[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS

Margaret Cullen <mrcullen42@gmail.com> Wed, 24 July 2024 17:50 UTC

Return-Path: <mrcullen42@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D90A3C14F61C for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 10:50:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.859
X-Spam-Level:
X-Spam-Status: No, score=-1.859 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OMGQu1LXoAhH for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 10:50:43 -0700 (PDT)
Received: from mail-qk1-x730.google.com (mail-qk1-x730.google.com [IPv6:2607:f8b0:4864:20::730]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 735C5C1CAE6E for <radext@ietf.org>; Wed, 24 Jul 2024 10:50:43 -0700 (PDT)
Received: by mail-qk1-x730.google.com with SMTP id af79cd13be357-7a1d3959ad5so14722085a.0 for <radext@ietf.org>; Wed, 24 Jul 2024 10:50:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721843442; x=1722448242; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=DiZiNRL/t79waegz/9jqsmYgXr7AdA4s+5jYAhwNb3g=; b=lZPlQzOjfeVn1ZB+od9scU1u/pQighWt8mw4D3Ey92/BxMRUAaLqqKQuAop3RRzYFv ufNBpof/qH7Mqf0r8r617PJn93dh7udrBnYNCQTkPsyFxuvJlvJAyHYMCbVnIlWptUup ppZwIeURgbSS7vNIvBcS1ktfd+NNTjREOz668gDJUGXA+zYuhzeu8nPfNjj9R4ruCJnT kR4fTs6G8NwvkiwspKlEjsYWj4PhYML2EiU5v41DqbvXA+ElgqyR/jOtJVG+Jy6+aM0y pZgMhubrBe+AlnxUi3R+F1LKqnCnYvHn/KB9Xqj+eZn7iRWe8OjACnaMQ3OCuYYTqfdt plrw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721843442; x=1722448242; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=DiZiNRL/t79waegz/9jqsmYgXr7AdA4s+5jYAhwNb3g=; b=JQZlLnw8jd9haHKaXhdtbAQfuRGialnV444WR4gKQToghCXFR8qEZW4UTbFECBuoXc EPynTZTqG0kwITu8wYjpTtHyNVQdRLHjFP7pU4xY8XNKtOklSQSZyvcr7sYOD1JCzgBb i8SBXQgZGZWeeMlgnqn7bRHKFmcUpqg1KYXBWYu7hXmSUqGGGl0E4UGJCp6gQ84I1Oqi /5D6YWLh+/oO0w0WFQiYXi4MuucQIfygYVGW2zRITInX2EVP16LLaiFJVZvsGFwCnveb 0ZZEMOq8opWCp8aCnTy46IAxcVqxkLz3ggwTcS3WnPRh3Q8USXjWe3ly7XhCoYGwssAo T+yQ==
X-Gm-Message-State: AOJu0YwkcBMMRFas6g5ylZf6v+cxqQmYhKQCSrF5nmkGWIZS6GPVoLV1 zl+X7fcsaeDBl5Rfn8LqIJNy5hla7PhOU292lqhASWyDqrXnBBkHlOPHZA==
X-Google-Smtp-Source: AGHT+IEnhPSqs9QEFiI4+Xt7veW9kMyUgn+8mQtI71Mo6pbg188JsrurM1BgU8WwjrkYANbgn0Ev7Q==
X-Received: by 2002:a05:620a:4107:b0:79b:a8df:7829 with SMTP id af79cd13be357-7a1ccd2c6ecmr412649885a.14.1721843442086; Wed, 24 Jul 2024 10:50:42 -0700 (PDT)
Received: from smtpclient.apple ([2601:18c:503:9630:c449:e6b1:db51:1469]) by smtp.gmail.com with ESMTPSA id d75a77b69052e-44fd84bda4esm7640251cf.36.2024.07.24.10.50.41 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Jul 2024 10:50:41 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Margaret Cullen <mrcullen42@gmail.com>
In-Reply-To: <85CCF592-FDEC-478B-AA03-E10DA209C9A5@deployingradius.com>
Date: Wed, 24 Jul 2024 13:50:40 -0400
Content-Transfer-Encoding: quoted-printable
Message-Id: <9C9E5617-451E-4CB7-A54A-EE049D91DBAE@gmail.com>
References: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com> <85CCF592-FDEC-478B-AA03-E10DA209C9A5@deployingradius.com>
To: Alan DeKok <aland@deployingradius.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: MPVYL4GIDW2QFIGOWS2RBOCVWTJLIGMP
X-Message-ID-Hash: MPVYL4GIDW2QFIGOWS2RBOCVWTJLIGMP
X-MailFrom: mrcullen42@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/XgZ9TgVWfHkBLfCtANh9KFsZL0s>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

Hi Alan,

Thank you very much for your careful explanation.  However, it doesn’t entirely address my concern…. Let me take one comment out-of-context, with the goal of brevity, not of trying to misrepresent what you said...

> On Jul 24, 2024, at 1:20 PM, Alan DeKok <aland@deployingradius.com> wrote:
>  Channel bindings are a statement by C to A that "you can trust this particular B".
> 
>  But for RADIUS/TLS, we don't have multiple parties.  There's just client and server.  Either they trust each other, or they don't.
> 
>  In contrast, cryptographic bindings ensure that any derived challenges / keys are associated with the TLS connection.  So that a MITM can't force the use of a particular challenge, and this break authentication protocols.
> 
>  But for RADIUS/TLS, we don't have any challenges, etc. which are sent between client and server.  The client and server are effectively routing AAA traffic which they don't understand, control, or even originate.
> 
>  So I don't see how either cryptographic binding or channel binding helps here.

For RADIUS/UDP, though, we _do_ have a challenge that ensures that the client is authorized to send a message to the server, and that the server is authorized to receive a message from the client — based on pre-shared keys and MD5.  We also have a mechanism to ensure that if a RADIUS request reaches the wrong server (e,g. an attacker) the most sensitive parts of the RADIUS message cannot be seen in clear text — also based on pre-shared keys and MD5.

Those mechanisms have been removed in RADIUS/(D)TLS, and they have not really been replaced by anything.

>  But we've already authenticated the server via TLS.  How does it help to tie the application data to the TLS session? 

This is only true if we know that the system on the other end of the TLS session is an authorized peer.  How do we know that?  

Without checking that the TLS session token is the same on both ends of a TLS session, it is possible that the TLS session is being terminated by a MITM who has a second TLS session with the intended peer, and is shuttling data between those sessions while viewing the data, and potentially modifying parts of it that are not protected at the application layer, etc.

When you have two peers A and C, with an authorized proxy, B, you have two RADIUS sessions A -> B and B -> C.  This only works if A has a shared secret with B and B has a shared secret with C.  So, B is part of the trusted set of peers.  Using RadSec, a MITM (Z) could have no trust relationship with A or B, but be receiving traffic from A on one TLS connection, and forwarding it to C on a second TLS connection, while both A and B think that they are directly connected to each other.  Z is not part of the trusted peer group, Z is a MITM attacker.  This is quite different than that forwarding through an authorized proxy.

Is there some way that TLS protects from a MITM attack these days that removes the need for channel binding to avoid this possibility?  In previous work I’ve done involving (D)TLS, albeit quite a few years ago, the application layer had to do a cryptographic exchange to ensure that both ends were using the same TLS session.

Margaret