[radext] Re: Selfie Attack on TLS-PSK

Margaret Cullen <mrcullen42@gmail.com> Thu, 25 July 2024 01:48 UTC

Return-Path: <mrcullen42@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B150DC1930D8 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 18:48:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.961
X-Spam-Level:
X-Spam-Status: No, score=-0.961 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lwwcu6PqMAwf for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 18:48:05 -0700 (PDT)
Received: from mail-il1-x135.google.com (mail-il1-x135.google.com [IPv6:2607:f8b0:4864:20::135]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A013DC1840C1 for <radext@ietf.org>; Wed, 24 Jul 2024 18:48:05 -0700 (PDT)
Received: by mail-il1-x135.google.com with SMTP id e9e14a558f8ab-3737dc4a669so316425ab.0 for <radext@ietf.org>; Wed, 24 Jul 2024 18:48:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721872084; x=1722476884; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:from:to:cc:subject:date:message-id :reply-to; bh=I/UXToCXc46Y17DLnSFG7tPOlW5yTEjc4BGZktfkgRE=; b=H+sYLLt+Tl5fJd+BQr2o6vIkCR6fBSXzjiYcwuIzkgt9lgpGbasyYixTgpJqSfFLN2 LkM4BdHO0efOSBI+fnWr7pArFwv2FGwPGh1od8l72ba3QZzXNd+s9qsnkHuJrBiRDARY oz/Lid4LQgZYK7oVpbPjbwXbH3wEJ2t7PPqI8zlImPSrJd9N/9WYPznaAT+h+JUGyGFE X1ldgHFsX6Ww6vjvCh9ZNWlN9fEb91Ta2hkPbks/ylglrnELHAujI6vwbMJDfuVe55iM MQ5C2zrL/CgeiW1CHTMZ2I0vnHlvebM4Sr7MkjMb1615HgnEQEL3HLnQnWatKlqmOT97 BT0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721872084; x=1722476884; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :from:content-transfer-encoding:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=I/UXToCXc46Y17DLnSFG7tPOlW5yTEjc4BGZktfkgRE=; b=RQ6xe+1mfddaNqbWFslr9Zi/5L5L1ssURYZkAXz2ppF2inhRjELUZQIEBpueSG5fz0 9xXxyq97FWJF32UGcQ5zQeo4osbYJr5LnYSsZseM/nxctR6qqUx7Zq2T9ebpxsSlnwaM 3n7OtqQqSfUEbe6CAhNWd+CjUnT+TCILhvJ/Be2qmLu4gwm/Twi4OUvQvZ5Ph7Cv2Z2l Lx7wi1MOAeyuEpFDaf7fZJ34OylKvN5pPBw2mCNn0/99fiPuQ+ANCdDQAZ33seukAYUQ w6KEIlnJAtCGZ+vkElJMllozXo2623y9PR9sB0qn7Rq+wCeCYh3q3O7n5zodnUMdaE/p EgtA==
X-Gm-Message-State: AOJu0Yywny9Mf6Memy1gnWfpPlFIQbqiqMU/WcAJR8GWs290qiN2/Nsh KaRgSPylRvOgwm4YTtkFbv5w72h3y1PSlmOJySkE5x0EGxffHN5AGQc+HA==
X-Google-Smtp-Source: AGHT+IGr3GSZDY5WCtKYDRzmzyUQW4uZMQyS9HSQRSNiAOYd3itnlGt8ra690orWqtLaCDJWDQysyg==
X-Received: by 2002:a92:cda5:0:b0:398:a2e0:18dc with SMTP id e9e14a558f8ab-39a2400fd06mr7376385ab.17.1721872084089; Wed, 24 Jul 2024 18:48:04 -0700 (PDT)
Received: from smtpclient.apple ([75.104.104.130]) by smtp.gmail.com with ESMTPSA id e9e14a558f8ab-39a22f13f81sm2149035ab.70.2024.07.24.18.48.02 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 24 Jul 2024 18:48:03 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-BA32CB2B-367F-4847-9840-9D11893FFF56"
Content-Transfer-Encoding: 7bit
From: Margaret Cullen <mrcullen42@gmail.com>
Mime-Version: 1.0 (1.0)
Date: Wed, 24 Jul 2024 20:47:48 -0500
Message-Id: <0B437C3C-5D0E-4E2C-B894-972A0A23A380@gmail.com>
References: <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com>
In-Reply-To: <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: HMHJ2PCILNJK7FLYUSSBLKKD36EMX25L
X-Message-ID-Hash: HMHJ2PCILNJK7FLYUSSBLKKD36EMX25L
X-MailFrom: mrcullen42@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/ZWlvxkiUnxAXePdQPARoCnAR-GA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

Another (D)TLS security factor concerns _when_ RADIUS packets containing privacy-sensitive or security-sensitive data are sent over the (D)TLS session.  We need to make sure that the mechanisms we are using will not transmit the initial RADIUS packet contents until an encrypted session has been established with a properly authenticated and authorized peer.

I am currently trying to learn enough about DTLS to understand whether that is guaranteed by the DTLS protocol, or if the RADIUS server needs to do something to make sure that happens.

I would welcome help understanding how this works  from people with good DTLS knowledge and experience…

Margaret

On Jul 24, 2024, at 8:12 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote:


In this message about Selfie as well as the previous post about channel bindings, I think you have raised several important points:

1. If a NAS is supporting both RADIUS over (D)TLS as well as RADIUS CoA over (D)TLS, what does it need to do in order to avoid the Selfie attack?  

For example, MUST the same (D)TLS session be used in both directions? 

2. How does RADIUS over (D)TLS perform not just authentication (e.g. verification of certificates or PSKs), but also authorization? 

It is not sufficient for RADIUS clients and servers to use mutual authentication with certificates or PSKs. It is also necessary to verify that the endpoints are who they are expected to be.  This may not be so simple in some deployment scenarios, such as where legacy NAS devices use RADIUS over (D)TLS proxies, so that a server can receive packets from many NASes over a (D)TLS session. How does the server validate that these packets are arriving on the right (D)TLS sessions?  It may seem convenient to say "we don't care" but surely there are some packet/path combinations which would be unexpected, indicating mis-routing (and exposure of secrets as well as location info to unauthorized proxies/servers). For example, it would be "unusual" for a corpnet RADIUS server to receive RADIUS packets originating from a corpnet NAS over a (D)TLS session with a roaming partner. 

It's also important to realize that despite what the drafts might say, there will be deployments that throw common sense to the wind, such as by utilizing the same PSKs between multiple client/server pairs. The IETF is not the protocol police, but it is possible for documents to make the downsides clear, if only so as to make it difficult to say "nobody told us" when negligent deployments are compromised. 

On Wed, Jul 24, 2024 at 3:00 PM Alan DeKok <aland@deployingradius.com> wrote:
On Jul 24, 2024, at 1:37 PM, Margaret Cullen <mrcullen42@gmail.com> wrote:
>
> On a separate but related note….
>
> I came across this attack while reading about TLS mutual authentication:
>
> https://eprint.iacr.org/2019/347.pdf" rel="noreferrer nofollow" target="_blank">https://eprint.iacr.org/2019/347.pdf
>
  Nice!  And :(

> Is this something we should consider before we recommend the use of TLS-PSK with TLS 1.3? Or has this issues already been addressed?

  This is discussed in RFC 9527:

  https://datatracker.ietf.org/doc/html/rfc9257#section-8" rel="noreferrer nofollow" target="_blank">https://datatracker.ietf.org/doc/html/rfc9257#section-8

  I'll have to do a deeper dive to see how this affects the TLS-PSK document.

  Alan DeKok.

_______________________________________________
radext mailing list -- radext@ietf.org
To unsubscribe send an email to radext-leave@ietf.org