I haven't been able to follow all of thread on the impedance mismatch between EAP and TLS, which the EAP-TLS specification is intended to resolve. (I did talk on the phone with Alan yesterday, and he recapped some issues for me. My other qualification is that I implemented EAP-SIM 20 years ago, and I did some EAP over IKEv1 work at one point)
My understanding is that:
1) the TLS Finish message can now occur prior to the client certificate
even being transmitted, let alone validated.
This is a feature in TLS 1.3 that lets application data in the
typical browser->http server occur very early.
2) As such, it is possible to run the TLS-Exporter function prior to
actually having authenticated the client.
This is part of the TLS 1.3 changes that essentially permit either
end to (re-)authenticate at any point in the protocol.
3) The EAP-Success message is not authenticated in any way.
So it seems to be that:
a) The EAP-Success is meaningless. The client needs to process it, but
it should not affect the state machine at all!
b) Success means being able to use the derived keys.
The keys won't be installed by the AAA server into the authenticator
until it has performed appropriate validation of the client.
(e.g, received and validated the client certificate)
c) More important than EAP-Success, is legitimate failure. They need to be
unforgeable by an attacker. Success is easy to determine, and
progress is easy to move forward with. What breaks forward motion are
failure messages. They need to be properly authenticated.
While EAP-TLS does not really do anything with the resulting TLS channel
afterwards, there are some protocols like EAP-TEAP (and BRSKI-TEAP), that
would like to use the channel afterwards. So anything learnt in EAP-TLS 1.3
will get repeated.
My instinct is that the best thing would be to have a TLS-level message which
EAP-TLS 1.3 should define. This is the real success or failure message. TLS
libraries would have to cope.
The application data, byte, vs zero-length data discussion seems to be
basically dancing around this. TLS 1.3 is too flexible, and we can't either
constrain the TLS 1.3 state machine, nor can we depend upon it anymore the
way that one could with 1.2.
--
Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
_______________________________________________ Emu mailing list [email protected] https://www.ietf.org/mailman/listinfo/emu
