[radext] Re: Selfie Attack on TLS-PSK
Q Misell <q@as207960.net> Tue, 30 July 2024 07:55 UTC
Return-Path: <q@as207960.net>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2819C14F6AA for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 00:55:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.106
X-Spam-Level:
X-Spam-Status: No, score=-7.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=as207960.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gUmNAYGyYfmp for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 00:55:03 -0700 (PDT)
Received: from mail-ed1-x534.google.com (mail-ed1-x534.google.com [IPv6:2a00:1450:4864:20::534]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09990C14F69E for <radext@ietf.org>; Tue, 30 Jul 2024 00:55:02 -0700 (PDT)
Received: by mail-ed1-x534.google.com with SMTP id 4fb4d7f45d1cf-5a20de39cfbso6123940a12.1 for <radext@ietf.org>; Tue, 30 Jul 2024 00:55:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=as207960.net; s=google; t=1722326101; x=1722930901; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3xwL8SzWOdpSa9fd3yfaoPfX6jO8x3LuKQJwZGtvtRE=; b=ggmsGWQ7wrC8VbuIucbV6X39wbnWO+Ggl+EQ/TWN3h6iu2u8c4fiWEUFIGbqe37TlV GO+UrTsWIL01mgYcic7mI2Ang2JvBtO4T1IJwiu724ObJKyRWIsfhESFQRurStuEqKnl 6GUDfaApNz2mO+vg+eOY0FcIsavTTARsGbgYcjgo0V4ZB2Q9PhwnsdeMzPZpdeRGNZGo 5gE74/Xuo44volhnKLF++jMnNjMWhy9tS5gO1M2AgIDmpx0QqJq4kH1EzL3c7C+enPU2 4AvSQ8daLc//iIT5XpoR4YpJf64my91fcV6hK8v3Aq6yu9wMqKAg7ru+JcRjgtNVefDN Hazg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722326101; x=1722930901; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3xwL8SzWOdpSa9fd3yfaoPfX6jO8x3LuKQJwZGtvtRE=; b=qvAqfpt5fomVm7/ZYcx9DkhTeipAgfD+CCIPdZuFaP8DkOCoAn9PtJ1yLfzy45J+VG oytRx+onIG0hXsIDOEq1mmvq7AZB86WJqCyBqlruUJsJkeENBAgiXZwvu1Fp4kaoM2WQ gbqGC7pcpHWEi2PQ7AYwyseQtu4ufD9xyMV120iwdKcqbenco2Ckp6qCnShgPGcdW3KY YumJGxPOaaMX96gAI7u0+aN6/1AvGxeRdPF6rjsdaCTs8eV0cqDRV71GCwvST6haRHdW rQGs8/1EiMy4+Lvc7fjsWpGPqjCKT4/2pdOdOkVaqYO1W0Z5eLrVUMafEiGR/edUDfGN /lNQ==
X-Forwarded-Encrypted: i=1; AJvYcCU4SXbSJtJadmRVBm4ya7JS+O5YVIahL1c2xq1VKKK7Za5NuudMExrj3mcOV8SV7zwaAtfBsHx+cYqUnG3TbHs=
X-Gm-Message-State: AOJu0YwsHwMHFR6UiIT8IRVurIdFOt3WRWiEzK+ULW+Kx/PPYEHakIvF nk5LMcswCPn89N8YBDwylOzkP7ROuKMt5AW2BajncjONX/jxpKztcIlONyCrAnKP6rqAPr1QlRm M8UlS0AOgcfYDhF8UoRl1JQDH34AKk/QCFzQZCkoB2MhNxf58u0Rfx/jP4nfvzw==
X-Google-Smtp-Source: AGHT+IGH6OA0DeWnQMzO+M6/4W5TK8r3PY75C+fwpWc5atJf0jB+FVVwWMh2JgND9c59mOCfDH1MYsiGwk4/KS3ynI8=
X-Received: by 2002:a50:9e64:0:b0:5a2:694e:5faa with SMTP id 4fb4d7f45d1cf-5b0205d6384mr6000489a12.8.1722326101139; Tue, 30 Jul 2024 00:55:01 -0700 (PDT)
MIME-Version: 1.0
References: <032f01dade8b$1fc33c40$5f49b4c0$@gmail.com> <9BE709A1-470B-4F54-A050-9F30C7A6CBD7@gmail.com> <03ef01dadf44$85ce2220$916a6660$@gmail.com>
In-Reply-To: <03ef01dadf44$85ce2220$916a6660$@gmail.com>
From: Q Misell <q@as207960.net>
Date: Tue, 30 Jul 2024 09:54:24 +0200
Message-ID: <CAMEWqGvCS25-2+enWq_VBZhPssTssfjoQgYHZHMbhHRHoJ_bhg@mail.gmail.com>
To: josh.howlett@gmail.com
Content-Type: multipart/alternative; boundary="000000000000724b29061e724b7a"
Message-ID-Hash: OKA527BZXP656VRCPXZMWQN7H3LSD7HZ
X-Message-ID-Hash: OKA527BZXP656VRCPXZMWQN7H3LSD7HZ
X-MailFrom: q@as207960.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Margaret Cullen <mrcullen42@gmail.com>, Alan DeKok <aland@deployingradius.com>, Bernard Aboba <bernard.aboba@gmail.com>, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/PvRxJtvLeUD0PTwPo-b10hCS9NI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Moin, Having read the Selfie paper here's my thoughts on what RADIUS should do about it. > "Nodes that act both as client and server at the same time MUST NOT share or reuse PSK identities between incoming and outgoing connections." I believe this wording is sufficient to protect against the attack. I also think there should be a note about a node only ever acting as server or only ever acting as a client (i.e. only ever making outgoing connections, or only ever accepting incoming connections) being sufficient to protect against Selfie. The concept of a server and client is new to RADIUS, but say in the case of eduroam there's a clear relationship where say JISC (UK NREN) would only ever accept incoming connections from member IdPs, and member IdPs would only ever make outgoing connections to JISC. Can anyone think of a scenario where this wouldn't be the case? ------------------------------ Any statements contained in this email are personal to the author and are not necessarily the statements of the company unless specifically stated. AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace, Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company registered in Wales under № 12417574 <https://find-and-update.company-information.service.gov.uk/company/12417574>, LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876 <https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №: 522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca Digital, is a company registered in Estonia under № 16755226. Estonian VAT №: EE102625532. Glauca Digital and the Glauca logo are registered trademarks in the UK, under № UK00003718474 and № UK00003718468, respectively. On Fri, 26 Jul 2024 at 12:14, <josh.howlett@gmail.com> wrote: > Margaret wrote: > > Speaking as an individual… > > > > I am not talking about trying to establish any sort of cryptographic > end-to-end > > trust in a multi-hop RADIUS fabric. I agree that we don’t have that > today, and > > it is not our goal to change that. I am talking about the security > properties of a > > single RADIUS hop. I am also talking about how those properties feed > into the > > security models of multi-hop deployments. > > Ah, ok, sorry for the misrepresentation... > > > As Stefan points out, copying of a RADIUS/TLS-transmitted RADIUS message > > on to a local network is different (and less secure) than dumb copying > of a > > message that was transmitted via RADIUS/UDP, because sensitive data in > the > > message transmitted via UDP will still be protected (to some degree) by > the > > RADIUS secret and MD5, while the packet coming from RADIUS/TLS would use > > a well-known RADIUS secret, “radsec”, essentially equivalent to sending > the > > sensitive parts of the packet in clear text. > > The entity doing Stefan's "copying" is not a classic RADIUS entity. It > sounds like a proxy that operates purely at the transport layer (and not > the application layer). A RADIUS proxy translating TLS to UDP must mint a > new request using the secret shared with the downstream server. > > There is a problem if Stefan's entity existed, but it isn't a mode of > operation supported the RFCs and I don't know of any products doing this. > > > My point is that we should make sure that moving away from the solution > we > > are deprecating (RADIUS/UDP) and moving to any if the solutions we are > > recommending (any one of the RadSec variants) does not result in security > > regressions, and that any security model changes are well-documented. > > +1 > > Josh > > _______________________________________________ > radext mailing list -- radext@ietf.org > To unsubscribe send an email to radext-leave@ietf.org >
- [radext] Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Bernard Aboba
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK hannes.tschofenig
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Jan-Frederik Rieckers
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen