On Tue, 3 Jan 2023, at 08:20, Eliot Lear wrote:
> My use case is IOT. I'm interested in two states:
>
> * Nominal: everything looks very similar to EAP-TLS.
> * Exceptional: a new certificate or a new trust anchor or something else is
> needed. In which case, I would expect the server to push a “request action”
> TLV.
> In either case, there is no inner method. So either the calculation should
> not assume S-IMCK[0] exists, or we must define what that means.
>
I think for your use case to send a Request-Action-TLV the server must have
also sent the Result-TLV and Cryptobinding-TLV:
https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-01#section-3.3.4
https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-01#section-4.2.9
https://datatracker.ietf.org/doc/html/draft-ietf-emu-rfc7170bis-01#name-c9-peer-requests-inner-meth
- shows TLS completing and then just a bare Cryptobinding-TLV and Result-TLV
so I figure nothing prevents slipping your Request-Action-TLV in there too
My expectation is that you use the EMSK from the outer-TLS authentication to do
this calculation.
However, I now understand your point about the *value* of doing this.
Generating a Cryptobinding on the outer-TLS authentication does not protect the
inner Request-Action-TLV. Maybe you should re-run the EAP-TLS authentication
done on the outer tunnel again on the inner as the first (and only) method? If
this is an option, we will need to think about the proposed changes for TLSv1.3
where this is (sort of) forbidden.
https://datatracker.ietf.org/doc/html/draft-ietf-emu-tls-eap-types-09#section-2.2.1
> Currently in our POC implementation we are following Jouni's example that he
> used for basic auth. What I am concerned about is leading implementors or
> their users to believe that an operation provides any additional security
> when would does not. So at the very least, we should be considering what to
> put in Security Considerations about this, but i the op really provides not
> value, we should consider the resource consumption of the operation against
> the code complexity.
So maybe to Section 7.4 we need wording such as:
"Integrity of the inner TLVs requires the use of an 'effective'
Cryptobinding-TLV. To be effective, a non-zero MSK or an EMSK from a inner
authentication method is required. If no inner-authentication method is used, a
Cryptobinding-TLV SHOULD still be sent when outer-TLVs are present using the
MSK/EMSK from the outer-TLS tunnel. The use of a non-effective
Cryptobinding-TLV (such as when using the Basic-Password-Auth TLVs) presents
problems around integrity/spoofing."
No doubt someone here can do a better job of the wording to make it less
verbose.
Thanks
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu
