[radext] Re: Selfie Attack on TLS-PSK

Alan DeKok <aland@deployingradius.com> Thu, 25 July 2024 04:52 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CE4CC1D531F for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 21:52:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n5u1RcRzqWJc for <radext@ietfa.amsl.com>; Wed, 24 Jul 2024 21:52:11 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BF0B8C1D5306 for <radext@ietf.org>; Wed, 24 Jul 2024 21:52:09 -0700 (PDT)
Received: from smtpclient.apple (dhcp-911c.meeting.ietf.org [31.133.145.28]) by mail.networkradius.com (Postfix) with ESMTPSA id 936B2659; Thu, 25 Jul 2024 04:52:06 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com>
Date: Wed, 24 Jul 2024 21:52:04 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <0C304B83-BD78-425B-B854-232FE7FE3387@deployingradius.com>
References: <E66DC2E7-1D48-4B9F-BB3D-1D87D1E25F61@gmail.com> <39C18E1E-B1D0-407E-8AA6-20E513C7E308@deployingradius.com> <CAOW+2dsuMM7WGpOFHhg0Ts8mKA06q_LmRsPstzoHbods1V_Www@mail.gmail.com>
To: Bernard Aboba <bernard.aboba@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: XVDCSZCHY77GE4Q5QRKJVQKTKY5FOBOH
X-Message-ID-Hash: XVDCSZCHY77GE4Q5QRKJVQKTKY5FOBOH
X-MailFrom: aland@deployingradius.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Margaret Cullen <mrcullen42@gmail.com>, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/fhBT9ZqYczdAKnnj71CKNn6Mlo4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

On Jul 24, 2024, at 6:11 PM, Bernard Aboba <bernard.aboba@gmail.com> wrote:
> In this message about Selfie as well as the previous post about channel bindings, I think you have raised several important points:
> 
> 1. If a NAS is supporting both RADIUS over (D)TLS as well as RADIUS CoA over (D)TLS, what does it need to do in order to avoid the Selfie attack?  
> 
> For example, MUST the same (D)TLS session be used in both directions? 

  Ideally yes, but we likely need to support all possible other scenarios.

> 2. How does RADIUS over (D)TLS perform not just authentication (e.g. verification of certificates or PSKs), but also authorization? 
> 
> It is not sufficient for RADIUS clients and servers to use mutual authentication with certificates or PSKs. It is also necessary to verify that the endpoints are who they are expected to be.  This may not be so simple in some deployment scenarios, such as where legacy NAS devices use RADIUS over (D)TLS proxies, so that a server can receive packets from many NASes over a (D)TLS session. How does the server validate that these packets are arriving on the right (D)TLS sessions?  It may seem convenient to say "we don't care" but surely there are some packet/path combinations which would be unexpected, indicating mis-routing (and exposure of secrets as well as location info to unauthorized proxies/servers). For example, it would be "unusual" for a corpnet RADIUS server to receive RADIUS packets originating from a corpnet NAS over a (D)TLS session with a roaming partner. 

  I'm not clear how this is any different from existing RADIUS routing (or lack thereof).  There's nothing in RADIUS/UDP which addresses these issues.

  RADIUS/UDP is perhaps "protected" from this by the simple fact that client-server relationships are manually configured.  Things change when there is dynamic discovery, as with RFC 7585.  What I can't find in 7585 is any mention of filtering packets inside of the TLS tunnel.  It looks like these issues were missed in that document.

  So the historic RADIUS way of dealing with these issues is to ignore them.

  Do we want to have the TLSbis document solve these issues, or just mention them?

> It's also important to realize that despite what the drafts might say, there will be deployments that throw common sense to the wind, such as by utilizing the same PSKs between multiple client/server pairs. The IETF is not the protocol police, but it is possible for documents to make the downsides clear, if only so as to make it difficult to say "nobody told us" when negligent deployments are compromised. 

  I think we will get "nobody told us" when the specifications are explicit and clear, but your point is still valid.

  Alan DeKok.