[TLS] EAP-in-TLS and channel bindings
Simon Josefsson <simon@josefsson.org> Fri, 01 April 2011 08:40 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8980D3A65A5 for <tls@core3.amsl.com>; Fri, 1 Apr 2011 01:40:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.435
X-Spam-Level:
X-Spam-Status: No, score=-103.435 tagged_above=-999 required=5 tests=[AWL=-0.836, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vdc0LSU6WOFZ for <tls@core3.amsl.com>; Fri, 1 Apr 2011 01:40:03 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [213.115.69.139]) by core3.amsl.com (Postfix) with ESMTP id C8E723A63CB for <tls@ietf.org>; Fri, 1 Apr 2011 01:40:02 -0700 (PDT)
Received: from latte.josefsson.org (c80-216-4-108.bredband.comhem.se [80.216.4.108]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p318fYit026433 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <tls@ietf.org>; Fri, 1 Apr 2011 10:41:35 +0200
X-Hashcash: 1:22:110401:tls@ietf.org::lnCPbrb7HzkIKy2S:Duny
From: Simon Josefsson <simon@josefsson.org>
To: tls@ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Fri, 01 Apr 2011 10:41:34 +0200
Message-ID: <87ipuycqip.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110016 (No Gnus v0.16) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97 at yxa-v
X-Virus-Status: Clean
Subject: [TLS] EAP-in-TLS and channel bindings
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2011 08:40:04 -0000
Hi, I want to explain again what I (unsuccessfully) tried to raise during the presentation. First it helps to recall the protocol flow with TLS-in-EAP, from the document: Client Server ------ ------ ClientHello(*) --------> ServerHello(*) (Certificate) ServerKeyExchange EapMsg(Identity-Request) <-------- ServerHelloDone ClientKeyExchange (CertificateVerify) ChangeCipherSpec InterimAuth EapMsg(Identity-Reply) --------> ChangeCipherSpec InterimAuth EapMsg(GPSK-Request) <-------- EapMsg(GPSK-Reply) --------> EapMsg(GPSK-Request) <-------- EapMsg(GPSK-Reply) --------> EapMsg(Success) <-------- Finished Finished --------> Note that the "Finished" messages are not sent until AFTER the EAP exchange. This means that the "tls-unique" channel binding (which refers to the Finished messages) is not available to the EAP mechanism. That means that the EAP mechanism is not able to channel bind to TLS using "tls-unique", which results in weaker than necessary authentication as far as I can see. Do you see the problem now? I see a few solutions: 1) Specify that when EAP-in-TLS is used, the "tls-unique" channel binding should use the "InterimAuth" message instead of the "Finished" message. 2) Specify a channel binding for TLS that doesn't use the "Finished" message. 3) Specify that you always need to complete a full TLS handshake first, and then re-handshake and do the EAP handshake during that phase. There may be other solutions. At this point I don't have an opinion on what is a good way to resolve this. /Simon
- [TLS] EAP-in-TLS and channel bindings Simon Josefsson
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Simon Josefsson
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Michael D'Errico
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Michael D'Errico
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- [TLS] Modifying the TLS state machine Simon Josefsson
- Re: [TLS] Modifying the TLS state machine Yoav Nir
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Eric Rescorla
- Re: [TLS] EAP-in-TLS and channel bindings Yaron Sheffer
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] Modifying the TLS state machine Nikos Mavrogiannopoulos
- Re: [TLS] Modifying the TLS state machine Eric Rescorla
- Re: [TLS] Modifying the TLS state machine Nikos Mavrogiannopoulos
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Martin Rex
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams