[radext] Re: Selfie Attack on TLS-PSK
Bernard Aboba <bernard.aboba@gmail.com> Thu, 25 July 2024 01:12 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C6CAC14F6AB for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 18:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xjh-F4RgAmg8 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 18:12:09 -0700 (PDT)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 867EDC14F609 for <radext@ietf.org>; Wed, 24 Jul 2024 18:12:09 -0700 (PDT)
Received: by mail-pf1-x42e.google.com with SMTP id d2e1a72fcca58-70d2b921cdfso358353b3a.0 for <radext@ietf.org>; Wed, 24 Jul 2024 18:12:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721869929; x=1722474729; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=JMusRNyp7OUgTZEKUB5cBO3Bbx39aKvCBlQ5rgwv6zw=; b=lYSiTAzhScKUEvDg8x4DS7XxaYLMHBqda+6+qNneB7SyvUYxIdMLAx9Sl19R4GmOoR FTtdiNMIxrLIQZ/Bg55hI10TOCkboE79iT9yR4BAnLnfYcTGSjquuFz5R8c5dRDNl/7e N9qU3VBPdE0eCqmRrpNQs/5nuJeaRJMKp2t6Yi97vzoAdRJ+GLUCvbFEM9c11UEm3LoF yJHaG9megos0ZQhi2D+oR6D8JAM2x4xkcQF1nud5YWSnyBpCpAUHfA/xw5dbQkMjiaX2 qlQowggzzqZ+46EqU0ImstV8hDsjEj4o6IQHF/tns06Uyd4RdK28YRbxJcFP5nrtrnsw /5qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721869929; x=1722474729; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=JMusRNyp7OUgTZEKUB5cBO3Bbx39aKvCBlQ5rgwv6zw=; b=DXj5l6c6SULREaAtK8v0py+onYjl7cdCDPWUYfFl17UdMuKrFoRsR6g2q6GnFK9T+H TXbmF4PwVoXH/5Nsjtjxo3+yn29umx06loqtx9spzPJSfFEh9w+u5CEI/pmYBQVWtswN 0JvzscAD6iST7MuCM6LFMTHJI97WE/5MpJyQQ1T/2o39c1xyHoDWwMZRqkdPeaAVwdE2 X0gUPdeWHlbalM44LzKAX23wCQaq7CVUDOdy44Iuv2jWYXust0iZjvRxT3E3wjpUA0IN map0PWAqbo8eW78qGal1pnSN1QZUTguXsbzg2esE/claBth7tiaOdmqL/S3AQ6rRE6kC PEnw==
X-Gm-Message-State: AOJu0Yy8OUkfh8kDeJAYTyyKkDk+Rt7De/m27d8LsAenRhdiylKSTRxm SeR/EeNLb7Mkjr4UH8HLF+U2XFF7Uj3hGswSyNJyQiOeEAAgyQMO//Wq3PVDuo0vNaffgc7QJRv 8HTqdxfrqAVYCPhcXfsoNJhhPr1c=
X-Google-Smtp-Source: AGHT+IGPVgX/+b1QcH5pLoTiwza9p9QXonK0dBbwcEZKnhJZfOpNAvp84PrOg50iLy+mNSYbWJt8FVJK6BWvogg8rrg=
X-Received: by 2002:a05:6a21:2fc7:b0:1c3:b20f:de15 with SMTP id adf61e73a8af0-1c472d1bae8mr1692212637.52.1721869928801; Wed, 24 Jul 2024 18:12:08 -0700 (PDT)
MIME-Version: 1.0
References: <E66DC2E7-1D48-4B9F-BB3D-1D87D1E25F61@gmail.com> <39C18E1E-B1D0-407E-8AA6-20E513C7E308@deployingradius.com>
In-Reply-To: <39C18E1E-B1D0-407E-8AA6-20E513C7E308@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Wed, 24 Jul 2024 18:11:57 -0700
Message-ID: <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000074b73c061e081504"
Message-ID-Hash: 4S53UFHL57JXGECXHSYHCGABQM5EVVIB
X-Message-ID-Hash: 4S53UFHL57JXGECXHSYHCGABQM5EVVIB
X-MailFrom: bernard.aboba@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/8gtjuiwYbI0-NDaa7GW2sXIDN9U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
In this message about Selfie as well as the previous post about channel bindings, I think you have raised several important points: *1. If a NAS is supporting both RADIUS over (D)TLS as well as RADIUS CoA over (D)TLS, what does it need to do in order to avoid the Selfie attack? * For example, MUST the same (D)TLS session be used in both directions? *2. How does RADIUS over (D)TLS perform not just authentication (e.g. verification of certificates or PSKs), but also authorization? * It is not sufficient for RADIUS clients and servers to use mutual authentication with certificates or PSKs. It is also necessary to verify that the endpoints are who they are expected to be. This may not be so simple in some deployment scenarios, such as where legacy NAS devices use RADIUS over (D)TLS proxies, so that a server can receive packets from many NASes over a (D)TLS session. How does the server validate that these packets are arriving on the right (D)TLS sessions? It may seem convenient to say "we don't care" but surely there are some packet/path combinations which would be unexpected, indicating mis-routing (and exposure of secrets as well as location info to unauthorized proxies/servers). For example, it would be "unusual" for a corpnet RADIUS server to receive RADIUS packets originating from a corpnet NAS over a (D)TLS session with a roaming partner. It's also important to realize that despite what the drafts might say, there will be deployments that throw common sense to the wind, such as by utilizing the same PSKs between multiple client/server pairs. The IETF is not the protocol police, but it is possible for documents to make the downsides clear, if only so as to make it difficult to say "nobody told us" when negligent deployments are compromised. On Wed, Jul 24, 2024 at 3:00 PM Alan DeKok <aland@deployingradius.com> wrote: > On Jul 24, 2024, at 1:37 PM, Margaret Cullen <mrcullen42@gmail.com> wrote: > > > > On a separate but related note…. > > > > I came across this attack while reading about TLS mutual authentication: > > > > https://eprint.iacr.org/2019/347.pdf > > > Nice! And :( > > > Is this something we should consider before we recommend the use of > TLS-PSK with TLS 1.3? Or has this issues already been addressed? > > This is discussed in RFC 9527: > > https://datatracker.ietf.org/doc/html/rfc9257#section-8 > > I'll have to do a deeper dive to see how this affects the TLS-PSK > document. > > Alan DeKok. > > _______________________________________________ > radext mailing list -- radext@ietf.org > To unsubscribe send an email to radext-leave@ietf.org >
- [radext] Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Bernard Aboba
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK hannes.tschofenig
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Jan-Frederik Rieckers
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen