[TLS] EAP-in-TLS and channel bindings
Simon Josefsson <simon@josefsson.org> Fri, 01 April 2011 08:40 UTC
Return-Path: <simon@josefsson.org>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 8980D3A65A5 for <tls@core3.amsl.com>; Fri, 1 Apr 2011 01:40:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.435
X-Spam-Level:
X-Spam-Status: No, score=-103.435 tagged_above=-999 required=5 tests=[AWL=-0.836, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Vdc0LSU6WOFZ for <tls@core3.amsl.com>; Fri, 1 Apr 2011 01:40:03 -0700 (PDT)
Received: from yxa-v.extundo.com (yxa-v.extundo.com [213.115.69.139]) by core3.amsl.com (Postfix) with ESMTP id C8E723A63CB for <tls@ietf.org>; Fri, 1 Apr 2011 01:40:02 -0700 (PDT)
Received: from latte.josefsson.org (c80-216-4-108.bredband.comhem.se [80.216.4.108]) (authenticated bits=0) by yxa-v.extundo.com (8.14.3/8.14.3/Debian-5+lenny1) with ESMTP id p318fYit026433 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT) for <tls@ietf.org>; Fri, 1 Apr 2011 10:41:35 +0200
X-Hashcash: 1:22:110401:tls@ietf.org::lnCPbrb7HzkIKy2S:Duny
From: Simon Josefsson <simon@josefsson.org>
To: tls@ietf.org
OpenPGP: id=B565716F; url=http://josefsson.org/key.txt
Date: Fri, 01 Apr 2011 10:41:34 +0200
Message-ID: <87ipuycqip.fsf@latte.josefsson.org>
User-Agent: Gnus/5.110016 (No Gnus v0.16) Emacs/23.2 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Virus-Scanned: clamav-milter 0.97 at yxa-v
X-Virus-Status: Clean
Subject: [TLS] EAP-in-TLS and channel bindings
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2011 08:40:04 -0000
Hi,
I want to explain again what I (unsuccessfully) tried to raise during
the presentation. First it helps to recall the protocol flow with
TLS-in-EAP, from the document:
Client Server
------ ------
ClientHello(*) -------->
ServerHello(*)
(Certificate)
ServerKeyExchange
EapMsg(Identity-Request)
<-------- ServerHelloDone
ClientKeyExchange
(CertificateVerify)
ChangeCipherSpec
InterimAuth
EapMsg(Identity-Reply) -------->
ChangeCipherSpec
InterimAuth
EapMsg(GPSK-Request)
<--------
EapMsg(GPSK-Reply) -------->
EapMsg(GPSK-Request)
<--------
EapMsg(GPSK-Reply) -------->
EapMsg(Success)
<-------- Finished
Finished -------->
Note that the "Finished" messages are not sent until AFTER the EAP
exchange. This means that the "tls-unique" channel binding (which
refers to the Finished messages) is not available to the EAP mechanism.
That means that the EAP mechanism is not able to channel bind to TLS
using "tls-unique", which results in weaker than necessary
authentication as far as I can see.
Do you see the problem now?
I see a few solutions:
1) Specify that when EAP-in-TLS is used, the "tls-unique" channel
binding should use the "InterimAuth" message instead of the "Finished"
message.
2) Specify a channel binding for TLS that doesn't use the "Finished"
message.
3) Specify that you always need to complete a full TLS handshake first,
and then re-handshake and do the EAP handshake during that phase.
There may be other solutions. At this point I don't have an opinion on
what is a good way to resolve this.
/Simon
- [TLS] EAP-in-TLS and channel bindings Simon Josefsson
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Simon Josefsson
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Michael D'Errico
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Michael D'Errico
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- [TLS] Modifying the TLS state machine Simon Josefsson
- Re: [TLS] Modifying the TLS state machine Yoav Nir
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Eric Rescorla
- Re: [TLS] EAP-in-TLS and channel bindings Yaron Sheffer
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] Modifying the TLS state machine Nikos Mavrogiannopoulos
- Re: [TLS] Modifying the TLS state machine Eric Rescorla
- Re: [TLS] Modifying the TLS state machine Nikos Mavrogiannopoulos
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Nico Williams
- Re: [TLS] Modifying the TLS state machine Martin Rex
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Tom Wu
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nikos Mavrogiannopoulos
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams
- Re: [TLS] EAP-in-TLS and channel bindings Yoav Nir
- Re: [TLS] EAP-in-TLS and channel bindings Nico Williams