[Mathmesh] Configure SSH with UDF key...
Phillip Hallam-Baker <firstname.lastname@example.org> Sat, 28 September 2019 22:16 UTC
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91C271200A3 for <email@example.com>; Sat, 28 Sep 2019 15:16:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Status: No, score=-1.662 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.001, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, HTML_OBFUSCATE_05_10=0.26, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.026, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([22.214.171.124]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gOEy5XB3Smtr for <firstname.lastname@example.org>; Sat, 28 Sep 2019 15:16:34 -0700 (PDT)
Received: from mail-oi1-f193.google.com (mail-oi1-f193.google.com [126.96.36.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C06712009E for <email@example.com>; Sat, 28 Sep 2019 15:16:34 -0700 (PDT)
Received: by mail-oi1-f193.google.com with SMTP id t84so8079346oih.10 for <firstname.lastname@example.org>; Sat, 28 Sep 2019 15:16:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=SbFHBygOyZnElPR3q2z5T8Hh7ojemUGm6MIdDqxnN4s=; b=EwyGT+0BMyt4ax8aE6OtCXCzYQG+pYdjlqZGdwEPcIpCwXv+yixrlQaiaNktVYmKoH 84DYR/ORmz6Pf0+0e3cqu2P9b3hbapZw4c9y4CO+fdnGyflS80z0/9Mh7nxVm2JlOyA/ PHkJ2bFEr73Av2180gUygP8reNdVJmbppdMleJlXh3e7XFE3UDSq0uUET8G/e1G8PH7l pyQ7Rg8O/9sllfqPMYi4Di90XrOzllNc9/5LS0VMEHVNX/KhcCAMC4Xg046SfzSyjbEw PrlOLTCPUNl6RUYfnyg1DKY8pGE6S33fE+1oPVSICnxqofE/C8FlVKjyYWX+dsKaEozR EaBg==
X-Gm-Message-State: APjAAAVUh+ZjgMBp13KT/fuIbloG85KJ8hso/Y87QWaEjanMrgrfiJ5y 77/agunaF6oG5IlaOz2xLIzpJCIG67kP0yKnBPEnIpWTGyA=
X-Received: by 2002:aca:c458:: with SMTP id u85mr12793248oif.100.1569708993568; Sat, 28 Sep 2019 15:16:33 -0700 (PDT)
From: Phillip Hallam-Baker <email@example.com>
Date: Sat, 28 Sep 2019 18:16:23 -0400
Content-Type: multipart/alternative; boundary="000000000000f664080593a45a9a"
Subject: [Mathmesh] Configure SSH with UDF key...
List-Unsubscribe: <https://www.ietf.org/mailman/options/mathmesh>, <mailto:firstname.lastname@example.org?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mathmesh>, <mailto:email@example.com?subject=subscribe>
X-List-Received-Date: Sat, 28 Sep 2019 22:16:37 -0000
I am just writing a series of presentations on the Mesh to put out to podcast to explain the concepts and the technology. The Mesh presents four technologies that in combinations can solve a large number of difficult problems. UDF is the one Mesh technology that does not depend on any other and I keep finding new uses. And the latest of these is to configure SSH. The biggest hassle with SSH is how to install your private key on each of the devices that you want to use it from. In theory of course, you want to have an independent key for each device so that you are not completely hosed if you lose one of them or you are passing through an airport and someone demands you login to your laptop. But most people have one private key and they move it from one machine to another in email. Oh and 'most people' probably isn't most of the people here. It only takes one pinhead to bust a hole in your corporate defenses. So I have been looking at recovery mechanisms for Mesh profiles. And one very promising approach is to use a KDF and a strong password to generate them. KDF ("ZAA2-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ-GIYA", "mmm_master_signature") KDF ("ZAA2-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ-GIYA", "mmm_master_escrow") So the encryption and signature keys are generated from Z AR2-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ-GIYA All we need to do now is to escrow ZAR2-UJUY-H7TF-SFLK-CWAW-TKC4-O5HQ which we can do by Shamir Secret sharing. What if we could also do KDF ("ZAA5-7VB6-IJXJ-WKHX-NZQF-OKGZ-EWVN-AQQE", "ssh_client") Now we have a really quick way to reconstitute the authentication key on each of the user's devices. What I was thinking of for implementation is to define a new type code, probably 200 which gives an initial letter of Z. Then make the following two bytes a 16 bit registry code saying what the key is to be used for (Mesh, SSH, etc.) Comments? As with passwords, we might well need to help people follow their current workflow in a not quite so stupid fashion before we try to change it.