IETF Logo Mail Archive

Re: [radext] Shepherd review of draft-ietf-radext-tls-psk-03

Alan DeKok <aland@deployingradius.com> Wed, 01 November 2023 17:28 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7C87C15154A; Wed, 1 Nov 2023 10:28:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DOgyZloR_AQ3; Wed, 1 Nov 2023 10:28:55 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 202E9C15C2A5; Wed, 1 Nov 2023 10:28:40 -0700 (PDT)
Received: from smtpclient.apple (unknown [75.98.136.130]) by mail.networkradius.com (Postfix) with ESMTPSA id 73BC8208; Wed, 1 Nov 2023 17:28:34 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <091b01da0cd0$570fb8f0$052f2ad0$@smyslov.net>
Date: Wed, 01 Nov 2023 13:28:33 -0400
Cc: radext@ietf.org, radext-chairs@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <F75CF375-73B2-43C9-A047-6350FA2DFD8A@deployingradius.com>
References: <091b01da0cd0$570fb8f0$052f2ad0$@smyslov.net>
To: Valery Smyslov <valery@smyslov.net>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/a202QyUle1zTtHuyQyV6_pjdTrM>
Subject: Re: [radext] Shepherd review of draft-ietf-radext-tls-psk-03
X-BeenThere: radext@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/radext>, <mailto:radext-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext/>
List-Post: <mailto:radext@ietf.org>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/radext>, <mailto:radext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Nov 2023 17:28:57 -0000

On Nov 1, 2023, at 10:33 AM, Valery Smyslov <valery@smyslov.net> wrote:
> this is a shepherd review of draft-ietf-radext-tls-psk-03. 
> First, as a shepherd, I have to ask the following questions:
> 
> 1. According to BCP79 all authors and contributors should either disclose
>    any known to them IPRs related to the draft or confirm that they are not aware of such IPRs.

  I have no IPR related to this draft.

  Unless noted below, I've followed the recommendations.

> 2. Are there existing implementations that follow this draft?

  FreeRADIUS has implemented TLS-PSK for a long time.  Radsecproxy also implements it.

> 5. Section 4.1
>    I don't think that referencing RFC8937 is appropriate in the context of this document.
>    The idea of improving randomness in RFC8937 is that a long term signature private
>     key is used to add an entropy to a random value. And this document assumes that 
>     peers don't have certificates (thus don't have long term signature private keys).
>     So, it's a bit weird to advice using them. Perhaps we could just reference RFC4086 instead?

  OK.

> 6.I think that a sentence should be added somewhere, that unless specifically clarified, 
>    by "TLS" both TLS and DTLS are meant in the document. 
>    For example, RFC 9325 has the following text:
> 
>   Unless it is explicitly called out that a recommendation applies to
>   TLS alone or to DTLS alone, each recommendation applies to both TLS
>   and DTLS.

  I'll add that in the introduction.

> 7. Section 4.1
>    I think that mentioning PAKE TLS needs reference (perhaps RFC5054 and RFC8492, something else?).

  Added.

> Text improvements.
> 1. Section 4.1.1
>    Just to avoid any confusion, can we clarify that by "Shared Secrets" here "RADIUS Shared Secrets" are meant?
>    Because PSKs are also "shared secrets", so there is some overlap in terminology and a room for confusion.

  I've added a sentence in the introduction:

This document uses "shared secret" to mean "RADIUS shared secret", and Pre-Shared Key (PSK) to mean secrets which are used with TLS-PSK.

> 2. Section 5.1
>     In the text "Due to the security issues described above" it is not immediately clear 
>     what issues are meant. Can we replace "above" with a reference to a Section
>     where these issues described?

  I've updated it to say instead:

The historic methods of signing RADIUS packets have not yet been cracked, but they are believed to be much less secure than modern TLS.  Theregore, when a RADIUS shared secret is used to sign RADIUS/UDP or RADIUS/TCP packets, that shared secret MUST NOT be used with TLS-PSK.  If the secrets were to be reused, then an attack on historic RADIUS cryptography could be trivially leveraged to decrypt TLS-PSK sessions.  Therefore in order to prevent confusion between shared secrets and TLS-PSKs, management interfaces and APIs need to label PSK fields as "PSK" or "TLS-PSK", rather than as "shared secret".

> 3. Section 5.1
>     I think that the text:
> ...
>   can be rephrased for better clarity. Perhaps:
> 
>   With TLS-PSK RADIUS/TLS clients MUST permit the configuration of a RADIUS
>   server IP address or host name, because dynamic server lookups [RFC7585] 
>   can only be used if servers use certificates.

  Done.

> The following issues are not formal and probably require some discussion.
> So I want to identify them here mostly from SECRIR reviewer point of view.
> 
> 1. Section 4.1
>    There are requirements on PSKs length, but it is not mentioned that 
>    they must be uniformly random, which is important for the security of TLS-PSK.
>    Perhaps this is implied, but it's better to spell this out.

  I'll add a note.

>    And then I'm a bit concerned that a script generated PSK is provided.
>    First, the script "as is" is inconsistent with the requirement above
>    (I assume that PSKs are random), because it generates only 12 bytes
>    of random data, while the requirement is that PSKs MUST be at least 16 bytes.
>    Yes, there is a text that if you want more, just modify the script,
>    but most implementers will just copy-paste it. Please, don't provoke them
>    to make wrong things.

  I can update that to generate 16 bytes of random data.  That change was already made in my local copy.

>    In addition, I'm not sure that converting PSKs to a human-readable form is a good idea.
>    This conversion makes PSKs weaker (the length is increased, while the initial entropy
>    persists, the distribution becomes non-uniform). In my understanding PSKs often 
>    are entered to the systems just referencing a file containing them, not by entering them letter by letter.

  I suppose it depends on the UI how they are entered.  It's likely worth adding a note that PSKs should be taken either from a file, or if the admin needs to enter them, from a hex string.

  If the PSKs are hashed before they're used, a non-uniform distribution shouldn't cause issues, I think.

> 2. Section 6.2.
>    In the text:
> 
>   The alternative would be to suggest that RADIUS servers allow any
>   source IP address to connect and try TLS-PSK, which could be a
>   security risk.
> 
>   I think that we should explain what security risk is meant.
>   Otherwise it looks like handwaving.

   How about:

In order to securely support dynamic source IP addresses for clients, we also require that servers limit clients based on a network range.  The alternative would be to suggest that RADIUS servers allow any source IP address to connect and try TLS-PSK, which could be a security risk.  When RADIUS servers do no source IP address filtering, that opennes it easier for attackers to send malicious traffic to the server.  An issue with a TLS library or even a TCP/IP stack could permit the attacker to gain unwarranted access.  In contrast, when IP address filtering is done, attackers generally must first gain access to a secure network before attacking the RADIUS server.


> 3. Section 6.2.
>    The following assertion:
> 
>   It is significantly easier for an attacker to crack a PSK than
>   to forge a client certificate.
> 
>   is not true in general (with sufficiently strong PSKs) and
>   is plain wrong if we talk about quantum computers, which
>   will break any certificate but cannot break PSKs. So, either
>   more context should be given (e.g. we assume that 
>   certificate private keys are stored in HSMs, while
>   PSKs are not etc.) or this assertion should be removed.

  OK.  How about:

Even where {{RFC7585}} dynamic discovery is not used, servers SHOULD NOT permit TLS-PSK to be used across the wider Internet.  The intent for TLS-PSK is for it to be used in internal / secured networks, where clients come from a small number of known locations.  In contrast, certificates can be generated and assigned to clients without any interaction with the RADIUS server.  Therefore if the RADIUS server needs to accept connections from clients at unknown locations, the only secure method is to use client certificates.

>   In my understanding this assertion justifies the requirement
>   for servers to filter clients' IP addresses when PSKs are used.
>   Perhaps it is better to justify this requirement by mentioning,
>   that PSKs are provided to a known clients which location
>   is usually well-known, thus we can add a safeguard on IP level.
>   On contrast, certificates can be obtained by clients from CAs
>   without servers prior knowledge, so it is generally impossible
>   to filter out IP addresses of (not-yet-known) clients' in this case.

  Updated text as above to discuss this.

> 4. Section 6.2.1
>   The text:
> 
>   A server supporting this specification MUST be configurable with a
>   set of "allowed" network ranges from which clients are permitted to
>   connect.
> 
>   needs a clarification that only clients wishing to use PSK are considered here.
>   Perhaps:
> 
>   A server supporting this specification MUST be configurable with a
>   set of "allowed" network ranges from which clients wishing to use PSK in TLS
>   are permitted to connect.

  How about:

A server supporting this specification MUST be configurable with a set of "allowed" network ranges from which clients are permitted to connect.  Any connection from outside of the allowed range(s) MUST be rejected before any PSK identity is checked.  It is RECOMMENDED that servers support IP address filtering even when TLS-PSK is not used.  There are few reasons for a server to have a default configuration which allows connections from any source IP address.

>   Then, an interesting question is what to do with clients that wish to use
>   both certificates and PSK (see RFC 8773)? Should servers filter out
>   IP addresses of these clients or not? I think some clarification is needed in the draft.

  See above.  It is useful to *always* filter by IPs, even when certificates are being used.  I can't see any reason why a server supporting TLS + certificates would default to allowing clients from any source IP.

  Alan DeKok.

v2.23.0 | Report a Bug | By Email