IETF Logo Mail Archive

[radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS

Q Misell <q@as207960.net> Tue, 30 July 2024 07:21 UTC

Return-Path: <q@as207960.net>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E3755C14F6E2 for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 00:21:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=as207960.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dr0fhyn2ygHa for <radext@ietfa.amsl.com>; Tue, 30 Jul 2024 00:21:33 -0700 (PDT)
Received: from mail-ej1-x62d.google.com (mail-ej1-x62d.google.com [IPv6:2a00:1450:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 79553C14F61A for <radext@ietf.org>; Tue, 30 Jul 2024 00:21:33 -0700 (PDT)
Received: by mail-ej1-x62d.google.com with SMTP id a640c23a62f3a-a7a94478a4eso877305766b.1 for <radext@ietf.org>; Tue, 30 Jul 2024 00:21:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=as207960.net; s=google; t=1722324092; x=1722928892; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=1ABjHS7pY5h1TGktsQDos4AlX6rTgB325WzYL1IHemo=; b=V0hnhmW9gHxTpwCFtlyb2azSduWGkN/s5CKBlgfwKUqUBYAZrjwmz2IDg0U3+lzxOx sIwV9l8b3eJUeBqcWdBWvHhO6LgGj8TMRSEz8sdN2taPnplXLvomJUQepf5TdG4k5VvU rfd5B0u3/vvk/gh/DfFNBTd9d4vK4t8JptKAnB3Jwxe1ZOGMuigy6dW7HdJ7FBjEpNxP ZK2Svy/pifILl4kb8gfVFvWDkhuH2kNwsLBKccMY+Oj5F+llmyQI1xyflXLNW9fyOoPs y3b9vO3indIIg1YDvPtrHA+4WrbXe7XVwnjZLwOp+aI7SLBnPA/UAlEh2qdBF/8DVx/r jP+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1722324092; x=1722928892; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=1ABjHS7pY5h1TGktsQDos4AlX6rTgB325WzYL1IHemo=; b=RKVRbNGWMPyIsoM+sEyaAuChxlkWia4L8WxIdNTpSR77tTkua85xXcHqQafvjsxUt4 U9xUFPIdnY1WyRzYPNhU+PhijHODF3KDSheJELHTzxNqIxNl0Uedjtaa7X2VFyB8/0Me 3YnrFMgvq+lp5JNMdunRA7kvKC1RN0DJOeG5rHMBLXzKnPujFQdMZ3Q6iFO+iTF3DJ5D gb4y3drOfEkbLNqCF5Z8MU6SDUoRXgQ4Xw6U0qjgVbVVG35ZkpFdEZcxAkOhbyXOoWSk o5RI5+WvLsthwzilFVcLh1HCD8kNrVbsVObZmYUfvlsqEQFeI+T7LP0kEegreCQAB6kU uOcQ==
X-Forwarded-Encrypted: i=1; AJvYcCUj01tvkvlu7MHV1DD7F650QSR7aLZFM+EfiDcnBuFdCftGSe2zfB0P9MctrA0ODjs/GVbpiaGO/8slp3gTtfA=
X-Gm-Message-State: AOJu0YxDdrnAsSp+v4LrXKMOHASrHiIUt3hjsZdNDlatlweoZUWu/ozA ZGF2lBbxPidX5h+aU6oBBAJp0hOaBvL4f4+XC4YSDsUiwXY+QbGqKgT7oJQR53fHj3UaD+Jjw9E pGhDsnK4IfFimU4Wq2YwKYNDWxx9yE0SjCbzCTQrNYO1uge5hS0oZiSiv+no=
X-Google-Smtp-Source: AGHT+IGXfTsx3di86tykJCaSpktjWErisneYP7D93RkqyZCRn3ZVgYGzPHGkqRFWqx3QNty8IgF4ElYUZchnKpdrQDo=
X-Received: by 2002:a17:907:2d86:b0:a7a:a33e:47bf with SMTP id a640c23a62f3a-a7d859576eamr119327466b.18.1722324091681; Tue, 30 Jul 2024 00:21:31 -0700 (PDT)
MIME-Version: 1.0
References: <3A0631E2-9679-4AC6-82DC-0ECD5DDCBE03@gmail.com> <85CCF592-FDEC-478B-AA03-E10DA209C9A5@deployingradius.com> <9C9E5617-451E-4CB7-A54A-EE049D91DBAE@gmail.com> <7c640ea7-7fc6-471d-b314-12036e2678af@switch.ch> <905C74AD-2E4E-4F41-A250-7E583ACE8C66@gmail.com>
In-Reply-To: <905C74AD-2E4E-4F41-A250-7E583ACE8C66@gmail.com>
From: Q Misell <q@as207960.net>
Date: Tue, 30 Jul 2024 09:20:55 +0200
Message-ID: <CAMEWqGs4XtyiSmUoJh8MqdaZsBL6MjfbQZFGjSQjNrBQccmA1w@mail.gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000ac6508061e71d331"
Message-ID-Hash: 3YF7JNDX2LIX7JTLTVO5T2IGAOLOT2US
X-Message-ID-Hash: 3YF7JNDX2LIX7JTLTVO5T2IGAOLOT2US
X-MailFrom: q@as207960.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Fabian Mauchle <fabian.mauchle=40switch.ch@dmarc.ietf.org>, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Lack of Channel Bindings in RADIUS/(D)TLS
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/bzIanAIFZsPuSoynfDezui6SNgA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

> So, I think we just need to say in the Security Considerations that we do
not use channel binding in RADIUS/(D)TLS because we mandate the use of
(D)TLS 1.2 or 1.3 with either PSKs or Certificates, and those protocols are
well-enough protected against MITM attacks already.

Agreed. The hop-by-hop nature of RADIUS and the common practice of
modifying messages at hops makes channel binding a moot point.
------------------------------

Any statements contained in this email are personal to the author and are
not necessarily the statements of the company unless specifically stated.
AS207960 Cyfyngedig, having a registered office at 13 Pen-y-lan Terrace,
Caerdydd, Cymru, CF23 9EU, trading as Glauca Digital, is a company
registered in Wales under № 12417574
<https://find-and-update.company-information.service.gov.uk/company/12417574>,
LEI 875500FXNCJPAPF3PD10. ICO register №: ZA782876
<https://ico.org.uk/ESDWebPages/Entry/ZA782876>. UK VAT №: GB378323867. EU
VAT №: EU372013983. Turkish VAT №: 0861333524. South Korean VAT №:
522-80-03080. AS207960 Ewrop OÜ, having a registered office at Lääne-Viru
maakond, Tapa vald, Porkuni küla, Lossi tn 1, 46001, trading as Glauca
Digital, is a company registered in Estonia under № 16755226. Estonian VAT
№: EE102625532. Glauca Digital and the Glauca logo are registered
trademarks in the UK, under № UK00003718474 and № UK00003718468,
respectively.


On Sat, 27 Jul 2024 at 01:03, Margaret Cullen <mrcullen42@gmail.com> wrote:

>
>
> > On Jul 25, 2024, at 2:47 AM, Fabian Mauchle <fabian.mauchle=
> 40switch.ch@dmarc.ietf.org> wrote:
> >
> > Trying to follow the discussion and understand the issue...
> >
> > On 24.07.2024 19:50, Margaret Cullen wrote:
> >> When you have two peers A and C, with an authorized proxy, B, you have
> two RADIUS sessions A -> B and B -> C.  This only works if A has a shared
> secret with B and B has a shared secret with C.  So, B is part of the
> trusted set of peers.  Using RadSec, a MITM (Z) could have no trust
> relationship with A or B, but be receiving traffic from A on one TLS
> connection, and forwarding it to C on a second TLS connection, while both A
> and B think that they are directly connected to each other.  Z is not part
> of the trusted peer group, Z is a MITM attacker.  This is quite different
> than that forwarding through an authorized proxy.
> >
> > If Z has no trust relationship with A, it can't be receiving traffic
> from A. As a MITM, Z would need to present a certificate (or other
> identity) to A that A accepts as trustworthy to establish the TLS
> connection A-Z, at which point the trust relationship between A and Z is
> established.
> >
> > As Alan already pointed out, RADIUS proxies are inherently MITM by
> design. That is why (in roaming scenarios where A,B and C belong to
> different parties) we use EAP as the actual AAA within RADIUS.
>
> Some RADIUS Authentications are single hop.  The way people are using
> Radsec in eduroam, an increasing number of them probably will be.
>
> Some RADIUS Authentications  involve several hops, but none of the RADIUS
> clients/proxies/servers along that path are MITM attackers.  They are
> typically mutually trusted systems that are either:  (1) operated by a
> single organization, or (2) operated by separate organizations in a
> consortium with mutual trust, agreed policies, and legal agreements.
>
> The question of whether we need crypto binding between the RADIUS and TLS
> layers for a single Client -> Server hop really has nothing to do with
> whether the packet will traverse other hops.  It has to do with whether
> there is a meaningful risk of a TLS MITM attack against a single hop that
> channel bindings could be used to detect or prevent.
>
> I am being told by TLS people that TLS 1.2 and 1.3 are secure against
> third-party MITM attacks, except in cases where the attacker has the PSK or
> Certificate for one side of the connection, in which case it would be
> easier for them to do a direct attack, rather than setting up a MITM
> attack.  I could argue that there are things one can do from a MITM
> position that you can’t do via a direct attack, especially if you have the
> server key and want to influence what the real Server does.  I am not sure
> anyone will agree or think that matters, though.
>
> So, I think we just need to say in the Security Considerations that we do
> not use channel binding in RADIUS/(D)TLS because we mandate the use of
> (D)TLS 1.2 or !.3 with either PSKs or Certificates, and those protocols are
> well-enough protected against MITM attacks already.
>
> Margaret
>
>
>
> >
> > --
> > Fabian Mauchle
> > Network
> > NOC:    +41 44 268 15 30
> > Direct: +41 44 268 15 39
> >
> > Switch
> > Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> >
> > _______________________________________________
> > radext mailing list -- radext@ietf.org
> > To unsubscribe send an email to radext-leave@ietf.org
>
> _______________________________________________
> radext mailing list -- radext@ietf.org
> To unsubscribe send an email to radext-leave@ietf.org
>

v2.35.0 | Report a Bug | By Email | System Status