[secdir] Security directorate review of draft-ietf-radext-tls-psk-09
Hilarie Orman <ho@alum.mit.edu> Thu, 14 March 2024 16:48 UTC
Return-Path: <hilarie@purplestreak.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 575FAC151099; Thu, 14 Mar 2024 09:48:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.358
X-Spam-Level:
X-Spam-Status: No, score=-2.358 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ErkriWoUrTXL; Thu, 14 Mar 2024 09:48:39 -0700 (PDT)
Received: from out01.mta.xmission.com (out01.mta.xmission.com [166.70.13.231]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange ECDHE (P-256) server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 321E8C15108D; Thu, 14 Mar 2024 09:48:36 -0700 (PDT)
Received: from mx04.mta.xmission.com ([166.70.13.214]:48962) by out01.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <hilarie@purplestreak.com>) id 1rkoFv-003Z96-3m; Thu, 14 Mar 2024 10:48:35 -0600
Received: from [166.70.232.207] (port=46021 helo=enoether.rhmr.com) by mx04.mta.xmission.com with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.93) (envelope-from <hilarie@purplestreak.com>) id 1rkoFu-00818d-4j; Thu, 14 Mar 2024 10:48:34 -0600
Received: from enoether.rhmr.com (localhost [127.0.0.1]) by enoether.rhmr.com (8.15.2/8.15.2/Debian-22ubuntu3) with ESMTP id 42EGmX2f2912894; Thu, 14 Mar 2024 10:48:33 -0600
Received: (from alicew@localhost) by enoether.rhmr.com (8.15.2/8.15.2/Submit) id 42EGmX9r2912893; Thu, 14 Mar 2024 10:48:33 -0600
Date: Thu, 14 Mar 2024 10:48:33 -0600
Message-Id: <202403141648.42EGmX9r2912893@enoether.rhmr.com>
X-Authentication-Warning: enoether.rhmr.com: alicew set sender to hilarie using -f
From: Hilarie Orman <ho@alum.mit.edu>
Reply-To: Hilarie Orman <ho@alum.mit.edu>
To: iesg@ietf.org, secdir@ietf.org
Cc: draft-ietf-radext-tls-psk.all@ietf.org
X-XM-SPF: eid=1rkoFu-00818d-4j; ; ; mid=<202403141648.42EGmX9r2912893@enoether.rhmr.com>; ; ; hst=mx04.mta.xmission.com; ; ; ip=166.70.232.207; ; ; frm=hilarie@purplestreak.com; ; ; spf=softfail
X-SA-Exim-Connect-IP: 166.70.232.207
X-SA-Exim-Mail-From: hilarie@purplestreak.com
X-Spam-DCC: XMission; sa07 1397; Body=1 Fuz1=1 Fuz2=1
X-Spam-Combo: ****;iesg@ietf.org, secdir@ietf.org
X-Spam-Relay-Country:
X-Spam-Timing: total 424 ms - load_scoreonly_sql: 0.05 (0.0%), signal_user_changed: 11 (2.6%), b_tie_ro: 9 (2.2%), parse: 0.77 (0.2%), extract_message_metadata: 4.3 (1.0%), get_uri_detail_list: 1.70 (0.4%), tests_pri_-2000: 2.3 (0.5%), tests_pri_-1000: 2.2 (0.5%), tests_pri_-950: 1.23 (0.3%), tests_pri_-900: 0.98 (0.2%), tests_pri_-90: 74 (17.4%), check_bayes: 72 (17.0%), b_tokenize: 7 (1.6%), b_tok_get_all: 8 (1.9%), b_comp_prob: 3.1 (0.7%), b_tok_touch_all: 50 (11.7%), b_finish: 0.96 (0.2%), tests_pri_0: 316 (74.4%), check_dkim_signature: 0.48 (0.1%), check_dkim_adsp: 23 (5.4%), poll_dns_idle: 17 (3.9%), tests_pri_10: 2.2 (0.5%), tests_pri_500: 8 (1.8%), rewrite_mail: 0.00 (0.0%)
X-SA-Exim-Version: 4.2.1 (built Sat, 08 Feb 2020 21:53:50 +0000)
X-SA-Exim-Scanned: Yes (on mx04.mta.xmission.com)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/OKVafQKqS64vYyABd_KLu2iTzLE>
Subject: [secdir] Security directorate review of draft-ietf-radext-tls-psk-09
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2024 16:48:40 -0000
Security review of RADIUS and TLS-PSK draft-ietf-radext-tls-psk-09 Do not be alarmed. I generated this review of this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written with the intent of improving security requirements and considerations in IETF drafts. Comments not addressed in last call may be included in AD reviews during the IESG review. Document editors and WG chairs should treat these comments just like any other last call comments. The document has advice about using TLS pre-shared keys with RADIUS. It addresses the immediate question of "why is anyone using pre-shared keys" by pointing out that certificates can be bulky and difficult to manage, and then follows with 15 pages of advice on using pre-shared keys. That is wryly amusing. Reuse is the bugaboo of pre-shared keys, so the main message from the document is "don't reuse them." Another PSK vulnerability is the symmetry between server and client authentication, and I think that could be promoted to an earlier section. Page 5 has example code for turning random data in human readable ascii strings, but it seems overly specific (why use "-" as the separator?), and it does not include an example decode routine or advice about rejecting malformed strings. On page 12, there is the statement: "The intent for TLS-PSK is for it to be used in internal / secured networks, where clients come from a small number of known locations". This seems important enough to be included in the introduction. Section 4.1.1 says: "It is RECOMMENDED that RADIUS clients and servers track all used shared secrets and PSKs, and then verify that the following requirements all hold true: * no shared secret is used for more than one RADIUS client * no PSK is used for more than one RADIUS client * no shared secret is used as a PSK" I take this mean that these items should be checked anytime a shared secret or PSK is added or changed. But, a naive implementation might create a master list of all such secrets to use for checking, and that is an unnecessary security risk. Perhaps there should be guidance about using a hash list for checking? The text about checking PSK identities on page 7 has some rules about distinguishing different kinds of identities based on whether or not they are proper UTF-8 encodings. That might be practical, but it sounds really hokey. I don't know the probability of random (ascii?) strings being legal UTF-8, so I am not even sure that the method is sound. I'm not sure I understand the discussion of "resumption" on pages 15-16. The text says that an identity can change between the initial full handshake and the need for resumption. That could happen if a client changed its IP address within an allowed block. Is resumption so important that it must be supported instead of requiring a new handshake? And resumption credentials can last for a full week, which seems oddly long. There is no discussion of key lifetimes or change procedures (other than the one week for resumption), so I guess that it is covered by administrative practices in RADIUS? 5.2.2. "else the server ignores the session ticker," presumably is "ticket"? Hilarie
- [secdir] Security directorate review of draft-iet… Hilarie Orman
- Re: [secdir] Security directorate review of draft… Alan DeKok