8; Sun, 3 Mar 2024 14:05:34 -0500 (EST)
Received: from imap46 ([10.202.2.96]) by compute3.internal (MEProxy); Sun, 03 Mar 2024 14:05:34 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1709492734; x=1709579134; bh=Bz/vT9SVxV jESPYR09u7jrmF035yaXBK5WK7yB8mduw=; b=tIKv56/oJFcWE1zUCYM4IiureX OQkMAknd3iRNFLcT/k0xSiu1KhfU4nGwNrI4GyxqytCqAj+5gdK+Gw/MR4SmekWO dYEuuWVoV99q1UqwqoXC9QeZl6no05oRTbZhSQ6WH1XO6te7/uWXTboE5ktmaft6 xfGtUI7BYGFifHy67hdZHhXRNQ4m8dUN+BvoFwauinGi1SLaxVhJcwm4vvPPieJI X6++bcuKlhohzLxnI+o1aXsT0rAvURL4nkGNySG3XInqSfMCLRsetNh1cUiwzZPC 8TtH8twJNK6loPxoTfbJqQ015Vz3PdRfcaGR2JnXwDkQsnIYVUy5V47rRurw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1709492734; x=1709579134; bh=Bz/vT9SVxVjESPYR09u7jrmF035y aXBK5WK7yB8mduw=; b=YDMkIwcVWyraaw9bNaBQEgiK0Bju6vu/UYHP2OBKRBGx qpRmPAiTvPFAxmjFpKFm7qAUosRSgg4yNwdYY/tRhBzBM48yzTv2H6S6v/lYzKCt aWfMOddNSxgF8U52pZdO0d3iIVzit/ZvvllhpsaRl/sqBMPapFgwDas47MWkFmzZ 7zlVkTuXOQeT8bUyWPDmhTNkrDllwSI7c+KYU7RQtNNlfhzHXzRVVTTf97NJr2Yb ZrJH20UMqjxqaGfPpCn1ykMYwN5SqKsiw+V2ZvqWpyrnvBD5jkSHTRV9p56NnGE4 Idsw5NJTMZI9DW/xVGb0ExHVNSoCfy0mBLdO6TAyCw==
X-ME-Sender: <xms:_snkZcdXhQ578IzBTTmYE2O-BhMvLkpX9wWIkBhcAIjK1vjknbEYkw> <xme:_snkZeNFDcHEV1t5ZkTpI0d1lAQYiT-fu6OXTHb8EKjeD414HLvR9rcnWtw8Cgbly cPQxX12S1I7Ns4BYQ>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrheehgdduudelucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvfevufgtsehttdertderredtnecuhfhrohhmpedftehl vgigrghnuggvrhcuvehlohhuthgvrhdfuceorghlvgigodhivghtfhestghorhgvmhgvmh drtghomheqnecuggftrfgrthhtvghrnhepveegheejueevkeevvdfhheeuudefheegudeu tdelleeiteehgeffieettddugfdunecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrg hmpehmrghilhhfrhhomheprghlvgigodhivghtfhestghorhgvmhgvmhdrtghomh
X-ME-Proxy: <xmx:_snkZdgLFV6xVMJFXog-CtUv_CAs9jxoravAsn2951Yi5bI92OnwQg> <xmx:_snkZR-HnXcjp0LLOdisMfXajnZKsML9GGNz5-HVqn3qXEwN9LF3tg> <xmx:_snkZYsmUCQE1s0CxDa8Vb62xHm7Gp9stn2kELWHKWJ4B691ZioeOA> <xmx:_snkZSV-TzOg7r9Z7zv3n8vad6hvK7I1AahRzALqafShfCyfV1vDEQ>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 449602A2008B; Sun, 3 Mar 2024 14:05:34 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-205-g4dbcac4545-fm-20240301.001-g4dbcac45
MIME-Version: 1.0
Message-Id: <c7a59cf9-b5f0-40bf-9c9b-496fdf89484a@app.fastmail.com>
In-Reply-To: <2A5A060E-241C-433E-A281-037BA1D53437@deployingradius.com>
References: <170934966282.22720.15728977796194077360@ietfa.amsl.com> <2A5A060E-241C-433E-A281-037BA1D53437@deployingradius.com>
Date: Sun, 03 Mar 2024 19:05:14 +0000
From: Alexander Clouter <alex+ietf@coremem.com>
To: Alan DeKok <aland@deployingradius.com>, David Mandelberg <david@mandelberg.org>
Cc: secdir@ietf.org, draft-ietf-emu-rfc7170bis.all@ietf.org, EMU WG <emu@ietf.org>, last-call@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/s-UhMVKxLfVs-l9eNIqQj6QmO14>
Subject: Re: [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Mar 2024 19:05:40 -0000
On Sun, 3 Mar 2024, at 15:52, Alan DeKok wrote: >> If not, then in theory a MITM might be able to remove the last >> server-to-peer outer TLV and prepend it to the peer-to-server TLVs, or vice >> versa, and the MAC would be the same. However, each side knows which outer TLVs >> it sent before the MITM modified it, so I don't think this could accomplish >> anything in practice? > > The server calculates the compound MAC using the outer TLVs it sent, > and the outer TLVs it received from the peer. > > The peer calculates the compound MAC using the outer TLVs it sent, > and the outer TLVs it received from the server. > > As a result, and modification in transit is detected, because the > compound MAC will not be the same. Took me a moment to figure out what David was pointing to but I think you are incorrect. In Section 5.3 (Computing the Compound MAC), you are calculating the MAC through blind concatenation and there is no machinery in there to distinguish "this bit was in the server->peer" and "this bit was in the peer->server"; unfortunately if only a NUL byte has been used to join the concatenation it could have fixed this. So the idea is an attacker could strip off the *last* Outer-TLV and instead graft it as an Outer-TLV to the following packet in the opposite direction. The MACs would then match. My proposal would be to just use a dummy (marked optional) Outer-TLV that would be ignored by the other end to avoid this problem; sort of like GREASE...but to fix an insecurity instead. Cheers
- [Emu] Secdir last call review of draft-ietf-emu-r… David Mandelberg via Datatracker
- Re: [Emu] Secdir last call review of draft-ietf-e… Alexander Clouter
- Re: [Emu] Secdir last call review of draft-ietf-e… David Mandelberg
- Re: [Emu] [secdir] Secdir last call review of dra… Alan DeKok
- Re: [Emu] Secdir last call review of draft-ietf-e… Alexander Clouter
- Re: [Emu] Secdir last call review of draft-ietf-e… Alan DeKok
- Re: [Emu] Secdir last call review of draft-ietf-e… Alexander Clouter
- Re: [Emu] Secdir last call review of draft-ietf-e… Alan DeKok
- Re: [Emu] Secdir last call review of draft-ietf-e… Alexander Clouter