[Emu] Review of Requirements for an Tunnel Based EAP Method

[Bernard Aboba <bernard_aboba at hotmail.com>]

Overall, this document is in very good shape.  Kudos to the authors. 

A comment on EAP header protection (Section 4.2.3) and Type code modification (Section 6.3): 4.2.3.  EAP Header Protection

   A tunnel method SHOULD provide protection of the outer EAP header
   information when possible to make sure the outer EAP header is not
   modified by the intermediaries.

6.3.  Outer EAP Method Header

   There are several existing EAP methods which use a similar packet
   format to EAP-TLS.  Often for the initial portions of the exchange
   the execution of the method is identical except for the method ID.
   Protection of the outer EAP header helps to avoid vulnerabilities
   that may arise when an attacker attempts to modify packets to make
   one EAP message look like one from a different method.

[BA] The EAP header defined in RFC 3748 looks like this: 
    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type ...
   +-+-+-+-+
Section 6.3 refers to modification of the Type field which can potentiallyenable an attacker to make one TLS-based EAP method look like another one.  It's worth
noting that such an attack can be addressed without necessarily From emu-bounces at ietf.org  Wed Jun 25 23:46:56 2008
Return-Path: <emu-bounces at ietf.org>
X-Original-To: emu-archive at megatron.ietf.org
Delivered-To: ietfarch-emu-archive at core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id D08E93A68E4;
	Wed, 25 Jun 2008 23:46:56 -0700 (PDT)
X-Original-To: emu at core3.amsl.com
Delivered-To: emu at core3.amsl.com
Received: from localhost (localhost [127.0.0.1])
	by core3.amsl.com (Postfix) with ESMTP id 7EEC83A6840
	for <emu at core3.amsl.com>; Wed, 25 Jun 2008 23:46:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.465
X-Spam-Level:
X-Spam-Status: No, score=-1.465 tagged_above=-999 required=5 tests=[AWL=0.533,
	BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_66=0.6]
Received: from mail.ietf.org ([64.170.98.32])
	by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id SWK-L81+Gyj4 for <emu at core3.amsl.com>;
	Wed, 25 Jun 2008 23:46:54 -0700 (PDT)
Received: from blu0-omc3-s1.blu0.hotmail.com (blu0-omc3-s1.blu0.hotmail.com
	[65.55.116.76]) by core3.amsl.com (Postfix) with ESMTP id 178373A69AF
	for <emu at ietf.org>; Wed, 25 Jun 2008 23:46:54 -0700 (PDT)
Received: from BLU137-W37 ([65.55.116.74]) by blu0-omc3-s1.blu0.hotmail.com
	with Microsoft SMTPSVC(6.0.3790.3959);
	Wed, 25 Jun 2008 23:46:53 -0700
Message-ID: <BLU137-W37804D710254C2A819E5A993A30 at phx.gbl>
X-Originating-IP: [24.16.124.122]
From: Bernard Aboba <bernard_aboba at hotmail.com>
To: <emu at ietf.org>
Date: Wed, 25 Jun 2008 23:46:53 -0700
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 26 Jun 2008 06:46:53.0322 (UTC)
	FILETIME=[6B0DCEA0:01C8D758]
Subject: [Emu] Review of Requirements for an Tunnel Based EAP Method
X-BeenThere: emu at ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "EAP Methods Update \(EMU\)" <emu.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/emu>,
	<mailto:emu-request at ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/pipermail/emu>
List-Post: <mailto:emu at ietf.org>
List-Help: <mailto:emu-request at ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/emu>,
	<mailto:emu-request at ietf.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="==============33345879=="
Sender: emu-bounces at ietf.org
Errors-To: emu-bounces at ietf.org

Overall, this document is in very good shape.  Kudos to the authors.

A comment on EAP header protection (Section 4.2.3) and Type code modification (Section 6.3):

4.2.3. EAP Header Protection

   A tunnel method SHOULD provide protection of the outer EAP header
   information when possible to make sure the outer EAP header is not
   modified by the intermediaries.

6.3.  Outer EAP Method Header

   There are several existing EAP methods which use a similar packet
   format to EAP-TLS.  Often for the initial portions of the exchange
   the execution of the method is identical except for the method ID.
   Protection of the outer EAP header helps to avoid vulnerabilities
   that may arise when an attacker attempts to modify packets to make
   one EAP message look like one from a different method.

[BA] The EAP header defined in RFC 3748 looks like this: 

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Code      |  Identifier   |            Length             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |    Type ...
   +-+-+-+-+

Section 6.3 refers to modification of the Type field which can potentially
enable an attacker to make one TLS-based EAP method look like another one.  It's worth
noting that such an attack can be addressed without necessarily requiring EAP
header protection, as described in Section 4.2.3. 

For example, a Type field modification attack will only enable an EAP peer to subsequently
connect to an authenticator if the peer and server were able to derive the same MSK/EMSK. 

To prevent such an attack, it is highly desirable for TLS-based EAP methods to utilize
key derivation formulas unique to the method.  As an example, EAP-TLS and EAP-TTLSv0
utilize different key derivation formulas:

EAP-TLS:   
   Key_Material = TLS-PRF-128(master_secret, "client EAP encryption",
                     client.random || server.random)
EAP-TTLSv0:  
      Keying Material = TLS-PRF-128(master_secret, 
                "ttls keying material", client_random || server_random) 

Assuming that this approach is taken, the Type modification threat described in Section 6.3 can be
addressed without EAP header protection. 

Given this, it seems to me that EAP header protection is really about protection of the Code, Identifier
and Length fields of the EAP header.   However, the behavior of these fields is fairly rigidly specified
in RFC 3748, so that a well written implementation should only be vulnerable to DoS attack, which
would be the case even if EAP header protection were implemented.  

For example, an attacker modifying the Code field might be able to cause an EAP peer or server to
drop the packet.  However, the same thing would happen if EAP header protection were implemented,
and the packet failed the MIC check. 


Via modification of the Identifier field, it might be possible to cause the peer or server to abort the EAP
session in progress.  However, in TLS-based methods, failure of TLS integrity check is also a terminal
error, so that I'm not sure if anything is gained here either. 


Modification of the Length field might have as its objective the inducement of a buffer overflow on 
either the peer or the server, so it's aims are somewhat more nefarious than attacks on the Code or
Identifier fields.  However, implementation of EAP header protection would not be likely to address 
such an implementation bug since the MIC could not be computed until the EAP packet was fully received,
by which time the buffer overflow would have already occurred. 


In summary, I am not clear that EAP header protection as described in Section 4.2.3 really brings much value 
beyond addressing the EAP Type Code attack described in Section 6.3.  I would therefore recommend that this
section be deleted, or at least justified in more depth.  

_______________________________________________
Emu mailing list
Emu at ietf.org
https://www.ietf.org/mailman/listinfo/emu