Hi everyone, picking up on some TEAP work again.

TL;DR: I need clarity on how crypto-binding TLVs work when there is no inner EAP method. Also note the use of Request-Action.

Key questions: what value do we pass for EMSK and MSK in the crypto-binding response when there is no inner method? Zeros?

Also, can the flags indicate that there is no EMSK or MSK? This would solve our first problem.

Finally, are we cool piggybacking Result and Crypto-Binding on a PKCS#7 TLV?

Flows follow.

Use case 1: the device just wants to use TEAP in the same way one would use EAP-TLS. This is what I would call "normal operations". That is, we would expect something along the following lines:
,----. ,------.
|Peer| |Server|
`-+--' `--+---'
| 1 EAP-Request/ |
| Identity |
| <---------------------
| |
| 2 EAP-Response/ |
| Type=Identity |
| --------------------->
| |
,----------------------------!.
|Section 3.2 |_\
`------------------------------'
| 3 EAP-Request/ |
| Type=TEAP, |
| TEAP Start, |
| Authority-ID TLV |
| <---------------------
| |
| 4 EAP-Response/ |
| Type=TEAP, |
| TLS(ClientHello) |
| --------------------->
| |
| 5 EAP-Request/ |
| Type=TEAP, |
| TLS(ServerHello, |
| ServerKeyExchange, |
| ServerHelloDone) |
| <---------------------
| |
| 6 EAP-Response/ |
| Type=TEAP, |
| ClientKeyExchange, |
| CertificateVerify, |
| ChangeCipherSpec, |
| Finished) |
| --------------------->
| |
,----------------------------!.
|Section 3.3.3 |_\
`------------------------------'
| 7 EAP-Request/ |
| Type=TEAP, |
| TLS(ChangeCipherSpec,|
| Finished), |
| Result TLV, |
| Crypto-Binding TLV |
| <---------------------
| |
| 8 EAP-Response/ |
| Type=TEAP, |
| Result TLV, |
| Crypto-Binding TLV |
| --------------------->
| |
| 9 EAP-Success |
| <---------------------
,-+--. ,--+---.
|Peer| |Server|
`----' `------'
Note the lack of an Intermediate Result TLV, because the text states
that Intermediate Results are only required upon completion of an inner
EAP method.
The second use case involves the use of PKCS#10/PKCS#7 messages. We think that looks like this:
,----. ,------. ,--.
|Peer| |Server| |CA|
`-+--' `--+---' `+-'
| EAP-Request/ | |
| Identity | |
| <-------------------------------------------------- |
| | |
| EAP-Response/ | |
| Type=Identity | |
| --------------------------------------------------> |
| | |
| EAP-Request/ | |
| Type=TEAP, | |
| TEAP Start, | |
| Authority-ID TLV | |
| <-------------------------------------------------- |
| | |
| EAP-Response/ | |
| Type=TEAP, | |
| TLS(ClientHello) | |
| --------------------------------------------------> |
| | |
| EAP-Request/ | |
| Type=TEAP, | |
| TLS(ServerHello, | |
| ServerKeyExchange, | |
| ServerHelloDone) | |
| <-------------------------------------------------- |
| | |
| EAP-Response/ | |
| Type=TEAP, | |
| ClientKeyExchange, | |
| CertificateVerify, | |
| ChangeCipherSpec, | |
| Finished) | |
| --------------------------------------------------> |
| | |
,---------------------------------------------------------!. |
|Section 4.2.9 |_\ |
`-----------------------------------------------------------' |
| EAP-Request/ | |
| Type=TEAP, | |
| TLS(ChangeCipherSpec, | |
| Finished), | |
| Request Action TLV(Status=Failure | |
| ,Action=Process-TLV,TLV=PKCS#10) | |
| <-------------------------------------------------- |
| | |
,---------------------------------------------------------!. |
|Section 4.2.17 |_\ |
`-----------------------------------------------------------' |
| EAP-Response/ | |
| Type=TEAP | |
| {PKCS#10 TLV} | |
| --------------------------------------------------> |
| | |
| | PKCS#10 |
| | -------------->
| | |
| | PKCS#7 |
| | <--------------
| | |
,---------------------------------------------------------!. |
|Section 4.2.16 |_\ |
|Section 3.3.3 | |
`-----------------------------------------------------------' |
| EAP-Request/ | |
| Type=TEAP, | |
| {PKCS#7 TLV,Crypto-Binding TLV,Result TLV=Success}| |
| <-------------------------------------------------- |
| | |
| EAP-Response/ | |
| Type=TEAP | |
| {Crypto-Binding TLV, | |
| Result TLV=Success} | |
| --------------------------------------------------> |
| | |
| EAP-Success | |
| <-------------------------------------------------- |
,-+--. ,--+---. ,+-.
|Peer| |Server| |CA|
`----' `------' `--'
Eliot
Emu mailing list: https://www.ietf.org/mailman/listinfo/emu
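The following is a constructed Python example added by the editor; it is not part of Eliot's post and not code from any TEAP implementation. It encodes the TLVs that appear in the two flows above (Result, Request-Action, Crypto-Binding, PKCS#7, PKCS#10) and shows what the peer's crypto-binding check looks like under the option the post floats: with no inner method, the IMSK is taken to be 32 zero octets and only the MSK Compound MAC is carried. That choice is an assumption here, not the spec's answer to the question. The TLV type codes, the Crypto-Binding field layout and the IMCK/CMK derivation follow the RFC 7170 text as the editor reads it; the exact BUFFER composition and MAC function for the Compound MAC are assumed (HMAC-SHA256 truncated to the 20-octet field) and are flagged in comments. The Authority-ID value, session key seed, nonce and PKCS#7 bytes are constructed sample data.

```python
"""Constructed TEAP TLV example (not from the post or any implementation).
Items marked ASSUMED are the editor's reading, to be checked against RFC 7170."""
import hashlib
import hmac
import struct

EAP_TYPE_TEAP = 55                       # EAP method type number for TEAP
TLV_AUTHORITY_ID, TLV_RESULT, TLV_REQUEST_ACTION = 1, 3, 8
TLV_CRYPTO_BINDING, TLV_PKCS7, TLV_PKCS10 = 12, 15, 16
M_BIT = 0x8000                           # mandatory bit in the 16-bit TLV header
CB_FLAG_EMSK, CB_FLAG_MSK = 1, 2         # Crypto-Binding Flags: which MACs are present
CB_REQUEST, CB_RESPONSE = 0, 1           # Crypto-Binding Sub-Type


def encode_tlv(tlv_type, value, mandatory=True):
    """TLV = M(1) R(1) Type(14) | Length(16) | Value."""
    hdr = (M_BIT if mandatory else 0) | (tlv_type & 0x3FFF)
    return struct.pack("!HH", hdr, len(value)) + value


def decode_tlvs(buf):
    """Return [(mandatory, type, value)]; reject truncated or over-long TLVs."""
    out, off = [], 0
    while off < len(buf):
        if len(buf) - off < 4:
            raise ValueError("truncated TLV header")
        hdr, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if len(buf) - off < length:
            raise ValueError("TLV length runs past end of buffer")
        out.append((bool(hdr & M_BIT), hdr & 0x3FFF, buf[off:off + length]))
        off += length
    return out


def result_tlv(success):
    """Result TLV: 2-octet Status, 1 = Success, 2 = Failure."""
    return encode_tlv(TLV_RESULT, struct.pack("!H", 1 if success else 2))


def request_action_tlv(status, action, nested_tlvs):
    """Request-Action TLV: Status (1=Success, 2=Failure), Action
    (1=Process-TLV, 2=Negotiate-EAP), followed by the TLVs being requested."""
    return encode_tlv(TLV_REQUEST_ACTION, bytes([status, action]) + nested_tlvs)


def crypto_binding_value(flags, subtype, nonce, emsk_mac, msk_mac):
    """Reserved | Version=1 | Received Version=1 | Flags(4)/Sub-Type(4) |
    Nonce(32) | EMSK Compound MAC(20) | MSK Compound MAC(20) = 76 octets."""
    assert len(nonce) == 32 and len(emsk_mac) == 20 and len(msk_mac) == 20
    return bytes([0, 1, 1, (flags << 4) | subtype]) + nonce + emsk_mac + msk_mac


def tls12_prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246 section 5) using P_SHA256."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


def compound_keys(s_imck_prev, imsk):
    """IMCK[j] = TLS-PRF(S-IMCK[j-1], "Inner Methods Compound Keys", IMSK[j], 60);
    S-IMCK[j] = first 40 octets, CMK[j] = last 20 octets."""
    imck = tls12_prf(s_imck_prev, b"Inner Methods Compound Keys", imsk, 60)
    return imck[:40], imck[40:]


def compound_mac(cmk, cb_value_zeroed, outer_tlvs):
    """ASSUMED: BUFFER = Crypto-Binding TLV with both MAC fields zeroed |
    EAP type | outer TLVs (here the Authority-ID TLV from TEAP Start);
    MAC = HMAC-SHA256 truncated to the 20-octet field."""
    buf = encode_tlv(TLV_CRYPTO_BINDING, cb_value_zeroed) + bytes([EAP_TYPE_TEAP]) + outer_tlvs
    return hmac.new(cmk, buf, hashlib.sha256).digest()[:20]


def build_result_and_binding(session_key_seed, nonce, outer_tlvs, subtype, success=True):
    """Messages 7/8 of use case 1: Result TLV + Crypto-Binding TLV with no inner
    method. ASSUMED (the option in the post): IMSK = 32 zero octets, Flags = MSK only."""
    _, cmk = compound_keys(session_key_seed, bytes(32))
    zeroed = crypto_binding_value(CB_FLAG_MSK, subtype, nonce, bytes(20), bytes(20))
    mac = compound_mac(cmk, zeroed, outer_tlvs)
    cb = crypto_binding_value(CB_FLAG_MSK, subtype, nonce, bytes(20), mac)
    return result_tlv(success) + encode_tlv(TLV_CRYPTO_BINDING, cb)


def verify_result_and_binding(msg, session_key_seed, outer_tlvs):
    """Peer side: parse, recompute the MAC over the zeroed TLV, compare in
    constant time. Returns (result_is_success, binding_ok)."""
    tlvs = {t: v for _, t, v in decode_tlvs(msg)}
    if TLV_RESULT not in tlvs or TLV_CRYPTO_BINDING not in tlvs:
        return (False, False)
    cb = tlvs[TLV_CRYPTO_BINDING]
    if len(cb) != 76 or cb[1] != 1 or len(tlvs[TLV_RESULT]) != 2:
        return (False, False)
    if cb[3] >> 4 != CB_FLAG_MSK:            # only the MSK MAC is expected here
        return (False, False)
    _, cmk = compound_keys(session_key_seed, bytes(32))
    expected = compound_mac(cmk, cb[:36] + bytes(40), outer_tlvs)
    success = struct.unpack("!H", tlvs[TLV_RESULT])[0] == 1
    return (success, hmac.compare_digest(expected, cb[56:76]))


def pkcs7_with_binding(pkcs7_der, session_key_seed, nonce, outer_tlvs):
    """Use case 2 server message: PKCS#7 TLV with Crypto-Binding and Result
    TLVs piggybacked, as the post proposes."""
    return encode_tlv(TLV_PKCS7, pkcs7_der) + build_result_and_binding(
        session_key_seed, nonce, outer_tlvs, CB_REQUEST)


if __name__ == "__main__":
    seed, nonce = bytes(range(40)), bytes(range(32))          # constructed
    outer = encode_tlv(TLV_AUTHORITY_ID, b"example-authority")  # constructed
    req = request_action_tlv(2, 1, encode_tlv(TLV_PKCS10, b""))
    print("Request-Action:", req.hex())
    msg = pkcs7_with_binding(b"\x30\x03\x02\x01\x01", seed, nonce, outer)
    print("peer check:", verify_result_and_binding(msg, seed, outer))
```

Because the verifier zeroes the two MAC fields of the received TLV and reuses everything else it received (version, flags, nonce), it also catches an attacker who rewrites the nonce or the flags nibble; the constructed test below flips a MAC byte, swaps the session key seed and changes the outer TLVs to confirm each is detected.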
