Re: [Emu] TEAP time again: Result and Intermediate and crypto binding TLVs with no inner EAP methods

2022-10-05 Thread Eliot Lear
There seems to have been a bad edit on my previous message on the 2nd 
flow.  See below.


On 05.10.22 18:42, Eliot Lear wrote:


[Emu] TEAP time again: Result and Intermediate and crypto binding TLVs with no inner EAP methods

2022-10-05 Thread Eliot Lear

Hi everyone,

Picking up on some TEAP work again.

TL;DR: need clarity on how crypto-binding TLVs work when there is no inner 
EAP method.  Also note the use of request-action.


Key questions: what value to pass for EMSK and MSK in crypto binding 
response when there is no inner method?  Zeros?


Also, can the flags indicate that there is no EMSK or MSK?  This would 
solve our first problem.


Finally, are we cool piggybacking Result and Crypto-binding on a PKCS#7 TLV?

Flows follow:

Use case 1:

Device just wants to use TEAP in the same way one would use EAP-TLS.  
This would be what I would call "normal operations". That is, we would 
expect something along the following lines:


     ,----.                                  ,------.
     |Peer|                                  |Server|
     `-+--'                                  `--+---'
       |          1 EAP-Request/                |
       |            Identity                    |
       | <--------------------------------------|
       |                                        |
       |          2 EAP-Response/               |
       |            Type=Identity               |
       | -------------------------------------->|
       |                                        |
     ,-----------!.                             |
     |Section 3.2 |_\                           |
     `------------'                             |
       |          3 EAP-Request/                |
       |            Type=TEAP,                  |
       |            TEAP Start,                 |
       |            Authority-ID TLV            |
       | <--------------------------------------|
       |                                        |
       |          4 EAP-Response/               |
       |            Type=TEAP,                  |
       |            TLS(ClientHello)            |
       | -------------------------------------->|
       |                                        |
       |          5 EAP-Request/                |
       |            Type=TEAP,                  |
       |            TLS(ServerHello,            |
       |            ServerKeyExchange,          |
       |            ServerHelloDone)            |
       | <--------------------------------------|
       |                                        |
       |          6 EAP-Response/               |
       |            Type=TEAP,                  |
       |            ClientKeyExchange,          |
       |            CertificateVerify,          |
       |            ChangeCipherSpec,           |
       |            Finished)                   |
       | -------------------------------------->|
       |                                        |
     ,-------------!.                           |
     |Section 3.3.3 |_\                         |
     `--------------'                           |
       |          7 EAP-Request/                |
       |            Type=TEAP,                  |
       |            TLS(ChangeCipherSpec,       |
       |            Finished),                  |
       |            Result TLV,                 |
       |            Crypto-Binding TLV          |
       | <--------------------------------------|
       |                                        |
       |          8 EAP-Response/               |
       |            Type=TEAP,                  |
       |            Result TLV,                 |
       |            Crypto-Binding TLV          |
       | -------------------------------------->|
       |                                        |
       |          9 EAP-Success                 |
       | <--------------------------------------|
     ,-+--.                                  ,--+---.
     |Peer|                                  |Server|
     `----'                                  `------'

Note the lack of an Intermediate Result TLV, because the text states 
that Intermediate Results are only required upon completion of an inner 
EAP method.


The second use case involves the use of PKCS#10/PKCS#7 messages. We 
think that looks like this:



     ,----.                                  ,------.      ,--.
     |Peer|                                  |Server|      |CA|
     `-+--'                                  `--+---'      `+-'
       |            EAP-Request/                |           |
       |            Identity                    |           |
       | <--------------------------------------|           |
       |                                        |           |
       |            EAP-Response/               |           |
       |            Type=Identity               |           |
       | -------------------------------------->|           |
       |                                        |           |
       |            EAP-Request/                |           |
       |            Type=TEAP,                  |           |
       |            TEAP Start,                 |           |
       |            Authority-ID TLV            |           |
       | <--------------------------------------|           |
       |                                        |           |
       |            EAP-Response/               |           |
       |            Type=TEAP,                  |           |
       |            TLS(ClientHello)            |           |
       | -------------------------------------->|           |
       |                                        |           |
       |            EAP-Request/                |           |
       |            Type=TEAP,                  |           |
       |            TLS(ServerHello,            |           |
       |            ServerKeyExchange,          |           |
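As an added worked example (not from this thread or from any TEAP implementation): the IMCK/CMK chain of RFC 7170 section 5.2, which keys the Compound MAC carried in the Crypto-Binding TLV, computed for two cases, an IMSK produced by an inner method and the 32-zero-octet IMSK the mail asks about. It assumes a TLS 1.2 SHA-256 suite was negotiated (so TLS-PRF is P_SHA256) and uses constructed key material; which convention applies when no inner method ran is exactly the open question above, so the code shows the consequence of each choice rather than answering it.

```python
import hashlib
import hmac

def p_sha256(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF, P_SHA256 from RFC 5246 section 5.  This is the TLS-PRF that
    RFC 7170 section 5.2 invokes once a TLS 1.2 SHA-256 suite is negotiated."""
    a = label + seed                                              # A(0) = label | seed
    out = b""
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()          # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]

def imck_chain(session_key_seed: bytes, imsks: list) -> tuple:
    """Inner Method Compound Key chain of RFC 7170 section 5.2:
         S-IMCK[0] = session_key_seed
         IMCK[j]   = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK[j], 60)
         S-IMCK[j] = first 40 octets of IMCK[j];  CMK[j] = last 20 octets
    CMK[j] is the key for the Compound MAC in the Crypto-Binding TLV.
    Returns (list of S-IMCK[0..n], list of CMK[1..n])."""
    s_imck, cmk = [session_key_seed], []
    for imsk in imsks:
        imck = p_sha256(s_imck[-1], b"Inner Methods Compound Keys", imsk, 60)
        s_imck.append(imck[:40])
        cmk.append(imck[40:])
    return s_imck, cmk

# Constructed inputs (not real session material): a 40-octet session_key_seed as
# exported from the TLS tunnel, and a 32-octet IMSK as an inner method would yield.
SESSION_KEY_SEED = bytes(range(40))
INNER_METHOD_IMSK = bytes(range(0x80, 0xA0))
ZERO_IMSK = bytes(32)   # the "Zeros?" candidate from the mail: no inner method, IMSK all zero

def cmk_with_inner_method() -> bytes:
    """Case: one inner EAP method ran and produced keying material."""
    return imck_chain(SESSION_KEY_SEED, [INNER_METHOD_IMSK])[1][0]

def cmk_with_zero_imsk() -> bytes:
    """Case: no inner method; treat IMSK[1] as 32 zero octets.  The result still
    depends on session_key_seed, so a peer and server that disagree on this
    convention derive different CMKs and the Compound MAC check fails."""
    return imck_chain(SESSION_KEY_SEED, [ZERO_IMSK])[1][0]

if __name__ == "__main__":
    print("CMK[1], inner method ran :", cmk_with_inner_method().hex())
    print("CMK[1], zero IMSK        :", cmk_with_zero_imsk().hex())
```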