[Emu] Benjamin Kaduk's No Objection on draft-ietf-emu-rfc5448bis-07: (with COMMENT)

2020-04-07 Thread Benjamin Kaduk via Datatracker 
Benjamin Kaduk has entered the following ballot position for
draft-ietf-emu-rfc5448bis-07: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-emu-rfc5448bis/



--
COMMENT:
--

I mostly only read the diff and skimmed the rest.

Section 1

   The rest of this specification is structured as follows.  Section 3
   defines the EAP-AKA' method.  Section 4 adds support to EAP-AKA to
   prevent bidding down attacks from EAP-AKA'.  Section 5 specifies
   requirements regarding the use of peer identities, including how EAP-
   AKA' identifiers are used in 5G context.  Section 6 specifies what

I'm not sure if it's "EAP-AKA' identifiers being used in 5G context" or
"5G identifiers being used in an EAP-AKA' context" -- which way does the
causality go?

Section 4

   Note that we assume (Section 7) that EAP-AKA' is always stronger than
   EAP-AKA.  As a result, there is no need to prevent bidding "down"
   attacks in the other direction, i.e., attackers forcing the endpoints
   to use EAP-AKA'.

I'd prefer to say something like "we do not provide" rather than "there
is no need".

Section 5.2

I agree with the IoTdir reviewer's concerns about over-stating the need
for a secure PRNG in pseudonym generation.

Section 5.3.1

   In all other cases, the following applies:

  The identity used in the key derivation formula MUST be exactly
  the one sent in EAP-AKA' AT_IDENTITY attribute, if one was sent,
  regardless of the kind of identity that it may have been.  If no
  AT_IDENTITY was sent, the identity MUST be the exactly the one
  sent in the generic EAP Identity exchange, if one was made.
  Again, the identity MUST be used exactly as sent.

  If no identity was communicated inside EAP, then the identity is
  the one communicated outside EAP in link layer messaging.

  In this case, the used identity MUST be the identity most recently
  communicated by the peer to the network, again regardless of what
  type of identity it may have been.

Just to check: there's a strong message sequencing, so that there cannot
be ambiguity between peers about the "most recently communicated"
identity?

Section 5.3.1.1

 23415099...@nai.5gc.mnc015.mcc234.3gppnetwork.org

Should this be using an example domain name instead of 3gppnetwork.org?
(I think "no", but have to check.)

Section 5.3.2.1

 For the null-scheme:

   type0.rid678.schid0.userid09@nai.5gc.mnc015.
   mcc234.3gppnetwork.org

 For the Profile  protection scheme:

   type0.rid678.schid1.hnkey27.ecckey.
   cip.mac@nai.5gc.
   mnc015.mcc234.3gppnetwork.org

[ditto]

Section 6

   The EAP-AKA' Session-Id is the concatenation of the EAP Type Code
   (0x32, one byte) with the contents of the RAND field from the AT_RAND
   attribute, followed by the contents of the AUTN field in the AT_AUTN
   attribute:

 Session-Id = 0x32 || RAND || AUTN

   When using fast re-authentication, the EAP-AKA' Session-Id is the
   concatenation of the EAP Type Code (0x32) with the contents of the
   [...]

nit: the second paragraph contradicts the first, since the first one
does not disclaim that it's only for "regular authentication"
(non-fast-reauthentication).

Section 7

  In general, it is expected that the current negotiation
  capabilities in EAP-AKA' are sufficient for some types of
  extensions and cryptographic agility, including adding Perfect
  Forward Secrecy ([I-D.ietf-emu-aka-pfs]) and perhaps others.  But
  as with how EAP-AKA' itself came about, some larger changes may
  require a new EAP method type.

Could we mention that we are not agile with respect to the use of
SHA256/HMAC-SHA256?

Section 7.2

   Basin et al [Basin2018] have performed formal analysis and concluded
   that the AKA protocol would have benefited from additional security
   requirements, such as key confirmation.

This feels a bit like a teaser -- what would be gained/prevented by
using key confirmation?  Is there a path towards performing key
confirmation in the future?

Section 7.3

   As described Section 7.2, after the publication of RFC 5448, new

nit: "As described in"

   In particular, it is crucial that manufacturers limit access to the
   secret information and the cards only to necessary systems and
   personnel.  It is also crucial that secure mechanisms be used to
   communicate the secrets between the manufacturer and the operator
   that adopts those cards for

Re: [Emu] draft-dekok-emu-tls-eap-types discussion

2020-04-07 Thread Jorge Vergara 
>Microsoft has already said that they won't rev their EAP-TLS implementation 
>until they can also rev PEAP.

PEAP/TTLS/TEAP - we (Microsoft) believe all should be addressed at the same 
time and will postpone TLS 1.3 support until such a time as we are able to make 
the updates together.

>* should the document drop references to TEAP?
> Given Jouni Malinen's comments on implementing TEAP, it may be worth simply 
> noting that we're waiting for a TEAP update document

I've reviewed the current errata, and acknowledge their validity, but am not 
sure that any of them would impact this document.

The most relevant errata to this document seems to be 
https://www.rfc-editor.org/errata/eid5770. As noted in the errata, the 
calculation of keys becomes confusing when methods export both MSK and EMSK 
because it is not clearly specified which value IMCK[j] should take on during 
the calculation of S-IMCK[j]. The addition of clarifying information is 
welcome, but I don't believe this ambiguity currently prevents a compliant 
implementation - for example, an implementation could avoid this ambiguity by 
choosing to use either the MSK/EMSK exclusively, and communicating that to the 
server via the Compound MAC TLV. The server can then make a policy decision on 
whether it is accepting of this decision by the client and follow suit, or 
reject the client.

The specifics of resolving this particular errata is a digression from my main 
point - I believe a clarification can be added to the main TEAP document at a 
future time without impacting the contents of this document. Ambiguity about 
which IMCK to use in S-IMCK calculation should not impact the definition of the 
cryptographic calculations.

On the document contents themselves, I have this review: The key derivation 
proposed for TEAP/FAST uses the definition from FAST, which is not identical to 
the TEAP derivation. Namely, FAST used MSK[j] in the derivation, but TEAP uses 
IMSK[j], which may be equivalent in some cases, but may not in others where the 
inner method exports an EMSK.

Specifically, I believe this line of section 2.2 should change from
  IMCK[j] = TLS-Exporter("EXPORTER: Inner Methods Compound Keys", 
S-IMCK[j-1] | MSK[j], 60)
To
  IMCK[j] = TLS-Exporter("EXPORTER: Inner Methods Compound Keys", 
S-IMCK[j-1] | IMSK[j], 60)
For TEAP.

Jorge

-Original Message-
From: Emu  On Behalf Of Alan DeKok
Sent: Friday, April 3, 2020 1:48 PM
To: EMU WG 
Subject: [Emu] draft-dekok-emu-tls-eap-types discussion

https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-dekok-emu-tls-eap-types-01data=02%7C01%7Cjovergar%40microsoft.com%7C2c42095edc4e4cd61ce408d7d8106200%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637215437188744711sdata=ndLp%2FSzsDlX%2FKYx0UR0uf77rHgCjGej4kdZPpywuD9Q%3Dreserved=0

  I haven't seen much discussion on the document.  There are still some open 
questions:

* should it be published simultaneously with draft-ietf-emu-eap-tls13?
   If so, we need some consensus on this document, and quick.

   If not, when do we publish this draft?  Microsoft has already said that they 
won't rev their EAP-TLS implementation until they can also rev PEAP.

* Should the document simply drop references to FAST?
  It looks like the effort has moved to TEAP.
  Perhaps we should note that FAST cannot be used with TLS 1.3, and that TEAP 
should be used instead

* should the document drop references to TEAP?
 Given Jouni Malinen's comments on implementing TEAP, it may be worth simply 
noting that we're waiting for a TEAP update document

* Without FAST / TEAP, the document is about 4 pages of text.  Is there 
anything controversial, missing, etc?

* What are the barriers to adoption and publication?

  Alan DeKok.

___
Emu mailing list
Emu@ietf.org
https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Femudata=02%7C01%7Cjovergar%40microsoft.com%7C2c42095edc4e4cd61ce408d7d8106200%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637215437188744711sdata=lkoHzd0fgN4z1oalqV2jW9pewUGSnlRLeKpiFew4Yw8%3Dreserved=0

___
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu