Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3 State Machine
John Mattsson <john.mattsson@ericsson.com> Thu, 04 February 2021 14:22 UTC
Return-Path: <john.mattsson@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 13AA83A1504; Thu, 4 Feb 2021 06:22:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.353
X-Spam-Level:
X-Spam-Status: No, score=-0.353 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_DOTEDU=1.997] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id id25HbZKsJ88; Thu, 4 Feb 2021 06:22:26 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-eopbgr00060.outbound.protection.outlook.com [40.107.0.60]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3E3433A1505; Thu, 4 Feb 2021 06:22:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fk+N0ByvsqBuEsY6Irmall4/KZGWBZeXZrOoKuM0k2lxkHdkJFATfTQojrb1JBNTLoJHcKpc6Jy9q1DhAYaIGfGjnKQ76pnOmRIW6Q/5Sh/iuyzsbhHbJGo6x2gt18tijnxEytTlQRgC05lVwiFDEeirr4tnfEUuwT9+C+XMTn8/pxxE9IjeGs/cPKxjcI7E76xDpsqpUjexvXupB3uuuh63QGw4MJQL4rTqXekgjSiqnzvDsjW8l+KuCPCQQNYTomQ+bX008yPMj/DuAVVhO1XAGXd5gZVGwhopYza73mzvUHDc3IIZlaunZR535TZri/N4/DOi3cXwnyfly18P2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=46NGt63Hdtf1D96ds1f7cTGYbH3+VTI/FKn6DogXlxc=; b=DToSyHXna5aG+fLimVK82Iyab8MthHt4kUfdl3gayiL8nFoQ+9+uUv08SgapaM062Aj1MJwl7WPFVE7VdwMMlrsA4QWSA8lUV+9MH1Hik60UisjzJr6VVhDUg58ps5+yUE7gPrM9rBhjOEwLrQaBlrv96omwOs7HesGxt9cMqRQMbkWEKizGJaarSBzfC33N3TaqqEhflpvNLt5GpdPorQeB8Ff/OUDLe83mSmk4X1aqlZ5bxuCT3wyiY81WdjzQnRrwFomDeVnkedinxdStiZsVTuUShHfwIX4tf7jdHi+XSWVvyHoyCK2mzsynMJ8ISsIbAWj2sT0a25oAS6UR1Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=46NGt63Hdtf1D96ds1f7cTGYbH3+VTI/FKn6DogXlxc=; b=JmBHX3ZWeVvaAcRGfzpZzaCdaPtUPCDVqMKwg1LODirKLlBsreERstSdxJGeMz/lM48P4iJLzv8+ZUVs9B4GoRsB6sVwKI1zy7tby2l1XVMG4n+KfM54jkax8YVqOg53wdXWxf3BPnGIkrayGNg8iBUEGGsEdPGy1SYJ/r/0b5Y=
Received: from (2603:10a6:3:4b::8) by HE1PR0701MB3050.eurprd07.prod.outlook.com (2603:10a6:3:4b::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3825.8; Thu, 4 Feb 2021 14:22:23 +0000
Received: from HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::c555:6e47:970c:1268]) by HE1PR0701MB3050.eurprd07.prod.outlook.com ([fe80::c555:6e47:970c:1268%11]) with mapi id 15.20.3825.023; Thu, 4 Feb 2021 14:22:23 +0000
From: John Mattsson <john.mattsson@ericsson.com>
To: Bernard Aboba <bernard.aboba@gmail.com>, "emu@ietf.org" <emu@ietf.org>, "TLS@ietf.org" <TLS@ietf.org>
Thread-Topic: [Emu] Underspecification of EAP-TLS 1.3 State Machine
Thread-Index: AQHW+Xei1LMAQqIzHEO/CrX3nRzncqpH/Y6AgAAilAA=
Date: Thu, 04 Feb 2021 14:22:23 +0000
Message-ID: <C3B0FD18-9305-450F-B8C7-FEF2AFFCB818@ericsson.com>
References: <CAOW+2dvGQGc4-awvmaj=k4esv=vDp+Eb7RRvv88xEqPhOGJSFQ@mail.gmail.com> <4991F280-1644-43CB-A5DE-CE364641966F@ericsson.com>
In-Reply-To: <4991F280-1644-43CB-A5DE-CE364641966F@ericsson.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.45.21011103
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [81.225.97.222]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: e3218cdf-72c0-4b72-c897-08d8c9184a32
x-ms-traffictypediagnostic: HE1PR0701MB3050:
x-microsoft-antispam-prvs: <HE1PR0701MB3050A3B6E9AD9C1B6526A0F789B39@HE1PR0701MB3050.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: MpU6y/a3elbHznI9ItO/7cO7qa33OTtpcmc9qYX8o5rgIh5Am4eju1HLv66fojy/G4OHf/qo+K8KqxzAOvhXHww+CGYmoyU90xT1ZNWmZyAtq3FdrE6Z2i1GC7SroPGwOk6UQdyv81ebZ4sBllUJOBB6dOxrFH4Z1+nH0b5YBVMVqAf6bcfLNFM2X8NiyK7jw+BuKXhxodVVmP5sLozrkKGA8a9LURTPTTD4siGuv9ujEV4QLXu3ka7zVEzs1gj/AgKPtNpCd3MiOC8npZ8Lsr30kq1LXkuIa/zEkAwISXZafANT/NBq7RgPCzT2rDJIGFPxGqGqYYr+imGxFrJSzU4ZGpxJzotE11cBBNJJMrOcJDDz2riGYntU9ZCsYiSrlqnf0/Tw+HC2f6fJnhpfcCRL6eRV0tJCXMvyFGjjNCpMwPcfS/FzEGi0QS9YZJGVa8ejI6cpugDTDI5treFuTsdwNumij5T1iQryT00a81tPB8rfvkJvgiwVfWeZOs7TSt5kDznTXdirmd8+yhqFtadAfUM+JkBz+QQMMOYX9ylm1DFfnEj1Cf9AFw/PEX+f8UfLOAPS4hwKoxvYj9Y9eK5HZzXrPD7TKlunjzuGIgXKsPWN0R9K9xJ+9G5x693HZPnJR6EQcw1hDXxprFAZKg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB3050.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(366004)(39860400002)(396003)(346002)(376002)(2906002)(6506007)(110136005)(83380400001)(2616005)(478600001)(36756003)(166002)(86362001)(186003)(71200400001)(66446008)(64756008)(66556008)(8676002)(53546011)(33656002)(76116006)(316002)(26005)(44832011)(66946007)(8936002)(6512007)(6486002)(66476007)(5660300002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: YjHIFerFyGyU3r5TWhVZZieeJaHhThPzqfv6QZO56eeDwZ9ESLQ03kcvkRWwvueLgT6uqAALqfH1xxluzng5fu+7rhLPPvsf9gWUfpJYnQWuJtu/7ld5wtmC/qBec06Kk+ShzMO62NmJY8XUBaceyRvevk07P901I5ITxEsnFLdkSNmu5fgImkSjIJ6o1Wf0qWD7ww/ennXpUP900SZZq50JVI/WiixzqqH8675vxhEt500YX9RXgBR5L+/GF33wEhh9yLoGGuxgb5ef6YsfgDb2amf0jtyy655SQBp/HOQ9Bjsl5XVZsV9DzUQgaBe5pxVi5A1kqLoDFHL9xIcq7aWeXCuidRR4bZUPq7a7deHzvB0ND0WDAHCrFwBXXHwWV04o0AlKY0355dnsAM/qPTlIZm4oEemRImxj0IXFGHhApM5J+VidsyZX6c4ZqAIqYDELGWJQ8bT3FuIY/6W4b/exID/t/NiFC9Y4gStbiQLuSKoTLTsKbeoYpbfi0T9RGXRAIg1FP+g8+0v5+d6liAYgL1TMKUEdwRGxfK1TrUBnzYOXTJRx4C99k0BUPlpuWkTUCSiESypiIs6Zv6iOr9rSn7le/0r00Y3tidKRuZ85oOP9fpT9RYxc9rs5KdLszwu+a8iuTE/y4dnVWheG3opJ83C9fNQnm8wBbej4C8Sll3hxweSyTDJHAJRybgd42Ak+ezjWfmJzuMSnu58ZxdBmAKEyVYAoWZwXOoqBBl7edXo832mU94UrveUPu8t9hmY2GP9p/wIuE9tjzjvBG645dpP2QTg6uyOMhduZYuRFda84emB4MzOvIAop9U9xu3/LOxLh2aT8RQ8fyJiJiMUi11FnFL2/IRtoMJLNg/fVNFarufLWpliasCfohjFOprIquT7PD4q2qMAFvLxl/1+DTgYhTnRIN9UyaPqxt7Cq38+KXloGC/ch2MYvCv9+FPscpulAueBEttIiZIs1GJRzQEaS4WF0zaxR9sXKyj2dHOnRdyQi/5er+0MZkbE6yHZA4mTX4Zs9dmLJcrz9I6HEY0Nmmzo/Thev86eghwk8swQ9AYAdhbn6EMn8fGeBpEyJeJicBk7wc1mPjWAOIzCaQTMrG7yuTGoxtrGvcZ3TVbxbP2d/fMWPaDZnTVb5GyUab9rGYc+kd7RW4TYiD8ngXYgutWufz1Z2kYNnn+mwIGvmW5B6rtKF+gqkBaff9RjWwUxcIvkIDcpFPX60UUS02Vtm/Y0aI2pnr/vPK81C6a55eRcPgSIXTRtrZYvxa6rvs5LRf90uQoEHhsazHnq92HOQNdKzukzr1iYKz3d8bmMFf7eHIDQ7j5LgTnsS
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_C3B0FD189305450FB8C7FEF2AFFCB818ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB3050.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: e3218cdf-72c0-4b72-c897-08d8c9184a32
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 Feb 2021 14:22:23.2915 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: FDa555kpRuJn2C7zu0TgvKeVhc2m0+tYbk1igroicWSI66NxVfpOrRt8tIpht5k2ggCUaESUvjSnMorEu2P7Oe/9jAyvnkapYaKzwNNcuzE=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB3050
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/C0994Qflq1DunLRw-1n50vjSRPE>
Subject: Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3 State Machine
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2021 14:22:29 -0000
I think the major decision for the EMU WG to make going forward is to agree if EAP-TLS 1.3 MUST have an alternative success indication. RFC 5216 does not discuss the EAP state machine at all, but in TLS 1.2 the server finished can be used as an alternative success indication. close_notify might be possible to turn into an alternative success indication if the TLS implementation can be profiled to not send any close_notify by itself. I don't know if there are any cases where an implementation would send close_notify without the application telling it to. If the wg agrees that an authenticated alternative success indication is needed (this is to my understanding needed in e.g. 802.11) then the process would be that the EAP-TLS server first process the second flight from the client, if that verifies correctly, the server send application data commit message / close_notify. Introducing an authenticated alternative success indication would not require any changes to the -14 message flows. In -13 the commitment message would have to be sent in a later flight than server finished. If a mandatory authenticated alternative success indication is introduced in EAP-TLS 1.3, I do not think any future additions to TLS 1.3 would be needed for EAP-TLS 1.3. From: John Mattsson <john.mattsson@ericsson.com> Date: Thursday, 4 February 2021 at 13:18 To: Bernard Aboba <bernard.aboba@gmail.com>, "emu@ietf.org" <emu@ietf.org>, "TLS@ietf.org" <TLS@ietf.org> Subject: Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine Hi Bernard, I (re-)read the papers you send. - "Extensible Authentication Protocol Vulnerabilities and Improvements Improvements" This paper talks attacks on availability by spoofing messages. It looks into a small amount of ways where spoofed messages causes the TLS connection to fail, especially it focus on alert messages. TLS and EAP-TLS is trivial for an on-path attacker to shut down. Basically any small error is fatal in TLS. Focusing on alert messages does not seem correct. An attacker can e.g. at any time send a small record with length 2^15, which causes TLS to terminate the connection. I think the only thing that can be achieved without rewriting TLS is that availability attacks does not cause long-term damage, i.e. the nodes can retry the handshake. - "An Initial Security Analysis of the IEEE 802.1X Standard" This paper discusses attacks on 801.11. The weaknesses described seems to come from 802.11 / EAP interactions. The discussions around IETF 102 was that the uncertainty (NewSessionTicket or not) in TLS 1.3 was "inconvinient" and that it would be convient to get rid of the uncertainty. Bernard then pointed out that any message changing the state need to be authenticated to that it is not possible to spoof. I think that both the application layer commit message as well as close_notify fulfill these old requirements. I think your analysis is correct. 1. What constitutes an "alternative success" indication in the EAP-TLS 1.3 protocol? The -13 commitment message verifies that both sides are in possession of a derived key. But the server finished already does that. As you state, the -13 commitment message is not an alternative success indication. I think it would be easy to make it an alternative success indication be mandating that the EAP-TLS server must only send it after verifying the client finished. I do not think defining a new exporter is needed. The -14 close_notify is also not an alternative success indication and can not be made into one either. If the requirement is that an alternative authenticated success indication is needed. Then I think: - We need to have an extra roundtrip. - close_notify does not work and cannot be made to work - Application data commit message could work as an alternative success indication. TLS would have to be profiled so the alternative success is only send be EAP-TLS server after client finished processed successfully. 2. At what point should keys be pushed down to the lower layer? What is the exact requirement for eapKeyAvailable = TRUE to be set? My understanding reading RFC 4137 (correct me if I am wrong) is that it is not enough that the other party is authenticated, but that an alternative success indication has been sent/received. If that is correct the EAP-TLS server would set eapKeyAvailable = TRUE after sendign the alternative success indication and the EAP-TLS client would set eapKeyAvailable = TRUE after receiving the alternative success indication. 3. What constitutes an "alternative failure" indication in EAP-TLS 1.3? Yes, I agree, receipt of TLS Alert messages should be considered an alternative failure mechanism. 