Hello all, Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the documentation, the wiki or the mailinglist archives, but perhaps I'm looking in the wrong place? Kind regards, Pieter Hulshoff
On 24/05/13 11:44, Pieter Hulshoff wrote:
Hello all,
Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the documentation, the wiki or the mailinglist archives, but perhaps I'm looking in the wrong place?
Typically this is down the TLS libraries; it's not usually the case that the application needs to do anything. That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve itself in this level of detail - that's an aspect of the TLS library (OpenSSL) we use, and whatever the EAP-TLS client is using. Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP or TTLS) never actually sends any data over the TLS session; essentially, it consists solely of the handshake. In TLS terms, EAP-TLS never sends any TLS records of type=23 (application data). So, the negotiated cipher is not used for very much. PEAP and TTLS have "inner" EAP exchanges, that are protected with the TLS session, and sent as TLS type=23 records. Slightly OT, there seems to be some degree of uncertainty about GCM in general, and whether it's a sensible cipher mode - for example, see http://www.imperialviolet.org/2013/01/13/rwc03.html
On Friday, May 24, 2013 12:21:47 PM Phil Mayers wrote:
On 24/05/13 11:44, Pieter Hulshoff wrote:
Hello all,
Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the documentation, the wiki or the mailinglist archives, but perhaps I'm looking in the wrong place?
Typically this is down the TLS libraries; it's not usually the case that the application needs to do anything.
It seems I have a lot to learn yet about what is and is not a part of FreeRADIUS. My apologies for pushing (slightly) OT subjects onto the mailinglist.
That said, EAP-TLS is typically TLS 1.0. AIUI, AEAD ciphers require TLS 1.2 - see section 4 of RFC 5288. But again, FreeRADIUS doesn't involve itself in this level of detail - that's an aspect of the TLS library (OpenSSL) we use, and whatever the EAP-TLS client is using.
I guess that if we want to use AEAD cyphers we'll need to find another TLS library or adapt/contribute to OpenSSL?
Note also that EAP-TLS (unlike other TLS-based EAP methods, such as PEAP or TTLS) never actually sends any data over the TLS session; essentially, it consists solely of the handshake. In TLS terms, EAP-TLS never sends any TLS records of type=23 (application data). So, the negotiated cipher is not used for very much.
The EAP-TLS Finished (type=20) are secured/signed with this negotiated cipher though, correct?
Slightly OT, there seems to be some degree of uncertainty about GCM in general, and whether it's a sensible cipher mode - for example, see http://www.imperialviolet.org/2013/01/13/rwc03.html
Interesting article nontheless. I guess I've been working as a hardware engineer for too long; I haven't been bothered by timing side-channel attacks too much. :) It's something to take into consideration though. Kind regards, Pieter Hulshoff
On 24/05/13 12:47, Pieter Hulshoff wrote:
I guess that if we want to use AEAD cyphers we'll need to find another TLS library or adapt/contribute to OpenSSL?
I think they're supported as of OpenSSL 1.0.1, so merely compiling against that should be sufficient, but both ends then need to use TLS v1.2 and, as I say, most do not. (I'm also not sure if FreeRADIUS explicitly forces a specific TLS version - it might, check the source code)
The EAP-TLS Finished (type=20) are secured/signed with this negotiated cipher though, correct?
Off the top of my head, everything after the change cipher spec is encrypted with the negotiated symmetric cipher, yes.
On Friday, May 24, 2013 01:47:36 PM Pieter Hulshoff wrote:
I guess that if we want to use AEAD cyphers we'll need to find another TLS library or adapt/contribute to OpenSSL?
It seems some people are way ahead of me: http://en.wikipedia.org/wiki/Comparison_of_TLS_Implementations#Encryption_Al... Support for AES-GCM was added in v1.0.1 Kind regards, Pieter Hulshoff
participants (2)
-
Phil Mayers -
Pieter Hulshoff