Re: [Last-Call] [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
Alexander Clouter <alex+ietf@coremem.com> Sun, 03 March 2024 18:56 UTC
Return-Path: <alex+ietf@coremem.com>
X-Original-To: last-call@ietfa.amsl.com
Delivered-To: last-call@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4284C14F5F8; Sun, 3 Mar 2024 10:56:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.807
X-Spam-Level:
X-Spam-Status: No, score=-2.807 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="QCHY6hg1"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="do/lZwM8"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H2Qgjvv9n2rr; Sun, 3 Mar 2024 10:56:25 -0800 (PST)
Received: from fhigh4-smtp.messagingengine.com (fhigh4-smtp.messagingengine.com [103.168.172.155]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B84D2C14F5E3; Sun, 3 Mar 2024 10:56:24 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfhigh.nyi.internal (Postfix) with ESMTP id B56B31140087; Sun, 3 Mar 2024 13:56:23 -0500 (EST)
Received: from imap46 ([10.202.2.96]) by compute3.internal (MEProxy); Sun, 03 Mar 2024 13:56:23 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1709492183; x=1709578583; bh=frPlja+PB9 yqAR8vvFc4pHKeWxsjdGbjySXFip8gRYw=; b=QCHY6hg1vmpXtzTHxqA6aZFfH9 TdOnNC0j01Rp0uXy6PLNfzeB25FFBE9BiwzpxZloea5oT4T9p7ON92RiFY+7SJ4x N0PDQmbZNa2J3kdB/1xsQ2FD+8aV26iVXRCpMv6UInKLZjjrDK2ecnnOWnkTAaW0 QN5bstnZU6Wc2nX0VvNg4JT9OTX1Jmlc6Jo3WdNwIshcTLxO3fkzvE+vv/NGq1K8 AcYZDi4F6/ChYQhquKfiRSR5Yev68tLDV8JqhmkbwLzNVDsZs/dML8rx+075Gbxn 5hH4stZyL9MtyNatTD1wQUtrajyybubAmxq+qOzRN5gBuvEuBgQCLdA4bzPw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1709492183; x=1709578583; bh=frPlja+PB9yqAR8vvFc4pHKeWxsj dGbjySXFip8gRYw=; b=do/lZwM8m5dXOWKbV8kB1MmekYIsqvn6xFc70Y3TNdEj plxQmcNMI75O7JF2CetvBUJa511QdqW6ziJkxRlw19KSwILu8dXfpZHma43lep34 V1jtQT6BGcM4Iz1zjMHGA4CTBZ0AeuVv1DGCEpn7THm/5AohVSp752X9lSJ4YkI8 wZ+bSDeOfCB5pTXXlMeZZkGZmCvr9vgee1w1VBcRAPT+b5i1xleRD5gO/NDdstxw 92hZQrPJScGQqjvEBYDxFHyZZr1l/AAzvsHBlwbEfmgGWNdV8jf1a84a+kmonA1u m55WX8CgxUHeFLCGT8b6HCdTlyyr+wxL/71zp0L3aw==
X-ME-Sender: <xms:18fkZfLlHenYoHo3U_CrGbAc5R1mQbdOsGmLDsh9rrBb-Gmo0oEASQ> <xme:18fkZTJwYD3gZS2aPE39F2_GdRdoT6eNz9CK1gY1HbeGoruh-CB2fhy45nUvL0FYE MWxTOSb6jE2UER4zA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrheehgdduudejucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucesvcftvggtihhpihgvnhhtshculddquddttddmne cujfgurhepofgfggfkjghffffhvfevufgtsehttdertderredtnecuhfhrohhmpedftehl vgigrghnuggvrhcuvehlohhuthgvrhdfuceorghlvgigodhivghtfhestghorhgvmhgvmh drtghomheqnecuggftrfgrthhtvghrnhepgeefhfdvleeghfekhfdvhfekffffieeugeei vedvudehgfeufffhhfetgeetgfetnecuffhomhgrihhnpehgihhthhhusgdrtghomhenuc evlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpegrlhgvgido ihgvthhfsegtohhrvghmvghmrdgtohhm
X-ME-Proxy: <xmx:18fkZXsJVYgNX3bIopl6zSwrgP-zXe4CgWrHJNZOU07CSVKPwKP7vA> <xmx:18fkZYb3AB_MNi-C5nji8Eiinb5vkcR7nHJaM1oOk9-N77TK7cjAzQ> <xmx:18fkZWaMl7FAI4mrahX10K8S8gj_KES76zMyL-cc7a9Uir3M7Jh5hg> <xmx:18fkZdUv5QLodb3_ddDzI2XO56senmeoYjrsNRzWHPq9k7KhLsI6nQ>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 63E0E2A2008B; Sun, 3 Mar 2024 13:56:23 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-205-g4dbcac4545-fm-20240301.001-g4dbcac45
MIME-Version: 1.0
Message-Id: <7eb58c04-2fa2-4221-80d3-8f8526b16cc9@app.fastmail.com>
In-Reply-To: <f3384fef-8e72-4401-86f7-c15aa3dc92b0@mandelberg.org>
References: <170934966282.22720.15728977796194077360@ietfa.amsl.com> <b6b6b90d-ff6b-486a-ab0e-d38c7b00c79f@app.fastmail.com> <f3384fef-8e72-4401-86f7-c15aa3dc92b0@mandelberg.org>
Date: Sun, 03 Mar 2024 18:56:02 +0000
From: Alexander Clouter <alex+ietf@coremem.com>
To: David Mandelberg <david@mandelberg.org>, secdir@ietf.org
Cc: draft-ietf-emu-rfc7170bis.all@ietf.org, EMU WG <emu@ietf.org>, last-call@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/last-call/2VarCunkp15uHoXiECeZpm2GAfg>
Subject: Re: [Last-Call] [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
X-BeenThere: last-call@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: IETF Last Calls <last-call.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/last-call>, <mailto:last-call-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/last-call/>
List-Post: <mailto:last-call@ietf.org>
List-Help: <mailto:last-call-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/last-call>, <mailto:last-call-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Mar 2024 18:56:29 -0000
On Sat, 2 Mar 2024, at 18:20, David Mandelberg wrote:
>> Maybe a TEAPv2 could use ALPN for the TLS jacket to avoid this..erk, I think I may have suggested something that could be retro fitted here without impacting existing implementations; assuming they would just ignore the ALPN.
>
> ALPN would solve the problem of speaking different versions, but the
> version downgrade problem would still stick around until the first
> Crypto-Binding, right? (Not saying that's a problem, just want to make
> sure we all understand what it would and wouldn't provide.)
I do not think so as the ALPN, which is a {Client,Server}Hello extension, is protected and checked during TLS Finished.
Should mean that if someone is tampering with the handshake, it should fail at that point, more importantly before we get to any inner methods.
I have added a 'version downgrade' note to the security considerations.
https://github.com/emu-wg/rfc7170bis/pull/32
> If it's not feasible to require server authentication before sending
> Identity-Hint, then maybe at least document what information can be
> leaked by it and in what circumstances? Or maybe recommend that
> implementations don't send it by default to unauthenticated servers, but
> offer a way for the user to override that default?
My PR also includes a 'SHOULD NOT' for unauthenticated provisioning. I added to the TLV section the recommendation to anonymise any identities sent during unauthenticated provisioning. Also slipped in a snippet or two in the security considerations section too.
Maybe here instead we could just remove the first "shall not send" and instead just keep the second "recommended send as anon" part?
We still have an opportunity to change this as no one has implemented or deployed this TLV in the wild yet.
Back to thinking of the consequence of messing with the opportunistic Identity-Hint TLVs being sent, I do not know if this is actually a problem.
The authentication flows here are:
1. unauthenticated provisioning Phase 1 completes
2. [optionally] peer includes one or more Identity-Hint TLVs
3. server sends EAP-Payload[EAP-Identity]
4. peer *always* responds with the full identity via EAP-Payload[EAP-Identity(bob@example.com)]
An attacker could just run this N times to jiggle out the information that would have been leaked opportunistically by the client...or just wait for the EAP-Identity in the next frame.
Back to thinking of the consequence of messing with the outer-TLVs, I have added a suggestion that implementations may wish to add a Vendor-Specific TLV as dummy to neuter this. Not sure if we want to actually firm this up to "do this and use *this* particular Vendor-Specific TLV"?
Thanks
- [Last-Call] Secdir last call review of draft-ietf… David Mandelberg via Datatracker
- Re: [Last-Call] [Emu] Secdir last call review of … Alexander Clouter
- Re: [Last-Call] [Emu] Secdir last call review of … David Mandelberg
- Re: [Last-Call] [secdir] [Emu] Secdir last call r… Alan DeKok
- Re: [Last-Call] [Emu] Secdir last call review of … Alexander Clouter
- Re: [Last-Call] [Emu] Secdir last call review of … Alan DeKok
- Re: [Last-Call] [Emu] Secdir last call review of … Alexander Clouter
- Re: [Last-Call] [Emu] Secdir last call review of … Alan DeKok
- Re: [Last-Call] [Emu] Secdir last call review of … Alexander Clouter