[radext] Re: Selfie Attack on TLS-PSK
Margaret Cullen <mrcullen42@gmail.com> Thu, 25 July 2024 18:23 UTC
Return-Path: <mrcullen42@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8AD2C180B56 for <radext@ietfa.amsl.com>; Thu, 25 Jul 2024 11:23:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.859
X-Spam-Level:
X-Spam-Status: No, score=-1.859 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nRu10BfyJIzO for <radext@ietfa.amsl.com>; Thu, 25 Jul 2024 11:23:17 -0700 (PDT)
Received: from mail-pl1-x62b.google.com (mail-pl1-x62b.google.com [IPv6:2607:f8b0:4864:20::62b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 61F88C1840FF for <radext@ietf.org>; Thu, 25 Jul 2024 11:23:17 -0700 (PDT)
Received: by mail-pl1-x62b.google.com with SMTP id d9443c01a7336-1fc49c0aaffso10318765ad.3 for <radext@ietf.org>; Thu, 25 Jul 2024 11:23:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721931796; x=1722536596; darn=ietf.org; h=to:references:message-id:date:cc:in-reply-to:from:subject :mime-version:content-transfer-encoding:from:to:cc:subject:date :message-id:reply-to; bh=/KwTuozyHqVgLyW1ENph846ksVZeLmWRfv1OrQMq4Gg=; b=VcUyQGkNNzJrJYmfFyMfNPpAo4cT3nFzHc2rjH7WBbMVafbJVpMAF+65Wt5dVmtA6Z o1RIXiPBAaAgR/pXVe3+Hi/wY7Jz9jWunEcg6ZRjDYwh8Cr4k0l2xgLUfFisonCEOHr2 PkBLqCjRoRlGKt/wqG8s69MzKsy+OGgJXXRcCjVmq8wem+UnVA/NpKzvQer7UN20Vqzf h+UF1bIIi9MWoY7JbXkDykveGeMXWkVGJxp5vPRRWbH1o18HyxPjZz87v/+pGLyUZorm eECJhir1GiUzIdFThYlvxN7Afa34VN231055cYN0fWr7CmGSnOd6pYbmhJ3S+fy43be8 uF0w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721931796; x=1722536596; h=to:references:message-id:date:cc:in-reply-to:from:subject :mime-version:content-transfer-encoding:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=/KwTuozyHqVgLyW1ENph846ksVZeLmWRfv1OrQMq4Gg=; b=WmsKOUEEU8ugOd51K9AQ7WTmZQCnPbi3B4dk5Q9FZZkGF8HGaPco3SLM5EJBX9Ejt2 JGCGbwriC+zXOMrEIQjNQxYANM684GAqqYcDl83UIgLuWJbu1LCbjvlD72fnEY93FKgE KYgRcP7Mx3jmLAPZ+I0PGUwVKnZ/h2BXwfhWVsZADRaUaUwrydxAg3gVjmAuEdsT6izi FWkjjsQ1A/eLpVIQ7kOfoIwTXv7F7BHSGIcxWekGwd7smHtKRohZ5K1m50fCQ9WUQE4M 2YT6OZPBPD9DTYkdEVABc/3ovGqH/8G6nxk2Y05WtyA+1yge3ganU6WLBVs5L6rDGxCW gaGw==
X-Forwarded-Encrypted: i=1; AJvYcCWpGHY7kZrTX8NmKHIPKhfgcLTMcTXmlrqUyR8zphwR+4xBtMKyrN0A9ZhmwNaNSb6pXOC/CMbvoxpL/hM8FCM=
X-Gm-Message-State: AOJu0Yxb7QXDIPmYyvd0Wg5HmzoclK/xj04rq70mmuPVqje4U4V1Z3qT KTmYyV9JWBLRR+pnoMZ5n0Pn5eNqBdYAcRzJSrWUrt1uMwP3hYNUmVfMLaxS
X-Google-Smtp-Source: AGHT+IH9FrXPT0/xugDb15JE18PAdeTK9k5gbqoZ8Z615jKPsqJhW40cTlpSJvQD/W37c8UQPV2nyg==
X-Received: by 2002:a17:903:41c3:b0:1f9:9221:6c2d with SMTP id d9443c01a7336-1fed9309df1mr29337875ad.53.1721931796345; Thu, 25 Jul 2024 11:23:16 -0700 (PDT)
Received: from smtpclient.apple ([2001:67c:1232:144:e462:8099:7838:6456]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1fed7c7f650sm17385475ad.59.2024.07.25.11.23.15 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Thu, 25 Jul 2024 11:23:15 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
From: Margaret Cullen <mrcullen42@gmail.com>
In-Reply-To: <032f01dade8b$1fc33c40$5f49b4c0$@gmail.com>
Date: Thu, 25 Jul 2024 11:23:05 -0700
Message-Id: <9BE709A1-470B-4F54-A050-9F30C7A6CBD7@gmail.com>
References: <032f01dade8b$1fc33c40$5f49b4c0$@gmail.com>
To: josh.howlett@gmail.com
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: 7MXPU5VEZYVJDMRNY76UOZDNYFYGHHE7
X-Message-ID-Hash: 7MXPU5VEZYVJDMRNY76UOZDNYFYGHHE7
X-MailFrom: mrcullen42@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Alan DeKok <aland@deployingradius.com>, Bernard Aboba <bernard.aboba@gmail.com>, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/9pfvBZvtz9PRZLZFkMSAu_4TG1Y>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Speaking as an individual… I am not talking about trying to establish any sort of cryptographic end-to-end trust in a multi-hop RADIUS fabric. I agree that we don’t have that today, and it is not our goal to change that. I am talking about the security properties of a single RADIUS hop. I am also talking about how those properties feed into the security models of multi-hop deployments. It doesn’t matter, for a single hop, whether the client or the server (or both) are proxies. Nor does it matter how or why a client wants to send a series of RADIUS packets to a particular RADIUS server. Talking about what happened at other hops is all smoke. There might not even be other hops. There is currently one standard way to send RADIUS traffic across a single hop: - RADIUS/UDP (using pre-shared secrets) We are proposing to standardize 4 additional ways to send RADIUS traffic across a single hop: - RADIUS/TLS-PSK - RADIUS/TLS (using certificates) - RADIUS/DTLS-PSK - RADIUS/DTLS (using certificates) These could be described as four variants of RadSec. The security properties of these four variants are similar but not the same, and they are all considerably different from RADIUS/UDP. I am trying to understand (and I personally believe that the WG should be trying to understand and document) the differences between the security properties of each of these variants, and the differences between these variants and RADIUS/UDP. We should also take special note of how those properties differ from RADIUS/UDP, and understand the impact of those differences (if any) on current multi-hop RADIUS deployment models. I don’t think it is sufficient to say “RADIUS isn’t secure, anyway, so it doesn’t matter” or to say “just use TLS” which doesn’t make any more sense, in my opinion, than saying “just use IPsec”. There are differences between authenticating a peer at the RADIUS layer (using shared secrets) vs. trusting that the peer was authenticated at the transport layer. There are also differences between encrypting information based on a RADIUS layer key (the shared secret) vs sending sensitive information in clear text over an encrypted channel. These differences have security implications that we need to understand and document. I am particularly concerned about the second change, removing protection of the sensitive parts of the RADIUS packet, but that might just be because it is the first potentially damaging difference I noticed. Let’s take Stefan Winter’s example where he said: “But even then I can imagine operators to state: our internal network is perfectly secure, so we don't need custom shared secrets and allow a dumb copy & forward of the datagrams with the existing shared secret "radsec".” As Stefan points out, copying of a RADIUS/TLS-transmitted RADIUS message on to a local network is different (and less secure) than dumb copying of a message that was transmitted via RADIUS/UDP, because sensitive data in the message transmitted via UDP will still be protected (to some degree) by the RADIUS secret and MD5, while the packet coming from RADIUS/TLS would use a well-known RADIUS secret, “radsec”, essentially equivalent to sending the sensitive parts of the packet in clear text. Who is going to tell this operator that he has to consider this security regression when moving to RadSec? Do we think he will go read the RFCs (where we do not yet document this fact, but should), or that he will just assume that the newer, non-deprecated version of RADIUS is “more secure”? This security difference would also apply to storing or transmitting raw RADIUS packets for logging or debugging. With RadSec, more sensitive data would essentially be in clear text in those packets, perhaps including passwords. [Note: We could fix this problem, without reintroducing manually configured secrets, by using unique TLS channel information to protect sensitive parts of the RADIUS packet, ideally with a stronger algorithm than MD5…. But that is ranging away from the point of this message.] My point is that we should make sure that moving away from the solution we are deprecating (RADIUS/UDP) and moving to any if the solutions we are recommending (any one of the RadSec variants) does not result in security regressions, and that any security model changes are well-documented. Margaret > On Jul 25, 2024, at 5:06 AM, josh.howlett@gmail.com wrote: > >> >>> It is not sufficient for RADIUS clients and servers to use mutual >>> authentication with certificates or PSKs. It is also necessary to verify that the >>> endpoints are who they are expected to be. >>> This may not be so simple in some >>> deployment scenarios, such as where legacy NAS devices use RADIUS over >>> (D)TLS proxies, so that a server can receive packets from many NASes over a >>> (D)TLS session. How does the server validate that these packets are arriving on >>> the right (D)TLS sessions? It may seem convenient to say "we don't care" but >>> surely there are some packet/path combinations which would be unexpected, >>> indicating mis-routing (and exposure of secrets as well as location info to >>> unauthorized proxies/servers). For example, it would be "unusual" for a >>> corpnet RADIUS server to receive RADIUS packets originating from a corpnet >>> NAS over a (D)TLS session with a roaming partner. >> >> I'm not clear how this is any different from existing RADIUS routing (or lack >> thereof). There's nothing in RADIUS/UDP which addresses these issues. > > Without wishing to speak for her, I think Margaret is noting that RADIUS over (D)TLS does not offer end-to-end assurances in the way that people tend to assume that TLS provides. > > The absence of this property is obvious in the UDP world: the trust boundary is clearly demarcated with explicit, manual configuration. It is intuitively obvious that a downstream proxy can modify packets in many ways, undetected. > > (D)TLS does not (and cannot) change this. However, TLS -- and certificates in particular -- offers new ways of defining the trust boundary. So, the security properties resulting from a given configuration could be hard to assess across a heterogenous deployment. As a data point, about 0.1% of requests on US eduroam originate from RADIUS clients that have nothing to do with WiFi because of proxy misconfiguration. Imagine having a VPN concentrator that can be accessed by a large part of the world's student population. > > The document does not set out to solve this problem; and nor should it. However, I think it would be good to discuss the issue in the Security Considerations section. > > I agree with your characterisation of this issue as a routing problem. One of the legacies of the NAI is that we're stuck in a realm-based forwarding paradigm, but this discussion shows that it is not sufficient to that a packet arrives at the right destination (a problem of discovery). It needs to travel there in a way that is consistent with policy (a problem of trust). > > Josh
- [radext] Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Bernard Aboba
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK hannes.tschofenig
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Jan-Frederik Rieckers
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen