[TLS] TLS attacks relevant for EAP-TLS

John Mattsson <john.mattsson@ericsson.com> Fri, 11 January 2019 12:03 UTC

To: "emu@ietf.org" <emu@ietf.org>, "uta@ietf.org" <uta@ietf.org>, "tls@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/82CkLhquUnTz6vzq6nPUvWg8Egs>

Hi,

The draft "Using EAP-TLS with TLS 1.3" (draft-ietf-emu-eap-tls13-03) specifies the use of EAP-TLS with TLS 1.3:

https://tools.ietf.org/html/draft-ietf-emu-eap-tls13
https://github.com/emu-wg/draft-ietf-emu-eap-tls13

In Bangkok the EMU WG decided to analyse if some of the known attacks on TLS have relevance for EAP-TLS and if draft-ietf-emu-eap-tls13 should have some short security considerations on how to configure EAP-TLS to mitigate attacks when it is used with earlier versions of TLS (1.0, 1.1, 1.2).

My understanding is that most of the attacks on TLS (e.g. the ones listed in RFC 7457) are less serious for EAP-TLS as EAP-TLS only uses the TLS handshake and does not protect any application data. I am currently planning to reference RFC 7525 and RFC 7457. Are there any other documents that are relevant to reference and are there any specific attacks that should be highlighted?

I am thankful for any help or input.

Cheers,
John