[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
Alan DeKok <aland@deployingradius.com> Wed, 24 July 2024 19:49 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92C1AC1840E5 for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 12:49:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.905
X-Spam-Level:
X-Spam-Status: No, score=-1.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6QxIIOOyNayR for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 12:49:45 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A147DC17C882 for <radext@ietf.org>; Wed, 24 Jul 2024 12:49:45 -0700 (PDT)
Received: from smtpclient.apple (dhcp-911c.meeting.ietf.org [31.133.145.28]) by mail.networkradius.com (Postfix) with ESMTPSA id CE75720A; Wed, 24 Jul 2024 19:49:42 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <9C9E5617-451E-4CB7-A54A-EE049D91DBAE@gmail.com>
Date: Wed, 24 Jul 2024 12:49:41 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <A122D999-6A09-4E16-8E91-8154F6EA1A91@deployingradius.com>
References: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com> <85CCF592-FDEC-478B-AA03-E10DA209C9A5@deployingradius.com> <9C9E5617-451E-4CB7-A54A-EE049D91DBAE@gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: I7S7GKPVRLOFIFOQNKJECTDC7LB5YJBX
X-Message-ID-Hash: I7S7GKPVRLOFIFOQNKJECTDC7LB5YJBX
X-MailFrom: aland@deployingradius.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/aOk5tIc0d_N0mVWFla9NYivHBXI>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
On Jul 24, 2024, at 10:50 AM, Margaret Cullen <mrcullen42@gmail.com> wrote: >> But we've already authenticated the server via TLS. How does it help to tie the application data to the TLS session? > > This is only true if we know that the system on the other end of the TLS session is an authorized peer. How do we know that? By authenticating both ends. EAP-TTLS and PEAP need channel binding, because the TLS connection is authenticated at only one end. EAP-TLS doesn't do channel binding, because both ends are authenticated. With RADIUS/TLS, both ends are authenticated, just as with EAP-TLS. This is covered in RFC 8446: https://datatracker.ietf.org/doc/html/rfc8446#appendix-C.5 i.e. unauthenticated systems need channel binding. > Without checking that the TLS session token is the same on both ends of a TLS session, it is possible that the TLS session is being terminated by a MITM who has a second TLS session with the intended peer, and is shuttling data between those sessions while viewing the data, and potentially modifying parts of it that are not protected at the application layer, etc. From my understanding, that's true only if there isn't mutual authentication. > When you have two peers A and C, with an authorized proxy, B, you have two RADIUS sessions A -> B and B -> C. This only works if A has a shared secret with B and B has a shared secret with C. So, B is part of the trusted set of peers. Using RadSec, a MITM (Z) could have no trust relationship with A or B, but be receiving traffic from A on one TLS connection, and forwarding it to C on a second TLS connection, while both A and B think that they are directly connected to each other. Z is not part of the trusted peer group, Z is a MITM attacker. This is quite different than that forwarding through an authorized proxy. A TLS intermediary works only if both > Is there some way that TLS protects from a MITM attack these days that removes the need for channel binding to avoid this possibility? In previous work I’ve done involving (D)TLS, albeit quite a few years ago, the application layer had to do a cryptographic exchange to ensure that both ends were using the same TLS session. From my understanding, mutual authentication means that isn't necessary. Alan DeKok.
- [radext] Lack of Channel Bindings in RADIUS/(D)TLS Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Fabian Mauchle
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Valery Smyslov
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Fabian Mauchle
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Q Misell
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Peter Deacon
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Stefan Paetow
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Q Misell