Hi Steve,
Thanks for taking time to perform a detailed review the document. Comments
inline below:
On Apr 13, 2012, at 11:26 AM, Stephen Hanna wrote:
I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG. These comments were written primarily for the benefit of the
security area directors. Document editors and WG chairs should treat
these comments just like any other last call comments. I apologize
for submitting these comments a day after the IETF LC closed.
Other commitments delayed my work. I hope these are still useful.
Thanks,
Steve
------
secdir review of draft-ietf-emu-chbind-14
This document defines channel bindings for EAP methods, providing
a way to address the lying NAS and lying provider problems.
Overall, I have no objections to this document. However,
I do have some comments. I have divided these comments
into substantive and non-substantive ones.
Substantive Comments
--------------------
In the Introduction, the second paragraph says that the
problem "results when the same credentials are used to
access multiple services that differ in some interesting
property". Do you mean client or server credentials?
I think you mean EAP server credentials. Please be more
explicit to make this clearer, since many people will
assume that you mean client (EAP peer) credentials. If
I'm correct and you do mean EAP server credentials,
I suggest that you say so in the first sentence of
this paragraph and also in the last sentence.
[Joe] The case here is both client and server credentials. If different
credentials are required for each type of service then the authenticator will
not be able to lie about the type of service it is representing to the client
because the client credentials are bound to the service.
In the next paragraph, you give an example where a low
security network is used to read email and a high security
network is use to access valuable confidential information.
A better example would be to use the low security network
for web surfing. Reading email can require a lot of security.
[Joe] OK
In the first paragraph of the Problem Statement, the second
sentence says "However, when operating in pass-through mode,
the EAP server can be far removed from the authenticator."
While this is true, I think the more relevant statement here
is that the EAP server can be far removed from the EAP peer.
This paragraph is all about problems that can arise when
parties between the EAP peer and the EAP server (including
the authenticator) are malicious or compromised. So the
important thing to point out at the start of the paragraph
is the large number of parties that may come between the
EAP server and the EAP peer.
[Joe] I think I see your point, but I'm not sure. Traditionally, we have
often thought of the path between EAP peer and EAP authenticator as being
vulnerable to having multiple parties able to insert themselves into the
conversation. However it may be the case that the authenticator the peer is
talking to isn't the one it thinks it is and the "real" authenticator may be
somewhere in the path as well. The conversation between the EAP peer and EAP
server will not be compromised, however the result of the conversation may not
have its intended effect.
In the second bullet of section 3 (on page 7), the EAP GSS-API
mechanism is a good example. However, I wonder if this attack
might take a slightly different form. Could the IM server
pretend to be the mail server? I think so. That's just one
specific example of a relatively untrusted service pretending
to be a relatively trusted service. I suggest that you add
an example like that since the current language is quite
abstract.
[Joe] I agree having a more concrete example would be helpful.
Overall, I found the document too abstract for my taste. When
I read an RFC that's defining a protocol to be implemented,
I prefer to read a description of the problem to be solved
and then a clear definition of the protocol. This document
reads like a combination of an academic paper and a protocol
definition. For example, section 4.1 describes two categories
of approach to EAP channel bindings: exchanging the actual
network information or encoding the network information into
a blob that is used to derive EAP session keys. The rest of
section 4.1 goes on to discuss the pros and cons of these
approaches. Then section 4.2 defines a bunch of requirements
for transporting channel bindings in a lower layer's secure
association protocol. While that's interesting, the actual
protocol defined in this document sends the actual network
information in EAP. Why bother spending several pages talking
about things that this protocol doesn't actually do?
[Joe] THis is historical and reflects the discussion we had in the working as
the document was being developed.
I see
several downsides to including that text in this document.
First, you're making it harder for the reader to understand
what they actually need to do to implement this protocol.
You've probably decreased by half the number of people who
will actually read all of this document. Second, some people
will use that digression to support arguments like ("My
incompatible implementation is compliant with RFC XXXX
because I encoded the network information into a blob
and used that to generate EAP session keys"). IETF is an
engineering organization. We should make our specs as clear
and simple as possible and no simpler. This document includes
lots of interesting theory that's not needed for its purpose.
If you're interested in seeing this document widely implemented,
I suggest that you remove as much of that as possible and focus
the document on explaining the problem and defining a protocol
that solves it. Or you can leave it as is. I'm sure some people
will implement it. Just not as many. Friendly suggestion. Take
it or leave it.
[Joe] I can see your point, but I think some members of the working group would
object if we removed some of this material. If its not clear perhaps we can so
a better job of indicating what is normative and what is informative.
In the first paragraph of section 5.1, you say that "the
EAP server needs to be able to access information from the
AAA server that is utilized during the EAP session and a
local database". Which information? A parenthetical example
(an e.g.) would help with understanding what you mean.
[Joe] OK
In section 7.1, you explain that this document isn't useful
without an accompanying document defining what information
should be included in i1 for each lower layer. Are those
documents being prepared for all or at least some of the
lower layers? I couldn't find any in a quick search. I know
we can't wait for everything to be ready but it would be
nice to see at least one or two of those documents so that
we can have confidence that this protocol can support all
the things that those documents will need.
[Joe] That not how I interpret the text in section 7.1. This document does
specify a general attribute that can be used to specify the type of lower layer
used to carry EAP. Section 7.1 states that additional documents will be
needed to specify attributes specific to a particular lower layer. ABFAB is
working on a document that contains this information for their lower layer,
draft-ietf-abfab-gss-eap.
In section 7.2, you define a new RADIUS attribute that
identifies the EAP lower layer in use. But you say in
the first sentence of that section that this attribute
is defined to "carry the EAP lower layer". That sounds
like all the lower layer traffic will be encapsulated
in this attribute and carried in it. I think you should
change the word "carry" in that text to "identify".
Unless I misunderstood you.
[Joe] OK
As I read section 8, I wonder whether include the User-Name
attribute in i2 could open the system up to attacks where
an authenticator or intermediate proxy could remove the
anonymity of a user who's using a pseudonym for the
username by changing the value of the User-Name attribute
to the username of the user suspected of being responsible
for this authentication. If the channel bindings checks
fail, the authenticator will know they were wrong but if
the channel bindings checks succeed, the authenticator
will have confirmation of the user's identity.
[Joe] Perhaps, on the one hand I would think the system would not behave this
way, the server would be expecting a pseudonym or token and fail if it got
something else. On the other hand, I don' think the text for the user-name
check or the test itself are that useful. We could either warn against the
possible identity disclosure or remove the user-name check.
I didn't understand that sending i2 from the server to
the peer is optional until I got to section 9.1. In section
5.3, you said that "For success, the server returns the
attributes that were considered by the server in making
the determination that channel bindings are successfully
validated". Which of these is right?
[Joe] The server is required to return the channel-binding attributes it
verified because the client may require certain attributes to be checked.
This list of verified attributes is not equivalent to i2. i2 is what
attributes are sent in the AAA protocol and I don't think it should be
referenced here. Instead it should probably say:
"sending the result from server to peer over integrity-protected channel"
At the top of page 23, you say that "In many EAP deployments
today attacks where one NAS can impersonate another are
out of scope." Do you mean that these attacks are generally
not considered but they are a potential problem? Or that
they are not a problem? I think they are always a possible
problem. Even when all the NASes are owned and managed by
the same organization that runs the AAA server and no proxies
are used, there's still the potential for a NAS to become
compromised. So I think you should say these attacks are
"not considered although a real concern" not that they are
"out of scope".
[Joe] As EAP is deployed in most cases today the authenticator is not
identified, it is merely authorized as being part of the network. The peer
does not expect differentiated service based on the NAS it is connected to.
Since the service is the same it does not matter to the peer if one
authenticator impersonates another. When we start discussing use case such as
ABFAB where different services are being provided did the identity of the
authenticator really become an issue.
Perhaps the following text is better
"In many EAP deployments today attacks where one authenticator can impersonate
another not a real concern since different authenticators provide the same
service. In these situations an authenticator does not gain significant
advantage in impersonating another authenticator. "
And then the following sentence says that
"Channel bindings brings these attacks into scope". Again,
I think those attacks are always a potential issue. Channel
bindings provide a good way to address them, whereas there
were few ways to do so before. Maybe it would be better to
say that.
[Joe] I see your point here, how about:
"The use of EAP in situations where different authenticators provide different
services makes the ability to authorize different authenticators more
important. The system as a whole needs to be analyzed to
evaluate cases where one authenticator may impersonate another and to
evaluate the impact of this impersonation. Channel bindings provides a way to
address these issues. "
In the next paragraph, you say that when cryptographic binding
is used in a tunnel method, the MSK is disclosed to the NAS.
I don't think that's right. The MSK that's disclosed to the
NAS is the one generated by the outer method. The MSK that's
used in cryptographic binding is the one that's generated by
the inner method. I don't think there's a problem there.
[Joe] OK, this test is referring to where there is separate between the
terminating server of the inner and outer methods. Maybe it would be clearer
if the text said the following:
"Even when cryptographic binding does attempt to confirm that the inner and
outer server are the same, the Master Session Key (MSK) from the inner method
is typically used to protect the binding. However, if the outer method tunnel
terminates on the authenticator the inner MSK is disclosed to the
authenticator, which can attack cryptographic binding."
Later in that paragraph, you say that an attack where the NAS
terminates an EAP tunnel method is not in scope for existing
models for cryptographic binding. I think that's wrong also.
EAP tunnel methods protect against just this sort of attack.
The first step in these methods is for the EAP peer and the
EAP server to build a TLS tunnel. This requires the EAP peer
to authenticate the EAP server and decide whether it's trusted.
If the NAS has credentials that will cause the EAP peer to
trust it as an EAP server, a MITM attack is possible. Of course,
that's true for any secure communications and it's a very bad
situation. That's why the EAP peer must be very careful about
who it trusts and how it authenticates them and the EAP server
(and any CAs or other TTPs) must also be similarly careful.
I don't see that any of this has much to do with channel bindings.
Am I missing something here? If so, please explain it. And maybe
you can clarify the text so that other folks get it also.
[Joe] The issue is when you have different services the client may not have
enough information to determine what an authenticator is authorized for based
on its identity alone. In this case it would like help from the server that
terminates the inner method. However current crypto binding is based on the
MSK so the authenticator can generate whatever channel binding quantities it
wants because the authenticator has all the necessary key material. In order
for channel bindings to determine if the authenticator is authorized or not,
the method needs protect the channel bindings with a key generated from the
inner method EMSK that the authenticator does not possess. Here is some text
that may help:
"If the authenticator controls the cryptographic binding then it also controls
the channel binding parameters and results. If the channel binding process is
used to differentiate one authenticator from another then the authenticator can
claim to support services that it was not authorized to. This attack was not
in scope for existing threat models for cryptographic binding because
differentiated authenticators was not a consideration. Thus, existing
cryptographic binding does not typically provide mutual authentication of the
inner method server required for channel binding."
In section 9.2, this paragraph appears:
Dishonest peers can only manipulate the first message i1 of the
channel binding protocol. In this scenario, a peer sends i1' to the
server. If i1' is invalid, the channel binding validation will fail.
On the other hand if i1' passes the validation, either the original
i1 was wrong and i1' corrected the problem or both i1 and i1'
constitute valid information. A peer could potentially gain an
advantage in auditing or charging if both are valid and information
from i1 is used for auditing or charging. Such peers can be detected
by including the information in i2 and checking i1 against i2.
In the penultimate sentence, I think you mean "information from
i1' is used for auditing or charging." There's no problem if
information from i1 is used for auditing. If that happens, the
bad peer's information is being ignored.
[Joe] I think you are correct.
That paragraph does make me wonder about another attack that
could be enabled by channel bindings. What if a malicious peer
gets perfectly good i1 from a NAS but then sends bad i1' to
the EAP server with a goal of damaging the reputation of the
NAS? The EAP peer could be working for a competitor of the
organization that runs the NAS or just be malicious. Is that
a valid concern? If so, maybe you should cite it and suggest
a countermeasure.
[Joe] I think this is a valid concern for some environments. I think we should
add a section for that.
In section 9.4, you refer to "the optional result message".
I didn't know before this that the result message was optional.
Could you make that clear earlier?
[Joe] The result message is not intended to be optional. This text needs to be
fixed.
In the IANA Considerations, you talk about creating a new
"EAP Channel Binding Parameters" top level registry. That's
fine. But then you talk about a "Channel Binding Codes"
registry. Didn't you mean a "sub registry"? If you want
the Channel Binding Codes registry to be in the EAP Channel
Binding Paramters registry, I think the first one is really
a sub registry.
[Joe] Yes
Also, you say that "Early allocation is
allowed" for that registry. What does that mean? I don't
see any description of "early allocation" in RFC 5226.
I expect that IANA will want to know what they need to
do to provide "early allocation". How early? Etc.
[Joe] OK, I need to check if there is any convention here.
In the definition of the "Channel Binding Namespaces"
registry, did you want to include a reference column
as you did in the "Channel Binding Codes" registry?
If so, maybe you should say so.
[Joe] OK
At the end of section 11.1, a sentence says that
"Values skipped in the above table are available
for assignment." I don't think any values were skipped
so I don't think you need that sentence.
[Joe] Yup, left over from previous version.
Appendix A is pretty similar to section 1. Might you
be able to merge them somehow?
[Joe] I think the authors attempted to do this and then decided it was better
to keep them separate.
In section A.3, you describe downgrading attacks and
how channel bindings can prevent them. However, I think
this will only work if the EAP peer rejects all methods
that don't include channel bindings. Otherwise, the NAS
can just offer an unauthorized EAP method that permits
it to obtain the user's credentials and off to the bank.
[Joe] I believe you are correct.
Non-Substantive Comments
------------------------
In the top right header of the first page, the organization
for T. Clancy should probably be Virginia Tech not Electrical
and Computer Engineering.
In the fourth paragraph of the Introduction, I think you should
add the word "the" before "lying provider" problem. In the last
sentence of that paragraph, I'd suggest adding "also" before
"gain access". That should make things clearer.
In the first bullet in section 3 (at the bottom of page 6),
"virtual Lads" should probably be "virtual LANs". Unless you
are talking about some other phenomenon! ;-)
In the second paragraph of section 4.3, the phrase "More often
it is useful" can be confusing. The word "it" seems to refer
to the subject of the previous sentence ("verification of the
MAC or IP address of the NAS"). Actually, the word "it" refers
to the idea of making policy decisions about services but that
idea doesn't appear until later in the sentence. I suggest that
you reword the sentence to say "More often the best approach is
to make policy decisions [...]".
In the first sentence of section 8, the phrase "a AAA Accept-
Request messages" can't be right. Is it singular or plural?
I think it's plural so the word "a" should be removed.
In section 12 (Acknowledgements), I think Sam Hartman's last
name should be capitalized.
_______________________________________________
secdir mailing list
secdir(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/secdir
wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview