Re: [netconf] latest update to crypto-types and keystore drafts

Balázs Kovács <balazs.kovacs@ericsson.com> Tue, 06 August 2019 07:11 UTC

From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Date: Tue, 6 Aug 2019 07:11:14 +0000
Message-ID: <VI1PR07MB4735A5E44BC4ED30BC4D696D83D50@VI1PR07MB4735.eurprd07.prod.outlook.com>
References: <B8F9A780D330094D99AF023C5877DABAA49BA5A2@nkgeml513-mbx.china.huawei.com> <0100016bb4e4e11b-6cbb1c43-dea2-4c3f-a908-4a9ecfc69589-000000@email.amazonses.com> <VI1PR07MB4735C489562D237D5A72B24383D90@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016c54bba638-1b5714c0-bd81-473a-b6f7-71f5ab0033ba-000000@email.amazonses.com> <VI1PR07MB4735AE58A2FC2778EE03DD7E83DA0@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016c631aac91-86a67985-7e50-47ef-924d-8477383fd479-000000@email.amazonses.com>
In-Reply-To: <0100016c631aac91-86a67985-7e50-47ef-924d-8477383fd479-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/QvUmceqJsXcH7wvU2jAT8tIqc_c>
Subject: Re: [netconf] latest update to crypto-types and keystore drafts
List-Id: NETCONF WG list <netconf.ietf.org>

Hi Kent,

Yes, sorry. This addition of symmetric-key is still too new to me. I meant the equivalent of the clear and NACM-protected key under symmetric keys, which is just called ‘key’ in draft-ietf-netconf-keystore-12.

The reasons could be: the TPM or equivalent key may not exist or may not be present in the keystore (which are roughly the same); or, since the encryption of the operator-key is all up to the client, the client may just not implement encryption with the TPM or equivalent hidden public key, as the client does not see extra security gains with that (the operator-key was created outside anyhow, so it is already known by the client).

Br,
Balazs

From: Kent Watsen <kent+ietf@watsen.net>
Sent: Monday, August 5, 2019 8:46 PM
To: Balázs Kovács <balazs.kovacs@ericsson.com>
Cc: netconf@ietf.org
Subject: Re: [netconf] latest update to crypto-types and keystore drafts

On Aug 5, 2019, at 3:58 AM, Balázs Kovács <balazs.kovacs@ericsson.com> wrote:

> Hi Kent,
>
> Yes, it makes.
>
> I assume the “secret” symmetric key could be just equally configured as a normal private-key since the key is coming from outside, depending on the taste of the client whether it is just a NACM-protected normal private-key or an encrypted key.

Since a symmetric key has "secret" value more so than "private" value, if we replace "private-key" with "secret-key" above, then yes, I agree. Stated more plainly, a platform that doesn't have a TPM (or equivalent) protected asymmetric key could instead protect the operator's symmetric key using NACM (i.e., only the crypto-officer/restore-session can access it). Is this what you mean?

> Br,
> Balazs

Kent
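The two ways of holding an operator's symmetric key that this thread discusses, cleartext with read access fenced off by NACM, or encrypted under an asymmetric key whose private half is hidden in a TPM (or equivalent) and which must itself be present in the keystore, can be checked mechanically before a configuration is committed. The following Python is an added example, not code from this thread or from the keystore or crypto-types drafts; the node names (cleartext-key, encrypted-key, encrypted-by, hidden-private-key), the dictionary layout of the keystore and NACM data, the simplified first-match NACM evaluation, and all sample values are assumptions of this example rather than the drafts' YANG.

```python
"""Lint a (simplified, assumed) keystore against the two storage options for an
operator's symmetric key:
  1. cleartext-key: acceptable only if NACM lets no group outside the allowed
     set (e.g. crypto-officer) read it;
  2. encrypted-key: must reference an asymmetric key that is present in the
     keystore and whose private half is hidden (TPM or equivalent).
The node names and the NACM model below are assumptions for this example, not
the exact YANG of draft-ietf-netconf-keystore-12."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    key_name: str
    problem: str


def _node_path(key_name: str, leaf: str) -> str:
    # Assumed path shape for a leaf of one symmetric-key list entry.
    return f"/keystore/symmetric-keys/symmetric-key/{key_name}/{leaf}"


def readable_groups(nacm: dict, node_path: str) -> set:
    """Groups that can read node_path under a simplified NACM evaluation:
    rule-lists are scanned in order, the first rule whose path is a prefix of
    the node path and that covers 'read' decides, and a group with no matching
    rule falls back to read-default (the easily forgotten case)."""
    readers = set()
    for group in nacm["groups"]:
        decision = nacm.get("read-default", "permit")
        for rule_list in nacm["rule-list"]:
            if group not in rule_list["groups"]:
                continue
            for rule in rule_list["rules"]:
                if "read" in rule["access"] and node_path.startswith(rule["path"]):
                    decision = rule["action"]
                    break
            else:
                continue  # no rule matched in this rule-list, try the next one
            break  # first matching rule wins
        if decision == "permit":
            readers.add(group)
    return readers


def check_keystore(keystore: dict, nacm: dict, allowed_readers: set) -> list:
    """Return one Finding per problem; an empty list means both options are
    applied consistently."""
    findings = []
    asym = {k["name"]: k for k in keystore.get("asymmetric-keys", [])}
    for key in keystore.get("symmetric-keys", []):
        name = key["name"]
        has_clear = "cleartext-key" in key
        has_enc = "encrypted-key" in key
        if has_clear == has_enc:
            findings.append(Finding(name, "must carry exactly one of cleartext-key or encrypted-key"))
            continue
        if has_enc:
            ref = key["encrypted-key"]["encrypted-by"]
            if ref not in asym:
                findings.append(Finding(name, f"encrypted-by references '{ref}', which is not in the keystore"))
            elif not asym[ref].get("hidden-private-key", False):
                findings.append(Finding(name, f"encrypting key '{ref}' is not a hidden (TPM or equivalent) key"))
        else:
            extra = readable_groups(nacm, _node_path(name, "cleartext-key")) - allowed_readers
            for group in sorted(extra):
                findings.append(Finding(name, f"cleartext-key is readable by NACM group '{group}'"))
    return findings


# Constructed sample data (not from any real device or from the drafts).
KEYSTORE = {
    "asymmetric-keys": [
        {"name": "tpm-key", "hidden-private-key": True, "public-key": "<constructed public key>"},
        {"name": "soft-key", "hidden-private-key": False, "public-key": "<constructed public key>"},
    ],
    "symmetric-keys": [
        {"name": "op-key-tpm", "encrypted-key": {"encrypted-by": "tpm-key", "value": "<ciphertext>"}},
        {"name": "op-key-clear", "cleartext-key": "<base64 key bytes>"},
        {"name": "op-key-dangling", "encrypted-key": {"encrypted-by": "missing-key", "value": "<ciphertext>"}},
        {"name": "op-key-soft", "encrypted-key": {"encrypted-by": "soft-key", "value": "<ciphertext>"}},
    ],
}

NACM = {
    "read-default": "permit",
    "groups": ["crypto-officer", "operators", "monitoring"],
    "rule-list": [
        {"groups": ["crypto-officer"],
         "rules": [{"path": "/keystore", "access": ["read", "create", "update", "delete"], "action": "permit"}]},
        {"groups": ["operators"],
         "rules": [{"path": "/keystore/symmetric-keys", "access": ["read"], "action": "deny"}]},
    ],
}

if __name__ == "__main__":
    for finding in check_keystore(KEYSTORE, NACM, {"crypto-officer"}):
        print(f"{finding.key_name}: {finding.problem}")
```

On the constructed data the check flags three of the four keys: the cleartext key is readable by the monitoring group because no rule covers it and read-default is permit, one encrypted key references an asymmetric key that is not in the keystore (the first reason given above for a client not using that option), and one is encrypted under a key whose private half is not hidden. Only op-key-tpm passes, which is the configuration the thread treats as equivalent in protection to a properly NACM-fenced cleartext key.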