[radext] Re: Selfie Attack on TLS-PSK
Jan-Frederik Rieckers <rieckers@dfn.de> Tue, 30 July 2024 11:18 UTC
Return-Path: <rieckers@dfn.de>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE6E0C14F694 for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 04:18:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=dfn.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QVcj6iCuhCOo for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 04:18:20 -0700 (PDT)
Received: from a1004.mx.srv.dfn.de (a1004.mx.srv.dfn.de [194.95.233.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 328E0C14F5F6 for <radext@ietf.org>; Tue, 30 Jul 2024 04:18:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dfn.de; h= content-type:content-type:in-reply-to:subject:subject :organization:from:from:content-language:references:user-agent :mime-version:date:date:message-id:received; s=s1; t=1722338295; x=1724152696; bh=/QUWz7TruPesxxyAVhxsVBMzZHm05qh9AWesrc1wrBc=; b= Ljr17HuvT+z9f9YAtt/iOv0hfN/Iv1kUN95E37FXiGomELoz7aQ1BGHlOFxy9laX VAlC4iENEOpA0TZ1jkDrnGSsWomBu/DwrhFvTLEAA8Gr5DZs+3/Dml9f0PS0OmPK UrmaDxFPrFMb9Xr4Qpv0TsY5QsCCDE/0p/uc2GAb4tw=
Received: from mail.dfn.de (mail.dfn.de [194.95.245.150]) by a1004.mx.srv.dfn.de (Postfix) with ESMTPS id 2C65D2000EC for <radext@ietf.org>; Tue, 30 Jul 2024 13:18:15 +0200 (CEST)
Received: from [IPV6:2001:638:d:1011::4] (unknown [IPv6:2001:638:d:1011::4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mspool2.in.dfn.de (Postfix) with ESMTPSA id 890FC20A for <radext@ietf.org>; Tue, 30 Jul 2024 13:18:14 +0200 (CEST)
Message-ID: <f90ce022-945d-4f18-a58e-ff2fb774b86d@dfn.de>
Date: Tue, 30 Jul 2024 13:18:11 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: radext@ietf.org
References: <032f01dade8b$1fc33c40$5f49b4c0$@gmail.com> <9BE709A1-470B-4F54-A050-9F30C7A6CBD7@gmail.com> <03ef01dadf44$85ce2220$916a6660$@gmail.com> <CAMEWqGvCS25-2+enWq_VBZhPssTssfjoQgYHZHMbhHRHoJ_bhg@mail.gmail.com>
Content-Language: en-US
From: Jan-Frederik Rieckers <rieckers@dfn.de>
Autocrypt: addr=rieckers@dfn.de; keydata= xjMEYS90/RYJKwYBBAHaRw8BAQdAWXYFYTJZD1YR1SztUNqHenPGnf+gdQe/9LjiHlr2XATN J0phbi1GcmVkZXJpayBSaWVja2VycyA8cmllY2tlcnNAZGZuLmRlPsKWBBMWCAA+AhsDBQsJ CAcCBhUKCQgLAgQWAgMBAh4BAheAFiEE/fv7DCp4WBOrb8RyDYuiXSS+ypYFAmVbGkYFCQWP mkkACgkQDYuiXSS+ypYT0AD/TZAi4LsaVAAzkFSuejWnhQKRyJiPKcZUo7RHhGe1DAABAOBV K+OUb4o43IP2fVcVxKL9kyxArIAhehHp4cplQl8PzjgEYS90/RIKKwYBBAGXVQEFAQEHQBxo 6esD49rxn4d3su5fJJL79XjfKNy26LiFE9Gpg38+AwEIB8J+BBgWCAAmAhsMFiEE/fv7DCp4 WBOrb8RyDYuiXSS+ypYFAmVbGlAFCQWPmlMACgkQDYuiXSS+ypadsAEAqZTaohfkaVGeSk5x iiOcy47K43+ze2dUm5qja0eUUuQA/RNoF//lH8NeFNxN0Qs/Ej7MOdbr9B//R7To8AtqgiMJ
X-Enigmail-Draft-Status: N11222
Organization: DFN e.V.
In-Reply-To: <CAMEWqGvCS25-2+enWq_VBZhPssTssfjoQgYHZHMbhHRHoJ_bhg@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms080809060303050901070400"
Message-ID-Hash: HSVCRDK34EYQRH34KEXVXJWLFGCPEPXD
X-Message-ID-Hash: HSVCRDK34EYQRH34KEXVXJWLFGCPEPXD
X-MailFrom: rieckers@dfn.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/A9f0bUqvo-MSpgklB5I4Z8VAIxk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Hi Q, unfortunately, usually we do have connections in both directions. Taking DFN and Uni Bremen as an example: DFN is a proxy, but since RADIUS is hop-by-hop, each hop has a RADIUS client and a RADIUS server, so I'll use those terms. And the proxy acs as both client and server for connected institutions. The Uni Bremen is an eduroam IdP, meaning that the DFN acs as RADIUS client (on behalf of the actual RADIUS client, i.e. the APs at IETF). But it also acs as a RADIUS server for the Uni Bremen on behalf of every other IdP if users from different institutions are visiting Uni Bremen. I never thought of it before reading about the selfie attack, but I think most eduroam services would be susceptible for this kind of attack, even on RADIUS/UDP, since people probably didn't use different shared secrets in the different directions. I have to check it carefully, but I can think of some other potentially harmful scenarios, which could lead to a DoS. I'll write a mail again once I confirmed the existence of this flaw. Cheers, Janfred On 30.07.24 09:54, Q Misell wrote: > > Moin, > > Having read the Selfie paper here's my thoughts on what RADIUS should do > about it. > > > "Nodes that act both as client and server at the same time MUST NOT > share or reuse PSK identities between incoming and outgoing connections." > > I believe this wording is sufficient to protect against the attack. > > I also think there should be a note about a node only ever acting as > server or only ever acting as a client (i.e. only ever making outgoing > connections, or only ever accepting incoming connections) being > sufficient to protect against Selfie. > The concept of a server and client is new to RADIUS, but say in the case > of eduroam there's a clear relationship where say JISC (UK NREN) would > only ever accept incoming connections from member IdPs, and member IdPs > would only ever make outgoing connections to JISC. > Can anyone think of a scenario where this wouldn't be the case? > ------------------------------------------------------------------------ > > Any statements contained in this email are personal to the author and > are not necessarily the statements of the company unless specifically > stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan > Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a > company registered in Wales under № 12417574 > <https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively. > > > > On Fri, 26 Jul 2024 at 12:14, <josh.howlett@gmail.com > <mailto:josh.howlett@gmail.com>> wrote: > > Margaret wrote: > > Speaking as an individual… > > > > I am not talking about trying to establish any sort of > cryptographic end-to-end > > trust in a multi-hop RADIUS fabric. I agree that we don’t have > that today, and > > it is not our goal to change that. I am talking about the > security properties of a > > single RADIUS hop. I am also talking about how those properties > feed into the > > security models of multi-hop deployments. > > Ah, ok, sorry for the misrepresentation... > > > As Stefan points out, copying of a RADIUS/TLS-transmitted RADIUS > message > > on to a local network is different (and less secure) than dumb > copying of a > > message that was transmitted via RADIUS/UDP, because sensitive > data in the > > message transmitted via UDP will still be protected (to some > degree) by the > > RADIUS secret and MD5, while the packet coming from RADIUS/TLS > would use > > a well-known RADIUS secret, “radsec”, essentially equivalent to > sending the > > sensitive parts of the packet in clear text. > > The entity doing Stefan's "copying" is not a classic RADIUS entity. > It sounds like a proxy that operates purely at the transport layer > (and not the application layer). A RADIUS proxy translating TLS to > UDP must mint a new request using the secret shared with the > downstream server. > > There is a problem if Stefan's entity existed, but it isn't a mode > of operation supported the RFCs and I don't know of any products > doing this. > > > My point is that we should make sure that moving away from the > solution we > > are deprecating (RADIUS/UDP) and moving to any if the solutions > we are > > recommending (any one of the RadSec variants) does not result in > security > > regressions, and that any security model changes are well-documented. > > +1 > > Josh > > _______________________________________________ > radext mailing list -- radext@ietf.org <mailto:radext@ietf.org> > To unsubscribe send an email to radext-leave@ietf.org > <mailto:radext-leave@ietf.org> > > > _______________________________________________ > radext mailing list -- radext@ietf.org > To unsubscribe send an email to radext-leave@ietf.org -- Herr Jan-Frederik Rieckers Security, Trust & Identity Services E-Mail: rieckers@dfn.de | Fon: +49 30884299-339 | Fax: +49 30884299-370 Pronomen: er/sein | Pronouns: he/him __________________________________________________________________________________ DFN - Deutsches Forschungsnetz | German National Research and Education Network Verein zur Förderung eines Deutschen Forschungsnetzes e.V. Alexanderplatz 1 | 10178 Berlin https://www.dfn.de Vorstand: Prof. Dr.-Ing. Stefan Wesner | Prof. Dr. Helmut Reiser | Christian Zens Geschäftsführung: Dr. Christian Grimm | Jochem Pattloch VR AG Charlottenburg 7729B | USt.-ID. DE 136623822
- [radext] Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Bernard Aboba
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK hannes.tschofenig
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Jan-Frederik Rieckers
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen