Re: [saag] RADIUS is deprecating MD5
Jan-Frederik Rieckers <rieckers@uni-bremen.de> Sun, 31 March 2024 16:50 UTC
Return-Path: <rieckers@uni-bremen.de>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E1B06C14F5FD for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 09:50:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uni-bremen.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id oZf8dT_X7mAn for <saag@ietfa.amsl.com>; Sun, 31 Mar 2024 09:50:39 -0700 (PDT)
Received: from smtp.zfn.uni-bremen.de (smtp.zfn.uni-bremen.de [134.102.50.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE88EC14F683 for <saag@ietf.org>; Sun, 31 Mar 2024 09:50:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=uni-bremen.de; s=2019; t=1711903831; bh=+Xleqn/zeO4wBWcYApqflkQ4mz9nWQfIQS3FRnJTeDE=; h=Date:Subject:To:References:From:In-Reply-To; b=YNSw4RZD4gj1L2FeBYlGnfeMDLl7vAm8z22V55psCRLIm7WrO+WCDa3jsF4dG5EqY v+5bTTXJ4YYLrzE0TBOYsEMoVWoesbWkwcEMeW+tH0M1iQEZvtS3T/2HhYhgqvhrv6 cFb551KSDNla1TSGIv7zCAJoxVlbYJ+whMxUviGBNTMi3PczaarVAw/Ds15Q6cGVkH bGN5MonFdT4SD40q24jNpPK5+tKrjzbWXSqyYxDCqvcPRlsy+IF/uq5eN5Bd9WSee1 pVqsklFds3b9agQbve6BGA/Amq0BMFz+BQpBbUCK5Gx8dgcxFLuSbTex2W/Hld7WF2 dg/7iQiACEojw==
Received: from [IPV6:2a02:8106:57:952a:1c8e:df6a:b2a4:7ff9] (unknown [IPv6:2a02:8106:57:952a:1c8e:df6a:b2a4:7ff9]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by smtp.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4V70WV6nZYzDCc9 for <saag@ietf.org>; Sun, 31 Mar 2024 18:50:30 +0200 (CEST)
Message-ID: <1546dbf1-2c0e-4208-acd1-d7af3dda3740@uni-bremen.de>
Date: Sun, 31 Mar 2024 18:50:30 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: saag@ietf.org
References: <755BC73B-B981-4986-B45A-E9796DCC66BC@deployingradius.com> <ME0P300MB0713122730DC9574730AC816EE382@ME0P300MB0713.AUSP300.PROD.OUTLOOK.COM> <Zgl6ejdpJNOyUja0@chardros.imrryr.org> <E1B4CCB5-202F-4087-8B56-9E7F3D73D1D0@deployingradius.com> <ZgmDLfNxV2RKSA5o@chardros.imrryr.org> <21309D5A-E824-42C7-8BAB-366AD568E9F4@deployingradius.com> <ZgmPg0qgA9stSeUo@chardros.imrryr.org>
Content-Language: en-US
From: Jan-Frederik Rieckers <rieckers@uni-bremen.de>
X-Enigmail-Draft-Status: N11222
In-Reply-To: <ZgmPg0qgA9stSeUo@chardros.imrryr.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-512"; boundary="------------ms060503080705000600000101"
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/zJO31emLr8phR4cZtDKb5sB-FzY>
Subject: Re: [saag] RADIUS is deprecating MD5
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 31 Mar 2024 16:50:44 -0000
I think those issues are not necessarily linked, but we can tackle them together. Issue one is the missing integrity protection for requests and the weak integrity protection (because solely based on MD5) for responses. For EAP messages, the usage of Message-Authenticator is required, which adds an integrity check for requests and improves the integrity check for responses. It's still based on MD5 (and unfortunately has no mechanism to update it, so we are fixed on HMAC-MD5 for that), but at least it gives some security. Issue two is privacy, and that one we can't really tackle easily if we keep the protocol as-is, we need actual encryption for that. In both cases, the existing implementations would have to be updated. If we define a new integrity check attribute with a negotiable algorithm, I fear most appliances would just ignore it, because requiring it would break compatibility with everyone who didn't implement it yet and if nobody uses it, why should it be implemented? But we already have a solution ready, that solves our integrity and our privacy problems which is RADIUS/(D)TLS. The TLS layer takes care of confidentiality and integrity, so we don't need to do that on RADIUS level any more. So with the deprecation of RADIUS/UDP, we solve the problem of relying on MD5 for security AND the issue of privacy of additional attributes that would otherwise have been sent in clear. Cheers, Janfred On 31.03.24 18:29, Viktor Dukhovni wrote: > On Sun, Mar 31, 2024 at 11:55:35AM -0400, Alan DeKok wrote: >> On Mar 31, 2024, at 11:37 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote: >>> This does not sound like an MD5 issue, rather this is about metadata >>> leakage from RADIUS/UDP, and MD5 is mostly just collateral damage or >>> a distraction from the core issue? >> >> We know that MD5 is insecure. We know that many Access-Request packets lack all integrity checks. I've been trying to fix this issue since 2005 or so. >> >> Why can't we just say "yes, 1993-era protocols are bad. Wrap them in TLS. Move on". >> >> I am more than a bit surprised that there is any resistance to this effort. > > I'm just trying to better understand the core issue, which seems to be > UDP more than MD5, best I can tell from the discussion so far. Others > can speak to whether or not the deprecation is or isn't overly > disruptive relative to the benefits. >
- [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Bernard Aboba
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Viktor Dukhovni
- Re: [saag] RADIUS is deprecating MD5 Eliot Lear
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Paul Hoffman
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Bernard Aboba
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Jan-Frederik Rieckers
- Re: [saag] RADIUS is deprecating MD5 Paul Wouters
- Re: [saag] RADIUS is deprecating MD5 Peter Gutmann
- Re: [saag] RADIUS is deprecating MD5 Alan DeKok