[radext] Re: Selfie Attack on TLS-PSK
Alan DeKok <aland@deployingradius.com> Thu, 25 July 2024 22:04 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: radext@ietfa.amsl.com
Delivered-To: radext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A129FC1D4A94 for <radext@ietfa.amsl.com>; Thu, 25 Jul 2024 15:04:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VTNJiHetWj21 for <radext@ietfa.amsl.com>; Thu, 25 Jul 2024 15:04:33 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6BA27C1D4A75 for <radext@ietf.org>; Thu, 25 Jul 2024 15:04:33 -0700 (PDT)
Received: from smtpclient.apple (dhcp-8fa9.meeting.ietf.org [31.133.143.169]) by mail.networkradius.com (Postfix) with ESMTPSA id CA715828; Thu, 25 Jul 2024 22:04:29 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <9BE709A1-470B-4F54-A050-9F30C7A6CBD7@gmail.com>
Date: Thu, 25 Jul 2024 15:04:27 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <0265E702-4220-42F5-9B42-DD8DB0F44EDE@deployingradius.com>
References: <032f01dade8b$1fc33c40$5f49b4c0$@gmail.com> <9BE709A1-470B-4F54-A050-9F30C7A6CBD7@gmail.com>
To: Margaret Cullen <mrcullen42@gmail.com>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Message-ID-Hash: 4XG2VAJB3UIVVRVZ7FG4SJNB3SM23KDC
X-Message-ID-Hash: 4XG2VAJB3UIVVRVZ7FG4SJNB3SM23KDC
X-MailFrom: aland@deployingradius.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-radext.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: josh.howlett@gmail.com, Bernard Aboba <bernard.aboba@gmail.com>, radext@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [radext] Re: Selfie Attack on TLS-PSK
List-Id: RADIUS EXTensions working group discussion list <radext.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/radext/td0fupMMSFQuIe9KSnJH8wJz3qw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/radext>
List-Help: <mailto:radext-request@ietf.org?subject=help>
List-Owner: <mailto:radext-owner@ietf.org>
List-Post: <mailto:radext@ietf.org>
List-Subscribe: <mailto:radext-join@ietf.org>
List-Unsubscribe: <mailto:radext-leave@ietf.org>
On Jul 25, 2024, at 11:23 AM, Margaret Cullen <mrcullen42@gmail.com> wrote: > As Stefan points out, copying of a RADIUS/TLS-transmitted RADIUS message on to a local network is different (and less secure) than dumb copying of a message that was transmitted via RADIUS/UDP, because sensitive data in the message transmitted via UDP will still be protected (to some degree) by the RADIUS secret and MD5, while the packet coming from RADIUS/TLS would use a well-known RADIUS secret, “radsec”, essentially equivalent to sending the sensitive parts of the packet in clear text. I think that description is not correct, though. The RADIUS packets have some kind of transport behavior (TLS, shared secrets, whatever). That behavior is defined hop by hop. So when a proxy forwards traffic, it doesn't care what the previous transport is. i.e. When packets go from A->B, and then B->C, the transport profile for A->B has zero impact on the transport profile for B->C. The proxy "B" uses the following process: 1) receive packets from A using whatever transport is there 2) uses the "A" profile to decrypt / de-obfuscate the packet, and get the actual clear-text data 3) some local proxy processing and policies 4) decides for forward the packet to C 5) use the "C" profile to encrypt / obfuscate the clear-text data, to get data to put into a packet 6) send the packet to C So anything that happens A->B doesn't affect any traffic being sent B->C. > This security difference would also apply to storing or transmitting raw RADIUS packets for logging or debugging. With RadSec, more sensitive data would essentially be in clear text in those packets, perhaps including passwords. The packets are already in clear-text on the server. The packets are only protected "on the wire", by the transport protocol. So RADIUS/UDP has exactly this problem: all logging, debugging, etc. is done with the clear-text passwords available to the server. Implementations have to be careful how they manage those secrets. Alan DeKok.
- [radext] Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Bernard Aboba
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK hannes.tschofenig
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK josh.howlett
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Jan-Frederik Rieckers
- [radext] Re: Selfie Attack on TLS-PSK Alan DeKok
- [radext] Re: Selfie Attack on TLS-PSK Fabian Mauchle
- [radext] Re: Selfie Attack on TLS-PSK Q Misell
- [radext] Re: Selfie Attack on TLS-PSK Margaret Cullen