IETF Logo Mail Archive

Review of draft-zorn-radius-keywrap

Bernard Aboba <bernard_aboba@hotmail.com> Tue, 14 December 2010 16:55 UTC

Return-Path: <owner-radiusext@ops.ietf.org>
X-Original-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Delivered-To: ietfarch-radext-archive-IeZ9sae2@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 65E2828B797 for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Tue, 14 Dec 2010 08:55:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.353
X-Spam-Level:
X-Spam-Status: No, score=-102.353 tagged_above=-999 required=5 tests=[AWL=0.245, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GGpolofeCi0N for <ietfarch-radext-archive-IeZ9sae2@core3.amsl.com>; Tue, 14 Dec 2010 08:55:49 -0800 (PST)
Received: from psg.com (psg.com [IPv6:2001:418:1::62]) by core3.amsl.com (Postfix) with ESMTP id 9F64E28B23E for <radext-archive-IeZ9sae2@lists.ietf.org>; Tue, 14 Dec 2010 08:55:48 -0800 (PST)
Received: from majordom by psg.com with local (Exim 4.72 (FreeBSD)) (envelope-from <owner-radiusext@ops.ietf.org>) id 1PSY8q-000LUj-L4 for radiusext-data0@psg.com; Tue, 14 Dec 2010 16:54:20 +0000
Received: from blu0-omc2-s2.blu0.hotmail.com ([65.55.111.77]) by psg.com with esmtp (Exim 4.72 (FreeBSD)) (envelope-from <bernard_aboba@hotmail.com>) id 1PSY8m-000LUS-KP for radiusext@ops.ietf.org; Tue, 14 Dec 2010 16:54:16 +0000
Received: from BLU152-W25 ([65.55.111.73]) by blu0-omc2-s2.blu0.hotmail.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 14 Dec 2010 08:54:15 -0800
Message-ID: <BLU152-w254A72A67B88BD7E45D58193130@phx.gbl>
Content-Type: multipart/alternative; boundary="_84db86b4-750d-49a3-9458-fced07eeec38_"
X-Originating-IP: [76.108.72.166]
From: Bernard Aboba <bernard_aboba@hotmail.com>
To: ietf@ietf.org, radiusext@ops.ietf.org
Subject: Review of draft-zorn-radius-keywrap
Date: Tue, 14 Dec 2010 08:54:15 -0800
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 14 Dec 2010 16:54:15.0532 (UTC) FILETIME=[8A7E82C0:01CB9BAF]
Sender: owner-radiusext@ops.ietf.org
Precedence: bulk
List-ID: <radiusext.ops.ietf.org>

There are two major issues remaining in this document.

One issue is that in a number of places, the document appears to 
contradict IETF standards track documents. 

Examples:

Section 3.1

      If the client requires the use of the Keying-Material Attribute
      for keying material delivery and it is not present in the Access-
      Accept or Access-Challenge message, the client MAY ignore the
      message in question and end the user session.

[BA] Presumbly the MAY is included here for security reasons, such as preventing
the client from accepting a downlevel key from a server from which it has
previously received keying material described in this document, thus preventing
spoofing in the event that the RADIUS shared secret (or MD5) is compromised.
However, in such a situation the key material itself would be compromised,
so that some sort of warning should probably be raised. 

My recommendation is that this be rewritten to state the considerations 
underlying the MAY, as well as recommended behavior in line with RFC 2865
Section 5.26, which states:

      Clients which do not receive desired vendor-specific information
      SHOULD make an attempt to operate without it, although they may do
      so (and report they are doing so) in a degraded mode.

RFC 2865 is written this way to prevent the creation of proprietary RADIUS
implementations that require the presence of vendor-specific information. 

Section 3.3

      Any packet that contains an instance of the Message-
      Authentication-Code Attribute SHOULD NOT contain an instance of
      the Message-Authenticator Attribute [RFC3579].

[BA] Since the Message-Authenticator Attribute is mandated by RFC 3579,
this represents a contradiction.  My recommendation would be to remove
this sentence, and require that the key used in computing the 
Message-Authentication-Code be cryptographically independent of the
RADIUS shared secret.  That way both attributes can be included without
damage.

Section 5

   It is RECOMMENDED in this memo that two new keys, a key encrypting
   key and a message authentication key, be shared by the RADIUS client
   and server.  If implemented, these two keys MUST be different from
   each other and SHOULD NOT be based on a password.  These two keys
   SHOULD be cryptographically independent of the RADIUS shared secret
   used in calculating the Response Authenticator [RFC2865], Request
   Authenticator [RFC2866] [RFC5176] and Message-Authenticator Attribute
   [RFC3579]; otherwise if the shared secret is broken, all is lost.

[BA] I believe that cryptgraphic independence of the RADIUS shared secret
needs to be a MUST, since the goal of this document is to provide security
even in a situation where the RADIUS shared secret could be compromised. 

Another issue is that there are a number of fields for which "the content 

of this field is outside the scope of this document." The document

needs to provide enough information on these fields to enable

interoperability.  Currently it is not clear if this is the case. 



Fields which are not adequately explained include the following:



Section 3.1 Keying-Material



      KEK ID



         The KEK ID field is 16 octets in length and contains an

         identifier for the KEK.  The KEK ID MUST refer to an encryption

         key of a type and length appropriate for use with the algorithm

         specified by the Enc Type field (see above).  This key is used

         to protect the contents of the Data field (below).  Further

         specification of the content of this field is outside the scope

         of this document.



      KM ID



         The KM ID field is 16 octets in length and contains an

         identifier for the contents of the Data field.  The KM ID MAY

         be used by communicating parties to identify the material being

         transmitted.  The combination of App ID and KM ID MUST uniquely

         identify the keying material between the parties utilizing it.

         The KM ID is assumed to be known to the parties that derived

         the keying material.  If the KM ID is not used it is set to 0.

         Further specification of the content of this field is outside

         the scope of this document.



Section 3.3  Message-Authentication-Code



      MAC Key ID



         The MAC Key ID field is 16 octets in length and contains an

         identifier for the key.  The MAC Key ID MUST refer to a key of

         a type and length appropriate for use with the algorithm

         specified by the MAC Type field (see above).  Further

         specification of the content of this field is outside the scope

         of this document.

v2.23.0 | Report a Bug | By Email