headers
Glen Zorn | 1 Sep 2010 04:31

Re: security paper on tunneled authentication

I agree w/Bernard.  It is never too late to fix a broken document.

 

Hope this helps.

 

 ~gwz

 

From: emu-bounces <at> ietf.org [mailto:emu-bounces <at> ietf.org] On Behalf Of Bernard Aboba
Sent: Tuesday, August 31, 2010 10:48 PM
To: emu <at> ietf.org
Subject: Re: [Emu] security paper on tunneled authentication

 

Katrina Hoeper said:

"Unfortunately, it seems to be too late to reference the analysis in the tunnel requirement draft, but I hope that some people still might find it interesting."

[BA] The paper represents the most comprehensive analysis of tunneled authentication security to date, and brings into question a number of assumptions that have been made as to how MITM in the middle attacks can be mitigated.     In looking over the tunnel requirements document,  there are only a few places where the issue of MITM attacks is discussed, so if you believe there are changes that need to be made, you should go ahead and propose them.  

_______________________________________________
Emu mailing list
Emu <at> ietf.org
https://www.ietf.org/mailman/listinfo/emu
Permalink | Reply | 5 comments |
headers
Hoeper Katrin-QWKN37 | 1 Sep 2010 16:30

Re: security paper on tunneled authentication

I never said the document was broken, just that my paper would be a good reference to make implementers aware of the potential dangers of MITM attacks.

 

I will check the current draft for conflicts and, if necessary, propose changes.

 

Katrin

 

From: emu-bounces <at> ietf.org [mailto:emu-bounces <at> ietf.org] On Behalf Of Glen Zorn
Sent: Tuesday, August 31, 2010 9:31 PM
To: 'Bernard Aboba'; emu <at> ietf.org
Subject: Re: [Emu] security paper on tunneled authentication

 

I agree w/Bernard.  It is never too late to fix a broken document.

 

Hope this helps.

 

 ~gwz

 

From: emu-bounces <at> ietf.org [mailto:emu-bounces <at> ietf.org] On Behalf Of Bernard Aboba
Sent: Tuesday, August 31, 2010 10:48 PM
To: emu <at> ietf.org
Subject: Re: [Emu] security paper on tunneled authentication

 

Katrina Hoeper said:

"Unfortunately, it seems to be too late to reference the analysis in the tunnel requirement draft, but I hope that some people still might find it interesting."

[BA] The paper represents the most comprehensive analysis of tunneled authentication security to date, and brings into question a number of assumptions that have been made as to how MITM in the middle attacks can be mitigated.     In looking over the tunnel requirements document,  there are only a few places where the issue of MITM attacks is discussed, so if you believe there are changes that need to be made, you should go ahead and propose them.  

_______________________________________________
Emu mailing list
Emu <at> ietf.org
https://www.ietf.org/mailman/listinfo/emu
Permalink | Reply | 4 comments |
headers
Alan DeKok | 1 Sep 2010 16:34
Favicon
Gravatar

Re: security paper on tunneled authentication

Hoeper Katrin-QWKN37 wrote:
> I will check the current draft for conflicts and, if necessary, propose
> changes.

  I think that the main issue with the draft is that it requires
tunneled methods to allow for password authentication.  Your analysis
paper says that password methods cannot be made resistant to these attacks.

  If that is right, then I don't think there is anything to do in the draft.

  Alan DeKok.
Permalink | Reply | 3 comments |
headers
Hoeper Katrin-QWKN37 | 1 Sep 2010 16:40

Re: security paper on tunneled authentication

I agree. That's why I was thinking that adding a reference that makes
implementers aware of this problem would be a good idea. Then they can
make an educated decision about whether they want to implement
additional mitigation techniques (i.e. enforce policies) or to not use
password-based inner methods.

> -----Original Message-----
> From: Alan DeKok [mailto:aland <at> deployingradius.com]
> Sent: Wednesday, September 01, 2010 9:34 AM
> To: Hoeper Katrin-QWKN37
> Cc: Glen Zorn; Bernard Aboba; emu <at> ietf.org
> Subject: Re: [Emu] security paper on tunneled authentication
> 
> Hoeper Katrin-QWKN37 wrote:
> > I will check the current draft for conflicts and, if necessary,
propose
> > changes.
> 
>   I think that the main issue with the draft is that it requires
> tunneled methods to allow for password authentication.  Your analysis
> paper says that password methods cannot be made resistant to these
attacks.
> 
>   If that is right, then I don't think there is anything to do in the
> draft.
> 
>   Alan DeKok.
Permalink | Reply | 2 comments |
headers
Joe Salowey | 1 Sep 2010 17:51
Picon
Favicon

Re: security paper on tunneled authentication

I'd be glad to add a reference.

On 9/1/10 7:40 AM, "Hoeper Katrin-QWKN37" <khoeper <at> motorola.com> wrote:

> I agree. That's why I was thinking that adding a reference that makes
> implementers aware of this problem would be a good idea. Then they can
> make an educated decision about whether they want to implement
> additional mitigation techniques (i.e. enforce policies) or to not use
> password-based inner methods.
> 
> 
>> -----Original Message-----
>> From: Alan DeKok [mailto:aland <at> deployingradius.com]
>> Sent: Wednesday, September 01, 2010 9:34 AM
>> To: Hoeper Katrin-QWKN37
>> Cc: Glen Zorn; Bernard Aboba; emu <at> ietf.org
>> Subject: Re: [Emu] security paper on tunneled authentication
>> 
>> Hoeper Katrin-QWKN37 wrote:
>>> I will check the current draft for conflicts and, if necessary,
> propose
>>> changes.
>> 
>>   I think that the main issue with the draft is that it requires
>> tunneled methods to allow for password authentication.  Your analysis
>> paper says that password methods cannot be made resistant to these
> attacks.
>> 
>>   If that is right, then I don't think there is anything to do in the
>> draft.
>> 
>>   Alan DeKok.
> _______________________________________________
> Emu mailing list
> Emu <at> ietf.org
> https://www.ietf.org/mailman/listinfo/emu
Permalink | Reply | 0 comments |
headers
Sam Hartman | 1 Sep 2010 18:57
Picon
Favicon

Re: security paper on tunneled authentication

>>>>> "Hoeper" == Hoeper Katrin-QWKN37 <khoeper <at> motorola.com> writes:

    Hoeper> I agree. That's why I was thinking that adding a reference
    Hoeper> that makes implementers aware of this problem would be a
    Hoeper> good idea. Then they can make an educated decision about
    Hoeper> whether they want to implement additional mitigation
    Hoeper> techniques (i.e. enforce policies) or to not use
    Hoeper> password-based inner methods.

Well, we also want to make sure that if you're using a non-password
inner method, then we are not vulnerable to MITM issues.
Permalink | Reply | 0 comments |
headers
Sam Hartman | 1 Sep 2010 19:11
Picon
Favicon

How does cryptographic binding work


So, this paper makes it clear that I don't understand some of this stuff
as well as I thought I did.  No surprise there; it's complicated and
this has not been my primary area of focus. so let's see if I can be
educated.

In the part of the world I'm familiar with, we address this problem by
authenticating the identity of the outer tunnel as part of the inner
tunnel.  For example for a TLS-based tunnel we might hash the TLS finish
message into the inner method.  We don't even try to do anything with
plaintext password methods: there's no point you're just kidding
yourself.  We do try and do something with things like SCRAM (think
mschapv2 roughly).  We're typically using the tunnel in order to fight
against dictionary attacks mounted by observers or to provide session
security later.

If I'm reading this paper right that's not what we're doing here in EAP.
We're taking some quantity from the inner method and binding to that?

What's the rationale for that?
Permalink | Reply | 5 comments |
headers
Joe Salowey | 2 Sep 2010 01:38
Picon
Favicon

Re: How does cryptographic binding work

The basic reason for this is that EAP methods have a well defined mechanism
to output key material. There hasn't been a mechanism to import data into a
method, channel bindings may change this.

Key generating EAP methods export an MSK.  The MSK is then mixed with key
material extracted from the TLS keying material to form a combined key.
This combined key is then used in a MAC calculation on some data sent within
the tunnel.  The details vary depending on the method.  Typically the MSK
exported from the tunnel method also have the inner method MSK mixed in with
the TLS key material.

There are cases with some EAP methods where data from the TLS tunnel has
been used directly in the inner method.  This behavior causes differences
between the way the method behaves inside the tunnel and outside the tunnel,
which may complicate implementations in many cases.

EAP tunnel methods typically do not try to do any binding with plaintext
basic PAP-like password exchanges.

Hope this helps to clarify things.

Joe

On 9/1/10 10:11 AM, "Sam Hartman" <hartmans-ietf <at> mit.edu> wrote:

> 
> 
> So, this paper makes it clear that I don't understand some of this stuff
> as well as I thought I did.  No surprise there; it's complicated and
> this has not been my primary area of focus. so let's see if I can be
> educated.
> 
> In the part of the world I'm familiar with, we address this problem by
> authenticating the identity of the outer tunnel as part of the inner
> tunnel.  For example for a TLS-based tunnel we might hash the TLS finish
> message into the inner method.  We don't even try to do anything with
> plaintext password methods: there's no point you're just kidding
> yourself.  We do try and do something with things like SCRAM (think
> mschapv2 roughly).  We're typically using the tunnel in order to fight
> against dictionary attacks mounted by observers or to provide session
> security later.
> 
> If I'm reading this paper right that's not what we're doing here in EAP.
> We're taking some quantity from the inner method and binding to that?
> 
> What's the rationale for that?
> _______________________________________________
> Emu mailing list
> Emu <at> ietf.org
> https://www.ietf.org/mailman/listinfo/emu
Permalink | Reply | 4 comments |
headers
Sam Hartman | 2 Sep 2010 01:56
Picon
Favicon

Re: How does cryptographic binding work

>>>>> "Joe" == Joe Salowey <jsalowey <at> cisco.com> writes:

    Joe> The basic reason for this is that EAP methods have a well
    Joe> defined mechanism to output key material. There hasn't been a
    Joe> mechanism to import data into a method, channel bindings may
    Joe> change this.

OK, but I'm not sure this quite gets you the properties you want.

As best I can tell:

* The server wants assurance that if an inner method is somehow lifted
  out of a tunneled exchange, the inner method cannot be used alone or
  in a different tunnel.

* The client wants assurance that it's talking to a consistent server so
  that you only end up having to authenticate the server at one level.

Impersonating peers to servers and impersonating servers to peers both
have value to an attacker in different situations.

I think these are the properties you want (And I think the definition in
RFC 3748 is a bit under specified) and I'm not sure how what you've
described gets that.
Permalink | Reply | 3 comments |
headers
Joe Salowey | 2 Sep 2010 04:51
Picon
Favicon

Re: How does cryptographic binding work


On 9/1/10 4:56 PM, "Sam Hartman" <hartmans-ietf <at> mit.edu> wrote:

>>>>>> "Joe" == Joe Salowey <jsalowey <at> cisco.com> writes:
> 
>     Joe> The basic reason for this is that EAP methods have a well
>     Joe> defined mechanism to output key material. There hasn't been a
>     Joe> mechanism to import data into a method, channel bindings may
>     Joe> change this.
> 
> OK, but I'm not sure this quite gets you the properties you want.
> 
[Joe] What we wanted from this mechanism was to ensure that the tunnel
endpoints was the same as the inner method endpoints.

> As best I can tell:
> 
> * The server wants assurance that if an inner method is somehow lifted
>   out of a tunneled exchange, the inner method cannot be used alone or
>   in a different tunnel.
> 
[Joe] We didn't want to modify the method.  The purpose was to restrict the
method only to the a particular tunnel type, but we wanted to make sure that
the particular instance of method execution wasn't executed in a different
tunnel or without a tunnel.

> * The client wants assurance that it's talking to a consistent server so
>   that you only end up having to authenticate the server at one level.
> 
[Joe] For most cases the assumption is that the server is authenticated by
the tunnel method. 

> Impersonating peers to servers and impersonating servers to peers both
> have value to an attacker in different situations.
> 
> I think these are the properties you want (And I think the definition in
> RFC 3748 is a bit under specified) and I'm not sure how what you've
> described gets that.

[Joe]  I'm not sure if I understand the properties you describe, so I'm not
sure if they line up with the goals of making sure the tunnel endpoints are
the same as the inner method endpoints.
Permalink | Reply | 0 comments |

Gmane