IETF Logo Mail Archive

[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS

Bernard Aboba <bernard.aboba@gmail.com> Fri, 26 July 2024 23:44 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3A295C1D4A9C for <radext@ietfa.amsl.com>; Fri, 26 Jul 2024 16:44:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V50of9Cm1br9 for <radext@ietfa.amsl.com>; Fri, 26 Jul 2024 16:44:29 -0700 (PDT)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9A07BC1C6340 for <radext@ietf.org>; Fri, 26 Jul 2024 16:44:29 -0700 (PDT)
Received: by mail-pj1-x1033.google.com with SMTP id 98e67ed59e1d1-2cd5e3c27c5so1057071a91.3 for <radext@ietf.org>; Fri, 26 Jul 2024 16:44:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722037469; x=1722642269; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=U/G/6uQyXm3L+LBEoN9+v2EOIIwgcXPHlhM8GYZiIrg=; b=cmSjr9dOgnuIFkrRp0jfNif1FjugeW1lMMQxildanwKVbV037mUEwcfJSO4T+xECG+ 2wylZ4OSAUEAVwFwH3n/4B+qKHsjHWq0lKbgTNN4fvMrtcmrTyKJ7VmN4ULOvUE0D28V +kYvwdHsl2jxVUsUcETvSAsmGoHUgTcuEigr3/7CZ0dMOjp6sBK/nc3dVdt6We6MjpK6 DI7Ixqa8S2VEfrJCtPyvDZy8dloR20t3EFBSIAfX/MhLtfEWnIb/b0k9AT7Da9eKUVSY YK9u2mcASRhZhcxpRNJYYkeNmwTbiaPedvkhTiypyTIZykxIHVql4/+/tYQ5dE4kGJED efUw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722037469; x=1722642269; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=U/G/6uQyXm3L+LBEoN9+v2EOIIwgcXPHlhM8GYZiIrg=; b=bYJVVapXkhUUad6z4/C4ju/A2Ho8uCm+aKyqqFXWy56URLWHFXxpYNs02/Uj5N2zNh v3dx0ViOetqvb8nJ+FrIwOO9eDQMfAXJVaRv/a6vwr3COE/SJxSXFVKOIJTFjc91DocQ S6iD3153HcF4UphlVyAaQyeVfQHOJBlmLzkaLc+PVnDOTLtdt/aSfQ+AXLcsQ9tQP1tQ aKlCIMPi8TX6jVzbe3nOgHYK5YUTxUEnTiT0ALxFRi7biN337DTn3qdGJc39AcliFT6s +OpX3ZI0d55L0rCttLmOZrmtJMsDn4bBwhxPy+loffvbKmViuBnZUgZDeBTYyfFZmj/h +dJA==
X-Forwarded-Encrypted: i=1; AJvYcCUi25cX5z1sn4Jcs1CVTxD4AyKgRdTgaP+iketa/K6M6TGqub0y5WFfp4DYyq9A56q1uT3lbbFid3Rfoz7SMd8=
X-Gm-Message-State: AOJu0Yz9s1fMQOkaHgsrMrdEmuyOr38oYWsiSXyY/8GPQLJXBkpNA7fV 0X8pt40731IkUD2lTwNrCPYgqRCO2exXOGVdvo7OdylM2Cxo9N0vtFItDcRLDQNVZj520VgvtNn OSeUbofTfjBT/hXMkEbdv5kUv9yCrqoCOnfI=
X-Google-Smtp-Source: AGHT+IFW3iSl0KmaKTK6yrdeM7eXNTpRTzNmEmc+QuaJO4jmA/VsA5AZg41ml81BQc9xExUdN0/yPCgGG6v/rfafaOU=
X-Received: by 2002:a17:90b:1e01:b0:2c9:8b33:318f with SMTP id 98e67ed59e1d1-2cf7e1f7e0bmr1069989a91.11.1722037468977; Fri, 26 Jul 2024 16:44:28 -0700 (PDT)
MIME-Version: 1.0
References: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com> <85CCF592-FDEC-478B-AA03-E10DA209C9A5@deployingradius.com> <9C9E5617-451E-4CB7-A54A-EE049D91DBAE@gmail.com> <7c640ea7-7fc6-471d-b314-12036e2678af@switch.ch> <905C74AD-2E4E-4F41-A250-7E583ACE8C66@gmail.com>
In-Reply-To: <905C74AD-2E4E-4F41-A250-7E583ACE8C66@gmail.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Fri, 26 Jul 2024 16:44:18 -0700
Message-ID: <CAOW+2dv7ZXMtoEDunM+x7PgT32-KuXt+1kPeB5giGzewFvotng@mail.gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000a0e5f5061e2f170c"
Message-ID-Hash: SZFNEPAND2SBPJ7ACZ7DDTJZABRL7WI5
X-Message-ID-Hash: SZFNEPAND2SBPJ7ACZ7DDTJZABRL7WI5
X-MailFrom: bernard.aboba@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Fabian Mauchle <fabian.mauchle=40switch.ch@dmarc.ietf.org>, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/CTR2sbIXLbD-oqwww3-3bF35yVg>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

Margaret said:

"because we mandate the use of (D)TLS 1.2 or !.3 with either PSKs or
Certificates, and those protocols are well-enough protected against MITM
attacks already."

[BA] Does the WG really need to take a position on whether (D)TLS 1.2
provides adequate protection (currently or in the future)?

There are known security issues with TLS 1.2 that are mitigated in TLS 1.3,
and TLS 1.3 libraries are also more likely to support PQC ciphersuites to
mitigate future attacks.

The transition to RADIUS over (D)TLS is likely to be protracted. It would
be unfortunate for that transition to be initiated with (D)TLS 1.2 and then
for another transition to be required to (D)TLS 1.3.




On Fri, Jul 26, 2024 at 4:03 PM Margaret Cullen <mrcullen42@gmail.com>
wrote:

>
>
> > On Jul 25, 2024, at 2:47 AM, Fabian Mauchle <fabian.mauchle=
> 40switch.ch@dmarc.ietf.org> wrote:
> >
> > Trying to follow the discussion and understand the issue...
> >
> > On 24.07.2024 19:50, Margaret Cullen wrote:
> >> When you have two peers A and C, with an authorized proxy, B, you have
> two RADIUS sessions A -> B and B -> C.  This only works if A has a shared
> secret with B and B has a shared secret with C.  So, B is part of the
> trusted set of peers.  Using RadSec, a MITM (Z) could have no trust
> relationship with A or B, but be receiving traffic from A on one TLS
> connection, and forwarding it to C on a second TLS connection, while both A
> and B think that they are directly connected to each other.  Z is not part
> of the trusted peer group, Z is a MITM attacker.  This is quite different
> than that forwarding through an authorized proxy.
> >
> > If Z has no trust relationship with A, it can't be receiving traffic
> from A. As a MITM, Z would need to present a certificate (or other
> identity) to A that A accepts as trustworthy to establish the TLS
> connection A-Z, at which point the trust relationship between A and Z is
> established.
> >
> > As Alan already pointed out, RADIUS proxies are inherently MITM by
> design. That is why (in roaming scenarios where A,B and C belong to
> different parties) we use EAP as the actual AAA within RADIUS.
>
> Some RADIUS Authentications are single hop.  The way people are using
> Radsec in eduroam, an increasing number of them probably will be.
>
> Some RADIUS Authentications  involve several hops, but none of the RADIUS
> clients/proxies/servers along that path are MITM attackers.  They are
> typically mutually trusted systems that are either:  (1) operated by a
> single organization, or (2) operated by separate organizations in a
> consortium with mutual trust, agreed policies, and legal agreements.
>
> The question of whether we need crypto binding between the RADIUS and TLS
> layers for a single Client -> Server hop really has nothing to do with
> whether the packet will traverse other hops.  It has to do with whether
> there is a meaningful risk of a TLS MITM attack against a single hop that
> channel bindings could be used to detect or prevent.
>
> I am being told by TLS people that TLS 1.2 and 1.3 are secure against
> third-party MITM attacks, except in cases where the attacker has the PSK or
> Certificate for one side of the connection, in which case it would be
> easier for them to do a direct attack, rather than setting up a MITM
> attack.  I could argue that there are things one can do from a MITM
> position that you can’t do via a direct attack, especially if you have the
> server key and want to influence what the real Server does.  I am not sure
> anyone will agree or think that matters, though.
>
> So, I think we just need to say in the Security Considerations that we do
> not use channel binding in RADIUS/(D)TLS because we mandate the use of
> (D)TLS 1.2 or !.3 with either PSKs or Certificates, and those protocols are
> well-enough protected against MITM attacks already.
>
> Margaret
>
>
>
> >
> > --
> > Fabian Mauchle
> > Network
> > NOC:    +41 44 268 15 30
> > Direct: +41 44 268 15 39
> >
> > Switch
> > Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> >
> > _______________________________________________
> > radext mailing list -- radext@ietf.org
> > To unsubscribe send an email to radext-leave@ietf.org
>
> _______________________________________________
> radext mailing list -- radext@ietf.org
> To unsubscribe send an email to radext-leave@ietf.org
>

v2.35.0 | Report a Bug | By Email | System Status