[radext] Re: Selfie Attack on TLS-PSK

Alan DeKok <aland@deployingradius.com> Thu, 25 July 2024 16:41 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6B1C1C20C8C7 for <radext@ietfa.amsl.com>; Thu, 25 Jul 2024 09:41:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fEv15rs_bs-c for <radext@ietfa.amsl.com>; Thu, 25 Jul 2024 09:41:13 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0625C180B65 for <radext@ietf.org>; Thu, 25 Jul 2024 09:40:52 -0700 (PDT)
Received: from smtpclient.apple (dhcp-8b5a.meeting.ietf.org [31.133.139.90]) by mail.networkradius.com (Postfix) with ESMTPSA id E65F451B; Thu, 25 Jul 2024 16:40:49 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <03e9f1c9-5f41-4e4c-a2ae-7f73c8aeab1e@switch.ch>
Date: Thu, 25 Jul 2024 09:40:47 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <E9E4E2CD-E974-4A21-992C-E8565B8D55C6@deployingradius.com>
References: <E66DC2E7-1D48-4B9F-BB3D-1D87D1E25F61@gmail.com> <39C18E1E-B1D0-407E-8AA6-20E513C7E308@deployingradius.com> <03e9f1c9-5f41-4e4c-a2ae-7f73c8aeab1e@switch.ch>
To: Fabian Mauchle <fabian.mauchle=40switch.ch@dmarc.ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: FVFOWOVRTMSMDYDDNPHWJVQFZXUQSTD3
X-Message-ID-Hash: FVFOWOVRTMSMDYDDNPHWJVQFZXUQSTD3
X-MailFrom: aland@deployingradius.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/n-kUODhqvZD62edaA3S8TMcHcng>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>

On Jul 25, 2024, at 2:19 AM, Fabian Mauchle <fabian.mauchle=40switch.ch@dmarc.ietf.org> wrote:
> So what we want to avoid is for servers accepting connections from clients that 'impersonate' the servers identity (it would itself use for outgoing connections).
> 
> Maybe we should add something to section 4.3. 'PSK and PSK Identity Sharing' like:
> 
> "Nodes that act both as client and server at the same time MUST NOT share or reuse PSK identities between incoming and outgoing connections."

  I'll add this text to the TLS-PSK draft, and reference the Selfie attack.

> This might also have implications on radiusdtls-bis, since current proposals allow skipping the identity check and authorize e.g. based on policy OID. Such a scenario might also be susceptible to to Selfie.

  Yes.

  I think it's also worth updating the "deprecating insecure practices" document with some additional text.  I have some more topics to add, too:

* Access-Reject should be delayed, to prevent dictionary attacks

  Many RADIUS servers do this already.  But it's not written down anywhere.

  Note that Access-Request packets should only be delayed on the home server.  Proxies shouldn't delay them.

  This is relevant even when Access-Request packets contain Message-Authenticator.  Access-Request packets are triggered by user logins, and those can happen at any time.


* any comparison of digests, passwords, etc. should be constant-time.

  Many RADIUS servers do this already.  But it's not written down anywhere.

  Doing this will prevent certain classes of attack.  While these attacks are not known to be exploitable today, it's good practice to take preventative steps.

  Many other protocols have been subject to timing attacks.  I suspect the reason this hasn't been publicized for RADIUS is that no one bothered to try it.


* The routing issue should also be discussed, as it's applicable to all of RADIUS, independent of the transport protocol

  The document can note that there is no RADIUS routing protocol, and each system must be configured to pass only valid / expected traffic, and filter unexpected traffic.

  The big question here is "what to do with the bad traffic?"  Access-Request packets can get responses of Access-Reject.  Accounting-Request packets just get dropped?

  And can proxies engage in such filtering?  My point would be "yes".  Traffic which fails to satisfy local policy rules shouldn't be forwarded.

  Alan DeKok.