4. What is the purpose of the commitment message? The -01 to -13 purpose was to indicate in an authenticated way that the EAP-TLS method would not continue and that only success or failure could follow. If an alternative success indication is required. Which it seems to be according to your mail. I think the alternative success indication would replace the old commitment message. I think Cheers, John From: Emu <emu-bounces@ietf.org> on behalf of Bernard Aboba <bernard.aboba@gmail.com> Date: Tuesday, 2 February 2021 at 16:25 To: "emu@ietf.org" <emu@ietf.org> Subject: [Emu] Underspecification of EAP-TLS 1.3 State Machine The EAP TLS 1.3 specification does not currently specify how EAP TLS 1.3 interacts with the EAP state machine as specified in RFC 4137. It appears to me that this under-specification is at the root of the questions about the commitment message. Historically, under-specification of the EAP-TLS state machine has been a source of potential security vulnerabilities by enabling packet injection attacks [1][2], including attacks involving the injection of EAP-Success and EAP-Failure mechanisms. RFC 4137 Sections 4.1.1 and 4.1.2 define several variables: altAccept (boolean) Alternate indication of success, as described in [RFC3748<https://tools.ietf.org/html/rfc3748>]. altReject (boolean) Alternate indication of failure, as described in [RFC3748<https://tools.ietf.org/html/rfc3748>]. eapKeyData (EAP key) Set in peer state machine when keying material becomes available. Set during the METHOD state. Note that this document does not define the structure of the type "EAP key". We expect that it will be defined in [Keying<https://tools.ietf.org/html/rfc4137#ref-Keying>]. eapKeyAvailable (boolean) Set to TRUE in the SUCCESS state if keying material is available. The actual key is stored in eapKeyData. The issue in the EAP-TLS 1.3 specification is that the interlock with these variables is not defined. For example, it appears to me that the commitment message verifies that both sides are in possession of a derived key, allowing the eapKeyData variables to be set. However, it does not appear to me that the successful validation of the commitment message is sufficient to allow keys to be pushed down to the lower layer, allowing data to flow. Therefore the eapKeyAvailable variable should not yet be set to TRUE. Also, the commitment message does not constitute an alternative success indication because it is possible for an alternative failure indication (e.g. a TLS alert) to be sent after the commitment message. If the commitment message did constitute an alternative success mechanism, then an attacker injecting an EAP-Success message would be able to cause the peer to believe that authentication had succeeded even though it had actually failed (e.g. TLS alert sent after the commitment message). Given these issues, I believe the specification needs to answer several questions: 1. What constitutes an "alternative success" indication in the EAP-TLS 1.3 protocol? 2. At what point should keys be pushed down to the lower layer? 3. What constitutes an "alternative failure" indication in EAP-TLS 1.3? 4. What is the purpose of the commitment message? Only question 3 looks straight forward to me: receipt of TLS Alert messages should be considered an alternative failure mechanism, although perhaps some caveats need to be applied to address the injection attacks described in [1]. [1] EAP Vulnerabilities and Improvements, Extensible Authentication Protocol Vulnerabilities and Improvements (sjsu.edu)<https://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1431&context=etd_projects> [2] An Analysis of the IEEE 802.1X Standard, An Initial Security Analysis of the IEEE 802.1X Standard | Request PDF (researchgate.net)<https://www.researchgate.net/publication/2562682_An_Initial_Security_Analysis_of_the_IEEE_8021X_Standard>
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… John Mattsson
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… John Mattsson
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… John Mattsson
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… Bernard Aboba
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… Alan DeKok
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… Mohit Sethi M
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… John Mattsson
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… Bernard Aboba
- Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3… Bernard Aboba