Re: [secdir] Security directorate review of draft-ietf-radext-tls-psk-09
Alan DeKok <aland@deployingradius.com> Sun, 17 March 2024 05:09 UTC
Return-Path: <aland@deployingradius.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68B9EC14CEFA; Sat, 16 Mar 2024 22:09:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.909
X-Spam-Level:
X-Spam-Status: No, score=-6.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 49QbCJKeCHNo; Sat, 16 Mar 2024 22:09:22 -0700 (PDT)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6CB4C14F69F; Sat, 16 Mar 2024 22:09:19 -0700 (PDT)
Received: from smtpclient.apple (dhcp-809c.meeting.ietf.org [31.133.128.156]) by mail.networkradius.com (Postfix) with ESMTPSA id 6C28040E; Sun, 17 Mar 2024 05:09:15 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <202403141648.42EGmX9r2912893@enoether.rhmr.com>
Date: Sun, 17 Mar 2024 15:09:11 +1000
Cc: iesg@ietf.org, secdir@ietf.org, draft-ietf-radext-tls-psk.all@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <341D7A02-F550-498C-999E-E17717D75129@deployingradius.com>
References: <202403141648.42EGmX9r2912893@enoether.rhmr.com>
To: Hilarie Orman <ho@alum.mit.edu>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GBR2J-wuKOA60NEgAlpNJe2d198>
Subject: Re: [secdir] Security directorate review of draft-ietf-radext-tls-psk-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Mar 2024 05:09:26 -0000
On Mar 15, 2024, at 2:48 AM, Hilarie Orman <ho@alum.mit.edu> wrote: > The document has advice about using TLS pre-shared keys with RADIUS. > It addresses the immediate question of "why is anyone using pre-shared > keys" by pointing out that certificates can be bulky and difficult to > manage, and then follows with 15 pages of advice on using pre-shared > keys. That is wryly amusing. The main advice there is for implementors, and the advice for admins is a small part of that. By pushing the work from admins (many and less experienced) to implementors (fewer and more experienced), we hope that TLS-PSK will be easily deployed. > Reuse is the bugaboo of pre-shared keys, so the main message from the > document is "don't reuse them." Another PSK vulnerability is the > symmetry between server and client authentication, and I think that > could be promoted to an earlier section. OK. I'll make some changes. > Page 5 has example code for turning random data in human readable > ascii strings, but it seems overly specific (why use "-" as the > separator?), and it does not include an example decode routine or > advice about rejecting malformed strings. The intent here was to show how easy it was to create and manage secure PSKs. The PSKs end up being used in a hash function, so the exact format (string or raw binary) matters somewhat less. i.e. the goal wasn't to allow decoding of the keys from a "mandated format". The document does not suggest that implementations enforce any particular format for PSKs. I'll add some text clarifying this. > On page 12, there is the statement: > "The intent for TLS-PSK is for it to be used in internal / secured > networks, where clients come from a small number of known locations". > This seems important enough to be included in the introduction. OK. > Section 4.1.1 says: > "It is RECOMMENDED that RADIUS clients and servers track all used > shared secrets and PSKs, and then verify that the following > requirements all hold true: > * no shared secret is used for more than one RADIUS client > * no PSK is used for more than one RADIUS client > * no shared secret is used as a PSK" > > I take this mean that these items should be checked anytime a shared > secret or PSK is added or changed. But, a naive implementation might > create a master list of all such secrets to use for checking, and that > is an unnecessary security risk. Perhaps there should be guidance > about using a hash list for checking? Perhaps. An implementation is required to read and store the PSKs and shared secrets somewhere as clear-text, and use them to verify packets or TLS sessions. So it doesn't really concern me if that data is stored in the application somewhere. That storage is required in order for the secrets and PSKs to work. That data also needs to be stored somewhere outside of the application in a configuration file or configuration management system. > The text about checking PSK identities on page 7 has some rules about > distinguishing different kinds of identities based on whether or not > they are proper UTF-8 encodings. That might be practical, but it > sounds really hokey. I don't know the probability of random (ascii?) > strings being legal UTF-8, so I am not even sure that the method is > sound. It's the best we have, and is an issue with TLS itself. This document can only document that issue, and give guidance for implementors on dealing with it. At the minimum, octets of zero (0x00) are invalid UTF-8. So we know that it is possible to trivially create identities which are distinguishable. > I'm not sure I understand the discussion of "resumption" on pages 15-16. > The text says that an identity can change between the initial > full handshake and the need for resumption. That is how TLS works, unfortunately. > That could happen if > a client changed its IP address within an allowed block. Is > resumption so important that it must be supported instead of requiring > a new handshake? The issue is less resumption of TLS-PSK sessions, than using TLS-PSK at the same time as certificate authentications. The resumption for certificate-based sessions will use PSKs. Since certificate chains are large, it is vital that we support resumption for that case. That limitation motivates the discussion of distinguishing resumption from "plain" PSK. We're not so much interested in resuming TLS-PSK sessions, but instead distinguishing "plain" TLS-PSK from resumptions created by other TLS authentication methods. I'll add some text to clarify this. > And resumption credentials can last for a full week, > which seems oddly long. That time frame is straight from RFC 8446. > There is no discussion of key lifetimes or change procedures (other > than the one week for resumption), so I guess that it is covered by > administrative practices in RADIUS? I'm not sure what to recommend here. Perhaps adding some text saying that PSKs should be changed. But it's not clear how often is good enough, or what the change procedures should be. > 5.2.2. "else the server ignores the session ticker," presumably is "ticket"? Fixed, thanks. Alan DeKok.
- [secdir] Security directorate review of draft-iet… Hilarie Orman
- Re: [secdir] Security directorate review of draft… Alan DeKok