IETF Logo Mail Archive

Re: [secdir] [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15

Alexander Clouter <alex+ietf@coremem.com> Sat, 02 March 2024 16:27 UTC

Return-Path: <alex+ietf@coremem.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B09B6C14F6FD; Sat, 2 Mar 2024 08:27:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=coremem.com header.b="bBcO5/ji"; dkim=pass (2048-bit key) header.d=messagingengine.com header.b="SVlI+HOJ"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nb3z-2xnUHvg; Sat, 2 Mar 2024 08:27:38 -0800 (PST)
Received: from wfout7-smtp.messagingengine.com (wfout7-smtp.messagingengine.com [64.147.123.150]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF9A6C14F681; Sat, 2 Mar 2024 08:27:34 -0800 (PST)
Received: from compute3.internal (compute3.nyi.internal [10.202.2.43]) by mailfout.west.internal (Postfix) with ESMTP id 5D7891C00079; Sat, 2 Mar 2024 11:27:31 -0500 (EST)
Received: from imap46 ([10.202.2.96]) by compute3.internal (MEProxy); Sat, 02 Mar 2024 11:27:31 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coremem.com; h= cc:cc:content-type:content-type:date:date:from:from:in-reply-to :in-reply-to:message-id:mime-version:references:reply-to:subject :subject:to:to; s=fm3; t=1709396850; x=1709483250; bh=J1kaPIIemB iUgLEgcZtkjLYhxFYQsCZ9NdzdfrMgqag=; b=bBcO5/jisLIVQxRgsnTw+WG7Nh /BHGqZKitej7CVHx2vstb8cyJCumjvZOOpuaSJTJDxF9RcGpiRuPLNslYCu2oCaf GLcKSw7SYv0y72dtt43RuwLfqiyeERHQJ1istjt7ZZoFT53xQOBb9DPbhons9yLa v07aX3jLMGxmhwbpxT1U80mozhkQVTTr0cVB/S2YFCOfDayGo3OSQBqXm7hB4jzj WfdYjBNao+cSIX8wsfFOv5pnso1oHtgTpJ8uvvsjHYWjiNNUbpJj9hDfecDhqCqP hxRx8JLmH0a5g9biMX2E0d+2PKt9anDKPxG9lZSyjQy7iwt2Z9D/r0zWpOyw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-type:content-type:date:date :feedback-id:feedback-id:from:from:in-reply-to:in-reply-to :message-id:mime-version:references:reply-to:subject:subject:to :to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s= fm1; t=1709396850; x=1709483250; bh=J1kaPIIemBiUgLEgcZtkjLYhxFYQ sCZ9NdzdfrMgqag=; b=SVlI+HOJG3+vka/ssAwy/iCKHxH2HD9eZwS4zh4iM15B kbSMZ3gt5TbLbxDViboT3UPjC528wb/47CiKTCpV9q40ghQZF+9uGs1SyTvfoPJJ EPv1Gbm9501T65jZ6bgvwUY99rbECeeYSOLFJRB5o72hCvqE2htcr4lf1wEpLtS0 HA2hRj7z2n457jZUdVcpiIvBCkOsPxqP1I4Tcr463bG3jBHcV43tBEF/vm3tQBhQ R6+cZMSdFNXK0s8ec5LVtrBtH36flEEOvUnR/G5mb3Vzi91v4VDlCxhkfswlKIxB i8xhwcT6EsGV+n7UbxJez2N6NsRN0neGshhImGa/DA==
X-ME-Sender: <xms:clPjZXtDO87ubVU65bvTJLKcSTMOM2x-WDndHyJXAaOm5AEGWOXB4A> <xme:clPjZYdZNjU9fcs30ssWPJAPg5h-BFXAClAMN40yc7k9v3H4Fpz6-iv0FqYRu6VYX 1Fk7COsrVACn9p2vA>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvledrheefgdekjecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmdenuc fjughrpefofgggkfgjfhffhffvvefutgesthdtredtreertdenucfhrhhomhepfdetlhgv gigrnhguvghrucevlhhouhhtvghrfdcuoegrlhgvgidoihgvthhfsegtohhrvghmvghmrd gtohhmqeenucggtffrrghtthgvrhhnpeevgeehjeeuveekvedvhfehuedufeehgeduuedt leelieetheegffeitedtudfgudenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmh epmhgrihhlfhhrohhmpegrlhgvgidoihgvthhfsegtohhrvghmvghmrdgtohhm
X-ME-Proxy: <xmx:clPjZazAZw5hv5SIYTIn6wV46VpB_5pWRRCCeQjAhzK_u8KWwUnzkA> <xmx:clPjZWP9umRrNDUFTnJpf0eYliU9SGfzoKIV19H8lHsTzfqo__ty4g> <xmx:clPjZX-ZzJA8xK5tWHjG1ENKFTabh7NavIK04nj5tuV3H9Gt8IpwHA> <xmx:clPjZTYQCqy7kPfhf90m88fPRJx9KOpETRkpv8GJJcutDP8kHAG-rZfZr74>
Feedback-ID: ie3614602:Fastmail
Received: by mailuser.nyi.internal (Postfix, from userid 501) id 98E3C2A20092; Sat, 2 Mar 2024 11:27:30 -0500 (EST)
X-Mailer: MessagingEngine.com Webmail Interface
User-Agent: Cyrus-JMAP/3.11.0-alpha0-205-g4dbcac4545-fm-20240301.001-g4dbcac45
MIME-Version: 1.0
Message-Id: <b6b6b90d-ff6b-486a-ab0e-d38c7b00c79f@app.fastmail.com>
In-Reply-To: <170934966282.22720.15728977796194077360@ietfa.amsl.com>
References: <170934966282.22720.15728977796194077360@ietfa.amsl.com>
Date: Sat, 02 Mar 2024 16:27:10 +0000
From: Alexander Clouter <alex+ietf@coremem.com>
To: David Mandelberg <david@mandelberg.org>, secdir@ietf.org
Cc: draft-ietf-emu-rfc7170bis.all@ietf.org, EMU WG <emu@ietf.org>, last-call@ietf.org
Content-Type: text/plain
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/L7EbrB5hqZQSnT_3Q0Ip4QpfZz0>
Subject: Re: [secdir] [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 02 Mar 2024 16:27:42 -0000

