[radext] Re: Selfie Attack on TLS-PSK

Bernard Aboba <bernard.aboba@gmail.com> Thu, 25 July 2024 01:12 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C6CAC14F6AB for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 18:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xjh-F4RgAmg8 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 18:12:09 -0700 (PDT)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 867EDC14F609 for <radext@ietf.org>; Wed, 24 Jul 2024 18:12:09 -0700 (PDT)
Received: by mail-pf1-x42e.google.com with SMTP id d2e1a72fcca58-70d2b921cdfso358353b3a.0 for <radext@ietf.org>; Wed, 24 Jul 2024 18:12:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721869929; x=1722474729; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=JMusRNyp7OUgTZEKUB5cBO3Bbx39aKvCBlQ5rgwv6zw=; b=lYSiTAzhScKUEvDg8x4DS7XxaYLMHBqda+6+qNneB7SyvUYxIdMLAx9Sl19R4GmOoR FTtdiNMIxrLIQZ/Bg55hI10TOCkboE79iT9yR4BAnLnfYcTGSjquuFz5R8c5dRDNl/7e N9qU3VBPdE0eCqmRrpNQs/5nuJeaRJMKp2t6Yi97vzoAdRJ+GLUCvbFEM9c11UEm3LoF yJHaG9megos0ZQhi2D+oR6D8JAM2x4xkcQF1nud5YWSnyBpCpAUHfA/xw5dbQkMjiaX2 qlQowggzzqZ+46EqU0ImstV8hDsjEj4o6IQHF/tns06Uyd4RdK28YRbxJcFP5nrtrnsw /5qg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721869929; x=1722474729; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=JMusRNyp7OUgTZEKUB5cBO3Bbx39aKvCBlQ5rgwv6zw=; b=DXj5l6c6SULREaAtK8v0py+onYjl7cdCDPWUYfFl17UdMuKrFoRsR6g2q6GnFK9T+H TXbmF4PwVoXH/5Nsjtjxo3+yn29umx06loqtx9spzPJSfFEh9w+u5CEI/pmYBQVWtswN 0JvzscAD6iST7MuCM6LFMTHJI97WE/5MpJyQQ1T/2o39c1xyHoDWwMZRqkdPeaAVwdE2 X0gUPdeWHlbalM44LzKAX23wCQaq7CVUDOdy44Iuv2jWYXust0iZjvRxT3E3wjpUA0IN map0PWAqbo8eW78qGal1pnSN1QZUTguXsbzg2esE/claBth7tiaOdmqL/S3AQ6rRE6kC PEnw==
X-Gm-Message-State: AOJu0Yy8OUkfh8kDeJAYTyyKkDk+Rt7De/m27d8LsAenRhdiylKSTRxm SeR/EeNLb7Mkjr4UH8HLF+U2XFF7Uj3hGswSyNJyQiOeEAAgyQMO//Wq3PVDuo0vNaffgc7QJRv 8HTqdxfrqAVYCPhcXfsoNJhhPr1c=
X-Google-Smtp-Source: AGHT+IGPVgX/+b1QcH5pLoTiwza9p9QXonK0dBbwcEZKnhJZfOpNAvp84PrOg50iLy+mNSYbWJt8FVJK6BWvogg8rrg=
X-Received: by 2002:a05:6a21:2fc7:b0:1c3:b20f:de15 with SMTP id adf61e73a8af0-1c472d1bae8mr1692212637.52.1721869928801; Wed, 24 Jul 2024 18:12:08 -0700 (PDT)
MIME-Version: 1.0
References: <E66DC2E7-1D48-4B9F-BB3D-1D87D1E25F61@gmail.com> <39C18E1E-B1D0-407E-8AA6-20E513C7E308@deployingradius.com>
In-Reply-To: <39C18E1E-B1D0-407E-8AA6-20E513C7E308@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Wed, 24 Jul 2024 18:11:57 -0700
Message-ID: <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
Content-Type: multipart/alternative; boundary="00000000000074b73c061e081504"
Message-ID-Hash: 4S53UFHL57JXGECXHSYHCGABQM5EVVIB
X-Message-ID-Hash: 4S53UFHL57JXGECXHSYHCGABQM5EVVIB
X-MailFrom: bernard.aboba@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/8gtjuiwYbI0-NDaa7GW2sXIDN9U>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

In this message about Selfie as well as the previous post about channel
bindings, I think you have raised several important points:

*1. If a NAS is supporting both RADIUS over (D)TLS as well as RADIUS CoA
over (D)TLS, what does it need to do in order to avoid the Selfie attack?  *

For example, MUST the same (D)TLS session be used in both directions?

*2. How does RADIUS over (D)TLS perform not just authentication (e.g.
verification of certificates or PSKs), but also authorization? *

It is not sufficient for RADIUS clients and servers to use mutual
authentication with certificates or PSKs. It is also necessary to verify
that the endpoints are who they are expected to be.  This may not be so
simple in some deployment scenarios, such as where legacy NAS devices use
RADIUS over (D)TLS proxies, so that a server can receive packets from many
NASes over a (D)TLS session. How does the server validate that these
packets are arriving on the right (D)TLS sessions?  It may seem convenient
to say "we don't care" but surely there are some packet/path combinations
which would be unexpected, indicating mis-routing (and exposure of secrets
as well as location info to unauthorized proxies/servers). For example, it
would be "unusual" for a corpnet RADIUS server to receive RADIUS packets
originating from a corpnet NAS over a (D)TLS session with a roaming
partner.

It's also important to realize that despite what the drafts might say,
there will be deployments that throw common sense to the wind, such as by
utilizing the same PSKs between multiple client/server pairs. The IETF is
not the protocol police, but it is possible for documents to make the
downsides clear, if only so as to make it difficult to say "nobody told us"
when negligent deployments are compromised.

On Wed, Jul 24, 2024 at 3:00 PM Alan DeKok <aland@deployingradius.com>
wrote:

> On Jul 24, 2024, at 1:37 PM, Margaret Cullen <mrcullen42@gmail.com> wrote:
> >
> > On a separate but related note….
> >
> > I came across this attack while reading about TLS mutual authentication:
> >
> > https://eprint.iacr.org/2019/347.pdf
> >
>   Nice!  And :(
>
> > Is this something we should consider before we recommend the use of
> TLS-PSK with TLS 1.3? Or has this issues already been addressed?
>
>   This is discussed in RFC 9527:
>
>   https://datatracker.ietf.org/doc/html/rfc9257#section-8
>
>   I'll have to do a deeper dive to see how this affects the TLS-PSK
> document.
>
>   Alan DeKok.
>
> _______________________________________________
> radext mailing list -- radext@ietf.org
> To unsubscribe send an email to radext-leave@ietf.org
>