IETF Logo Mail Archive

Re: [secdir] [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15

Alan DeKok <aland@deployingradius.com> Sun, 03 March 2024 15:52 UTC

Return-Path: <aland@deployingradius.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67A23C15153F; Sun, 3 Mar 2024 07:52:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dxbqie8Q9hOd; Sun, 3 Mar 2024 07:52:18 -0800 (PST)
Received: from mail.networkradius.com (mail.networkradius.com [62.210.147.122]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 77127C15153C; Sun, 3 Mar 2024 07:52:17 -0800 (PST)
Received: from smtpclient.apple (135-23-95-173.cpe.pppoe.ca [135.23.95.173]) by mail.networkradius.com (Postfix) with ESMTPSA id 956165E6; Sun, 3 Mar 2024 15:52:14 +0000 (UTC)
Authentication-Results: NetworkRADIUS; dmarc=none (p=none dis=none) header.from=deployingradius.com
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.1\))
From: Alan DeKok <aland@deployingradius.com>
In-Reply-To: <170934966282.22720.15728977796194077360@ietfa.amsl.com>
Date: Sun, 03 Mar 2024 10:52:13 -0500
Cc: secdir@ietf.org, draft-ietf-emu-rfc7170bis.all@ietf.org, emu@ietf.org, last-call@ietf.org
Content-Transfer-Encoding: quoted-printable
Message-Id: <2A5A060E-241C-433E-A281-037BA1D53437@deployingradius.com>
References: <170934966282.22720.15728977796194077360@ietfa.amsl.com>
To: David Mandelberg <david@mandelberg.org>
X-Mailer: Apple Mail (2.3696.120.41.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/he1ahzm7Efn4fQAzopJtbfcBRvc>
Subject: Re: [secdir] [Emu] Secdir last call review of draft-ietf-emu-rfc7170bis-15
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Mar 2024 15:52:19 -0000

On Mar 1, 2024, at 10:21 PM, David Mandelberg via Datatracker <noreply@ietf.org> wrote:
> 
> (nit) If I understand the TEAP version negotiation and Crypto-Binding
> correctly, the negotiated version is not cryptographically verified until
> either (1) after the first inner method is completed or (2) just before the
> final result, if there are no inner methods. Is that correct?

  Yes.

  The semi-good news is that there is only one version of TEAP defined. 

> Does that mean
> it's possible for an attacker to get both sides to speak a lower-than-ideal
> TEAP version while performing the first inner method, and if so, does that
> matter?

  Since there's only one TEAP version, no other version can be negotiated.  So the issue is mostly theoretical.

  If an attacker modifies the headers to use a lower-than-ideal TEAP version, then the Crypto-Binding TLV will eventually discover this, and the entire authentication will be rejected.

  So it doesn't matter if any inner method is successful, the binding will prevent 

> Or could an attacker get one side to think it's using one version and
> the other side to think it's using another version? What affect would that have
> on the first inner method?

  I think the answer is "yes" to the first question.  It wouldn't affect the first inner method.  But as above, the change will be discovered via Crypto-Binding, and the entire authentication will fail.

> (nit) Overall this document seems to support two different modes, one where the
> TLS tunnel provides server authentication, and one where the tunnel doesn't but
> inner methods can provide it later and then use Crypto-Binding to verify the
> tunnel. There are a few sections that seem to be written as if the TLS tunnel
> always provides server authentication though: 7.1, 7.4.1 (2nd paragraph), and
> 7.8.

  I'll fix that and update the document.

> Also, should section 4.2.20 recommend against using that TLV until after
> the server is authenticated?

  I think so, yes.  I'll add a note.

> (nit, section 3.2) "[RFC9325] Section 4.2 for TLS 1.3." should say 4.3 instead,
> right?

  Yes.

> (nit, section 3.11.4) Is "WAP" a typo of "EAP"?

  Yes.

> (nit, section 5.3) Is there any way to determine the border between (3) and
> (4)?

  No.

> If not, then in theory a MITM might be able to remove the last
> server-to-peer outer TLV and prepend it to the peer-to-server TLVs, or vice
> versa, and the MAC would be the same. However, each side knows which outer TLVs
> it sent before the MITM modified it, so I don't think this could accomplish
> anything in practice?

  The server calculates the compound MAC using the outer TLVs it sent, and the outer TLVs it received from the peer.

  The peer calculates the compound MAC using the outer TLVs it sent, and the outer TLVs it received from the server.

  As a result, and modification in transit is detected, because the compound MAC will not be the same.

v2.23.0 | Report a Bug | By Email