[radext] Re: Selfie Attack on TLS-PSK
josh.howlett@gmail.com Fri, 26 July 2024 10:13 UTC
Return-Path: <josh.howlett@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C9DCC1840C6 for <radext@ietfa.amsl.com>; Fri, 26 Jul 2024 03:13:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nku81mBwU12i for <radext@ietfa.amsl.com>; Fri, 26 Jul 2024 03:13:57 -0700 (PDT)
Received: from mail-ed1-x52b.google.com (mail-ed1-x52b.google.com [IPv6:2a00:1450:4864:20::52b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35535C14F70C for <radext@ietf.org>; Fri, 26 Jul 2024 03:13:57 -0700 (PDT)
Received: by mail-ed1-x52b.google.com with SMTP id 4fb4d7f45d1cf-5a156557026so2323100a12.2 for <radext@ietf.org>; Fri, 26 Jul 2024 03:13:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721988835; x=1722593635; darn=ietf.org; h=thread-index:content-language:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:from:to:cc:subject:date:message-id:reply-to; bh=BLRWXJHhJrcQU2AJRB7OH0PkKXSYgue2IpgQWjeFOog=; b=mhdCICyMaSFbZocwxBJHg75yC1s7cFMglrqJLTdmHYw21s/rLi3DjD9GroL8K/JRbU NAy8GTa/tOX9gHq+o1LvCvZJhSAlSoFCqezVHL+BYhH9FYyg8jszTZsEenmR/jVB9SbQ dV0+TBlYgjA6T1Za+mh95A6hCrpVF3ESsmsYPcQMpeXqE1JCyPMnJ6rjF92wgOZWQMh7 VPFbYcOnQB/gf7h+bQvw8eVAQj2TvDVqLHesGnjdI4LEkz82Xl7k+c/P5VjONdFpa554 0UT6+GqptibQkUbCehkjd4Yxij5z/5jq750HYY1G0dmSr/zjqZkiEfhUdLuWFtwG9LZA xsaQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721988835; x=1722593635; h=thread-index:content-language:content-transfer-encoding :mime-version:message-id:date:subject:in-reply-to:references:cc:to :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=BLRWXJHhJrcQU2AJRB7OH0PkKXSYgue2IpgQWjeFOog=; b=lq4rYRQ9sPGwLdprJss9O6ZTFVT33GgxLmxAD9g9pMZMpfxmxph+w2/zFLJ08N7ZBI 0Z3HeCsaWmZtijxKFi/gFcdJVPMO6iNfSQBtg+u/GfY+Wz8aF6tpC/g/rjxW1opzyvvs C46iCf54IeLinabXTfVa6DG2qc7IZidjln2sQy28oXegJqeY2eMuSY7HzZ70xtzQLB/i a82zrE2t/B8zYN2hWRHagflpqSRUMc3H88RExrJdAhPBWYx+S8IBoE8Xi/Xs4iSSMmxA z0Mk9cet1IkUDfB1E0F4sbTrSjQoLBaZkI7cEH5P2ZWT8s4IH+XeCfN4HFCt1ux1HLvc QjMg==
X-Forwarded-Encrypted: i=1; AJvYcCW6nBMfMX8PU+H8dJb3oDyGerED5tkZpCdLPE4fRS6XO9dumWDNQcENXc7kMLN6+/NlEw9vPqBDO6VSlHVFAOQ=
X-Gm-Message-State: AOJu0YzPoeOL4xZux9IHRprjoVHiPuazX53XFmA8nN7OPgNMpCZ4Tvxn gv84R/KzMGx0Tu106dPBtHhRkUm/TVQNJIo0bXYZXisilHDi54+F
X-Google-Smtp-Source: AGHT+IEYuA1g6jm9J8/LQIqParhoCpKeTFAichgHjG2JEevas9yfROAEZr62rPtN12NWeuFQa/b9Hw==
X-Received: by 2002:a50:a6c9:0:b0:57c:c3aa:6c68 with SMTP id 4fb4d7f45d1cf-5ac63b5a78amr4227645a12.20.1721988835236; Fri, 26 Jul 2024 03:13:55 -0700 (PDT)
Received: from CPCjoshNDRI8C ([20.160.85.47]) by smtp.gmail.com with ESMTPSA id 4fb4d7f45d1cf-5ac64eb399esm1714563a12.65.2024.07.26.03.13.54 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Jul 2024 03:13:54 -0700 (PDT)
From: josh.howlett@gmail.com
To: 'Margaret Cullen' <mrcullen42@gmail.com>
References: <032f01dade8b$1fc33c40$5f49b4c0$@gmail.com> <9BE709A1-470B-4F54-A050-9F30C7A6CBD7@gmail.com>
In-Reply-To: <9BE709A1-470B-4F54-A050-9F30C7A6CBD7@gmail.com>
Date: Fri, 26 Jul 2024 11:13:55 +0100
Message-ID: <03ef01dadf44$85ce2220$916a6660$@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Content-Language: en-gb
Thread-Index: AQH+2aPYUgiyA3AJwG5aJJnPcl3JHADW4B5vsboZBTA=
Message-ID-Hash: TYJHXG7GRF443UJCZ3QHSRVOXOYHQEYM
X-Message-ID-Hash: TYJHXG7GRF443UJCZ3QHSRVOXOYHQEYM
X-MailFrom: josh.howlett@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: 'Alan DeKok' <aland@deployingradius.com>, 'Bernard Aboba' <bernard.aboba@gmail.com>, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/ZAxmCx8kUyaNQRLRXpPqyy7eWMc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Margaret wrote: > Speaking as an individual… > > I am not talking about trying to establish any sort of cryptographic end-to-end > trust in a multi-hop RADIUS fabric. I agree that we don’t have that today, and > it is not our goal to change that. I am talking about the security properties of a > single RADIUS hop. I am also talking about how those properties feed into the > security models of multi-hop deployments. Ah, ok, sorry for the misrepresentation... > As Stefan points out, copying of a RADIUS/TLS-transmitted RADIUS message > on to a local network is different (and less secure) than dumb copying of a > message that was transmitted via RADIUS/UDP, because sensitive data in the > message transmitted via UDP will still be protected (to some degree) by the > RADIUS secret and MD5, while the packet coming from RADIUS/TLS would use > a well-known RADIUS secret, “radsec”, essentially equivalent to sending the > sensitive parts of the packet in clear text. The entity doing Stefan's "copying" is not a classic RADIUS entity. It sounds like a proxy that operates purely at the transport layer (and not the application layer). A RADIUS proxy translating TLS to UDP must mint a new request using the secret shared with the downstream server. There is a problem if Stefan's entity existed, but it isn't a mode of operation supported the RFCs and I don't know of any products doing this. > My point is that we should make sure that moving away from the solution we > are deprecating (RADIUS/UDP) and moving to any if the solutions we are > recommending (any one of the RadSec variants) does not result in security > regressions, and that any security model changes are well-documented. +1 Josh
- [radext] Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Bernard Aboba
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK hannes.tschofenig
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Jan-Frederik Rieckers
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen