1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
|
Internet Engineering Task Force (IETF) S. Hartman
Request for Comments: 7029 M. Wasserman
Category: Informational Painless Security
ISSN: 2070-1721 D. Zhang
Huawei
October 2013
Extensible Authentication Protocol (EAP) Mutual Cryptographic Binding
Abstract
As the Extensible Authentication Protocol (EAP) evolves, EAP peers
rely increasingly on information received from the EAP server. EAP
extensions such as channel binding or network posture information are
often carried in tunnel methods; peers are likely to rely on this
information. Cryptographic binding is a facility described in RFC
3748 that protects tunnel methods against man-in-the-middle attacks.
However, cryptographic binding focuses on protecting the server
rather than the peer. This memo explores attacks possible when the
peer is not protected from man-in-the-middle attacks and recommends
cryptographic binding based on an Extended Master Session Key, a new
form of cryptographic binding that protects both peer and server
along with other mitigations.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It represents the consensus of the IETF community. It has
received public review and has been approved for publication by the
Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7029.
Hartman, et al. Informational [Page 1]
^L
RFC 7029 Mutual Crypto Binding October 2013
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction ....................................................3
1.1. Keywords for Requirement Levels ............................5
2. An Example Problem ..............................................5
3. The Server Insertion Attack .....................................6
3.1. Conditions for the Attack ..................................7
3.2. Mitigation Strategies ......................................8
3.2.1. Server Authentication ...............................8
3.2.2. Server Policy .......................................9
3.2.3. Existing Cryptographic Binding .....................12
3.2.4. Introducing EMSK-Based Cryptographic Binding .......12
3.2.5. Mix Key into Long-Term Credentials .................14
3.3. Intended Intermediates ....................................14
4. Recommendations ................................................15
4.1. Mutual Cryptographic Binding ..............................15
4.2. State Tracking ............................................15
4.3. Certificate Naming ........................................16
4.4. Inner Mixing ..............................................16
5. Survey of Tunnel Methods .......................................16
5.1. Tunnel EAP (TEAP) Method ..................................16
5.2. Flexible Authentication via Secure Tunneling (FAST) .......17
5.3. EAP Tunneled Transport Layer Security (EAP-TTLS) ..........17
6. Security Considerations ........................................17
7. Acknowledgements ...............................................18
8. References .....................................................18
8.1. Normative References ......................................18
8.2. Informative References ....................................18
Hartman, et al. Informational [Page 2]
^L
RFC 7029 Mutual Crypto Binding October 2013
1. Introduction
The Extensible Authentication Protocol (EAP) [RFC3748] provides
authentication between a peer (a party accessing some service) and a
authentication server. Traditionally, peers have not relied
significantly on information received from EAP servers. However,
facilities such as EAP channel binding [RFC6677] provide the peer
with confirmation of information about the resource it is accessing.
Other facilities such as EAP Posture Transport [PT-EAP] permit a peer
and EAP server to discuss the security properties of accessed
networks. Both of these facilities provide peers with information
they need to rely on and provide attackers who are able to
impersonate an EAP server to a peer with new opportunities for
attack.
Instead of adding these new facilities to all EAP methods, work has
focused on adding support to tunnel methods [RFC6678]. There are
numerous tunnel methods, including [RFC4851] and [RFC5281], and work
on building a Standards Track tunnel method [TEAP]. These tunnel
methods are extensible. By adding an extension to support a facility
such as channel binding to a tunnel method, an extension can be used
with any inner method carried in the tunnel.
Tunnel methods need to be careful about man-in-the-middle attacks.
See [RFC6678] (Sections 3.2 and 4.6.3) and [TUNNEL-MITM] for a
detailed description of these attacks. For example, an attack can
happen when a peer is willing to perform authentication inside and
outside a tunnel. An attacker can impersonate the EAP server and
offer the inner method to the peer. However, on the other side, the
attacker acts as a man-in-the-middle and opens a tunnel to the real
EAP server. Figure 1 illustrates this attack. At the end of the
attack, the EAP server believes it is talking to the peer. At the
inner method level, this is true. At the outer method level,
however, the server is talking to the attacker.
