[radext] Lack of Channel Bindings in RADIUS/(D)TLS
Margaret Cullen <mrcullen42@gmail.com> Wed, 24 July 2024 16:43 UTC
Return-Path: <mrcullen42@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 650B2C151531 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 09:43:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.858
X-Spam-Level:
X-Spam-Status: No, score=-1.858 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VFlLdhZxJEcz for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 09:43:19 -0700 (PDT)
Received: from mail-qk1-x72b.google.com (mail-qk1-x72b.google.com [IPv6:2607:f8b0:4864:20::72b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F2317C1CAE66 for <radext@ietf.org>; Wed, 24 Jul 2024 09:43:19 -0700 (PDT)
Received: by mail-qk1-x72b.google.com with SMTP id af79cd13be357-79f06c9c929so107308885a.0 for <radext@ietf.org>; Wed, 24 Jul 2024 09:43:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1721839399; x=1722444199; darn=ietf.org; h=to:date:message-id:subject:mime-version:content-transfer-encoding :from:from:to:cc:subject:date:message-id:reply-to; bh=oFed5T+Iwvok2jw5a0OEN6AOG/oN1Tv4cpMuGNUAhns=; b=jS59ADq28HeHwh97VIT5uu33iJJmn5g3RaWHRSlxOTlNwJr5wr4U0du8VvJ4pnh1Cz o4/wOfaaA6cnwddfVUhxpA/3ug1LpQ5FX5TNPvyHhcPnEl5bvac3+xGvhBzYJ+vOiewb q/Ad1T9q5fDxK2NMlBolz4C5THXuD0eJAId7zEjC0rv0SDo22pxy15NR60LG/l8e6kkc ude6tSukGfX+VQem7/QJMZCbjnPoE7fNbXfBq68FHz4k9xmEml2A/ylyjkCdM7V546KY 4dhXj2ItF7NXgG0OA+oE2fzA0367nXBrjHrz7B0Ynv1CwH21HS+CVzR+HHfxqVBVO4Du MC1A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1721839399; x=1722444199; h=to:date:message-id:subject:mime-version:content-transfer-encoding :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=oFed5T+Iwvok2jw5a0OEN6AOG/oN1Tv4cpMuGNUAhns=; b=PNQHVuBmbfWOazcoU0MRyFuRn3EwwOzj5miE0vfb72qRY0XGqndvrzi67DCKNQVIqH P4AP0KNu5XpcYlILc6tugUUKM2ZS+915XiyEsqxZGHlhDeJQMVKTJY0LqvllkSG1L9/w FugHVfZycn90dMA2OwG0ffWnbTF2bM3J7OghBEMMgAensHQBvaxWjuvATj2mvjSX2sa9 4CpxwTGILi/aAtU1UAYPni+pcn+7d1bruJLTqwXjvyW2ifWT8eXjnvt5qX4PXtSZ878Q VtnpPrnaWvLZmm9AytzsFBt/EFrxpiYFo6Xq6jZfvAcTkVTBB+aKxxe+xHxMk7MVIlqa KT0Q==
X-Gm-Message-State: AOJu0YzSEhAAzoohD1yRMMA5yP7EsteLy8vQb4Qzr0hW+5IGHX7ynQY0 VPgzB35psGjQrh2UpQgMJ6AgWgzD1KQxpOdU0DL5q7Vy9aAju8GEb/Loyg==
X-Google-Smtp-Source: AGHT+IHyt6JH36Y5gPGiPCJ2cajtFRN7wA+9USb7sq636GNraMv2fbf6WX+Q+OUq1FFdOGkMSdbW7A==
X-Received: by 2002:a05:620a:404c:b0:7a1:62d3:b9a3 with SMTP id af79cd13be357-7a1ccd3296amr418855585a.17.1721839398555; Wed, 24 Jul 2024 09:43:18 -0700 (PDT)
Received: from smtpclient.apple ([2601:18c:503:9630:c449:e6b1:db51:1469]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7a199005bacsm593101385a.60.2024.07.24.09.43.17 for <radext@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 24 Jul 2024 09:43:17 -0700 (PDT)
From: Margaret Cullen <mrcullen42@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
Message-Id: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com>
Date: Wed, 24 Jul 2024 12:43:16 -0400
To: radext@ietf.org
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: DN7ZBPC3K66JZCL3Y3AE7THORB2U2WF4
X-Message-ID-Hash: DN7ZBPC3K66JZCL3Y3AE7THORB2U2WF4
X-MailFrom: mrcullen42@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/_ss2mh0J9wqNepY4YFame7bmXjU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
Hi radext folks, While working through the RADIUS (D)TLS document last night, I realized that RADIUS/(D)TLS does not include support for TLS channel binding. In other words, there is nothing in the RADIUS/(D)TLS layer that ensures that both ends of a single RADIUS hop are using the same unique (D)TLS session. Without channel binding, RADIUS running over (D)TLS may be open to MITM attacks including: blocking valid traffic, spoofing Access-Accepts or Rejects, viewing sensitive data, replay attacks, redirection, DoS, etc. It is up to the WG to decide what to do about this. As a WG chair, I will insist that, at the very least, we need to update the Security Considerations section in the RADIUS/(D)TLS document to point out this properly of the RADIUS/(D)TLS protocol and its implications. Speaking as an individual, it is my opinion that we should add channel bindings to RADIUS/(D)TLS. Currently, RADIUS/UDP is (albeit poorly) protected against MITM attacks by the use of pre-shared secrets and MD5. Unfortunately, MD5 is fairly easy to crack these days. In contrast, RADIUS/(D)TLS is not protected by RADIUS pre-shared secrets, because of the use of well-known “secrets” (radsec or radsec/dtls) instead. In the absence of any other way to verify that RADIUS traffic is being sent to/from the intended peer, RADIUS/(D)TLS is even less well-protected against MITM attacks than RADIUS/UDP. Channel binding with (D)TLS is a well-trodden path in the IETF, and I think it would be best for us to add channel binding to the RADIUS/(D)TLS specification before we move it to the Standards Track. We are already making non-backwards compatible changes to RADIUS/(D)TLS in the new document (such as requiring servers to implement DTLS, as well as TLS), so I think this would be our best opportunity to correct this omission and standardize a sound specification. Channel binding in RADIUS/(D)TLS could likely be accomplished by adding an attribute that securely verifies that both ends are using the same TLS session, and exchanging that attribute in RADIUS packets before any sensitive data is transmitted. For those of you who aren’t familiar with TLS, TLS provides a unique session token that can be used for this purpose. There are, of course, other benefits to transporting RADIUS over (D)TLS vs. UDP that make it highly desirable to deprecate RADIUS/UDP in favor of RADIUS?(D)TLS, such as encrypting RADIUS packets so they cannot be seen in plain text in transit. I am definitely _not_ suggesting that we stay with UDP instead of moving to (D)TLS — I’m suggesting that we fix RADIUS/(D)TLS, so that we do not expose RADIUS to new MITM attacks. I would, as an individual, and as a WG chair, like to hear other people’s opinions about what (if anything) we should do to resolve this issue. Margaret
- [radext] Lack of Channel Bindings in RADIUS/(D)TLS Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Fabian Mauchle
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Valery Smyslov
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Fabian Mauchle
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Q Misell
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Peter Deacon
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Stefan Paetow
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Q Misell