AES-GCM

Pieter Hulshoff phulshof at xs4all.nl
Fri May 24 13:47:36 CEST 2013


On Friday, May 24, 2013 12:21:47 PM Phil Mayers wrote:
> On 24/05/13 11:44, Pieter Hulshoff wrote:
> > Hello all,
> > 
> > Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the
> > documentation, the wiki or the mailing list archives, but perhaps I'm
> > looking in the wrong place?
> 
> Typically this is down to the TLS libraries; it's not usually the case that
> the application needs to do anything.

It seems I have a lot to learn yet about what is and is not a part of 
FreeRADIUS. My apologies for pushing (slightly) OT subjects onto the 
mailing list.

> That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS
> 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve
> itself in this level of detail - that's an aspect of the TLS library
> (OpenSSL) we use, and whatever the EAP-TLS client is using.

I guess that if we want to use AEAD cyphers we'll need to find another TLS 
library or adapt/contribute to OpenSSL?

> Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP
> or TTLS) never actually sends any data over the TLS session;
> essentially, it consists solely of the handshake. In TLS terms, EAP-TLS
> never sends any TLS records of type=23 (application data). So, the
> negotiated cipher is not used for very much.

The EAP-TLS Finished messages (type=20) are secured/signed with this negotiated 
cipher though, correct?

> Slightly OT, there seems to be some degree of uncertainty about GCM in
> general, and whether it's a sensible cipher mode - for example, see
> http://www.imperialviolet.org/2013/01/13/rwc03.html

Interesting article nonetheless. I guess I've been working as a hardware 
engineer for too long; I haven't been bothered by timing side-channel attacks 
too much. :) It's something to take into consideration though.

Kind regards,

Pieter Hulshoff
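
Added example, not part of the original thread and not FreeRADIUS code: because cipher support comes from the TLS library rather than from the RADIUS server, this Python script asks the locally linked OpenSSL which AES-GCM suites it offers and which protocol version each one is tied to. The function names are assumptions made for this example; `AESGCM` is OpenSSL's own cipher-string keyword.

```python
import ssl

# Rank of the protocol strings OpenSSL reports for a cipher suite.
_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def gcm_suites():
    """Return (name, protocol) for every AES-GCM suite the local TLS library offers."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("AESGCM")  # raises ssl.SSLError if the library has no matching suite
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers() if "GCM" in c["name"]]


def gcm_usable_up_to(max_version):
    """AES-GCM suites that can be negotiated when the session is capped at max_version."""
    cap = _RANK[max_version]
    # An unknown protocol string is ranked above every cap, so it is never claimed usable.
    return [name for name, proto in gcm_suites() if _RANK.get(proto, len(_RANK)) <= cap]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name, proto in gcm_suites():
        print(f"{proto:8} {name}")
    # An EAP-TLS exchange limited to TLS 1.0 or 1.1 has no AEAD suite to pick from.
    for version in ("TLSv1.0", "TLSv1.1", "TLSv1.2"):
        print(version, "->", len(gcm_usable_up_to(version)), "AES-GCM suites")
```

Run it with the same OpenSSL build the RADIUS server and supplicant link against; both ends must also negotiate TLS 1.2 for any of the listed suites to be selected.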



More information about the Freeradius-Users mailing list