On Sat, 2 Mar 2024, at 03:21, David Mandelberg via Datatracker wrote:
>
> (nit) If I understand the TEAP version negotiation and Crypto-Binding
> correctly, the negotiated version is not cryptographically verified until
> either (1) after the first inner method is completed or (2) just before the
> final result, if there are no inner methods. Is that correct?

Correct (section 4.2.13), these are when the peer sends a Intermediate-Result or Result TLV which must be accompanied with a Crypto-Binding TLV.

> Does that mean
> it's possible for an attacker to get both sides to speak a lower-than-ideal
> TEAP version while performing the first inner method, and if so, does that
> matter? Or could an attacker get one side to think it's using one version and
> the other side to think it's using another version? What affect would that have
> on the first inner method?

I think it does but I do not think it matters as none of the inner methods are aware or coupled to the version of TEAP being used.

In the future, if TEAPv2 came along, maybe the fallout could be that a non-superset of inner methods and attributes would be allowed and there would be no guards that may bump the state machine around.

Not sure what could be done, as RFC7170bis describes what is already deployed.

Maybe a TEAPv2 could use ALPN for the TLS jacket to avoid this..erk, I think I may have suggested something that could be retro fitted here without impacting existing implementations; assuming they would just ignore the ALPN.

> (nit) Also, should section 4.2.20 recommend against using that TLV until after
> the server is authenticated?

For the unauthenticated server this means really a provisioning process is about to take place which limits what the client is allowed to do next by section 3.11.3. Those methods must provide mutual authentication as one of their requirements.

I suspect we could limit the TLV to only be sent by *configured* clients as they would have verified the server always by that point using the outer TLS jacket.

We though would be unable to do this if someone knows of a use case where two authentication methods for provisioning are required (user+machine auth?).

> (nit, section 5.3) Is there any way to determine the border between (3) and
> (4)? If not, then in theory a MITM might be able to remove the last
> server-to-peer outer TLV and prepend it to the peer-to-server TLVs, or vice
> versa, and the MAC would be the same. However, each side knows which outer TLVs
> it sent before the MITM modified it, so I don't think this could accomplish
> anything in practice?

I do not think so as the crypto-bindings are validated back to back by each peer.

Interesting angle of attack though, never occurred to me.

Thanks

Alex

v2.23.0 | Report a Bug | By Email