IETF Logo Mail Archive

Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3 State Machine

Bernard Aboba <bernard.aboba@gmail.com> Mon, 08 February 2021 11:40 UTC

Return-Path: <bernard.aboba@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 757A33A165C; Mon, 8 Feb 2021 03:40:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.1
X-Spam-Level:
X-Spam-Status: No, score=-0.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URI_DOTEDU=1.997] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GibFVlPsIcYU; Mon, 8 Feb 2021 03:40:24 -0800 (PST)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF4633A1658; Mon, 8 Feb 2021 03:40:23 -0800 (PST)
Received: by mail-lj1-x22c.google.com with SMTP id f19so16541023ljn.5; Mon, 08 Feb 2021 03:40:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=g6vpFoMd2bj1zblddvuWdJnykS5sJjcJv4vJC2DN+lU=; b=lFDZasaZ7wGMMpQXT5nEG11q3BVCyirlAfWoHEZO/opWGYRqGHZUz/kX95ZorxMvgw +zN84k6ymqApd+0NwEXdiNGNVdRWY38ZyBTzozwfFZxeBc/LHrd1Luj5Ck9iNweMeM+C AEWpAsJDdFGYdVJ9ZkI5YBoyXgxsQeGaTlljKHm04GcZx/60I4p74mnq4EZ/kI4q1f9H u4ph/K+GntiWp6aR2rSTFOQhF8yN565ZcD4lTD1u5K70gkOZm19Q2YHA+QA6i9WqnJe3 iLT8Mt9yuEDigCfIGyD6PsMawBXsk8mbE4OXgqS9Z8shhIG39MvUkvzSeGSOPam68acr oEnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=g6vpFoMd2bj1zblddvuWdJnykS5sJjcJv4vJC2DN+lU=; b=Rs9bXNY/V60WXk1qRF/qnOsA+qwXTn1iah+V241KhgbT40RsMzg8qnizpyR0N52H4/ URi1fnm3DHBoIeQHajzPAApcCpMYEpuf5UhWAB0PUQqlQfyt6HSqhsj4bZOFbH/VqcND M7B7PD2T9w0d46uV3KtD39CJvN8S5KeCexkbQ9EgjeDuzoUD9KHFKLw634KD6Fy30PYu MRpFIvYiWDhlMQ4dvXu94DTcExyPtbM0p2zqaelRTVPirY8HFmkvX8CKmdCWvBfyNEwf 7VBtnOLL97+Wbz+oVP/wIim5sv5LFRHJcxI866UwmBgxFisoaPjNmzD4BOxtbpEqh4nl fP3Q==
X-Gm-Message-State: AOAM530Xrov/3343NRoqPSL0iymR5dOyM623P+QAzb/B3N9LelcUuPgt 3exJE+4iFmtf30QcXJn7icZoTECIFUGv/OE9cskEPTKufr65jQ==
X-Google-Smtp-Source: ABdhPJwo5vmO0sx1Bz7wMXZWdA2FixQ6gzowuRTGn4aM0/y6DhOzscL3ITMxQL01b/u6p++RnCjQI+bxc1F9FjKzDBs=
X-Received: by 2002:a2e:824b:: with SMTP id j11mr10770838ljh.473.1612784422001; Mon, 08 Feb 2021 03:40:22 -0800 (PST)
MIME-Version: 1.0
References: <CAOW+2dvGQGc4-awvmaj=k4esv=vDp+Eb7RRvv88xEqPhOGJSFQ@mail.gmail.com> <4991F280-1644-43CB-A5DE-CE364641966F@ericsson.com> <f62b935b-2ee5-1954-1b82-5e28186f71ca@ericsson.com> <C65C7E0C-F889-4151-A28C-B638A3B2DB56@ericsson.com>
In-Reply-To: <C65C7E0C-F889-4151-A28C-B638A3B2DB56@ericsson.com>
From: Bernard Aboba <bernard.aboba@gmail.com>
Date: Mon, 08 Feb 2021 03:40:11 -0800
Message-ID: <CAOW+2dvqSMbi-7iik-RM+LoYJPCORnYe1kfkKNOmo87XyiCuBw@mail.gmail.com>
To: John Mattsson <john.mattsson@ericsson.com>
Cc: Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>, "emu@ietf.org" <emu@ietf.org>, "TLS@ietf.org" <TLS@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000092a1de05bad1a22d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rvG_216CUH4tWCC7Bkd0Hj6yw-s>
Subject: Re: [TLS] [Emu] Underspecification of EAP-TLS 1.3 State Machine
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Feb 2021 11:40:28 -0000

John said:


"Based on your comments it seems like protected success indication is not
needed in IEEE 802 for security reasons."


