[radext] Re: Selfie Attack on TLS-PSK
Margaret Cullen <mrcullen42@gmail.com> Thu, 25 July 2024 01:48 UTC
Return-Path: <mrcullen42@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B150DC1930D8 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 18:48:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.961
X-Spam-Level:
X-Spam-Status: No, score=-0.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lwwcu6PqMAwf for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 18:48:05 -0700 (PDT)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A013DC1840C1 for <radext@ietf.org>; Wed, 24 Jul 2024 18:48:05 -0700 (PDT)
Received: by mail-il1-x135.google.com with SMTP id e9e14a558f8ab-3737dc4a669so316425ab.0 for <radext@ietf.org>; Wed, 24 Jul 2024 18:48:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721872084; x=1722476884; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=I/UXToCXc46Y17DLnSFG7tPOlW5yTEjc4BGZktfkgRE=; b=H+sYLLt+Tl5fJd+BQr2o6vIkCR6fBSXzjiYcwuIzkgt9lgpGbasyYixTgpJqSfFLN2 LkM4BdHO0efOSBI+fnWr7pArFwv2FGwPGh1od8l72ba3QZzXNd+s9qsnkHuJrBiRDARY oz/Lid4LQgZYK7oVpbPjbwXbH3wEJ2t7PPqI8zlImPSrJd9N/9WYPznaAT+h+JUGyGFE X1ldgHFsX6Ww6vjvCh9ZNWlN9fEb91Ta2hkPbks/ylglrnELHAujI6vwbMJDfuVe55iM MQ5C2zrL/CgeiW1CHTMZ2I0vnHlvebM4Sr7MkjMb1615HgnEQEL3HLnQnWatKlqmOT97 BT0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721872084; x=1722476884; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=I/UXToCXc46Y17DLnSFG7tPOlW5yTEjc4BGZktfkgRE=; b=RQ6xe+1mfddaNqbWFslr9Zi/5L5L1ssURYZkAXz2ppF2inhRjELUZQIEBpueSG5fz0 9xXxyq97FWJF32UGcQ5zQeo4osbYJr5LnYSsZseM/nxctR6qqUx7Zq2T9ebpxsSlnwaM 3n7OtqQqSfUEbe6CAhNWd+CjUnT+TCILhvJ/Be2qmLu4gwm/Twi4OUvQvZ5Ph7Cv2Z2l Lx7wi1MOAeyuEpFDaf7fZJ34OylKvN5pPBw2mCNn0/99fiPuQ+ANCdDQAZ33seukAYUQ w6KEIlnJAtCGZ+vkElJMllozXo2623y9PR9sB0qn7Rq+wCeCYh3q3O7n5zodnUMdaE/p EgtA==
X-Gm-Message-State: AOJu0Yywny9Mf6Memy1gnWfpPlFIQbqiqMU/WcAJR8GWs290qiN2/Nsh KaRgSPylRvOgwm4YTtkFbv5w72h3y1PSlmOJySkE5x0EGxffHN5AGQc+HA==
X-Google-Smtp-Source: AGHT+IGr3GSZDY5WCtKYDRzmzyUQW4uZMQyS9HSQRSNiAOYd3itnlGt8ra690orWqtLaCDJWDQysyg==
X-Received: by 2002:a92:cda5:0:b0:398:a2e0:18dc with SMTP id e9e14a558f8ab-39a2400fd06mr7376385ab.17.1721872084089; Wed, 24 Jul 2024 18:48:04 -0700 (PDT)
Received: from smtpclient.apple ([75.104.104.130]) by smtp.gmail.com with ESMTPSA id e9e14a558f8ab-39a22f13f81sm2149035ab.70.2024.07.24.18.48.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 24 Jul 2024 18:48:03 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-BA32CB2B-367F-4847-9840-9D11893FFF56"
Content-Transfer-Encoding: 7bit
From: Margaret Cullen <mrcullen42@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 24 Jul 2024 20:47:48 -0500
Message-Id: <0B437C3C-5D0E-4E2C-B894-972A0A23A380@gmail.com>
References: <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com>
In-Reply-To: <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: HMHJ2PCILNJK7FLYUSSBLKKD36EMX25L
X-Message-ID-Hash: HMHJ2PCILNJK7FLYUSSBLKKD36EMX25L
X-MailFrom: mrcullen42@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/ZWlvxkiUnxAXePdQPARoCnAR-GA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
On Jul 24, 2024, at 8:12 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
In this message about Selfie as well as the previous post about channel bindings, I think you have raised several important points:1. If a NAS is supporting both RADIUS over (D)TLS as well as RADIUS CoA over (D)TLS, what does it need to do in order to avoid the Selfie attack?For example, MUST the same (D)TLS session be used in both directions?2. How does RADIUS over (D)TLS perform not just authentication (e.g. verification of certificates or PSKs), but also authorization?It is not sufficient for RADIUS clients and servers to use mutual authentication with certificates or PSKs. It is also necessary to verify that the endpoints are who they are expected to be. This may not be so simple in some deployment scenarios, such as where legacy NAS devices use RADIUS over (D)TLS proxies, so that a server can receive packets from many NASes over a (D)TLS session. How does the server validate that these packets are arriving on the right (D)TLS sessions? It may seem convenient to say "we don't care" but surely there are some packet/path combinations which would be unexpected, indicating mis-routing (and exposure of secrets as well as location info to unauthorized proxies/servers). For example, it would be "unusual" for a corpnet RADIUS server to receive RADIUS packets originating from a corpnet NAS over a (D)TLS session with a roaming partner.It's also important to realize that despite what the drafts might say, there will be deployments that throw common sense to the wind, such as by utilizing the same PSKs between multiple client/server pairs. The IETF is not the protocol police, but it is possible for documents to make the downsides clear, if only so as to make it difficult to say "nobody told us" when negligent deployments are compromised.On Jul 24, 2024, at 1:37 PM, Margaret Cullen <mrcullen42@gmail.com> wrote:
>
> On a separate but related note….
>
> I came across this attack while reading about TLS mutual authentication:
>
> https://eprint.iacr.org/2019/347.pdf" rel="noreferrer nofollow" target="_blank">https://eprint.iacr.org/2019/347.pdf
>
Nice! And :(
> Is this something we should consider before we recommend the use of TLS-PSK with TLS 1.3? Or has this issues already been addressed?
This is discussed in RFC 9527:
https://datatracker.ietf.org/doc/html/rfc9257#section-8" rel="noreferrer nofollow" target="_blank">https://datatracker.ietf.org/doc/html/rfc9257#section-8
I'll have to do a deeper dive to see how this affects the TLS-PSK document.
Alan DeKok.
_______________________________________________
radext mailing list -- radext@ietf.org
To unsubscribe send an email to radext-leave@ietf.org
- [radext] Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Bernard Aboba
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK hannes.tschofenig
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Jan-Frederik Rieckers
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen