Re: [Emu] System level forward secrecy for EAP+AAA
Alan DeKok <aland@deployingradius.com> Sun, 09 April 2023 18:56 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: emu@ietfa.amsl.com
Delivered-To: emu@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E931EC17A743 for <emu@ietfa.amsl.com>; Sun, 9 Apr 2023 11:56:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JyyOo6SrOCDI for <emu@ietfa.amsl.com>; Sun, 9 Apr 2023 11:56:39 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DB9AC1782D7 for <emu@ietf.org>; Sun, 9 Apr 2023 11:56:38 -0700 (PDT)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id B5B5B562; Sun, 9 Apr 2023 18:56:31 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <AS5PR07MB96931A38EECF28228F4A29EAF0949@AS5PR07MB9693.eurprd07.prod.outlook.com>
Date: Sun, 09 Apr 2023 14:56:29 -0400
Cc: "emu@ietf.org" <emu@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <F75119F7-35BB-4117-AD59-50E74924DB31@deployingradius.com>
References: <AS5PR07MB96931A38EECF28228F4A29EAF0949@AS5PR07MB9693.eurprd07.prod.outlook.com>
To: Karl Norrman <karl.norrman=40ericsson.com@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/uJDDqhwN_fP2NyuDkai-acDrVd4>
Subject: Re: [Emu] System level forward secrecy for EAP+AAA
X-BeenThere: emu@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/emu>, <mailto:emu-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/emu/>
List-Post: <mailto:emu@ietf.org>
List-Help: <mailto:emu-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>, <mailto:emu-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Apr 2023 18:56:44 -0000
On Apr 9, 2023, at 2:06 PM, Karl Norrman <karl.norrman=40ericsson.com@dmarc.ietf.org> wrote: > Is there any RFC to reference for forward secrecy for the EAP+AAA framework, which gives recommendations for preventing the attack below? > > Many RFCs for EAP methods and AAA contain various recommendations regarding forward secrecy, but I did not find any that gives concrete guidance to prevent the following attack on forward secrecy for the established session key. The attack seems applicable regardless of EAP method used. > > 1. Adversary records all traffic between EAP server S and pass-through authenticator A even though it is protected by IPsec or TLS. In particular, the adversary records the traffic containing the session key sk that is passed from S to A after successful completion of the EAP run. If the AAA transport isn't secured, then anyone can observe EAP traffic, or the location, "obfuscated" passwords, etc. The attacks are described in some detail in https://datatracker.ietf.org/doc/draft-dekok-radext-deprecating-radius/. If the AAA traffic is protected by IPSec or TLS (as is commonly done), then the EAP traffic can only be observed by (a) radio-level sniffing of supplicant to AP traffic, or (b) trusted parties in the AAA framework. The one remaining attack is if the AAA systems use TLS without a method providing PFS. In which case anyone capable of recording all of the traffic on the net can do so, and then crack the session keys at their leisure. > 2. Session using sk expires and all involved parties delete sk. > > 3. Adversary now compromises S and obtains its long-term key. If the EAP method provides forward secrecy, this does not help the adversary get to sk. So, there is forward secrecy w.r.t. the long-term key. However, it is not inconceivable that the adversary at the compromise also gets hold of the session keys for IPsec/TLS, at least for some deployments. If IPsec/TLS has not been rekeyed since step 2, then the adversary can use the IPsec/TLS session key to decrypt the traffic recorded in step 1 and obtain sk. That is, the sk is not forward secure in practice on a system level. i.e. if TLS doesn't use PFS, and EAP methods don't use PFS, then sessions can be compromised. > To protect against the attack, one can for example update the keys for long-termed IPsec/TLS sessions after every EAP handshake, Is that for AAA sessions? I'd agree that EAP methods should provide PFS. TLS does this for TLS-based EAP methods via RFC7525, etc. My confusion is that EAP doesn't use IPSec. Connections between AAA systems might use IPSec or TLS, but those connections are 100% independent of the data which they transport. AAA servers will not change the status of inter-AAA connections based on snooping the contents of AAA traffic. > or for TLS maybe even run a new handshake for every EAP run. For a more relaxed version of forward secrecy, one can do key updates at regular intervals. The AKE establishing keys for IPsec/TLS must also be forward secure w.r.t. its long-term keys. > > I plan to add such recommendations to draft-ietf-emu-aka-pfs, but it seems wrong that such recommendations should be in individual EAP methods RFCs. It seems a better fit for a more general EAP/AAA document that implementors of any EAP method would read. I'm trying to understand the attack here. I'm not sure how EAP has anything to do with IPSec or AAA transport. EAP doesn't use IPSec, and AAA transports aren't affected by EAP. What I understand as as the problem is: a) people snooping supplicant -> AP traffic can attack an EAP session b) AAA systems can snoop all EAP traffic that they forward this is pretty much by design, as AAA does not provide for end-to-end security. c) AAA systems not using PFS are vulnerable to an attacker who can snoop the traffic, and crack it at their leisure. TLS/IPSec makes this a bit harder against an attacker with few resources. UDP/TCP transport is not recommended when AAA traffic sent across insecure networks. Alan DeKok.
- [Emu] System level forward secrecy for EAP+AAA Karl Norrman
- Re: [Emu] System level forward secrecy for EAP+AAA Alan DeKok
- Re: [Emu] System level forward secrecy for EAP+AAA Karl Norrman
- Re: [Emu] System level forward secrecy for EAP+AAA Alan DeKok
- Re: [Emu] System level forward secrecy for EAP+AAA Karl Norrman
- Re: [Emu] System level forward secrecy for EAP+AAA Alan DeKok
- Re: [Emu] System level forward secrecy for EAP+AAA josh.howlett
- Re: [Emu] System level forward secrecy for EAP+AAA Karl Norrman
- Re: [Emu] System level forward secrecy for EAP+AAA Alan DeKok
- Re: [Emu] System level forward secrecy for EAP+AAA Karl Norrman
- Re: [Emu] System level forward secrecy for EAP+AAA Heikki Vatiainen