Re: [saag] RADIUS is deprecating MD5
Bernard Aboba <bernard.aboba@gmail.com> Sun, 31 March 2024 17:01 UTC
Return-Path: <bernard.aboba@gmail.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21E1AC14F6F4 for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 10:01:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.094
X-Spam-Level:
X-Spam-Status: No, score=-2.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5aMCK9he85U2 for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 10:01:53 -0700 (PDT)
Received: from mail-pl1-x62e.google.com (mail-pl1-x62e.google.com [IPv6:2607:f8b0:4864:20::62e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4B8C1C14F6F2 for <saag@ietf.org>; Sun, 31 Mar 2024 10:01:53 -0700 (PDT)
Received: by mail-pl1-x62e.google.com with SMTP id d9443c01a7336-1e252f2bf23so1762715ad.2 for <saag@ietf.org>; Sun, 31 Mar 2024 10:01:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711904513; x=1712509313; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=LnxR5YXJGcY7gQfD4UiXWsXQL9by3rlAT+x/0/w85BM=; b=eQCEwQs/FznAlj+cNMHnG0TEYIZyFX+XyNaHnu60ccQQseWe9+pJmf+faV3gyZypBP uNQ8Y2z9iLbV9OCH3Db5WzV/bZyyk6TOxTpdgrytZGsLVBWszXmidGaEuW+noeq/7BC/ 76kRb3V1n148cnj+9z36D6heV6+Ho6NqSZLjRSDxHy/XKmDQ05OAzDIfyrfiOHxPzdEI sMvtiJPsCbkilEaoHVf1XRb4A9iizNaDlYgc5kdIsFhAuzhfGd+VyNWuv7R6of6Sx9A5 9kxLi1L7OEMM7LbTwougnGEku50h+nnvkK31bwA8a+NWkg1WFLPMtHdnkqc4PTPQYlpT W5Aw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711904513; x=1712509313; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=LnxR5YXJGcY7gQfD4UiXWsXQL9by3rlAT+x/0/w85BM=; b=p5eXSPUrJNItf320wqktPrU4zjsRUKMtq2HAJ6tuzntmWgN9I2CHP3pb4p9jBqOt/1 bOuPlkfWgUAZPDgt6I1Y+5xEP3Z4ixf4kSwCWhCHeRUB8uMMYew6QQYs6VTJwEMxseUw E8Avpldhgt6BveA4knEWzBF4xwLPZmIBp83HFjsZ97PDOMwOYaODDXeYr4LsbuKGOBjp tnn0Un2io72T4qDpqJ6bsNYqOxvp2VVSD8pWi+J9R4OKvAREm7NLcczBkoQw1+sE//4C kGGF5+EpIYS4/x3VoPBOjra/w/R+wo+Ahet9bNtjq+WM0QewlVMHUq1WpVE1sH91iA51 5eQQ==
X-Gm-Message-State: AOJu0YyTWtE/H9kKNjWWIbJcXn0LSba9uB04S8WnpGFSs/5V8VoA73e+ IJnTd1aNHlIvIHvJwqNc4jlkQy0bw74I1jQCnJVF8R1t3mK3gaeDMUbucqORTZnhVnlxaGy3jIo hVOI0RVGZ1gbaZG8Cmpu8AMBwAWY8GbzwMxw=
X-Google-Smtp-Source: AGHT+IF/s2EyRBdJr4Q8a13JlDjE6BMAMkOJjkCu9jZ5l3HhWQAmQcY+ucSl0abLwMhAARXhzTqscobbH+o6DQ+KMCo=
X-Received: by 2002:a17:90a:9414:b0:29b:ad3a:7b01 with SMTP id r20-20020a17090a941400b0029bad3a7b01mr4737623pjo.46.1711904512415; Sun, 31 Mar 2024 10:01:52 -0700 (PDT)
MIME-Version: 1.0
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com>
In-Reply-To: <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Sun, 31 Mar 2024 10:01:36 -0700
Message-ID: <CAOW+2du2K-Za83y5mWC7BvR9B9kQBOtEE7=RawpgEJvWnD0Xcg@mail.gmail.com>
To: Alan DeKok <aland@deployingradius.com>
Cc: saag@ietf.org
Content-Type: multipart/alternative; boundary="0000000000005a1e7b0614f7d4c2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/pLeXJL7zScv7C70IkQNR9RTmCXk>
Subject: Re: [saag] RADIUS is deprecating MD5
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 17:01:57 -0000
Alan said: " We know that MD5 is insecure. We know that many Access-Request packets lack all integrity checks. I've been trying to fix this issue since 2005 or so. Why can't we just say "yes, 1993-era protocols are bad. Wrap them in TLS. Move on". I am more than a bit surprised that there is any resistance to this effort." [BA] The effort to upgrade RADIUS security is now more than a decades. The effort kicked off in 2011 with the publication of RFC 6421, which laid out the requirements as well as the thinking on how a transition would work. The RADEXT WG, which I chaired, then solicited and published as Experimental RFCs solutions which were based on RADIUS over (D)TLS. The protocols were subsequently implemented, and drafts are incorporating clarifications and updates. To be sure, the deployment barriers are significant, but the transition model has been thought through. For example, it is possible to run a mixture of secure and insecure RADIUS clients along with servers supporting both existing and secure RADIUS so as to allow for legacy devices implementing only classic RADIUS to continue to operate alongside new devices implementing secure RADIUS. When all the legacy devices have been replaced, the server can be reconfigured to accept only secure RADIUS requests. The initial RADIUS over (D)TLS RFCs didn't have to say much about MD5 because the approach was to encrypt and authenticate RADIUS packets using TLS cyphersuites. This approach worked and can continue to be used with the new specifications under development. The problem occurred in FIPS-140 environments where calls to MD5 primitives *fail*. The original specifications were not crystal clear on the desired behavior in such a situation, and there were hints that some very bad bugs could arise (e.g. secrets sent in the clear over the network). Alan and others took the initiative to come up with recommendations covering not only RADIUS servers, but also RADIUS clients and even FIPS-configured clients not running RADIUS at all. Those experienced with operating FIPS-140 compliant services may be particularly interested in understanding how the recommendations would apply to their situations. On Sun, Mar 31, 2024 at 8:56 AM Alan DeKok <aland@deployingradius.com> wrote: > On Mar 31, 2024, at 11:37 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> > wrote: > > This does not sound like an MD5 issue, rather this is about metadata > > leakage from RADIUS/UDP, and MD5 is mostly just collateral damage or > > a distraction from the core issue? > > We know that MD5 is insecure. We know that many Access-Request packets > lack all integrity checks. I've been trying to fix this issue since 2005 > or so. > > Why can't we just say "yes, 1993-era protocols are bad. Wrap them in > TLS. Move on". > > I am more than a bit surprised that there is any resistance to this > effort. > > Alan DeKok. > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag >
- [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Bernard Aboba
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Eliot Lear
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Paul Hoffman
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Bernard Aboba
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Paul Wouters
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok