IETF Logo Mail Archive

Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)

Mohit Sethi M <mohit.m.sethi@ericsson.com> Tue, 05 January 2021 15:05 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3187B3A0FD2; Tue, 5 Jan 2021 07:05:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.612
X-Spam-Level:
X-Spam-Status: No, score=-2.612 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.25, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.262, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q2oWad_BUoSp; Tue, 5 Jan 2021 07:05:27 -0800 (PST)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-eopbgr20064.outbound.protection.outlook.com [40.107.2.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E4D93A0D81; Tue, 5 Jan 2021 07:05:26 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WrRP7xZ1VnYdQVPc6VLfHOgaTNJ1A2J0vDdy6an84nelhJMWJFDI3RfzuJr7q++7BPjBnA3R+kvxs5394yfjIQDBbWOGqtJCG1rXygxoheXraDb8DIpd/gTvNorBHM4UPqQush02NyKQMCeqVeyJevstBjrTsVtFEMBlTbNbsBnnB/QaQL7Db8WnAuUgm4SyAkPGy17s5HAGbQFaQKubNbbklBu1FhUpQds+rWfzk8QvhUXihbv7TzNVl0V1EJ2qZCb/kWTfSozwVOEPyq0mpY3sQ9Z1N5nVTuWwyEMPm/SPux9hZzcL8Td8o2d5l4aBLGzP2zxmw1jOYCBLKu5MPw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=znhMHj3iq5MZpDJqbv1yXqlnJauxFzc86PyNGnfd0M8=; b=KVCGLH5tpES4TYU/6r+aoQnGnlCyx1qMRANqiQOeZ2hSFme0Icn18EpZimPPFy0oJ5qXdIm0EmBdSMrilKLzC61GqrvLeYn2OpsEES9sIlYKUJAmhqChmnga9k2PbbRW3ucKKXx0vKtI50w9iYaNloqmi94YPIBou7XMM2j1uP3U9MmYEF/YPU8uDQI9HHwqxIHFiPKD9SwIUHOxzrSZl2LJ2vZrWmhFAqKCguYgBZBVChLjLLq9NSRhF/SYmSZ0qN+KR3/kp9EBTpxDgRfXpt317ALzQ5A5sExMdNG68U091NTo9Bts9GANzs+8zQB4JQKZTOaVkTN5rRekGAnBBw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=znhMHj3iq5MZpDJqbv1yXqlnJauxFzc86PyNGnfd0M8=; b=E7mrYFnF8LsxsLHg+28UQ3lDHxP+twcqpJ2SPsXvbMm54ZOY6YJlJtt6QiYwTJDcewd/cpOhSZGaIMobvSnGnWT0fgCbXFwgqiOTtLpnBHqLCi8aem3I87t0tjWr7pmW4HaSGhm6E85pHXBKUEoJNG3ldaS7s/zUzZQ9x7ITeh4=
Received: from HE1PR0701MB2394.eurprd07.prod.outlook.com (2603:10a6:3:70::13) by HE1PR0702MB3564.eurprd07.prod.outlook.com (2603:10a6:7:8c::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3742.4; Tue, 5 Jan 2021 15:05:23 +0000
Received: from HE1PR0701MB2394.eurprd07.prod.outlook.com ([fe80::a012:f1c5:3df:a9d7]) by HE1PR0701MB2394.eurprd07.prod.outlook.com ([fe80::a012:f1c5:3df:a9d7%12]) with mapi id 15.20.3742.006; Tue, 5 Jan 2021 15:05:23 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Joseph Salowey <joe@salowey.net>, Alan DeKok <aland@deployingradius.com>
CC: "tls@ietf.org" <tls@ietf.org>, EMU WG <emu@ietf.org>, Martin Thomson <mt@lowentropy.net>, Benjamin Kaduk <kaduk@mit.edu>
Thread-Topic: [Emu] [TLS] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
Thread-Index: AQHW0/v3Sc9XnYEKVU2ViWlCU2YXag==
Date: Tue, 05 Jan 2021 15:05:23 +0000
Message-ID: <e669002f-caff-1e6e-e28b-d09157eb0c07@ericsson.com>
References: <160815821055.25925.15897627611548078426@ietfa.amsl.com> <20201216223842.GR64351@kduck.mit.edu> <0f2b05db-5c98-43d4-aae3-cf620814bacc@www.fastmail.com> <A4BBA31B-8754-4D8C-B0F1-D1C6C859F6AE@deployingradius.com> <CAOgPGoBvBzhA0q4gFqpFSm2HkAs6NoyLc6RVZYLtTYsNd02i8A@mail.gmail.com>
In-Reply-To: <CAOgPGoBvBzhA0q4gFqpFSm2HkAs6NoyLc6RVZYLtTYsNd02i8A@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
authentication-results: salowey.net; dkim=none (message not signed) header.d=none;salowey.net; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [188.67.160.225]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 57770f82-724e-4957-b27a-08d8b18b537a
x-ms-traffictypediagnostic: HE1PR0702MB3564:
x-microsoft-antispam-prvs: <HE1PR0702MB35647CFD3E430A52A9C97364D0D10@HE1PR0702MB3564.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: QBzmEOeZsEhqr7G8JFWc0Wm8mmGnPN35zv58uerSQXrdrS7JAAi8aV9dWC+jGEK81bMqPXOtQPAOPfLzdZuR4y1GXSyrvZivBWSrn+Yy0YsjAlhsCCulBwKAy0XLV8+JtQDbxOjRJSolTxClM64Ppig2P4t1QDhpneF0ZydGDmm/AmhcRxF4wDBG8XkBwFFVm7uiDjyVN1FbrI5IQ7QQ0Z8HwxmgJxOppLRvkNNISq8xpKUTVe5Nq5mb3mcDJ0LOPpytiLgKrTnUmindOQRIvt1HjkpGCvWKElc84/7yk2T372DoT3pS7eKQ7CdL6LxLvm2Lmv4k62Rr+9p1WJrBEdhuDhH+Hf5ICpnL386rPV93WU51duImSnQGToHQNFijX2F4yRiyqvlB7NR1YepLfLScCnZeRr5CMdUyS3YuEzVY9d7G+MIYZV7LWHLTK77cU59R/BM95MPwPx0QSWFa1jttDfl7HOX0w/GXkBtrElcOCMsGCCtQdLbvA72K4/Hoqk/fPwzOpghi8Ygg6CroZ8F5merjhlLqzaM8aCg1ALyDUEwN6P9HjKNRZSYAFC5b
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:HE1PR0701MB2394.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(136003)(346002)(366004)(39860400002)(396003)(53546011)(31696002)(966005)(186003)(478600001)(26005)(6506007)(110136005)(45080400002)(36756003)(31686004)(86362001)(4326008)(6486002)(8936002)(316002)(83380400001)(8676002)(166002)(66556008)(66476007)(66446008)(64756008)(66946007)(76116006)(2906002)(5660300002)(54906003)(2616005)(6512007)(71200400001)(43740500002)(45980500001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: M3fn9VvBxVj3Bpm/lLe6jgW0PoQtB21D0YOjr0YJZnMuOYU0ciLg+qT6fvYQhuXOUq2XxJfETqJBBwPlNPag/IbqaMQ9NdQlitWAiktD2gxz380f1hsUB7eEL8hsCmJflleS1vb29VkKk1N5GC8tnCQNxzHNtYm2oTaqZ1Lyex3rKqKauMFQcnsUz7+0SDRk88j1J3QaWubpFeh74PxCGAF9QY/1cMYQOHSqaqNb/PQb7nApJok6KlIebcfYAlyod4KpHV6G2Nn4TRkHwjnQfUjEYNLCFXn0crTc3sWkPaYdLXdgGyhEN3soGHxBlM+S1Rv7juVZC6v1HiqgWxrERGFTa27TyPKyp/V8BeFOU5EKtX27/5AGFNMiX47d4pxS0+2fBiNAjveNpKK0XDc+aSCE7eF4P3/QI/3J+gtSmdgrmznCFWtw1fvg7e6Ls9s7nUQm3fZAaEnaxI5WVErIzUGGf0TVp6rf+p43XHxQPLhBdYKtcCHr7YcCvC1S/Ok5cvVAnNSnVSDGW7Mv5Yony1KS8Fpbl/HWSNk9UqU/I+MOS+t56c/kSrtXH9Eoc35rTHIwBMQwy8x++eh8t4h2HkDt4MRZfG9d0hRvbcdMf05WNJ+IHEYoMaNsTEk2AKIDH1H614c5ktFu6Ht5mFRbC7XOVcQL03/YOsYNAKQ6W5pwesUlGW2l6JhNItze5ljDeNDA7+ue2XoxrcA2p3TR4IUbIVff7MIU7Ol17KJdXv60jGDA7J1MYBz/TMNVafyR0DNRPh+M8mHDeCDyMB9Fc69Mf7WnbCj6/QUATnERq3GaicJqG3LBdXV74SFrXWCDIoIWOJ/eRjCjn2+FSq0P4cmXrogpvTEs/NrnvG2g4On+DELeydNXixzZXj6DeRvB/JdbzrqU08RDXPISZv5qvxnYfLDMsF53f17gpFVcO7yH2cwN8RhZR+T7F89TGbhDTAO5FQll0ajSy37nhUNEaCwyzJSzOajJHbZ1S43YjRw=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_e669002fcaff1e6ee28bd09157eb0c07ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: HE1PR0701MB2394.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 57770f82-724e-4957-b27a-08d8b18b537a
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Jan 2021 15:05:23.0646 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: mKJGY55bqfpw1EKQ0ih97QNnxUB4NpP2of58k+0tANd9k/GzosTzVAGxp/+dDvkk2i/jusWtPEbUGLkI7r04r6xCS0At7sU3LivHSqRpJAw=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0702MB3564
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/lBjl56nyUZYHBrcb2clExCncBWw>
Subject: Re: [TLS] [Emu] Fwd: Benjamin Kaduk's Discuss on draft-ietf-emu-eap-tls13-13: (with DISCUSS and COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jan 2021 15:05:30 -0000

Hi Joe,

On 1/5/21 8:44 AM, Joseph Salowey wrote:


On Mon, Jan 4, 2021 at 6:08 AM Alan DeKok <aland@deployingradius.com<mailto:aland@deployingradius.com>> wrote:
On Jan 3, 2021, at 10:44 PM, Martin Thomson <mt@lowentropy.net<mailto:mt@lowentropy.net>> wrote:
> # Key Schedule
>
> The other thing I observe is the way that this slices up the exporter output.  This was something that old versions of TLS did, but TLS 1.3 did away with.  Though RFC 5216 did this, EAP-TLS for TLS 1.3 doesn't need to.  This could - and should - do the same.  All it means is having more exporter labels.

  That's easy enough to change at this state.  The question is what are those labels?
  And, we're getting very close to needing an implementation soon.  RFC 8446 is over two years old.  Web services have started serious migration to TLS 1.3.  But we still don't even have a standard for EAP.  I suggest that this is an issue.

  At this point, we have inter-operability of TLS 1.3 for EAP-TLS, with the major EAP peer / server implementations.  This code is alpha, and not in any major release.  But we need to decide fairly soon what we're doing, as testing and releases take time.

  The alternative is to dither around for another year or two, all the while relying on legacy TLS versions for 802.1X / WiFi authentication.  i.e. packets which are trivially monitored by anyone with a WiFi card.

> I appreciate that this uses exporters now rather than abusing the internal PRF.  That's good.  The next step is to dispense with the intermediate values (Key_Material, MSK, EMSK, IV) and all the slicing that occurs and use the TLS exporter for each of the six values that the protocol requires.  I also note that the 0x0D value is used multiple times, unnecessarily, both as a context strong to the exporter and as a prefix to the session ID.

  If EAP-TLS was the only TLS-based EAP method, I would agree with you.  But it's not.  Historically, each TLS-based EAP method uses it's own key derivations, using method-specific strings.  This practice made implementations more difficult and error-prone.

[Joe] It may be worth having separate exporter tags for EMSK and MSK.  (EXPORTER_EAP_TLS_MSK and EXPORTER_EAP_TLS_EMSK).   I believe current applications define the use EAP key material based on the MSK or EMSK.   The mechanism for splitting the MSK into Enc-RECV-Key and Enc-SNED-Key I believe is only used in specific legacy cases (WEP, MPPE?) and may still be the radius attributes used in some deployments, so I don't think we should alter that derivation.   I'm not sure where the IV is used, but I don't think splitting it up more will be helpful.

This sounds reasonable. I was initially hesitant to change because we have working implementations. But after a brief glance at the current hostap implementation: https://w1.fi/cgit/hostap/tree/src/eap_server/eap_server_tls.c#n356; I am convinced that using separate labels for MSK and EMSK is better. The current implementation seems incorrect.

About the IV: RFC 5247 (published after RFC 5216) says the following (https://tools.ietf.org/html/rfc5247#section-1.2):

As a result, its use has been deprecated and it is
      OPTIONAL for EAP methods to generate it.  However, when it is
      generated, it MUST be unpredictable.

Should we still export it in EAP-TLS with TLS 1.3?

And the same question for Enc-SEND-Key and Enc-RECV-Key. They are defined in RFC 2548: https://tools.ietf.org/html/rfc2548, but not exported or used in hostap/freeradius implementations. It could be that they are still used by Microsoft but I am unsure?

--Mohit




  The use of 0x0D is to allow standard key derivations across TLS-based EAP methods.  The other methods replaced the 0x0D byte with their own EAP type value.  This practice greatly simplifies implementations.

  See https://tools.ietf.org/html/draft-dekok-emu-tls-eap-types-00 for more information.

  Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org<mailto:Emu@ietf.org>
https://www.ietf.org/mailman/listinfo/emu



_______________________________________________
Emu mailing list
Emu@ietf.org<mailto:Emu@ietf.org>
https://www.ietf.org/mailman/listinfo/emu

v2.23.0 | Report a Bug | By Email