IETF Logo Mail Archive

Re: [radext] CUI comments in "deprecating insecure transports"

Heikki Vatiainen <hvn@radiatorsoftware.com> Thu, 27 July 2023 13:28 UTC

Return-Path: <hvn@radiatorsoftware.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC288C14CE39 for <radext@ietfa.amsl.com>; Thu, 27 Jul 2023 06:28:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=radiatorsoftware-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id brw1VmL2ZVXp for <radext@ietfa.amsl.com>; Thu, 27 Jul 2023 06:28:28 -0700 (PDT)
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com [IPv6:2a00:1450:4864:20::52f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C1598C14CE5D for <radext@ietf.org>; Thu, 27 Jul 2023 06:28:28 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id 4fb4d7f45d1cf-5221cf2bb8cso1276939a12.1 for <radext@ietf.org>; Thu, 27 Jul 2023 06:28:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=radiatorsoftware-com.20221208.gappssmtp.com; s=20221208; t=1690464507; x=1691069307; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=VWvy/frn2yfv2egsvgbjYKTTcXox+hDK262t6e33nDc=; b=uhUA7BngHmLVxGLRONGBoDFFOpYWw1LO+IpZGzXPA6q8kxpMXCWD3eGKwPIULyiMS1 p9jzB7aSadofq5rvhAvcfw2HlRxyJNBSUrARF4VhMmK2huKEB/3gdo5lHReHhitHL6eR lw5VK/J2ckQksVAifanpNRwM8Uw6NF29lm5lsCx0pQAjrd2ntdSPc+vT4ONcpa0Nx1WF OpdEKviIIhTrNufxrE2Nm4G1D92NtaOHiJoQoFVTaFuSoOGr2CBK+iokrsW5e9BdBTil NBU5GoRRLAQL3hvbXeraRkUAuR1cAqD9FTs1rlV19y0a6OOr7k31+WqV7kuNSyqhUSeI rWbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690464507; x=1691069307; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=VWvy/frn2yfv2egsvgbjYKTTcXox+hDK262t6e33nDc=; b=UgQ8Cu/bNCVbLq3p8Casaa+rP8TD9ocmC997GZaKsXPJYzttdueep4uyDyIwygYXns h0tt+QBYsEliul2PBMj8y9mEzxU7cAt/nhho5Ihql+n70mK+nRxagwI7yU6q1gT1vntI zKrsnMTcugzU8jGJTIDUle0sjD1ITC+0+4GPuGeTwYDh4CVMAwKT/RfnPNw0L6S9W/n2 6U9By6cN+eXTWU1I6UDItuGzDXb9TnbHeU6nMpmPvj1ddEezHsYKNGEMpbEbX15n8WC6 W+rZqGyEa9lK6ogG1AcrSq1c2RNi6JCVKkD5RP/f00u+uP7AiYDrsnSTaeFWM04AhvIW aepg==
X-Gm-Message-State: ABy/qLYNS/y/AknwYn1sjPnm/BZk+ZhxGLhJyaTocnZ0h1HcPCSz55/X hzV8+vueZytnaDAsfZyb3Db7WVVj8CeknjyCKt4vk3yJvc8WUPYC
X-Google-Smtp-Source: APBJJlGaW6ZopeuiHDxXxY77B3C6t8QGKXLg239HPOSccs8B0uaRugBn8+TcHuQKnwW3RxMgeXiFc0oIq/GosSvcdjU=
X-Received: by 2002:aa7:cd0a:0:b0:522:4dd0:de6e with SMTP id b10-20020aa7cd0a000000b005224dd0de6emr1857546edw.8.1690464506763; Thu, 27 Jul 2023 06:28:26 -0700 (PDT)
MIME-Version: 1.0
References: <BC530A34-D348-44D0-886E-DB1ECF3A5010@deployingradius.com> <06c301d9bfc0$e07154d0$a153fe70$@gmail.com> <5F5C2E17-2061-4FFC-942A-9C4ED861EE5F@deployingradius.com> <a0df55dd-01e3-44ee-bc18-183d7057390c@app.fastmail.com> <A0D7BF87-C696-4C52-A0B7-E88AE5274D20@deployingradius.com> <c06f35b0-f6bb-4ed0-bea4-bb3ec348f487@app.fastmail.com> <9175A7B7-F3F5-4C13-90C9-9311A8C721C8@freeradius.org>
In-Reply-To: <9175A7B7-F3F5-4C13-90C9-9311A8C721C8@freeradius.org>
From: Heikki Vatiainen <hvn@radiatorsoftware.com>
Date: Thu, 27 Jul 2023 16:28:10 +0300
Message-ID: <CAA7Lko-visUq83tK8T8SSq1xKTJRbRCh=QTojwqKP7D=HeTZGw@mail.gmail.com>
To: radext@ietf.org
Content-Type: multipart/alternative; boundary="0000000000006e7bc8060177f0e5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/L4FpnxiiZs0iB_PYV4sKBZ8XtX4>
Subject: Re: [radext] CUI comments in "deprecating insecure transports"
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jul 2023 13:28:32 -0000

On Wed, 26 Jul 2023 at 22:15, Arran Cudbard-Bell <a.cudbardb=
40freeradius.org@dmarc.ietf.org> wrote:


> > On Jul 26, 2023, at 11:29, Alexander Clouter <alex+ietf@coremem.com>
> wrote:
>
> > SessionTicket is there in the clear of the ClientHello, right? You
> cannot read the opaque part, but it is a stable identifier for about 24
> hours.
>
> Largely true for TLS < 1.3, but with TLS 1.3 all bets are off.
>
> A new session ticket can be sent during session resumption (I think
> FreeRADIUS does this by default, at least in v4), and multiple session
> tickets can be issued per authentication attempt.  RFC8446 also describes
> single use tickets as an anti-replay defence.  In order to use this as a
> reliable cross-session identifier you'd need to be able to observe the
> session tickets being sent by the server, which you can't do with TLS 1.3.
>

New ticket with each resumption appears to be what OpenSSL does by default.
Based on what I've seen with TLSv1.3: initialise the SSL context with
number of tickets set to 1 (as suggested by EAP-TLSv1.3 RFC 9190, section
2.1.2) and when a client authenticates with a full TLS handshake, they get
one new ticket. When they resume, they get another new ticket. The
subsequent resumptions then all hand out one new ticket. The new ticket
server sends is encrypted.

I think session tickets with EAP in TLSv1.2 are not supported, but tracking
the server based resumption ClientHello SessionID would work with TLSv1.2
and earlier.


> EAP-SIM/EAP-AKA/EAP-AKA' can all mutate or regenerate their Pseudonym and
> Fast-Reauth identities on every authentication attempt whether it's resumed
> or not, but the new values are always sent within AT_ENCR_DATA which is
> opaque to eavesdroppers, and so defeats tracking.
>

With the SIM based EAP method, there's also this specification from the
Wireless Broadband Alliance:
https://wballiance.com/resource/imsi-privacy-protection-for-wi-fi/

This allows the EAP client to encrypt its IMSI (basis of its EAP Identity)
even with the first authentication. This uses a client configuration which
can also be set so that the client never sends out its IMSI without
encryption, no matter what the EAP server requests.

Anyway, just to make the point that privacy won't automatically be
> compromised by TLS or AKA based EAP methods when performing
> session-resumption.
>

Agreed.

-- 
Heikki Vatiainen
hvn@radiatorsoftware.com

v2.35.0 | Report a Bug | By Email | System Status