IETF Logo Mail Archive

Re: [homenet] webauthn for routers

Michael Thomas <mike@fresheez.com> Wed, 12 June 2019 22:35 UTC

Return-Path: <mike@fresheez.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5CBA120161 for <homenet@ietfa.amsl.com>; Wed, 12 Jun 2019 15:35:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=fresheez.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ps-2-tsRH2Oz for <homenet@ietfa.amsl.com>; Wed, 12 Jun 2019 15:35:18 -0700 (PDT)
Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 29729120099 for <homenet@ietf.org>; Wed, 12 Jun 2019 15:35:18 -0700 (PDT)
Received: by mail-pl1-x635.google.com with SMTP id bh12so7213522plb.4 for <homenet@ietf.org>; Wed, 12 Jun 2019 15:35:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fresheez.com; s=fluffulence; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding:content-language; bh=v9ITMt5k/A2XIJjpJtzKd20VqTVB9mhsPJcBM+0985M=; b=UwJK2EItaPRTaIl1vkfqo7MgiJVopYvKg/OlEJMyMBB1PzA4/ATpBaCmtlnLRpfm9u GYtUyiCQq6lkK86DbPTqaZdETw/tgbyONMFGjqn0tFt3dsDe2rght3Q/PNtrAdY2fCGy LjeHYIO+ldjIDHDaRO6uVmdHaKQAy8hyoOkEM=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding :content-language; bh=v9ITMt5k/A2XIJjpJtzKd20VqTVB9mhsPJcBM+0985M=; b=eEp77qiBm2FZLzLAu45MFS3NFZoJUk1CbXLC5KwT92t5Bm46t5KXudTOqa92PHj+vX Je4Osng3Vg/fOJgnVo7IfBIqY2MGyhHishfgfJjuy0F5kzncGwMX/cBRPEjWZdEMSYlc 9Yw5CCqXNoV1O3lr99/WAXSMuZ0udqOLqVIbM9hyv29P9xYsxis9NtgdEaHk2xghACY8 gZNJRSlH9J9EFTa2v+MJz/w97J45SBdPEud927lCpWimXpzwKmgb+QpP6hpRrObl+0st yEXaMmprHBWGO8A3XAS4GP19o68zPyQlHKEUUjP0jDFQOskqNRUQoZ4Z5PPSk2NJUXoM 0frg==
X-Gm-Message-State: APjAAAXKk6d7s40NXyxZ11mbwplvMvYygd5n2KEEcPKhMOU2MX6uZQEB CmBMyqFD6i9caj80YpSlxHhwsKJntZ8=
X-Google-Smtp-Source: APXvYqyYnlF1DlO8uwXLKPilhtpENbKKUH2ZcaC8SZRBsCB45hDhXw5pjNiFwmxAiAFuXRj3MEaeKQ==
X-Received: by 2002:a17:902:23:: with SMTP id 32mr22324197pla.34.1560378916913; Wed, 12 Jun 2019 15:35:16 -0700 (PDT)
Received: from Michaels-MacBook.local (107-182-42-248.volcanocom.com. [107.182.42.248]) by smtp.gmail.com with ESMTPSA id 10sm522419pfh.179.2019.06.12.15.35.15 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 12 Jun 2019 15:35:15 -0700 (PDT)
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: homenet@ietf.org
References: <CADZyTkkgd8f49V+yoZvPZXx3b-_YRzpgUY1-obroq9QMLnFWNw@mail.gmail.com> <878su8fj24.wl-jch@irif.fr> <2348.1560261275@localhost> <87ftofwqut.wl-jch@irif.fr> <27503.1560302791@localhost> <87ef3zwoew.wl-jch@irif.fr> <4109.1560349340@localhost> <EC7FDA4F-1859-4B35-A8AC-D33E1A96F979@fugue.com> <ff7f2700-3862-59bd-abfb-22589562bddb@mtcc.com> <20218.1560366783@localhost> <288a310b-3b99-748d-74ce-a878ff43ee77@fresheez.com> <6179.1560377924@localhost>
From: Michael Thomas <mike@fresheez.com>
Message-ID: <604b4062-f2c5-30af-73ff-2e97b7541a9b@fresheez.com>
Date: Wed, 12 Jun 2019 15:35:13 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
MIME-Version: 1.0
In-Reply-To: <6179.1560377924@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/homenet/7ogTL5vwhBTOPXRddSI08l1ahiA>
Subject: Re: [homenet] webauthn for routers
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF Homenet WG mailing list <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Jun 2019 22:35:20 -0000

On 6/12/19 3:18 PM, Michael Richardson wrote:
> Michael Thomas <mike@fresheez.com> wrote:
>      >> Secondary admins are encouraged to guard against loss/destruction of mobile
>      >> phone, and it is also possible to enroll a second time, provided the
>      >> manufacturer agrees (this is both a feature and a bug)
>      >>
>      >> The code is at https://github.com/CIRALabs/
>      >>
>
>      > I'm not sure we're talking about the same thing? I'm just talking about the
>      > normal web interface that home routers have to hand configure them. There's
>      > no need for certs at all.
>
> Yes, that's what I'm talking about.
> Yes, there is a need for strong security.
>
> The bad guys are inside already, they send trojans, and if the router has
> passwords ("admin"/"admin"), then the bad guys just change the security
> policy.
>
> They don't do this now, because they don't need to, our home routers are
> basically swiss cheese in the outbound direction, but I'm sure they will
> learn.  Particularly, it will be easy if we have a standard (or
> defacto-standard) API.  At this point, the luci interface is probably easily
> automated.
>
> Modern browsers practically don't let you even type passwords in over HTTP
> now, so you really really really need a certificate for the inside of the
> router, and it needs to be valid.
Oh, sorry, I wasn't thinking about TLS. Obviously you need server certs 
for that. I was thinking about the client side authentication which is 
what webauthn is for, and it doesn't require certs of any kind, iirc.
>
>      > I wrote a blog post which considered the enrollment problem of a
>      > webauthn-like protocol (way before webauthn was even started). I'm not sure
>      > if it works for the special case of a home router though.
>
>      > http://rip-van-webble.blogspot.com/2012/06/using-asymmetric-keys-for-web-joinlogin.html
>
>      > Enrollment, of course, is out of scope for webauthn, per se.
>
> I'll read it.
>
Thanks, it's probably pretty dated by now, especially all of the crypto 
hackery :). The thing that I'm not sure about is whether the out-of-band 
method for adding clients would work in a home router situation. My 
solution required the server (ie, the router) to send email to somebody. 
It could be sms too, but it's not very clear that email from a naked 
router ip address would be very effective since, like, nobody accepts 
email from home net ranges. I guess in theory you could configure an 
mail account for the router, but that seems sort of like a non-starter. 
But there may be other ways to finesse this.

Mike

v2.23.0 | Report a Bug | By Email