Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

[Jim Schaad <ietf@augustcellars.com>]

I am going to come down on the side of no PSK should not be supported.
However my issues have nothing to do with how things are implemented and
more to do with the security properties of the EAP method.

When you use certificates, there is no leakage of who the client is as this
is encrypted by TLS.  When you use a restore session ticket, it is possible
to limit the number of times that the ticket can be used (for example once).
The PSK identity is public and unprotected so it can be used to track.  If
one is using PSK for the purpose of authentication then that value will
always be visible to intermediate parties for the purpose of tracking.
This can be slightly mitigated by using restore session tickets with PSK,
but you are going to send that PSK identifier over the wire many times.


This is just informational and can be ignored:

My current favorite way to deal with PSK/ticket identifiers is with
encryption:

32 bytes of index into table
32 bytes of date information
32 bytes of SIV (synthetic IV)

Encrypt the first two items using the SIV.  You can then have multiple keys
for decryption.  One for PSKs and a resolving one for session tickets.  If
the identifier does not decrypt then you reject.  Otherwise you look at the
date information and the index in the table for the secret information.  

It is even possible to play games with AAD to do things like scope the
tickets up front - if you put in the name/address of the NAS then you have a
prescreen on where the ticket can be used.

Jim




-----Original Message-----
From: Emu <emu-bounces@ietf.org> On Behalf Of Alan DeKok
Sent: Wednesday, September 18, 2019 2:59 PM
To: Owen Friel (ofriel) <ofriel@cisco.com>
Cc: draft-ietf-emu-eap-tls13@ietf.org; EMU WG <emu@ietf.org>
Subject: Re: [Emu] POST WGLC Comments draft-ietf-emu-eap-tls13

On Sep 18, 2019, at 5:42 PM, Owen Friel (ofriel) <ofriel@cisco.com> wrote:
> Giving some implementation guidance seems appropriate here. Naively, one
could envisage the implementation simply having a DB table for extern PSKs
and a table that holds NewSessionTickets. An implementation could simply
check the extern PSK table using the PskIdentity.identity, and if no match
is found then check the NewSessionTickets table.

  Which works, but should be called out in the draft.

  And what is to prevent the system from generating conflicting PSK
identities?  i.e. I don't control OpenSSL.  From what I see, TLS 1.3
resumption means that OpenSSLL will choose whatever PSK identity it deems
fit.

  As an implementor and/or admin, how do I choose *pre-provisioned* PSK
identities which won't conflict with the ones OpenSSL choose?

> The default OpenSSL NSK ticketId is 32 bytes long
https://github.com/openssl/openssl/blob/558ea84743918f7a93bfbfc259f86ad1fa4c
8de9/include/openssl/ssl3.h#L127 so something has gone seriously wrong if
there is a clash (poor randoms, etc.). 

  i.e. "pick a long string and that should be good enough".

  If that really is the guidance, then this should also be called out in the
draft.  PSK identities MUST be long (ideally 32 octets or more), and MUST be
generated from a CSPRNG.

  Which then leads to the question of what will the poor user enter in a UI?
If "end users" shouldn't be doing this, the draft also needs to call that
out.

> Well, more precisely, the PSK identity is visible in the ClientHello, not
the actual PSK of course.

  Sure.

> And the PSK *must not* be a user-manageable string such as the
>> NAI.  On the other hand, if the PSK is sent after encryption begins, 
>> then the PSK *should* be a user-manageable string such as an NAI.
> 
> https://tools.ietf.org/html/rfc8446#section-2.2 also states:
> ...
> so TLS-PSK is not suitable for a user entered low entropy password. We 
> need a PAKE for that (c.f. the ongoing CFRG PAKE assessment)

  Sure.

> There are some use cases Eliot and I are looking at related to IoT
onboarding where a TLS-PSK authentication has definite value, and we really
don't want to see this avenue closed off in EAP.

  I don't know the exact use-case, but TBH I'd suggest EAP-PWD for that.
I'm not sure that EAP-TLS with PSK adds any value here.

  Allowing PSK means that the draft should likely say "end users MUST NOT be
using TLS-PSK".  Or maybe "TLS-PSK MUST be used only where systems can be
automatically provisioned with long binary data for both PSK identity and
PSK itself".  Or even "PSK identities and/or passwords that are composed
solely of printable ASCII characters are likely to be humanly entered, and
thus insecure".

  Which means, of course, that people will ignore that and demand simple
user names / passwords for EAP-TLS with PSK.  Because that's ever so much
easier than using nasty certs.

  That isn't something we should encourage.  It may be worth just forbidding
it.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu