Closed kr15tyk closed 10 months ago
I see a few potential ways to address this, none of which seem too hard:
PP-Module for WLAN Access System (https://www.niap-ccevs.org/Profile/Info.cfm?PPID=464&id=464) includes TLS_PSK* ciphers in FCS_RADSEC_EXT, as such introducing "only use PSKs in TLS1.3" would result in a conflict with the base PP.
Currently NDcPPv2.2e does not allow PSK ciphersutes and says no other ciphersuites are allowed. FCS_RADSEC_EXT.1.2 clearly ties the RadSec channel to either FCS_TLSC_EXT.2 (X.509 auth) from the NDcPP or FCS_RADSEC_EXT.2 (PSK auth); so the PP-Module addresses the potential conflict with SFRs.
Currently NDcPPv2.2e does not allow PSK ciphersutes and says no other ciphersuites are allowed.
Did you intend to say "base NDcPPv2.2e does not include PSK TLS ciphersuites" ? Because my understanding that PSK ciphersuites are not explicitly prohibited in NDcPPv2.2e.
TL;DR - I think agree with @KSinitski here. TLS_PSK* cipher suites 'seem' to be allowed when WLAN MOD is introduced...
_FTP_ITC.1.1 (WLAN MOD refined SFR) > FCS_RADSEC_EXT.1 (were .1.2 element allows for the selection of "pre-shared keys") > must then select FCS_RADSEC_EXT.2 (where the TLS_PSK cipher suites are introduced) and FIA_PSK_EXT.1 (further associates the selection of PSK cipher suites in RADsec with PSK generation requirements) > FCS_RADSEC_EXT.3 (required if TLSPSK* is selected; no impact the current argument).
"This SFR defines the implementation of RadSec when pre-shared key authentication with RSA is used. This functionality is outside the original scope of the Base-PP, but it relies on the TLS client protocol implementation, cryptographic algorithms, and random bit generation functions defined by the Base-PP."
Conclusion: If we accept the above argument, then, to @kenji-lightship 's point, the statement of "and no other ciphersuites" in the base PP must be qualified when WLAN MOD is included.
This is how I currently see things. I am always open to be corrected :D
I would agree with Michael's conclusion. Additionally, AUTHSRV MOD v1.0 contains an optional allowance for (D)TLS 1.2 PSK ciphersuite. From the App Note for FIA_PSK_EXT.1/AuthSvr:
"RadSec is claimed in FIA_PSK_EXT.1.1/AuthSvr, if RadSec is selected in FTP_ITC.1/NAS and the (D)TLS implementation in RadSec allows server-only authentication or supports a PSK ciphersuite."
Currently all the refinements and explanations to allow PSKs are contained in the MODs that support PSK. Why would we change that for NDcPPv3.0? While WLAN MOD section 6.1.4 says "This functionality is outside the original scope of the Base-PP, but it relies on the TLS client protocol implementation...defined by the Base-PP," this appears to be inconsistent with FCS_RADSEC_EXT.2 which appears to be a TLS client protocol implementation independent of the definition in the Base-PP.
@sheepbaron Re # 3 FCS_RADSEC_EXT.2.1 says "when acting as a RADIUS over TLS client," so I don't see you would apply this SFR to an audit server.
Since this is not a change from NDcPPv2.2e and a conscious decision to not support out of band PSKs was made when developing the requirements (so we did not need to consider the security implications); this should be a future enhancement, not a change during the comments phase.
NDcPPv2.2e did not explicitly prohibit PSK use with TLS, it only limited TLS to a defined set of allowed ciphersuites, which cold be amended via MOD to add TLS_PSK ciphers. NDcPPv3 was intentionally altered to explicitly disallow that for unclear reasons.
It is not possible to use a PSK without a PSK cipher suite. NDcPP2.2e does not allow PSK ciphersuites; therefore, the base PP does not allow PSKs.
this appears to be inconsistent with FCS_RADSEC_EXT.2 which appears to be a TLS client protocol implementation independent of the definition in the Base-PP.
I don't see where the TLS implementation/protocol as described in MOD_WLAN is defined to be or expected to be independent from that of its description in the NDcPP. Maybe I am overlooking something?
My understanding of RadSec, as it pertains to TLS, is that RadSec can be directly compared to HTTPS; where in HTTPS - HTTP is encapsulated by TLS, whereas in RadSec - RADIUS is encapsulated by TLS....and in both cases, TLS is implemented as per the typical TLS RFCs. This conclusion is supported by the following SFR chain from MOD_WLAN:
_FCS_RADSEC_EXT.1.1 (do RadSec according to RFC 6614) >> RFC 6614 (do TLS according to RFC 5246 [TLS 1.2] -or- RFC 4346 [TLSv1.1] - these are the same TLS RFCs referenced in NDcPP and MODWLAN).
In addition: _FCS_RADSEC_EXT.2.1 (same thing; do TLS according to RFC 5246 [TLS 1.2] -or- RFC 4346 [TLSv1.1]) >> if a 'TLS_RSA_PSK' cipher suite is selected here, then FCS_RADSECEXT.3 is required (I found nothing supporting or discounting this argument in this SFR).
To summarize my position:
I think I have a simple solution to clarify PSKs with a minimal risk of unintended consequences.
Edit List 1 to include [assignment: module specific ciphersuites]
Edit the PSK SFRs to read: The TSF shall not permit (D)TLS connections using PSKs with the following exceptions: [selection:
For both edits, include an app note: "module specific uses/ciphersuites" is for modules to assign module specific uses of ciphersuites and PSKs. The ST author shall not use tee assignment to add uses/ciphersuites that are not specified by a module. The module specific uses/ciphersuites may only be used with the trusted channel(s) specified by the module. The module author is responsible for ensuring testing exists for "module specific uses/ciphersuites" added by the module.
Thoughts?
Is there a specific nomenclature we can use to refer to the “modules” that is used consistently elsewhere to make this restriction clear? For example, does the CC standard refer to them as “Protection Profile Modules” or is there some other name that’s consistent and specific?
I think I have a simple solution to clarify PSKs with a minimal risk of unintended consequences.
Edit List 1 to include [assignment: module specific ciphersuites]
Edit the PSK SFRs to read: The TSF shall not permit (D)TLS connections using PSKs with the following exceptions: [selection:
- none
- PSKs in (D)TLS1.3 session resumption with forward secrecy
- [assignment: module specific uses] ].
For both edits, include an app note: "module specific uses/ciphersuites" is for modules to assign module specific uses of ciphersuites and PSKs. The ST author shall not use tee assignment to add uses/ciphersuites that are not specified by a module. The module specific uses/ciphersuites may only be used with the trusted channel(s) specified by the module. The module author is responsible for ensuring testing exists for "module specific uses/ciphersuites" added by the module.
Thoughts?
Brilliant! I would endorse this.
Is there a specific nomenclature we can use to refer to the “modules” that is used consistently elsewhere to make this restriction clear? For example, does the CC standard refer to them as “Protection Profile Modules” or is there some other name that’s consistent and specific?
Yes; I can see something along the lines of the following:
I think modifying cipher list to include [assignment: module specific ciphersuites] would work.
Also, as the stated concern is "The use of out-of-band provisioned pre-shared keys creates a potential security concern since the entropy used to generate the PSK is outside of the control of the TOE. " adapting FIA_PSK_EXT.1 Pre-Shared Key Composition from WLAN modules as a selection-based SFR would be a cleaner solution, as PSKs also used in IPSEC.
I agree with @KSinitski that modifying cipher list to include [assignment: module specific ciphersuites] would work.
Adding PSK SFRs to NDcPPv3.0 has larger implications and is a change I don't think should be made in this final editorial phase. I agree with @kenji-lightship that this seems like it should be a future enhancement.
The set of requirements covering signature_algorithms extension should be examined to determine the impact of using a PSK ciphersuite. There needs to be application notes in the cPP and the Supporting Document explaining the signature_algorithms extension is not required for PSK ciphersuite. Otherwise, it's confusing. The cPP and SD define the signature_algorithms extension to be optional / conditional. It doesn't explain why but it appears this was done for a different reason.
In looking at the cPP and SD in regards to the signature_algorithms extension, this has revealed a separate issue. The cPP and SD currently requires that the [D]TLS client does not need to present the signature_algorithms extension. I believe this was done because RFC 5246 does not require it. If a client does not include the signature_algorithms extension then it will use SHA-1 as the hash function (page 47, RFC 5246). However cPP v3.0 deprecated use of SHA-1 and there are no signature algorithms that use SHA-1 in the NDcPP. In other words, the [D]TLS client needs to include the signature_algorithms extension.
SInce Kenji has already addressed NIAP comments 29-32 with his edits in PR#312, I'm going to move forward with merging his work. If there are separate comments or issue that need to be addressed, please open a separate issue or PR to do so.
Location: NDcPP: p123, B.3.1.1, FCS_DTLSC_EXT.1. NDcPP: p128, B.3.1.1 , FCS_DTLSS_EXT.1.10 NDcPP: p143, B.3.1.5 ,FCS_TLSC_EXT.1.8 NDcPP: p147, B.3.1.5, FCS_TLSS_EXT.1.7
Comment: Sentence 1 seems to be conditional since the TSF may not support DTLS 1.3. Should be its own SFR. Sentence 2 seems to be a different requirement than the first.
Suggested change: None