[BA] As described in RFC 4137, protected success indications prevent
attacks involving injection of unprotected EAP-Failure indications, as well
as enabling key synchronization.  So yes, they do serve a purpose.


Would also be good to conclude that other methods do not need an alternate
success indication.


[BA] That would not be good, because it would be an incorrect conclusion.



Note that RFC 4137 is informal and not mandatory to follow.


[BA] Every EAP implementation I am aware of supports RFC 4137.  It was
specifically developed to address security vulnerabilities that were
considered serious enough to block deployment of EAP.  So you can say it is
"informal", "not required", etc. but in practice it is implemented and
necessary.


Similarly a implementation can ignore the alternative success indication
unless EAP-TLS 1.3 makes it mandatory.


[BA] Implementers are going to support alt success and alt failure
indications, as they indicated on the mailing list, because those
indications have been supported by EAP-TLS and other secure EAP methods for
more than a decade. It's not productive to re-introduce security
vulnerabilities into EAP after years of work to remove them.

On Sun, Feb 7, 2021 at 10:39 PM John Mattsson <john.mattsson@ericsson.com>
wrote:

> Thanks Mohit,
>
>
>
> Based on your comments it seems like protected success indication is not
> needed in IEEE 802 for security reasons. Would be good with more feedback
> on this. EAP-TLS 1.3 might get a protected success indication anyway, but
> the draft should have a few sentences about what the alternate success
> indication is good for. Would also be good to conclude that other methods
> do not need an alternate success indication. Seems like e.g. RFC 5448
> removed the optional result indications from RFC 4187, probably after an
> agreement that they were not needed.
>
>
>
> Note that RFC 4137 is informal and not mandatory to follow. Similarly a
> implementation can ignore the alternative success indication unless EAP-TLS
> 1.3 makes it mandatory. In RFC 5216 it is to my understanding up to the
> implementation if it wants to use server Finished as a alternate success
> indication.
>
>
>
> Cheers,
>
> John
>
>
>
> *From: *Mohit Sethi M <mohit.m.sethi=40ericsson.com@dmarc.ietf.org>
> *Date: *Monday, 8 February 2021 at 06:33
> *To: *John Mattsson <john.mattsson@ericsson.com>, Bernard Aboba <
> bernard.aboba@gmail.com>, "emu@ietf.org" <emu@ietf.org>, "TLS@ietf.org" <
> TLS@ietf.org>
> *Subject: *Re: [Emu] Underspecification of EAP-TLS 1.3 State Machine
>
>
>
> Hi all,
>
> I have now read both the papers. I am not sure the attacks in [2] are
> anymore possible:
>
> - The first attack described in section 4.1.1 shows that an EAP-Success
> leads to an unconditional transition to the Authenticated state
> irrespective of the current state. However, I am not sure this is the case
> anymore as RFC 4137 (https://tools.ietf.org/html/rfc4137#appendix-A.1)
> now says :
>
>                              |------------------------+--------------
>
>                              |      rxSuccess &&      |
>
>                              |  (reqId == lastId) &&  |       SUCCESS
>
>                              |   (decision != FAIL)   |
>
>                              |------------------------+--------------
>
> The peer cannot simply transition to SUCCESS state as the decision is
> initialized to FAIL. The decision is set to COND_SUCC or UNCOND_SUCC only
> after the peer decides that the server has sufficiently been authenticated
> (for EAP methods with mutual authentication).
>
> - The second attack described in section 4.2 relies on the adversary
> sending a disassociate management frame and then uses the MAC address of
> the authenticated supplicant to gain network access. This again should not
> work as a) 802.11w-2009 protects disassociate management frame, and b)
> EAP-Success is followed by 4-way handshake after which there is per packet
> authenticity and integrity (with Key Confirmation Key). The attacker cannot
> gain network access without knowing the PMK (derived from the MSK) and
> performing the 4-way handshake.
>
> The attacks in [1] are not specific to EAP. The attacks relate to Denial
> of Service (DoS) by injecting spoofed alerts in TLS. John has suggested the
> following text for the draft (which I think is sufficient):
>
> Protected TLS Error alerts are protected failure result indications and
> enables the EAP-TLS peer and EAP-TLS server to determine that the failure
> result was not spoofed by an attacker. Protected failure result indications
> provide integrity protection and replay but MAY be unauthenticated.
> Protected failure result does not significantly improve availability as TLS
> 1.3 treats most malformed data as a fatal error.
>
> --Mohit
>
> [1] Extensible Authentication Protocol Vulnerabilities and Improvements :
> https://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1431&context=etd_projects
> [2] An Initial Security Analysis of the IEEE 802.1X Standard :
> http://www.cs.cornell.edu/people/egs/615/mishra-arbaugh.pdf
>
> On 2/4/21 2:18 PM, John Mattsson wrote:
>
> Hi Bernard,
>
>
>
> I (re-)read the papers you send.
>
>
>
> - "Extensible Authentication Protocol Vulnerabilities and Improvements
> Improvements"
>
>
>
>   This paper talks attacks on availability by spoofing messages. It looks
> into a small amount of ways where spoofed messages causes the TLS
> connection to fail, especially it focus on alert messages.
>
>
>
>   TLS and EAP-TLS is trivial for an on-path attacker to shut down.
> Basically any small error is fatal in TLS. Focusing on alert messages does
> not seem correct. An attacker can e.g. at any time send a small record with
> length 2^15, which causes TLS to terminate the connection. I think the only
> thing that can be achieved without rewriting TLS is that availability
> attacks does not cause long-term damage, i.e. the nodes can retry the
> handshake.
>
>
>
> - "An Initial Security Analysis of the IEEE 802.1X Standard"
>
>
>
>   This paper discusses attacks on 801.11. The weaknesses described seems
> to come from 802.11 / EAP interactions.
>
>
>
> The discussions around IETF 102 was that the uncertainty (NewSessionTicket
> or not) in TLS 1.3 was "inconvinient" and that it would be convient to get
> rid of the uncertainty. Bernard then pointed out that any message changing
> the state need to be authenticated to that it is not possible to spoof. I
> think that both the application layer commit message as well as
> close_notify fulfill these old requirements.
>
>
>
>
>
> I think your analysis is correct.
>
>
>
> 1. What constitutes an "alternative success" indication in the EAP-TLS 1.3
> protocol?
>
>
>
> The -13 commitment message verifies that both sides are in possession of a
> derived key. But the server finished already does that. As you state, the
> -13 commitment message is not an alternative success indication. I think it
> would be easy to make it an alternative success indication be mandating
> that the EAP-TLS server must only send it after verifying the client
> finished. I do not think defining a new exporter is needed.
>
>
>
> The -14 close_notify is also not an alternative success indication and can
> not be made into one either.
>
>
>
> If the requirement is that an alternative authenticated success indication
> is needed. Then I think:
>
>
>
> - We need to have an extra roundtrip.
>
> - close_notify does not work and cannot be made to work
>
> - Application data commit message could work as an alternative success
> indication. TLS would have to be profiled so the alternative success is
> only send be EAP-TLS server after client finished processed successfully.
>
>
>
> 2. At what point should keys be pushed down to the lower layer?
>
>
>
> What is the exact requirement for eapKeyAvailable = TRUE to be set?
>
>
>
> My understanding reading RFC 4137 (correct me if I am wrong) is that it is
> not enough that the other party is authenticated, but that an alternative
> success indication has been sent/received. If that is correct the EAP-TLS
> server would set eapKeyAvailable = TRUE after sendign the alternative
> success indication and the EAP-TLS client would set eapKeyAvailable = TRUE
> after receiving the alternative success indication.
>
>
>
> 3. What constitutes an "alternative failure" indication in EAP-TLS 1.3?
>
>
>
> Yes, I agree, receipt of TLS Alert messages should be considered an
> alternative failure mechanism.
>
>
>
> 4. What is the purpose of the commitment message?
>
>
>
> The -01 to -13 purpose was to indicate in an authenticated way that the
> EAP-TLS method would not continue and that only success or failure could
> follow.
>
>
>
> If an alternative success indication is required. Which it seems to be
> according to your mail. I think the alternative success indication would
> replace the old commitment message.
>
>
>
> I think
>
>
>
> Cheers,
>
> John
>
>
>
> *From: *Emu <emu-bounces@ietf.org> <emu-bounces@ietf.org> on behalf of
> Bernard Aboba <bernard.aboba@gmail.com> <bernard.aboba@gmail.com>
> *Date: *Tuesday, 2 February 2021 at 16:25
> *To: *"emu@ietf.org" <emu@ietf.org> <emu@ietf.org> <emu@ietf.org>
> *Subject: *[Emu] Underspecification of EAP-TLS 1.3 State Machine
>
>
>
> The EAP TLS 1.3 specification does not currently specify how EAP TLS 1.3
> interacts with the EAP state machine as specified in RFC 4137.  It appears
> to me that this under-specification is at the root of the questions about
> the commitment message.
>
>
>
> Historically, under-specification of the EAP-TLS state machine has been a
> source of potential security vulnerabilities by enabling packet injection
> attacks [1][2], including attacks involving the injection of EAP-Success
> and EAP-Failure mechanisms.
>
>
>
> RFC 4137 Sections 4.1.1 and 4.1.2 define several variables:
>
>
>
>    altAccept (boolean)
>
>
>
>       Alternate indication of success, as described in [RFC3748 <https://tools.ietf.org/html/rfc3748>].
>
>
>
>    altReject (boolean)
>
>
>
>       Alternate indication of failure, as described in [RFC3748 <https://tools.ietf.org/html/rfc3748>].
>
>
>
>    eapKeyData (EAP key)
>
>
>
>       Set in peer state machine when keying material becomes available.
>
>       Set during the METHOD state.  Note that this document does not
>
>       define the structure of the type "EAP key".  We expect that it
>
>       will be defined in [Keying <https://tools.ietf.org/html/rfc4137#ref-Keying>].
>
>
>
>    eapKeyAvailable (boolean)
>
>
>
>       Set to TRUE in the SUCCESS state if keying material is available.
>
>       The actual key is stored in eapKeyData.
>
>
>
> The issue in the EAP-TLS 1.3 specification is that the interlock with these variables is not defined.
>
>
>
> For example, it appears to me that the commitment message verifies that both sides are in possession of a derived key,
>
> allowing the eapKeyData variables to be set.  However, it does not appear to me that the successful validation of the commitment message is
>
> sufficient to allow keys to be pushed down to the lower layer, allowing data to flow.
>
> Therefore the eapKeyAvailable variable should not yet be set to TRUE.
>
>
>
> Also, the commitment message does not constitute an alternative success indication because it is possible for an
>
> alternative failure indication (e.g. a TLS alert) to be sent after the commitment message.
>
> If the commitment message did constitute an alternative success mechanism, then an attacker injecting an
>
> EAP-Success message would be able to cause the peer to believe that authentication
>
> had succeeded even though it had actually failed (e.g. TLS alert sent after the commitment message).
>
>
>
> Given these issues, I believe the specification needs to answer several questions:
>
>
>
> 1. What constitutes an "alternative success" indication in the EAP-TLS 1.3 protocol?
>
> 2. At what point should keys be pushed down to the lower layer?
>
> 3. What constitutes an "alternative failure" indication in EAP-TLS 1.3?
>
> 4. What is the purpose of the commitment message?
>
>
>
> Only question 3 looks straight forward to me: receipt of TLS Alert messages should be considered an alternative failure mechanism,
>
> although perhaps some caveats need to be applied to address the injection attacks described in [1].
>
>
>
> [1] EAP Vulnerabilities and Improvements, Extensible Authentication Protocol Vulnerabilities and Improvements (sjsu.edu) <https://scholarworks.sjsu.edu/cgi/viewcontent.cgi?article=1431&context=etd_projects>
>
> [2] An Analysis of the IEEE 802.1X Standard, An Initial Security Analysis of the IEEE 802.1X Standard | Request PDF (researchgate.net) <https://www.researchgate.net/publication/2562682_An_Initial_Security_Analysis_of_the_IEEE_8021X_Standard>
>
>
>
> _______________________________________________
>
> Emu mailing list
>
> Emu@ietf.org
>
> https://www.ietf.org/mailman/listinfo/emu
>
>

v2.23.0 | Report a Bug | By Email