[Emu] TEAP time again: Result and Intermediate and crypto binding TLVs with no inner EAP methods

Eliot Lear <lear@lear.ch> Wed, 05 October 2022 16:42 UTC

Message-ID: <3a0ecc89-ed32-b954-5150-b8a6d768090b@lear.ch>
Date: Wed, 05 Oct 2022 18:42:24 +0200
To: EMU WG <emu@ietf.org>
From: Eliot Lear <lear@lear.ch>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/wdn4LaYSmSvpHCTlIb4iszeJpCg>
Subject: [Emu] TEAP time again: Result and Intermediate and crypto binding TLVs with no inner EAP methods

Hi everyone,

Picking up on some TEAP work again.

TL;DR: need clarity on how crypto-binding TLVs work when there is no inner 
EAP method.  Also note the use of Request-Action.

Key questions: what value to pass for EMSK and MSK in crypto binding 
response when there is no inner method?  Zeros?

Also, can the flags indicate that there is no EMSK or MSK?  This would 
solve our first problem.

Finally, are we cool piggybacking Result and Crypto-binding on a PKCS#7 TLV?

Flows follow:

Use case 1:

Device just wants to use TEAP in the same way one would use EAP-TLS.  
This would be what I would call "normal operations". That is, we would 
expect something along the following lines:

      ,----.                ,------.
      |Peer|                |Server|
      `-+--'                `--+---'
        |    1 EAP-Request/    |
        |    Identity          |
        | <---------------------
        |                      |
        |    2 EAP-Response/   |
        |    Type=Identity     |
        | --------------------->
        |                      |
     ,----------------------------!.
     |Section 3.2                 |_\
     `------------------------------'
        |   3 EAP-Request/     |
        |   Type=TEAP,         |
        |   TEAP Start,        |
        |   Authority-ID TLV   |
        | <---------------------
        |                      |
        |   4 EAP-Response/    |
        |   Type=TEAP,         |
        |   TLS(ClientHello)   |
        | --------------------->
        |                      |
        |  5 EAP-Request/      |
        |  Type=TEAP,          |
        |  TLS(ServerHello,    |
        |  ServerKeyExchange,  |
        |  ServerHelloDone)    |
        | <---------------------
        |                      |
        |  6 EAP-Response/     |
        |  Type=TEAP,          |
        |  ClientKeyExchange,  |
        |  CertificateVerify,  |
        |  ChangeCipherSpec,   |
        |  Finished)           |
        | --------------------->
        |                      |
     ,----------------------------!.
     |Section 3.3.3               |_\
     `------------------------------'
        | 7 EAP-Request/       |
        | Type=TEAP,           |
        | TLS(ChangeCipherSpec,|
        | Finished),           |
        | Result TLV,          |
        | Crypto-Binding TLV   |
        | <---------------------
        |                      |
        |  8 EAP-Response/     |
        |  Type=TEAP,          |
        |  Result TLV,         |
        |  Crypto-Binding TLV  |
        | --------------------->
        |                      |
        |     9 EAP-Success    |
        | <---------------------
      ,-+--.                ,--+---.
      |Peer|                |Server|
      `----'                `------'

Note the lack of an Intermediate Result TLV, because the text states 
that Intermediate Results are only required upon completion of an inner 
EAP method.

The second use case involves the use of PKCS#10/PKCS#7 messages. We 
think that looks like this:

      ,----.                                             ,------.          ,--.
      |Peer|                                             |Server|          |CA|
      `-+--'                                             `--+---'          `+-'
        |                    EAP-Request/                   |               |
        |                    Identity                       |               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                   EAP-Response/                   |               |
        |                   Type=Identity                   |               |
        | -------------------------------------------------->               |
        |                                                   |               |
        |                  EAP-Request/                     |               |
        |                  Type=TEAP,                       |               |
        |                  TEAP Start,                      |               |
        |                  Authority-ID TLV                 |               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                  EAP-Response/                    |               |
        |                  Type=TEAP,                       |               |
        |                  TLS(ClientHello)                 |               |
        | -------------------------------------------------->               |
        |                                                   |               |
        |                 EAP-Request/                      |               |
        |                 Type=TEAP,                        |               |
        |                 TLS(ServerHello,                  |               |
        |                 ServerKeyExchange,                |               |
        |                 ServerHelloDone)                  |               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                 EAP-Response/                     |               |
        |                 Type=TEAP,                        |               |
        |                 ClientKeyExchange,                |               |
        |                 CertificateVerify,                |               |
        |                 ChangeCipherSpec,                 |               |
        |                 Finished)                         |               |
        | -------------------------------------------------->               |
        |                                                   |               |
     ,---------------------------------------------------------!.           |
     |Section 4.2.9                                            |_\          |
     `-----------------------------------------------------------'          |
        |         EAP-Request/                              |               |
        |         Type=TEAP,                                |               |
        |         TLS(ChangeCipherSpec,                     |               |
        |         Finished),                                |               |
        |         Request Action TLV(Status=Failure         |               |
        |         ,Action=Process-TLV,TLV=PKCS#10)          |               |
        | <--------------------------------------------------               |
        |                                                   |               |
     ,---------------------------------------------------------!.           |
     |Section 4.2.17                                           |_\          |
     `-----------------------------------------------------------'          |
        |                   EAP-Response/                   |               |
        |                   Type=TEAP                       |               |
        |                   {PKCS#10 TLV}                   |               |
        | -------------------------------------------------->               |
        |                                                   |               |
        |                                                   |    PKCS#10    |
        |                                                   | -------------->
        |                                                   |               |
        |                                                   |     PKCS#7    |
        |                                                   | <--------------
        |                                                   |               |
     ,---------------------------------------------------------!.           |
     |Section 4.2.16                                           |_\          |
     |Section 3.3.3                                              |          |
     `-----------------------------------------------------------'          |
        | EAP-Request/                                      |               |
        | Type=TEAP,                                        |               |
        | {PKCS#7 TLV,Crypto-Binding TLV,Result TLV=Success}|               |
        | <--------------------------------------------------               |
        |                                                   |               |
        |                Eap-Response/                      |               |
        |                Type=TEAP                          |               |
        |                {Crypto-Binding TLV,               |               |
        |                Result TLV=Success}                |               |
        | -------------------------------------------------->               |
        |                                                   |               |
        |                    EAP-Success                    |               |
        | <--------------------------------------------------               |
      ,-+--.                                             ,--+---.          ,+-.
      |Peer|                                             |Server|          |CA|
      `----'                                             `------'          `--'


Eliot
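The flows sketched in the mail, as an added example that is not part of Eliot's message or of any TEAP implementation: Python that frames the Result, Request-Action, PKCS#10 and Crypto-Binding TLVs, computes and checks a Compound MAC, and walks messages 7 and 8 of use case 1 (server binding request, peer verification and response). The CMK is taken as an input, so the example deliberately does not answer what feeds the key derivation when there is no inner method; it does show what the Flags nibble of the Crypto-Binding TLV signals on the wire, namely which Compound MAC fields are filled in, which is what the flags question above turns on. Assumptions to verify against RFC 7170 before relying on them: the TLV type codes are quoted from the TEAP TLV registry from memory; the MAC function is HMAC-SHA256 truncated to 20 octets, where the RFC ties the MAC to the TLS handshake; the request/response nonce rule (low bit clear in the request, echoed with the low bit set in the response) is my reading of the TLV definition; and `reenroll_request` models "Request-Action ... TLV=PKCS#10" as an empty PKCS#10 TLV carried inside the Request-Action TLV.

```python
# Added example, not from the mail or any TEAP stack: TEAP TLV framing for the flows above.
import hashlib
import hmac
import os
import struct

# Type codes as in the RFC 7170 TEAP TLV registry (quoted from memory: check IANA before relying on them).
TLV_RESULT, TLV_REQUEST_ACTION, TLV_CRYPTO_BINDING = 3, 8, 12
TLV_PKCS7, TLV_PKCS10 = 15, 16
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
ACTION_PROCESS_TLV = 1
CB_REQUEST, CB_RESPONSE = 0, 1        # Crypto-Binding Sub-Type
CB_FLAG_EMSK, CB_FLAG_MSK = 1, 2      # Flags: which Compound MAC field(s) are filled in
EAP_TYPE_TEAP = 55
ZERO_MAC = bytes(20)

def tlv(tlv_type, value, mandatory=True):
    """One TLV: M bit | R bit | 14-bit Type | 16-bit Length | Value."""
    hdr = (0x8000 if mandatory else 0) | (tlv_type & 0x3FFF)
    return struct.pack("!HH", hdr, len(value)) + value

def parse_tlvs(buf):
    """Return [(mandatory, type, value)]; a truncated header or an overlong Length is an error."""
    out, off = [], 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated TLV header")
        hdr, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("TLV Length runs past the end of the payload")
        out.append((bool(hdr & 0x8000), hdr & 0x3FFF, bytes(buf[off:off + length])))
        off += length
    return out

def result_tlv(status):
    return tlv(TLV_RESULT, struct.pack("!H", status))

def request_action_tlv(status, action, wanted):
    """Status and Action are one octet each, followed by the TLV(s) the sender wants processed."""
    return tlv(TLV_REQUEST_ACTION, bytes([status, action]) + wanted)

def reenroll_request():
    """Use case 2: Request-Action(Status=Failure, Action=Process-TLV) carrying an empty PKCS#10 TLV (assumed encoding)."""
    return request_action_tlv(STATUS_FAILURE, ACTION_PROCESS_TLV, tlv(TLV_PKCS10, b""))

def cb_value(flags, subtype, nonce, emsk_mac=ZERO_MAC, msk_mac=ZERO_MAC):
    """Reserved | Version=1 | Received Version=1 | Flags<<4 | Sub-Type | Nonce(32) | EMSK MAC(20) | MSK MAC(20)."""
    assert len(nonce) == 32
    return bytes([0, 1, 1, (flags << 4) | subtype]) + nonce + emsk_mac + msk_mac

def compound_mac(cmk, flags, subtype, nonce, outer_tlvs=b""):
    """MAC over the Crypto-Binding TLV with both MAC fields zeroed, then the EAP Type, then any Outer TLVs.
    Assumption: HMAC-SHA256 truncated to 20 octets (the RFC ties the MAC function to the TLS handshake)."""
    buf = tlv(TLV_CRYPTO_BINDING, cb_value(flags, subtype, nonce)) + bytes([EAP_TYPE_TEAP]) + outer_tlvs
    return hmac.new(cmk, buf, hashlib.sha256).digest()[:20]

def crypto_binding_tlv(subtype, nonce, cmk_emsk=None, cmk_msk=None, outer_tlvs=b""):
    """A flag bit is set only for a CMK the sender actually holds; the other MAC field is left zero."""
    flags = (CB_FLAG_EMSK if cmk_emsk else 0) | (CB_FLAG_MSK if cmk_msk else 0)
    if not flags:
        raise ValueError("no CMK available, nothing to bind")
    emsk_mac = compound_mac(cmk_emsk, flags, subtype, nonce, outer_tlvs) if cmk_emsk else ZERO_MAC
    msk_mac = compound_mac(cmk_msk, flags, subtype, nonce, outer_tlvs) if cmk_msk else ZERO_MAC
    return tlv(TLV_CRYPTO_BINDING, cb_value(flags, subtype, nonce, emsk_mac, msk_mac))

def verify_crypto_binding(value, cmk_emsk=None, cmk_msk=None, outer_tlvs=b""):
    """Return (ok, flags, nonce). Prefer the EMSK MAC when both sides have an EMSK-derived CMK,
    else fall back to the MSK MAC; a TLV that flags neither MAC as present cannot be verified."""
    if len(value) != 76 or value[1] != 1:
        return False, 0, b""
    flags, subtype = value[3] >> 4, value[3] & 0x0F
    nonce, emsk_mac, msk_mac = value[4:36], value[36:56], value[56:76]
    if flags & CB_FLAG_EMSK and cmk_emsk is not None:
        expect, got = compound_mac(cmk_emsk, flags, subtype, nonce, outer_tlvs), emsk_mac
    elif flags & CB_FLAG_MSK and cmk_msk is not None:
        expect, got = compound_mac(cmk_msk, flags, subtype, nonce, outer_tlvs), msk_mac
    else:
        return False, flags, nonce
    return hmac.compare_digest(expect, got), flags, nonce

def request_nonce():
    """Assumed nonce rule: the request nonce has its low bit clear; the response echoes it with the low bit set."""
    n = bytearray(os.urandom(32))
    n[-1] &= 0xFE
    return bytes(n)

def server_message7(cmk, nonce):
    """Use case 1, message 7 (minus the TLS records): Result TLV=Success + Crypto-Binding request."""
    return result_tlv(STATUS_SUCCESS) + crypto_binding_tlv(CB_REQUEST, nonce, cmk_msk=cmk)

def peer_message8(msg7, cmk):
    """Check the server's binding; answer with Result=Success and a Response binding, or Result=Failure."""
    tlvs = {t: v for _, t, v in parse_tlvs(msg7)}
    ok, _, nonce = verify_crypto_binding(tlvs.get(TLV_CRYPTO_BINDING, b""), cmk_msk=cmk)
    if not ok or tlvs.get(TLV_RESULT) != struct.pack("!H", STATUS_SUCCESS):
        return result_tlv(STATUS_FAILURE)
    resp_nonce = nonce[:-1] + bytes([nonce[-1] | 0x01])
    return result_tlv(STATUS_SUCCESS) + crypto_binding_tlv(CB_RESPONSE, resp_nonce, cmk_msk=cmk)
```

To exercise it, pick any 20-octet stand-in CMK (its derivation is exactly the open question in the mail), call `server_message7(cmk, request_nonce())`, feed the result to `peer_message8`, and parse the reply: a correct key yields Result=Success plus a Response binding over the echoed nonce, while a flipped MAC byte or a different key yields Result=Failure. Note that a Crypto-Binding TLV whose Flags nibble is zero is rejected outright by `verify_crypto_binding`, which is why the flags can only say which MACs are present, not that the keys behind them are absent.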