Hi,

I have reviewed draft-ietf-emu-tls-eap-types-01. Looks good. Two crypto-related comments below:

- "MAC is the MAC function negotiated in TLS 1.3."

  There is no MAC function negotiated in TLS 1.3. Also, a modern TLS implementation would not negotiate any MAC function in TLS 1.2 as they would use an AEAD. There is however a cipher suite hash algorithm that is used in HMAC mode. Maybe something like

  "Compound-MAC = HMAC( CMK, BUFFER )
  Where HMAC uses the Hash algorithm for the handshake."

  or

  "Compound-MAC = HMAC( CMK, BUFFER )
  Where the Hash function used by HKDF is the cipher suite hash algorithm"

  This raises the question what TEAP TLS 1.2 implementations do today? Are they only using outdated and non-secure cipher suites or are they doing something unspecified to derive Compound-MAC with an AEAD cipher suite? Anyway, how to calculate Compound-MAC with an AEAD algorithm needs to be specified for TLS 1.2 as well. I think the scope of the document needs to be expanded slightly.

- "For PEAP, some derivation use HMAC-SHA1 [PEAP-MPPE]. There are no known security issues with HMAC-SHA1. In the interests of interoperability and minimal changes, we do not change that definition here."

  While it is true that there are no known practical attacks against HMAC-SHA1, most modern protocols like TLS 1.3 forbid all uses of SHA-1, governments are recommending phasing out use of HMAC-SHA1 in e.g. IKEv2, and many buyers of security equipment think that everything with SHA-1 is very weak. To me it feels strange to force future implementations to continue support of SHA-1 when it is completely removed from TLS 1.3. Enforcing SHA-256 when TLS 1.3 is used seems like the easy way forward. It is probably much harder to do at a later stage.

Editorials:

- "in Section Those"
- formatting of the list in section 5

Cheers,
John

-----Original Message-----
From: Emu <emu-boun...@ietf.org> on behalf of "internet-dra...@ietf.org" <internet-dra...@ietf.org>
Reply to: "emu@ietf.org" <emu@ietf.org>
Date: Wednesday, 29 July 2020 at 23:04
To: "i-d-annou...@ietf.org" <i-d-annou...@ietf.org>
Cc: "emu@ietf.org" <emu@ietf.org>
Subject: [Emu] I-D Action: draft-ietf-emu-tls-eap-types-01.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the EAP Method Update WG of the IETF.

    Title    : TLS-based EAP types and TLS 1.3
    Author   : Alan DeKok
    Filename : draft-ietf-emu-tls-eap-types-01.txt
    Pages    : 12
    Date     : 2020-07-29

Abstract:
    EAP-TLS [RFC5216] is being updated for TLS 1.3 in [EAPTLS]. Many other EAP [RFC3748] and [RFC5247] types also depend on TLS, such as FAST [RFC4851], TTLS [RFC5281], TEAP [RFC7170], and possibly many vendor specific EAP methods. This document updates those methods in order to use the new key derivation methods available in TLS 1.3. Additional changes necessitated by TLS 1.3 are also discussed.

The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-emu-tls-eap-types/

There are also htmlized versions available at:
https://tools.ietf.org/html/draft-ietf-emu-tls-eap-types-01
https://datatracker.ietf.org/doc/html/draft-ietf-emu-tls-eap-types-01

A diff from the previous version is available at:
https://www.ietf.org/rfcdiff?url2=draft-ietf-emu-tls-eap-types-01

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

Internet-Drafts are also available by anonymous FTP at:
ftp://ftp.ietf.org/internet-drafts/

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
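
The Compound-MAC wording proposed in the review above, sketched as an added Python example that is not part of the original message, the draft, or any TEAP implementation: HMAC keyed with CMK over BUFFER, using the hash fixed by the negotiated TLS 1.3 cipher suite. The function names and the sample CMK and BUFFER values are hypothetical and constructed for illustration.

```python
import hashlib
import hmac

# Hash fixed by each TLS 1.3 cipher suite (RFC 8446, Appendix B.4).
TLS13_SUITE_HASH = {
    "TLS_AES_128_GCM_SHA256": hashlib.sha256,
    "TLS_AES_256_GCM_SHA384": hashlib.sha384,
    "TLS_CHACHA20_POLY1305_SHA256": hashlib.sha256,
    "TLS_AES_128_CCM_SHA256": hashlib.sha256,
    "TLS_AES_128_CCM_8_SHA256": hashlib.sha256,
}


def suite_hash(cipher_suite):
    """Return the hash constructor for a TLS 1.3 suite, or refuse."""
    try:
        return TLS13_SUITE_HASH[cipher_suite]
    except KeyError:
        # TLS 1.2 AEAD suites land here: the review notes that case is
        # not specified, so this sketch fails closed instead of guessing.
        raise ValueError(f"no Compound-MAC hash defined for {cipher_suite!r}") from None


def compound_mac(cipher_suite, cmk, buffer):
    """Compound-MAC = HMAC(CMK, BUFFER) with the cipher suite hash."""
    return hmac.new(cmk, buffer, suite_hash(cipher_suite)).digest()


def verify_compound_mac(cipher_suite, cmk, buffer, received):
    """Constant-time check of a peer's Compound-MAC."""
    expected = compound_mac(cipher_suite, cmk, buffer)
    return hmac.compare_digest(expected, received)


# Constructed sample values (hypothetical, for illustration only).
SAMPLE_CMK = bytes(range(32))
SAMPLE_BUFFER = b"constructed crypto-binding buffer"

if __name__ == "__main__":
    for suite in ("TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"):
        mac = compound_mac(suite, SAMPLE_CMK, SAMPLE_BUFFER)
        print(suite, len(mac), mac.hex())
    # Peers that disagree on the hash cannot verify each other's MAC.
    mac256 = compound_mac("TLS_AES_128_GCM_SHA256", SAMPLE_CMK, SAMPLE_BUFFER)
    print(verify_compound_mac("TLS_AES_256_GCM_SHA384", SAMPLE_CMK, SAMPLE_BUFFER, mac256))
```
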