[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
Alan DeKok <aland@deployingradius.com> Wed, 24 July 2024 17:21 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E37E4C1519A6 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 10:21:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8ps-h9clZlB1 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 10:21:00 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A3A9C16942C for <radext@ietf.org>; Wed, 24 Jul 2024 10:20:59 -0700 (PDT)
Received: from smtpclient.apple (dhcp-911c.meeting.ietf.org [31.133.145.28]) by mail.networkradius.com (Postfix) with ESMTPSA id 23D1A20A; Wed, 24 Jul 2024 17:20:56 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com>
Date: Wed, 24 Jul 2024 10:20:54 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <85CCF592-FDEC-478B-AA03-E10DA209C9A5@deployingradius.com>
References: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: BIKE45Y4JN6RHYPZ5IQCK3FZSNOHAANI
X-Message-ID-Hash: BIKE45Y4JN6RHYPZ5IQCK3FZSNOHAANI
X-MailFrom: aland@deployingradius.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/VML3W8gzrhjG1vXAeXn6dY3doQ4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
On Jul 24, 2024, at 9:43 AM, Margaret Cullen <mrcullen42@gmail.com> wrote: > While working through the RADIUS (D)TLS document last night, I realized that RADIUS/(D)TLS does not include support for TLS channel binding. In other words, there is nothing in the RADIUS/(D)TLS layer that ensures that both ends of a single RADIUS hop are using the same unique (D)TLS session. Without channel binding, RADIUS running over (D)TLS may be open to MITM attacks including: blocking valid traffic, spoofing Access-Accepts or Rejects, viewing sensitive data, replay attacks, redirection, DoS, etc. If the client and server validate each others identity, does that matter? We already know that RADIUS proxies can see peoples passwords, block traffic, change accepts to rejects, etc. We already know that the client might be a proxy, so the client doesn't (in fact) own or even understand the data it's forwarding. RADIUS proxies are designed to be MITM, with full MITM capabilities. So channel binding here just proves what we already known: this proxy is trusted to mangle packets. > It is up to the WG to decide what to do about this. As a WG chair, I will insist that, at the very least, we need to update the Security Considerations section in the RADIUS/(D)TLS document to point out this properly of the RADIUS/(D)TLS protocol and its implications. > > Speaking as an individual, it is my opinion that we should add channel bindings to RADIUS/(D)TLS. Just to clarify the difference between channel binding (RFC 6677) from cryptographic binding. Channel bindings prevent the "lying NAS" problem, where a pretend NAS forwards traffic to the "real" system. This is only needed for EAP, because the supplicant doesn't have a trust relationship with the NAS, only with the RADIUS server. i.e. We have communication Suppliant -> NAS -> RADIUS (A, B, and C for simplicity). A && C share trust (server cert, user credentials). B & C share trust (RADIUS shared secret). But A doesn't trust B. Channel bindings are a statement by C to A that "you can trust this particular B". But for RADIUS/TLS, we don't have multiple parties. There's just client and server. Either they trust each other, or they don't. In contrast, cryptographic bindings ensure that any derived challenges / keys are associated with the TLS connection. So that a MITM can't force the use of a particular challenge, and this break authentication protocols. But for RADIUS/TLS, we don't have any challenges, etc. which are sent between client and server. The client and server are effectively routing AAA traffic which they don't understand, control, or even originate. So I don't see how either cryptographic binding or channel binding helps here. > Currently, RADIUS/UDP is (albeit poorly) protected against MITM attacks by the use of pre-shared secrets and MD5. Unfortunately, MD5 is fairly easy to crack these days. In contrast, RADIUS/(D)TLS is not protected by RADIUS pre-shared secrets, because of the use of well-known “secrets” (radsec or radsec/dtls) instead. In the absence of any other way to verify that RADIUS traffic is being sent to/from the intended peer, RADIUS/(D)TLS is even less well-protected against MITM attacks than RADIUS/UDP. Any MITM attack on RADIUS/TLS would involve breaking TLS. Or, require that one / both ends fail to validate the others credentials. RFC 5056 discusses these issues. In short, if the channel is (a) authenticated, and (b) integrity checked, and (c) private / encrypted, channel bindings are much less useful. The main use of channel bindings is when there are multiple protocols and/or multiple parties involved. The different protocols are bound together to form one logical shared communications session. But with RADUS/TLS, there are no multiple protocols, and there are no multiple parties. One client sends packets to one server. Both ends authenticate each other. We rely on TLS to do authentication, integrity checks, and privacy checks. > Channel binding with (D)TLS is a well-trodden path in the IETF, and I think it would be best for us to add channel binding to the RADIUS/(D)TLS specification before we move it to the Standards Track. We are already making non-backwards compatible changes to RADIUS/(D)TLS in the new document (such as requiring servers to implement DTLS, as well as TLS), so I think this would be our best opportunity to correct this omission and standardize a sound specification. Channel binding in RADIUS/(D)TLS could likely be accomplished by adding an attribute that securely verifies that both ends are using the same TLS session, and exchanging that attribute in RADIUS packets before any sensitive data is transmitted. For those of you who aren’t familiar with TLS, TLS provides a unique session token that can be used for this purpose. But we've already authenticated the server via TLS. How does it help to tie the application data to the TLS session? We already know that the "next" server is forwarding packets elsewhere. The next server is already a MITM, and is already known to be mangling packets. > There are, of course, other benefits to transporting RADIUS over (D)TLS vs. UDP that make it highly desirable to deprecate RADIUS/UDP in favor of RADIUS?(D)TLS, such as encrypting RADIUS packets so they cannot be seen in plain text in transit. I am definitely _not_ suggesting that we stay with UDP instead of moving to (D)TLS — I’m suggesting that we fix RADIUS/(D)TLS, so that we do not expose RADIUS to new MITM attacks. > > I would, as an individual, and as a WG chair, like to hear other people’s opinions about what (if anything) we should do to resolve this issue. I'm not sure what benefits channel binding would add. I can't think of a concrete case where a MITM attack could occur, and where channel bindings would catch it. Alan DeKok.
- [radext] Lack of Channel Bindings in RADIUS/(D)TLS Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Fabian Mauchle
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Valery Smyslov
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Fabian Mauchle
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Q Misell
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Peter Deacon
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Stefan Paetow
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Q Misell