[radext] Re: Selfie Attack on TLS-PSK

Fabian Mauchle <fabian.mauchle@switch.ch> Thu, 25 July 2024 09:19 UTC

List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/SE3OkVPC7EHPHYR6FvbHK7Y9kis>


On 25.07.2024 00:00, Alan DeKok wrote:
> On Jul 24, 2024, at 1:37 PM, Margaret Cullen <mrcullen42@gmail.com> wrote:
>>
>> On a separate but related note…
>>
>> I came across this attack while reading about TLS mutual authentication:
>>
>> https://eprint.iacr.org/2019/347.pdf
>>
>    Nice!  And :(
>   
>> Is this something we should consider before we recommend the use of TLS-PSK with TLS 1.3? Or has this issues already been addressed?
> 
>    This is discussed in RFC 9527:
> 
>    https://datatracker.ietf.org/doc/html/rfc9257#section-8
> 
>    I'll have to do a deeper dive to see how this affects the TLS-PSK document.

Unless I missed something...

In TLS-PSK the server identifies (and authorizes) the client based on the 
PSK identity, and authenticates it by the PSK key.

The client authenticates the server by the PSK key, and authorizes it by 
the sole fact that it knew the key.

So what we want to avoid is servers accepting connections from 
clients that 'impersonate' the server's identity (the identity it would 
itself use for outgoing connections).

Maybe we should add something to section 4.3. 'PSK and PSK Identity 
Sharing' like:

"Nodes that act both as client and server at the same time MUST NOT 
share or reuse PSK identities between incoming and outgoing connections."


This might also have implications for radiusdtls-bis, since current 
proposals allow skipping the identity check and authorizing e.g. based on 
policy OID. Such a scenario might also be susceptible to Selfie.

-- 
Fabian Mauchle
Network
NOC:    +41 44 268 15 30
Direct: +41 44 268 15 39

Switch
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
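To make the reasoning in the message above concrete, here is a constructed Python model (added here; not code from the thread or from any RADIUS implementation) of a node that acts as both TLS-PSK client and server. It shows why a reflected ClientHello is accepted when one identity and key are shared between the two roles, and how both a runtime check and a configuration check enforce the proposed rule. The HMAC "binder", the node names and the secrets are stand-ins for the real TLS 1.3 PSK binder and for deployment-specific values.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class PskNode:
    """A node that is both a TLS-PSK client and a TLS-PSK server (constructed model)."""
    name: str
    client_identity: str                 # identity presented on outgoing connections
    client_key: bytes                    # PSK used for outgoing connections
    server_psks: dict = field(default_factory=dict)  # identity -> key accepted from clients

    def client_hello(self, transcript: bytes):
        # Stand-in for the TLS 1.3 PSK binder: an HMAC over the handshake transcript.
        binder = hmac.new(self.client_key, transcript, hashlib.sha256).digest()
        return self.client_identity, transcript, binder

    def accept_client(self, identity, transcript, binder, reject_own_identity=False):
        """Server side: authorize by PSK identity, authenticate by PSK key."""
        if reject_own_identity and identity == self.client_identity:
            return False, "identity is this node's own outgoing identity"
        key = self.server_psks.get(identity)
        if key is None:
            return False, "unknown identity"
        expected = hmac.new(key, transcript, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, binder):
            return False, "bad binder"
        return True, "authenticated"


def selfie_reflection(node, reject_own_identity=False):
    """An on-path party relays the node's own ClientHello back to it unchanged."""
    hello = node.client_hello(b"constructed transcript")
    return node.accept_client(*hello, reject_own_identity=reject_own_identity)


def shared_identities(node):
    """Config check for the proposed rule: identities used in both roles."""
    return [i for i in node.server_psks if i == node.client_identity]


K = b"constructed-shared-secret"
# One identity and key for both directions, as with a single RADIUS shared secret.
shared = PskNode("A", "radius-peer", K, {"radius-peer": K})
# Distinct identity and key per direction: the reflected hello is simply unknown.
distinct = PskNode("A", "A-to-B", K, {"B-to-A": b"constructed-other-secret"})
```

`shared_identities()` is the check a configuration loader would run at startup; `reject_own_identity` is the same rule applied at handshake time for deployments that cannot rule out sharing by configuration alone.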