Re: [TLS] EAP-in-TLS and channel bindings

Nico Williams <nico@cryptonector.com> Mon, 04 April 2011 07:40 UTC

DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :in-reply-to:references:date:message-id:subject:from:to:cc :content-type:content-transfer-encoding; q=dns; s= cryptonector.com; b=n5i2fAnEfx7CK6tginDqtitPsUuoXdG6LFBcp2dbDGms lweK6iybl1z/owAtQ+O+mi9bpXY7MNrxXQ8h6HLzldO93I/AKHyO0qPrOW1/OF+E AhvQ98PHjBSQOMjSb0I/FJwNQwmve5YkF+8ZMggSLXTuYCQ+g+bXiU6zJAH1o0Y=
MIME-Version: 1.0
In-Reply-To: <BANLkTimicdj2y9eJ3XRA2FYX5uU6XpZ95w@mail.gmail.com>
References: <87ipuycqip.fsf@latte.josefsson.org> <AANLkTi=qgzJSizeS22ewyYB3cHZBoESMXrt0xO=QJgHP@mail.gmail.com> <F50A7509-951E-435E-A00B-2D366F240B19@checkpoint.com> <BANLkTikROgMh-dP=fT6ZQr1o-A90fgnxzQ@mail.gmail.com> <B299FA78-95CD-478D-B129-51AD04872C51@checkpoint.com> <BANLkTimicdj2y9eJ3XRA2FYX5uU6XpZ95w@mail.gmail.com>
Date: Mon, 04 Apr 2011 02:42:08 -0500
Message-ID: <BANLkTi=1O7xCaTFai=kTtQqtS4WL7i9w+A@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: Yoav Nir <ynir@checkpoint.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Cc: Simon Josefsson <simon@josefsson.org>, "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] EAP-in-TLS and channel bindings
Precedence: list

On Mon, Apr 4, 2011 at 2:26 AM, Nico Williams <nico@cryptonector.com> wrote:
> On Mon, Apr 4, 2011 at 1:44 AM, Yoav Nir <ynir@checkpoint.com> wrote:
>>> I'm not sure that EAP has no use for tls-unique here...  Suppose
>>> you're talking to an MITM (see the Comodo CA compromise...).  Don't
>>> you want to make sure that they are not able to cut-n-paste the EAP
>>> exchange to the real service??  I would think that you do!  In EAP
>>> this would be called "cryptographic binding", not "channel binding" --
>>> we have a sad terminology issue :(
>>
>> Some EAP methods, especially the good ones, have some random values in them, so they're protected against cut-and-paste. The security considerations should state why it's a good idea to use such methods.
>
> I'm not seeing that.  Let's say we have a client C, an MITM M, a
> server S, and a AAA server A.  So we have C<->M<->S and C<=M<->S=>A.
> M terminates a TLS connection to C and is the client of a TLS
> connection to S, and M relays all other messages (including the TLS
> extensions for carrying EAP messages) between C and S until the point
> where the EAP exchange is complete, and then M closes the connection
> to C.  From that point on M pretends to be the user authenticated by
> EAP.
>
> To prevent that attack we have to do something such as a) change the
> keying of TLS, or b) demonstrate to C and S that they have the same
> TLS connection.  We can't do (a) because you might not be able to
> change keying until after some point in the EAP exchanges that is past
> the TLS ChangeCipherSpec and Finished  message exchanges, and you
> can't delay those TLS messages because you can't change the TLS state
> machine.  That leaves you with (b).

BTW, this is properly the province of RFC5056 channel binding.  That's
because you have a secure channel (TLS) and authentication above it
(EAP), and you want the channel to speak for the authenticated
parties, which is precisely what RFC5056 channel binding is all about.

Also, you should go look at ABFAB WG.  ABFAB is working on an
EAP-based mechanism for the GSS-API (they have much running code too,
so it's not pie in the sky).  Combined with
draft-williams-tls-sasl-opt, ABFAB would give you pretty much the same
exact thing you're trying to accomplish :)

Nico
--

[TLS] EAP-in-TLS and channel bindings Simon Josefsson
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Simon Josefsson
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Michael D'Errico
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Michael D'Errico
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
[TLS] Modifying the TLS state machine Simon Josefsson
Re: [TLS] Modifying the TLS state machine Yoav Nir
Re: [TLS] Modifying the TLS state machine Nico Williams
Re: [TLS] Modifying the TLS state machine Eric Rescorla
Re: [TLS] EAP-in-TLS and channel bindings Yaron Sheffer
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] Modifying the TLS state machine Nikos Mavrogiannopoulos
Re: [TLS] Modifying the TLS state machine Eric Rescorla
Re: [TLS] Modifying the TLS state machine Nikos Mavrogiannopoulos
Re: [TLS] Modifying the TLS state machine Nico Williams
Re: [TLS] Modifying the TLS state machine Nico Williams
Re: [TLS] Modifying the TLS state machine Martin Rex
Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
Re: [TLS] EAP-in-TLS and channel bindings Nico Williams