Hartman, et al. Informational [Page 3]
^L
RFC 7029 Mutual Crypto Binding October 2013
Peer Attacker Service AAA Server
| | | |
| | | |
|Peer Initiates Connection to a Service | |
|---------------------+-------X-------->| |
| (Intercepted by an Attacker) | |
| | | |
| | Tunnel Establishment |
| |<-------------------------------->|
| | | |
| |..................................|
| | Tunnel |
| Non-Tunneled | | |
| Method | Tunneled Authentication Method |
|<===================>|<================================>|
| | | |
| |..................................|
| | | |
| | Attacker |<--- MSK keys --|
| | Connected as | |
| | Peer | |
| |<--------------->| |
A classic tunnel attack where the attacker inserts an extra tunnel
between the attacker and EAP server.
Figure 1: Classic Tunnel Attack
There are two mitigation strategies for this classic attack. First,
security policy can be set up so that the same method is not offered
by a server both inside and outside a tunnel. Second, a technical
solution is available if the inner method is sufficiently strong:
cryptographic binding is a security property of a tunnel method under
which the EAP server confirms that the inner and outer parties are
the same. Cryptographic binding is typically implemented by
requiring the outer party (the other end of the tunnel) to prove
knowledge of the Master Session Key (MSK) of the inner method. This
proves to the server that the inner and outer exchanges are with the
same party. RFC 3748's definition of cryptographic binding allows
for an optional proof to the peer that the inner and outer exchanges
are with the same party. As discussed below, proving knowledge of
the MSK is insufficient to prove to the peer that the inner and outer
exchanges are with the same party.
Hartman, et al. Informational [Page 4]
^L
RFC 7029 Mutual Crypto Binding October 2013
1.1. Keywords for Requirement Levels
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
2. An Example Problem
The GSS-EAP (Generic Security Service Extensible Authentication
Protocol) mechanism [GSS-EAP] provides application authentication
using EAP. A peer could reasonably trust some applications
significantly more than others. If the peer sends confidential
information to some applications, an attacker may gain significant
value from convincing the peer that the attacker is the trusted
application. Channel bindings are used to provide information to the
peer about the application service to which the peer connects. Prior
to channel bindings, peers could not distinguish one Network Access
Service (NAS) from another, so attacks where one NAS impersonated
another were out of scope. However, channel bindings add this
capability and thus expands the threat model of EAP. The GSS-EAP
mechanism requires distinguishing one service from another.
Consider the following example. A relatively untrusted service, say
a print server, has been compromised. A user is attempting to
connect to a trusted service such as a financial application. Both
the print server and the financial application use an Authentication,
Authorization, and Accounting protocol (AAA) to transport EAP
authentication back to the user's EAP server. The print server
mounts a man-in-the-middle attack on the user's connection to the
financial application and claims to be the application.
The print server offers a tunnel method towards the peer. The print
server extracts the inner method from the tunnel and sends it on
towards the AAA server. Channel binding happens at the tunnel method
though. So, the print server is happy to confirm that it is the
financial application. After the inner method completes, the EAP
server sends the MSK to the print server over the AAA protocol. If
only the MSK is needed for cryptographic binding, then the print
server can successfully perform cryptographic binding and may be able
to impersonate the financial application to the peer.
Hartman, et al. Informational [Page 5]
^L
RFC 7029 Mutual Crypto Binding October 2013
Peer Attacker Service AAA Server
| | | |
| | | |
|Peer Initiates Connection to a Service | |
|---------------------+----X----------->| |
| (Intercepted by an Attacker) | |
| | | |
| | | |
| Tunnel Establishment| | |
|<------------------->| | |
|.....................| | |
| Tunnel | | |
| | |
| Tunneled | Non-Tunneled |
| Method | Authentication Method |
|<===================>|<================================>|
| |(Same as Inner Method from Tunnel)|
|.....................| | |
| | | |
| Peer | | |
| Connected to |<----------------------MSK keys --|
| Attacker | | |
|<------------------->| | |
| | | |
A modified tunnel attack when an extra server rather than extra
client is inserted.
Figure 2: Channel Binding Requires More than Cryptographic Binding
This attack is not specific to GSS-EAP. The channel bindings
specification [RFC6677] describes a number of situations where
channel bindings are important for network access. In these
situations, one NAS could impersonate another by using a similar
attack.
3. The Server Insertion Attack
The previous section described an example of the server insertion
attack. In this attack, one party adds a layer of tunneling such
that from the perspective of the EAP peer, there are more methods
than from the perspective of the EAP server. This attack is most
beneficial when the party inserting the extra tunnel is a legitimate
NAS, so mitigations need to be able to prevent a legitimate NAS from
inappropriately adding a layer of tunneling. Some deployments
utilize an intentional intermediary that adds an extra level of EAP
tunneling between the peer and the EAP server; see Section 3.3 for a
discussion.
Hartman, et al. Informational [Page 6]
^L
RFC 7029 Mutual Crypto Binding October 2013
3.1. Conditions for the Attack
For an inserted server attack to have value, the attacker needs to
gain an advantage from its attack. An attacker could gain an
advantage in the following ways:
o The attacker can send information to a peer that the peer would
trust from the EAP server but not the attacker. Examples of this
include channel-binding responses.
o The peer sends information to the attacker that was intended for
the EAP server. For example, the inner user identity may disclose
privacy-sensitive information. The channel-binding request may
disclose what service the peer wishes to connect to.
o The attacker may influence session parameters. For example, if
the attacker can influence the MSK, then the attacker may be able
to read or influence session traffic and mount an attack on the
confidentiality or integrity of the resulting session.
o An attacker may impact availability of the session. In practice
though, an attacker that can mount a server insertion attack is
likely to be able to impact availability in other ways.
For this attack to be possible, the following conditions need to
hold:
1. The attacker needs to be able to establish a tunnel method with
the peer over which the peer will authenticate.
2. The attacker needs to be able to respond to any inner
authentication. For example, an attacker who is a legitimate NAS
can forward the inner authentication over AAA towards the EAP
server. Note that the inner authentication may not be EAP.
3. Typically, the attacker needs to be able to complete the tunnel
method after inner authentication. This may not be necessary if
the attacker is gaining advantage from information sent by the
peer over the tunnel.
4. In some cases, the attacker may need to complete a Secure
Association Protocol (SAP) or otherwise demonstrate knowledge of
the MSK after the tunnel method successfully completes.
Attackers who are legitimate NASes are the primary focus of this
memo. Previous work has provided mitigation against attackers who
are not NASes; these mitigations are briefly discussed.
Hartman, et al. Informational [Page 7]
^L
RFC 7029 Mutual Crypto Binding October 2013
3.2. Mitigation Strategies
3.2.1. Server Authentication
If the peer confirms the identity of the party that the tunnel method
is established with, the peer prevents the first condition (attacker
establishing a tunnel method). Many tunnel methods rely on Transport
Layer Security (TLS) [RFC5281] [TEAP]. The specifications for these
methods tend to encourage or mandate certificate checking. If the
TLS certificate is validated back to a trust anchor and the identity
of the tunnel method server confirmed, then the first attack
condition cannot be met.
Many challenges make server authentication difficult. There is not
an obvious name by which to identify a tunnel method server. It is
not obvious where in the tunnel server certificate the name should be
found. One particularly problematic practice is to use a certificate
that names the host on which the tunnel server runs. Given such a
name, it is very difficult for a peer to understand whether that
server is intended to be a tunnel method server for the realm.
It's not clear what trust anchors to use for tunnel servers. Using
commercial Certificate Authorities (CAs) is probably undesirable
because tunnel servers often operate in a closed community and are
often provisioned with certificates issued by that community. Using
commercial CAs can be particularly problematic with peers that
support hostnames in certificates. Then anyone who can obtain a
certificate for any host in the domain being contacted can
impersonate a tunnel server.
These difficulties lead to poor deployment of good certificate
validation. Many peers make it easy to disable certificate
validation. Other peers validate back to trust anchors but do not
check names of certificates. What name types are supported and what
configuration is easy to perform depend significantly on the peer in
question.
Specifications also make the problem worse. For example, [RFC5281]
indicates that the only impact of failing to perform certificate
validation is that the inner method can be attacked. Administrators
and implementors believing this claim may believe that protection
from passive attacks is sufficient.
In addition, some deployments such as provisioning or strong inner
methods are designed to work without certificate validation.
Section 3.9 of the tunnel requirements document [RFC6678] discusses
this requirement.
Hartman, et al. Informational [Page 8]
^L
RFC 7029 Mutual Crypto Binding October 2013
3.2.2. Server Policy
Server policy can potentially prevent the second condition (attacker
being able to respond to inner authentication) from being possible.
If the server only performs a particular inner authentication within
a tunnel, then the attacker cannot gain a response to the inner
authentication without there being such a tunnel. The attacker may
be able to add a second layer of tunnels; see Figure 3. The inner
tunnel may limit the attacker's capabilities; for example, if channel
binding is performed over tunnel t2 in the figure, then an attacker
cannot observe or influence it.
Peer Attacker Service AAA Server
| | | |
| | | |
|Peer Initiates Connection to a Service | |
|---------------------+----X----------->| |
| (Intercepted by an Attacker) | |
| | | |
| | | |
| Tunnel Establishment| | |
|<------------------->| | |
|.....................| | |
| Tunnel t1 | | |
| | | |
|.......................................... .............|
| Tunnel t2 |
| |
| |
| Inner Method |
|<======================================================>|
| |
|.......................................... .............|
| | | |
|.....................| | |
| | | |
| Peer | | |
| Connected to |<----------------------MSK keys --|
| Attacker | | |
|<------------------->| | |
| | | |
A tunnel t1 from the peer to the attacker contains a tunnel t2 from
the peer to the home EAP server. Inside tunnel t2 is an inner
authentication.
Figure 3: Multiple Layered Tunnels
Hartman, et al. Informational [Page 9]
^L
RFC 7029 Mutual Crypto Binding October 2013
Peer policy can be combined with this server policy to help prevent
conditions 1 (attacker can establish a tunnel the peer will use) and
2 (attacker can respond to inner authentication). If the peer
requires exactly one tunnel of a particular type and the EAP server
only performs inner authentication over a tunnel of this type, then
the attacker cannot establish tunnel t1 in the figure above.
Configuring this peer policy may be more challenging than configuring
policy on the EAP server.
An attacker may be able to mount a more traditional man-in-the-middle
attack in this instance; see Figure 4. This policy on the peer and
EAP server combined with a tunnel method that supports cryptographic
binding will allow the EAP server to detect the attacker. This means
the attacker cannot act as a legitimate NAS and, in particular, does
not obtain the MSK. So, if the tunnel between the attacker and peer
also requires cryptographic binding and if the cryptographic binding
requires both the EAP server and peer to prove knowledge of the inner
MSK, then the authentication will fail. If cryptographic binding is
not performed, then this attack may succeed.
Hartman, et al. Informational [Page 10]
^L
RFC 7029 Mutual Crypto Binding October 2013
Peer Attacker Service AAA Server
| | | |
| | | |
|Peer Initiates Connection to a Service | |
|---------------------+----X----------->| |
| (Intercepted by an Attacker) | |
| | | |
| | | |
| Tunnel Establishment| Tunnel Establishment |
|<------------------->|<-------------------------------->|
|.....................|.................... .............|
| Tunnel t1 | Tunnel t2 |
| | |
| Tunneled | |
| Method | Tunneled Method |
|<===================>|<================================>|
| | |
|.....................|..................................|
| | | |
| Peer | | |
| Connected to | | |
| Attacker | | |
|<------------------->| | |
| | | |
A tunnel t1 extends from the peer to the attacker. A tunnel t2
extends from the attacker to the home EAP server. An inner EAP
authentication is forwarded unmodified by the attacker from tunnel t1
to tunnel t2. The attacker can observe this inner authentication.
Figure 4: A Traditional Man-in-the-Middle Attack
Cryptographic binding is only a valuable component of a defense if
the inner authentication is a key-deriving EAP method. Most tunnel
methods also support non-EAP inner authentication such as Microsoft
CHAP version 2 [RFC2759]. This may undermine cryptographic binding
in a number of ways. An attacker may be able to convert an EAP
method into a compatible non-EAP form of the same credential to
suppress cryptographic binding. In addition, an inner authentication
may be available through an entirely different means. For example, a
Lightweight Directory Access Protocol [RFC4510] or other directory
server may provide an attacker a way to get challenges and provide
responses for an authentication mechanism entirely outside of the
AAA/EAP context. An attacker with this capability may be able to get
around server policy requiring an inner authentication be used only
in a given type of tunnel.
Hartman, et al. Informational [Page 11]
^L
RFC 7029 Mutual Crypto Binding October 2013
To recap, the following policy conditions appear sufficient to
prevent a server insertion attack:
1. Peer and EAP server require a particular inner EAP method used
within a particular tunnel method.
2. The inner EAP method's authentication is only available within
the tunnel and through no other means including non-EAP means.
3. The inner EAP method produces a key.
4. The tunnel method uses cryptographic binding and the peer
requires the other end of the tunnel to prove knowledge of the
inner MSK.
3.2.3. Existing Cryptographic Binding
The most advanced examples of cryptographic binding today work at two
levels. First, the server and peer prove to each other knowledge of
the inner MSK. Then, the inner MSK is combined with some outer key
material to form the tunnel's EAP keys. This is sufficient to detect
an inserted server or peer provided that the attacker does not learn
the inner MSK. This seems sufficient to defend against attackers who
cannot act as a legitimate NAS.
The definition of cryptographic binding in [RFC3748] does not require
these steps. To meet that definition, it would be sufficient for a
peer to prove knowledge of the inner key to the EAP server. This
would open some additional attacks. For example, by indicating
success, an attacker might be able to mask a cryptographic binding
failure. The peer is unlikely to be able to detect the failure,
especially if only the tunnel key material is used for the final
keys.
As discussed in the previous section, cryptographic binding is only
effective when the inner method is EAP.
3.2.4. Introducing EMSK-Based Cryptographic Binding
Cryptographic binding can be strengthened when the inner EAP method
supports an Extended Master Session Key (EMSK). The EMSK is never
disclosed to any party other than the EAP server or peer, so even a
legitimate NAS cannot learn the EMSK. So, if the same techniques
currently applied to the inner MSK are applied to the inner EMSK,
then condition 3 (completing tunnel authentication) will not hold
because the attacker cannot complete this new form of cryptographic
binding. This does not prevent the attacker from learning
Hartman, et al. Informational [Page 12]
^L
RFC 7029 Mutual Crypto Binding October 2013
confidential information such as a channel-binding request sent over
the tunnel prior to cryptographic binding.
Obviously, as with all forms of cryptographic binding, cryptographic
binding only works for key-deriving inner EAP methods. Also, some
deployments (see Section 3.3) insert intermediates between the peer
and the EAP server. EMSK-based cryptographic binding is incompatible
with these deployments because the intermediate cannot learn the
EMSK.
Formally, EMSK-based cryptographic binding is a security claim for
EAP tunnel methods that holds when:
1. The peer proves to the server that the peer participating in any
inner method is the same as the peer for the tunnel method.
2. The server proves to the peer that the server for any inner
method is the same as the server for the tunnel method.
3. The MSK and EMSK for the tunnel depend on the MSK and EMSK of
inner methods.
4. The peer MUST be able to force the authentication to fail if the
peer is unable to confirm the identity of the server.
5. Proofs offered need to be secure even against attackers who know
the inner method MSK.
If EMSK-based cryptographic binding is not an optional facility, it
provides a strong defense against server insertion attacks and other
tunnel man-in-the-middle (MITM) attacks for inner methods that
provide an EMSK. The strength of the defense is dependent on the
strength of the inner method. EMSK-based cryptographic binding MAY
be provided as an optional facility. The value of EMSK-based
cryptographic binding is reduced somewhat if it is an optional
feature. It permits configurations where a peer uses other means to
authenticate the server if the peer has sufficient information
configured to validate the certificate and identity of an EAP server
while using EMSK-based cryptographic binding for deployments where
that is possible.
If EMSK-based cryptographic binding is an optional facility, the
negotiation of whether to use it MUST be protected by the inner MSK
or EMSK. Typically, the MSK will be used because the primary
advantage of making EMSK-based cryptographic binding an optional
facility is to permit intermediates who know only the MSK to decline
to use EMSK-based cryptographic binding. The peer MUST have an
Hartman, et al. Informational [Page 13]
^L
RFC 7029 Mutual Crypto Binding October 2013
opportunity to fail the authentication after the server declines to
use EMSK-based cryptographic binding.
3.2.5. Mix Key into Long-Term Credentials
Another defense against tunnel MITM attacks, potentially including
server insertion attacks, is to use a different credential for
tunneled methods from other authentications. This may prevent the
second condition (attacker being able to respond to inner
authentication) from taking place. For example, if key material from
the tunnel is mixed into a shared secret or password that is the
basis of the inner authentication, then the second condition will not
hold unless the attacker already knows this shared secret. The
advantage of this approach is that it seems to be the only way to
strengthen non-EAP inner authentications within a tunnel.
There are several disadvantages. Choosing a function to mix the
tunnel key material into the inner authentication will be very
dependent on the inner authentication. In addition, this appears to
involve a layering violation. However, exploring the possibility of
providing a solution like this seems important because it can
function for inner authentications where no other approach will work.
3.3. Intended Intermediates
Some deployments introduce a tunnel server separate from the EAP
server; see [RFC5281] for an example of this style of deployment.
The tunnel server is between the NAS and the EAP server. The only
difference between such an intermediate and an attacker is that the
intermediate provides some function valuable to the peer or EAP
server and that the intermediate is trusted by the peer. If peers
are configured with the necessary information to validate
certificates of these intermediates and to confirm their identity,
then tunnel MITM and inserted server attacks can be defended against.
The intermediates need to be trusted with regard to channel binding
and other services that the peer depends on.
Support for trusted intermediates is not a requirement according to
the tunnel method requirements.
It seems reasonable to treat trusted intermediates as a special case
if they are supported and to focus on the security of the case where
there are not intermediates in the tunnel as the common case.
Hartman, et al. Informational [Page 14]
^L
RFC 7029 Mutual Crypto Binding October 2013
4. Recommendations
4.1. Mutual Cryptographic Binding
The Tunnel EAP method [TEAP] should gain support for EMSK-based
cryptographic binding.
As channel-binding support is added to existing EAP methods, EMSK-
based cryptographic binding or some other form of cryptographic
binding that protects against server insertion should also be added
to these methods. Mutual cryptographic binding may also be valuable
when other services are added to EAP methods that may require a peer
trust an EAP server.
4.2. State Tracking
Today, mutual authentication in EAP is thought of as a security claim
about a method. However, in practice, it's an attribute of a
particular exchange. Mutual authentication can be obtained via
checking certificates, through mutual cryptographic binding, or in
very controlled cases through carefully crafted peer and server
policy combined with existing cryptographic binding. Using services
like channel binding that involve the peer trusting the EAP server
should require mutual authentication be present in the session.
To accomplish this, implementations including channel binding or
other peer services MUST track whether mutual authentication has
happened. They SHOULD default to not permitting these peer services
unless mutual authentication has happened. They SHOULD support a
configuration where the peer fails to authenticate unless mutual
authentication takes place. Discussion of whether this configuration
should be recommended as a default is required.
The Tunnel EAP method [TEAP] should permit peers to force
authentication failure if they are unable to perform mutual
authentication. The protocol should permit this to be deferred until
after mutual cryptographic binding is considered.
Services such as channel binding should be deferred until after
cryptographic binding or mutual cryptographic binding.
An additional complication arises when a tunnel method authenticates
multiple parties such as authenticating both the peer machine and the
peer user to the EAP server. Depending on how mutual authentication
is achieved, only some of these parties may have confidence in it.
For example, if a strong shared secret is used to mutually
authenticate the user and the EAP server, the machine may not have
confidence that the EAP server is the authenticated party if the
Hartman, et al. Informational [Page 15]
^L
RFC 7029 Mutual Crypto Binding October 2013
machine cannot trust the user not to disclose the shared secret to an
attacker. In these cases, the parties that have achieved mutual
authentication need to be considered when evaluating whether to use
peer services.
4.3. Certificate Naming
Work is required to promote interoperable deployment of server
certificate validation by peers. A standard way to name EAP servers
is required. Recommendations for what name forms peers should
implement is required.
4.4. Inner Mixing
More consideration of the proposal to mix some key material into
inner authentications is desired. Currently, the proposal is under-
defined and fairly invasive. Are there versions of this proposal
that would be valuable? Is there a way to view it as something more
abstract so that it does not involve a combinatorial explosion as a
result of considering specific tunnels and inner methods?
5. Survey of Tunnel Methods
5.1. Tunnel EAP (TEAP) Method
The Tunnel EAP method [TEAP] provides several features designed to
limit man-in-the-middle vulnerabilities and provide a safe platform
for peer services.
TEAP implementations support checking the Network Access Identifier
(NAI) realm portion against a DNS subjectAlternativeName in the
certificate of the TEAP server. TEAP supports EMSK-based
cryptographic binding as a way to achieve mutual cryptographic
binding. TEAP also supports MSK-based cryptographic binding for
cases where the EMSK is not available; this cryptographic binding
does not provide sufficient assurance for peer services. TEAP
provides recommendations on conditions that need to be met prior to
using peer services. These recommendations explicitly address when
the MSK-based cryptographic binding is sufficient and when EMSK-based
cryptographic binding is required. TEAP meets the recommendations
for implementations outlined in this memo.
Hartman, et al. Informational [Page 16]
^L
RFC 7029 Mutual Crypto Binding October 2013
5.2. Flexible Authentication via Secure Tunneling (FAST)
EAP-FAST [RFC4851] provides MSK-based cryptographic binding.
EAP-FAST requires that server certificates be validated. However, no
guidance is given on how servers are named, so the specification does
not provide enough guidance to interoperably enforce this
requirement.
EAP-FAST does not support channel binding or other peer services,
although the protocol is extensible and TLVs could be defined for
peer services. If the certificates are actually validated and names
checked, then EAP-FAST would provide security guarantees sufficient
to use these peer services. However, the cryptographic binding in
EAP-FAST is not strong enough to secure peer services if the server
certificate is not validated and name checked.
5.3. EAP Tunneled Transport Layer Security (EAP-TTLS)
The EAP Tunneled Transport Layer Security Version 0 (EAP-TTLS)
[RFC5281] does not support cryptographic binding. It also does not
support peer services such as channel binding although they could be
added using extensible AVPs.
EAP-TTLS recommends that implementations SHOULD validate certificates
but gives no guidance on how to handle naming. Even if certificates
are validated, EAP-TTLS is not generally suited to peer services. As
an example, EAP-TTLS does not include protected result indication.
So, an unprotected EAP success packet can end the authentication. In
addition, it is difficult for a peer to request services such as
channel binding because the server ends the authentication as soon as
authentication is successful.
A variety of extensions, including EAP-TTLS version 1, improve some
of these concerns. Specification and implementation issues
complicate analysis of these extensions. As an example, most
implementations can be tricked into using EAP-TTLS version 0.
6. Security Considerations
This memo examines the security considerations of providing new
classes of service within EAP methods. Traditionally, the primary
focus of EAP is authenticating the peer to the network. However, as
the peer places trust in the EAP server, mutual authentication
becomes more important. This memo examines the security of mutual
authentication for EAP tunnel methods.
Hartman, et al. Informational [Page 17]
^L
RFC 7029 Mutual Crypto Binding October 2013
7. Acknowledgements
The authors would like to thank Alan DeKok for helping to explore
these attacks. Alan focused the discussion on the importance of
inner authentications that are not EAP and proposed mixing in key
material as a way to resolve these authentications.
Jari Arkko provided a review of the attack and valuable context on
past efforts in developing cryptographic binding.
Sam Hartman's and Margaret Wasserman's work on this memo is funded by
Huawei.
8. References
8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
Levkowetz, "Extensible Authentication Protocol (EAP)", RFC
3748, June 2004.
8.2. Informative References
[GSS-EAP] Hartman, S. and J. Howlett, "A GSS-API Mechanism for the
Extensible Authentication Protocol", Work in Progress,
August 2012.
[PT-EAP] Cam-Winget, N. and P. Sangster, "PT-EAP: Posture Transport
(PT) Protocol For EAP Tunnel Methods", Work in Progress,
March 2013.
[RFC2759] Zorn, G., "Microsoft PPP CHAP Extensions, Version 2", RFC
2759, January 2000.
[RFC4510] Zeilenga, K., "Lightweight Directory Access Protocol
(LDAP): Technical Specification Road Map", RFC 4510, June
2006.
[RFC4851] Cam-Winget, N., McGrew, D., Salowey, J., and H. Zhou, "The
Flexible Authentication via Secure Tunneling Extensible
Authentication Protocol Method (EAP-FAST)", RFC 4851, May
2007.
Hartman, et al. Informational [Page 18]
^L
RFC 7029 Mutual Crypto Binding October 2013
[RFC5281] Funk, P. and S. Blake-Wilson, "Extensible Authentication
Protocol Tunneled Transport Layer Security Authenticated
Protocol Version 0 (EAP-TTLSv0)", RFC 5281, August 2008.
[RFC6677] Hartman, S., Clancy, T., and K. Hoeper, "Channel-Binding
Support for Extensible Authentication Protocol (EAP)
Methods", RFC 6677, July 2012.
[RFC6678] Hoeper, K., Hanna, S., Zhou, H., and J. Salowey,
"Requirements for a Tunnel-Based Extensible Authentication
Protocol (EAP) Method", RFC 6678, July 2012.
[TEAP] Zhou, H., Cam-Winget, N., Salowey, J., and S. Hanna,
"Tunnel EAP Method (TEAP) Version 1", Work in Progress,
September 2013.
[TUNNEL-MITM]
Asokan, N., Niemi, V., and K. Nyberg, "Man-in-the-Middle
in Tunnelled Authentication Protocols", Cryptology ePrint
Archive: Report 2002/163, November 2002.
Authors' Addresses
Sam Hartman
Painless Security
EMail: hartmans-ietf@mit.edu
Margaret Wasserman
Painless Security
EMail: mrw@painless-security.com
URI: http://www.painless-security.com/
Dacheng Zhang
Huawei
EMail: zhangdacheng@huawei.com
Hartman, et al. Informational [Page 19]
^L
|
