[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
Margaret Cullen <mrcullen42@gmail.com> Fri, 26 July 2024 23:03 UTC
Return-Path: <mrcullen42@gmail.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D5AC1C13AE2C for <radext@ietfa.amsl.com>; Fri, 26 Jul 2024 16:03:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.859
X-Spam-Level:
X-Spam-Status: No, score=-1.859 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zh_ybyP_2BEM for <radext@ietfa.amsl.com>; Fri, 26 Jul 2024 16:03:18 -0700 (PDT)
Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D31BC16941B for <radext@ietf.org>; Fri, 26 Jul 2024 16:03:18 -0700 (PDT)
Received: by mail-pl1-x632.google.com with SMTP id d9443c01a7336-1fd90c2fc68so10482435ad.1 for <radext@ietf.org>; Fri, 26 Jul 2024 16:03:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1722034998; x=1722639798; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=tdfWyoONQweRMCEOMqUjTOe7r7b+Xk/59kYnitukYi0=; b=XJ1m2hgGQ/6OEJ0IhfcoyTN0niLxZcRs45xKgDDLxGfIHldNsoLVecvn6sh1y6TrsQ URaNzZPUca06yk9hGmVT7mXrhvJIBHF6i8rl+D8TnXdfs0xAxBqj1MMQVI9bz00V0k61 09Gty1Ho8A8sAmX0lX550J/4r/WAoxvrjPGOzViVqUNNzX3+ijGoNBflShsa9cr1i8NV 8llkwAEE+db+tt15LI18j28Vuo8fbfIIMUkJSCq30b1mDMAivfxX3g1PavS6onFKgCq6 glraR6EWNLXwF8CuWA12uwAe7Tj2rHHXu7WQmW5OoruNdsfl+9+yiQlpEeLI1e+3hTP+ WXZA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722034998; x=1722639798; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=tdfWyoONQweRMCEOMqUjTOe7r7b+Xk/59kYnitukYi0=; b=UnLtD3xgokp0hARaOmd7At0mArFw5Pk8x9DJm8VL9SkKm2fo0MB1vBLqCil7xXDiu6 q93Y82091FwUIvrknPzAiHd7PLCrxF/LeuinNolzYuPoBwPClLLIMM4W1dTRuJZWYwJk sjM0zooE+BjaXjFOdDOKS7T8+/3nJzwcO7YOhtI8islsHN5L35jnmJ2eGoLDp/2yJknR Uv5Z5UibqHRM+Z+Kqi5SYMd2VtYrayfeAVLS+3dePNTJ26c9USJQcz93bvFJzhH86CHI HuEjYGjDMMxKKexpbJU1A8KPhESWXFU14ayondy8fi/9qLYVKYKZmGSrDoM+Aa98f2Yn 1YjA==
X-Gm-Message-State: AOJu0YyDsb4l7MCK8FN5E+T+7g1YUTHWzLsK2TCk11x+R2Y/8fhKC/06 IlzC4b838L9U5PX4jH0hkEMeFeXSTEfMubUygJjmHihvDJAbNWqTEq+ZDXTE
X-Google-Smtp-Source: AGHT+IFIhRWsxmN42Y394NIwnkbIMwomHfsXZtm60XN4kCCL4NZPA4TKHrc6TyAsX1wsG0hiTr/5cA==
X-Received: by 2002:a17:902:b689:b0:1fd:d56e:2c0d with SMTP id d9443c01a7336-1ff0485bbf6mr11170895ad.31.1722034997742; Fri, 26 Jul 2024 16:03:17 -0700 (PDT)
Received: from smtpclient.apple ([2001:67c:1232:144:ec07:97c2:d784:6450]) by smtp.gmail.com with ESMTPSA id d9443c01a7336-1fed7f94c10sm38354995ad.245.2024.07.26.16.03.15 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Fri, 26 Jul 2024 16:03:15 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Margaret Cullen <mrcullen42@gmail.com>
In-Reply-To: <7c640ea7-7fc6-471d-b314-12036e2678af@switch.ch>
Date: Fri, 26 Jul 2024 16:03:14 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <905C74AD-2E4E-4F41-A250-7E583ACE8C66@gmail.com>
References: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com> <85CCF592-FDEC-478B-AA03-E10DA209C9A5@deployingradius.com> <9C9E5617-451E-4CB7-A54A-EE049D91DBAE@gmail.com> <7c640ea7-7fc6-471d-b314-12036e2678af@switch.ch>
To: Fabian Mauchle <fabian.mauchle=40switch.ch@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: 5YGWSPUMP6TI5HERG565P4KHDKNFEVA7
X-Message-ID-Hash: 5YGWSPUMP6TI5HERG565P4KHDKNFEVA7
X-MailFrom: mrcullen42@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/bmHtIcCdzOZsNRtm1oyaa6M8_s8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
> On Jul 25, 2024, at 2:47 AM, Fabian Mauchle <fabian.mauchle=40switch.ch@dmarc.ietf.org> wrote: > > Trying to follow the discussion and understand the issue... > > On 24.07.2024 19:50, Margaret Cullen wrote: >> When you have two peers A and C, with an authorized proxy, B, you have two RADIUS sessions A -> B and B -> C. This only works if A has a shared secret with B and B has a shared secret with C. So, B is part of the trusted set of peers. Using RadSec, a MITM (Z) could have no trust relationship with A or B, but be receiving traffic from A on one TLS connection, and forwarding it to C on a second TLS connection, while both A and B think that they are directly connected to each other. Z is not part of the trusted peer group, Z is a MITM attacker. This is quite different than that forwarding through an authorized proxy. > > If Z has no trust relationship with A, it can't be receiving traffic from A. As a MITM, Z would need to present a certificate (or other identity) to A that A accepts as trustworthy to establish the TLS connection A-Z, at which point the trust relationship between A and Z is established. > > As Alan already pointed out, RADIUS proxies are inherently MITM by design. That is why (in roaming scenarios where A,B and C belong to different parties) we use EAP as the actual AAA within RADIUS. Some RADIUS Authentications are single hop. The way people are using Radsec in eduroam, an increasing number of them probably will be. Some RADIUS Authentications involve several hops, but none of the RADIUS clients/proxies/servers along that path are MITM attackers. They are typically mutually trusted systems that are either: (1) operated by a single organization, or (2) operated by separate organizations in a consortium with mutual trust, agreed policies, and legal agreements. The question of whether we need crypto binding between the RADIUS and TLS layers for a single Client -> Server hop really has nothing to do with whether the packet will traverse other hops. It has to do with whether there is a meaningful risk of a TLS MITM attack against a single hop that channel bindings could be used to detect or prevent. I am being told by TLS people that TLS 1.2 and 1.3 are secure against third-party MITM attacks, except in cases where the attacker has the PSK or Certificate for one side of the connection, in which case it would be easier for them to do a direct attack, rather than setting up a MITM attack. I could argue that there are things one can do from a MITM position that you can’t do via a direct attack, especially if you have the server key and want to influence what the real Server does. I am not sure anyone will agree or think that matters, though. So, I think we just need to say in the Security Considerations that we do not use channel binding in RADIUS/(D)TLS because we mandate the use of (D)TLS 1.2 or !.3 with either PSKs or Certificates, and those protocols are well-enough protected against MITM attacks already. Margaret > > -- > Fabian Mauchle > Network > NOC: +41 44 268 15 30 > Direct: +41 44 268 15 39 > > Switch > Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland > > _______________________________________________ > radext mailing list -- radext@ietf.org > To unsubscribe send an email to radext-leave@ietf.org
- [radext] Lack of Channel Bindings in RADIUS/(D)TLS Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Fabian Mauchle
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Margaret Cullen
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Valery Smyslov
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Fabian Mauchle
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Q Misell
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Peter Deacon
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Michael Richardson
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Bernard Aboba
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Alan DeKok
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Stefan Paetow
- [radext] Re: Lack of Channel Bindings in RADIUS/(… Q Misell