[radext] Re: Selfie Attack on TLS-PSK
josh.howlett@gmail.com Thu, 25 July 2024 12:06 UTC
Return-Path: <josh.howlett@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01B61C18DBA6 for <radext@ietfa.amsl.com>; Thu, 25 Jul 2024 05:06:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zkpVMbrxtcOA for <radext@ietfa.amsl.com>; Thu, 25 Jul 2024 05:06:49 -0700 (PDT)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F4EDC18DBA0 for <radext@ietf.org>; Thu, 25 Jul 2024 05:06:49 -0700 (PDT)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-5a167b9df7eso1137459a12.3 for <radext@ietf.org>; Thu, 25 Jul 2024 05:06:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721909208; x=1722514008; darn=ietf.org; h=thread-index:content-language:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=sVeDDZDIxeEPL4/HO9hV6ktpqmWZ65HS+EaYSN52g0A=; b=aR0YHJYrVxRVy8M7w+Y4lMfV5df52OUr1r1oCtkSyzwvaUV80kpTY60WVbW7zzzi3G TTnfU2PjVZvFfPDCMZCFx8eIW58tkuVjjQDNKP4tnv8Iwo057kEB4iE/bLtYK6Oig3TK z5/8lMSjTD/bULLKNhH492pDSvA55j9qDru0diUN25R4aTZlXj6lJn2knR/BdRoBhN0C TDnXf+yBOPI8DdKj0PrSyQwJoxwNAQO1035C8dFisYGOITIKssZnlHhhCDRbSUcEiqNT 7uLqn6LhdayOOhEas3u5SqMKhDSaRi5z79n46nHeJ0GCnQgEfrguODa5/l8eCFbPr9Sd AKqg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721909208; x=1722514008; h=thread-index:content-language:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=sVeDDZDIxeEPL4/HO9hV6ktpqmWZ65HS+EaYSN52g0A=; b=imuHJKuCFUFeg0NDUpPgAZbFuDKC4CNpKZWKuUG9NlyF49lq0J/kScUYqtQHSvolTw leb7M7ggw61sYgcWjsb1EiRDHewvZkjb5GmHWjMBuo7bkPCkbkdy7J+HwS94DwjIKhhP IQ6Y9LyvFdA91sFeoRvcL7MvzFp0jW9riQa5U891ggpAPk+nwsXYSmtTRGHXNCbulYfX slgcs6q8nRU08Op9GSyXj50l3phkw8+z9Qdp80wklDgg5o0fPUuGM3cQ5yJOas9WMGbg KMJBJhXl+UMU3+I977csCbw3w87nvFBsvGU5bRWnJt9fPNQ8CxxvGX5Sf3S0C2mhBZwR A3bg==
X-Forwarded-Encrypted: i=1; AJvYcCWNl5s39XBMstB4yLH1OPV+mAsUPArSF8+Kl2/DF+Fd7LiL+vBIhRJ96rek2Kt1GqTqV7Tfvn7HeMYNRDGCus4=
X-Gm-Message-State: AOJu0Yxk1+Q4pgmk3clk9bK3qh65WnupUGbniNNhzghMEc6J3W5w1brQ tFliix0sv+7lM6h1CQ8LJ35EY1RW0mWOswZDNHAUCtw8sMZFQEGnS75deSnq
X-Google-Smtp-Source: AGHT+IGEEheC+5G2K6+zJSPha6I9FEY7nAJd1FfjdAFhmVI6D57ZhQmg3jeWZy73PxfJukIKNelOnQ==
X-Received: by 2002:a50:9f8a:0:b0:5a3:a9f8:cf20 with SMTP id 4fb4d7f45d1cf-5ac2c5a5de1mr1458536a12.34.1721909207139; Thu, 25 Jul 2024 05:06:47 -0700 (PDT)
Received: from CPCjoshNDRI8C ([20.160.85.47]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5ac631b0441sm761034a12.9.2024.07.25.05.06.46 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 25 Jul 2024 05:06:46 -0700 (PDT)
From: josh.howlett@gmail.com
To: 'Alan DeKok' <aland@deployingradius.com>, 'Bernard Aboba' <bernard.aboba@gmail.com>
References: <E66DC2E7-1D48-4B9F-BB3D-1D87D1E25F61@gmail.com> <39C18E1E-B1D0-407E-8AA6-20E513C7E308@deployingradius.com> <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com> <0C304B83-BD78-425B-B854-232FE7FE3387@deployingradius.com>
In-Reply-To: <0C304B83-BD78-425B-B854-232FE7FE3387@deployingradius.com>
Date: Thu, 25 Jul 2024 13:06:47 +0100
Message-ID: <032f01dade8b$1fc33c40$5f49b4c0$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-gb
Thread-Index: AQJ+xPFZ3cZf+5srMhq8lo+Kd19U5AGJwZTFAYyg0VoBmAPJYbCaAMxg
Message-ID-Hash: LVZJV4SY7HDTKV663W4BLJ4QSLXRVYEX
X-Message-ID-Hash: LVZJV4SY7HDTKV663W4BLJ4QSLXRVYEX
X-MailFrom: josh.howlett@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: 'Margaret Cullen' <mrcullen42@gmail.com>, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/XiSp6mtnbsBLuPruDZXRpHPUWwE>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
> > It is not sufficient for RADIUS clients and servers to use mutual > > authentication with certificates or PSKs. It is also necessary to verify that the > > endpoints are who they are expected to be. > > This may not be so simple in some > > deployment scenarios, such as where legacy NAS devices use RADIUS over > > (D)TLS proxies, so that a server can receive packets from many NASes over a > > (D)TLS session. How does the server validate that these packets are arriving on > > the right (D)TLS sessions? It may seem convenient to say "we don't care" but > > surely there are some packet/path combinations which would be unexpected, > > indicating mis-routing (and exposure of secrets as well as location info to > > unauthorized proxies/servers). For example, it would be "unusual" for a > > corpnet RADIUS server to receive RADIUS packets originating from a corpnet > > NAS over a (D)TLS session with a roaming partner. > > I'm not clear how this is any different from existing RADIUS routing (or lack > thereof). There's nothing in RADIUS/UDP which addresses these issues. Without wishing to speak for her, I think Margaret is noting that RADIUS over (D)TLS does not offer end-to-end assurances in the way that people tend to assume that TLS provides. The absence of this property is obvious in the UDP world: the trust boundary is clearly demarcated with explicit, manual configuration. It is intuitively obvious that a downstream proxy can modify packets in many ways, undetected. (D)TLS does not (and cannot) change this. However, TLS -- and certificates in particular -- offers new ways of defining the trust boundary. So, the security properties resulting from a given configuration could be hard to assess across a heterogenous deployment. As a data point, about 0.1% of requests on US eduroam originate from RADIUS clients that have nothing to do with WiFi because of proxy misconfiguration. Imagine having a VPN concentrator that can be accessed by a large part of the world's student population. The document does not set out to solve this problem; and nor should it. However, I think it would be good to discuss the issue in the Security Considerations section. I agree with your characterisation of this issue as a routing problem. One of the legacies of the NAI is that we're stuck in a realm-based forwarding paradigm, but this discussion shows that it is not sufficient to that a packet arrives at the right destination (a problem of discovery). It needs to travel there in a way that is consistent with policy (a problem of trust). Josh
- [radext] Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Bernard Aboba
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK hannes.tschofenig
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Jan-Frederik Rieckers
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen