Re: [netconf] ietf crypto types - permanently hidden

Balázs Kovács <balazs.kovacs@ericsson.com> Mon, 25 March 2019 13:00 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A9071203EF for <netconf@ietfa.amsl.com>; Mon, 25 Mar 2019 06:00:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.023
X-Spam-Level:
X-Spam-Status: No, score=-1.023 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MgOZHtx39x1Y for <netconf@ietfa.amsl.com>; Mon, 25 Mar 2019 06:00:52 -0700 (PDT)
Received: from EUR02-VE1-obe.outbound.protection.outlook.com (mail-ve1eur02on0628.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe06::628]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 119BE1203E7 for <netconf@ietf.org>; Mon, 25 Mar 2019 06:00:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8LJKPuiK2mVaOn6bh2l/HBhnTt5bu+YEPWw2gw3/V9A=; b=jOqgd2QiruwXcmFKXqg2iviLlbsYXZoapu3NA5faHo9e7+MqRBIwI/kl5d7Q/TjzWt8XYkz9st3TrtDCJoDgSDwcggjXTV3cHaGzuojyGx6zL9b7/vkjvsc/gPTEp/lFVODStR74hu6Jh+BzFuTk+HRhOo0gCFk1eiRhj0mQVRI=
Received: from VI1PR07MB4735.eurprd07.prod.outlook.com (20.177.57.146) by VI1PR07MB6176.eurprd07.prod.outlook.com (20.178.9.85) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1750.14; Mon, 25 Mar 2019 13:00:49 +0000
Received: from VI1PR07MB4735.eurprd07.prod.outlook.com ([fe80::807b:cd48:c48:cf03]) by VI1PR07MB4735.eurprd07.prod.outlook.com ([fe80::807b:cd48:c48:cf03%4]) with mapi id 15.20.1750.014; Mon, 25 Mar 2019 13:00:49 +0000
From: =?utf-8?B?QmFsw6F6cyBLb3bDoWNz?= <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>, tom petch <ietfc@btconnect.com>
CC: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] ietf crypto types - permanently hidden
Thread-Index: AdTf8DCbvspujhISQkyURJOX9ReFpABvbIeAAFYG6nA=
Date: Mon, 25 Mar 2019 13:00:49 +0000
Message-ID: <VI1PR07MB47351FF76BBF6C56AC6E64B5835E0@VI1PR07MB4735.eurprd07.prod.outlook.com>
References: <VI1PR07MB4735863E79020AD84C4FDF9483420@VI1PR07MB4735.eurprd07.prod.outlook.com> <20190321152920.jdkny7szk7ik3sp4@anna.jacobs.jacobs-university.de> <VI1PR07MB47355E3E3C5D703122258C2583430@VI1PR07MB4735.eurprd07.prod.outlook.com> <00b701d4e0cb$e79e9660$4001a8c0@gateway.2wire.net> <01000169ac01ff08-27f75526-1e78-461a-be8e-9737cf762edf-000000@email.amazonses.com>
In-Reply-To: <01000169ac01ff08-27f75526-1e78-461a-be8e-9737cf762edf-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [2a02:ab88:2cb8:5600:7166:7f58:c11f:5c24]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8ebdecd8-63fa-41be-7040-08d6b121e7a5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020); SRVR:VI1PR07MB6176;
x-ms-traffictypediagnostic: VI1PR07MB6176:
x-ms-exchange-purlcount: 2
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-microsoft-antispam-prvs: <VI1PR07MB6176AA23FDA3CE5398FD2CC1835E0@VI1PR07MB6176.eurprd07.prod.outlook.com>
x-forefront-prvs: 0987ACA2E2
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(366004)(346002)(376002)(136003)(396003)(13464003)(51444003)(199004)(189003)(8936002)(14454004)(186003)(53546011)(6506007)(102836004)(966005)(8676002)(76176011)(6116002)(85182001)(81166006)(81156014)(6436002)(25786009)(478600001)(105586002)(7696005)(85202003)(106356001)(6246003)(99286004)(316002)(54906003)(110136005)(52536014)(74316002)(55016002)(7736002)(305945005)(53936002)(5660300002)(33656002)(6306002)(9686003)(229853002)(68736007)(2906002)(93886005)(4326008)(256004)(14444005)(97736004)(46003)(71200400001)(486006)(71190400001)(446003)(66574012)(11346002)(476003)(86362001); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB6176; H:VI1PR07MB4735.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: WvlOKabOS1yjX7A7rdFEd+MZoSAJi+qvF8/8mK5a70JdFhG3/v6SbAAbv5Of0t/eLzmdh+Az1Aehls2+W8DfCfMO6DWMAZJor26uAYjItgwf8c8MwvJYs8izJbyprv6jk92UOIQGcYfrx5tYkjvDSRVoP0WBQ9QdnywJ0Ws3+Ml5JQg9GTCaMIAtjsb9dxXm8f6tJ4oUI+eNVbWdmK1flMvDoJYgoCCoGiS2Bg7PjIQvaxZ1xI8G4IzdvgpfRJOWy0LTYEHt4B66YHdA76lIJZzhchFafzdWjOcEE2iDAcgAbmLUYk9cU151UnLr0DCKC+HzdwzAs7mcKqjrUgdb6rlq7ZYg3aHtLxjYKW9I4D/0K2RnkcJSnAk4c46Bv10ASIbhI6V8DbjGSCvqfIqyqXKOcWBDTNQ4RZ/4D0Ug/yU=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8ebdecd8-63fa-41be-7040-08d6b121e7a5
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Mar 2019 13:00:49.5918 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB6176
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qhMfTLeZSbGkdlA6Es_nXgxXrew>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Mar 2019 13:00:56 -0000

Hi,

In some implementations I can understand that backup/restore is via YANG interface, but backup/restore is possible by other methods too. On the other hand, the private key material should be created and kept on the owner device according to best security practices and certification done by for example a certificate signing request.

In that sense the generate-hidden-key action and the CSR creation action are solving the most common need for handling keys, and that is really regardless if the key is stored in a TPM, a file system, or centralized KMS.

I personally was fine with 'hidden' and I was also ok with the current actions, it was only the descriptions that seemed to be restrictive to TPM usage, thus I was asking some clarification. However, if 'hidden' is not true this way, then just call it 'generate-key'. Would that then create a binary string for the 'private-key' in operational too instead of 'permanently-hidden' thus you are referring to a 3rd option?

Br,
Balazs

-----Original Message-----
From: Kent Watsen <kent+ietf@watsen.net>; 
Sent: Saturday, March 23, 2019 8:23 PM
To: tom petch <ietfc@btconnect.com>;
Cc: Balázs Kovács <balazs.kovacs@ericsson.com>;; Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>;; netconf@ietf.org
Subject: Re: [netconf] ietf crypto types - permanently hidden


[top-posting for convenience]

At first we had an RPC to create a key-pair (protected or not) so as to support the best practice of the private key never leaving a device.  But backup/restore became an issue, and Martin made a persuasive argument that the private key SHOULD be configuration (not operational state).  Thusly, we relegated the RPC (now called “generate-hidden-key”) to the special case where the system generates a key that is operational-state and inaccessible (at least, not in its raw form; it may be accessible in a shrouded form) and, for all other cases, the client MUST configure the key pair (transmitted over the wire, not best practice, oh well).

Currently there are only these two options, based on the accessibility of the private key. Is the request to introduce a third option, but isn’t the intent better supported by access-control?  [the “private-key” leaf is nacm:default-deny-all]. 

Renaming “hidden” to “inaccessible” seems okay albeit, in both cases, it’s the unspecified subject (client vs system) that matters (i.e., hidden/inaccessible to whom?).  

Kent // contributor



Sent from my iPad
> On Mar 22, 2019, at 5:28 PM, tom petch <ietfc@btconnect.com>; wrote:
> 
> ----- Original Message -----
> From: "Balázs Kovács" <balazs.kovacs@ericsson.com>;
> Sent: Friday, March 22, 2019 12:44 PM
> 
> Hi,
> 
> I would really prefer the definition for 'hidden' as 'not accessible 
> via YANG protocols'. The explanation is that regardless of what method 
> I use to create/store the private keys, I still might not want the 
> operator to generate keys outside of the device or configure binary secret strings.
> 
> <tp>
> 
> I think that the meaning of the term 'hidden' varies depending on 
> which part of the I-D you are reading.  The term is absent from the 
> referenced RFC, 8017 and 5915, which is probably not a coincidence.  
> Rather, the terminology of the literature is of a key pair, made up of 
> a public and private key so the action generate-hidden-key { probably 
> means generate-key-pair; but, in other places, the word 'hidden' 
> clearly has different semantics and would probably best be replaced by 
> something else, such as inaccessible.
> 
> Tom Petch
> 
> I considered TPM protection for hidden keys is an option or example so 
> far, which adds limitations or additional complexity for moving keys, 
> but should not be the only option for hidden keys. The descriptions 
> mention TPM as example, then the rest of the text should align also to 
> keep that as example.
> 
> Br,
> Balazs
> 
> -----Original Message-----
> From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>;
> Sent: Thursday, March 21, 2019 4:29 PM
> To: Balázs Kovács <balazs.kovacs@ericsson.com>;
> Cc: netconf@ietf.org; Kent Watsen <kent@watsen.net>;
> Subject: Re: [netconf] ietf crypto types - permanently hidden
> 
> I agree, I do not understand the second sentence either. My problem is 
> that I do not know what a 'real' private key is, are hidden keys 
> somewhat unreal? Or is "not hidden" = "real"?
> 
> The last sentence can probably be fixed; I think the intention was to 
> say that you can't backup and restore hidden keys by retrieving 
> configuration and restoring the configuration.
> 
> In general, I think we need a definition what a hidden key is. Is 
> something not exposed via a YANG interface a hidden key (but it may be 
> a regular key when using other device access methods)? Or do we 
> require that a hidden key is generally protected? I assume some people 
> want to have flexibility here but from the viewpoint of a security 
> administrator it matters a lot whether 'hidden' means 'generally not 
> accessible' or only 'not accessible via YANG protocols'.
> 
> The description of install-hidden-key seems to indicate a key is 
> already 'hidden' if it only exists in <operational>. Is this really a 'hidden'
> key or more an 'ephemeral' key?
> 
> /js
> 
>> On Thu, Mar 21, 2019 at 02:23:27PM +0000, Balázs Kovács wrote:
>> Hi,
>> 
>> The 'generate-hidden-key' action is meant for cases when the key must
> be generated in the device and not the operator is configuring it. The 
> 'generate-hidden-key' is said to produce a 'permanently-hidden'
> asymmetric key. The description of 'permanently-hidden' is as follows:
>> 
>>                "The private key is inaccessible due to being
>>                  protected by the system (e.g., a cryptographic
>>                  hardware module).  It is not possible to
>>                  configure a permanently hidden key, as a real
>>                  private key value must be set.  Permanently
>>                  hidden keys cannot be archived or backed up.";
>> 
>> Th second sentence doesn't sound right. I can create a permanently
> hidden key any time by calling the 'generate-hidden-key' action, or if 
> the device or the model allows I could even switch to non-hidden key, 
> I believe, by providing the binary. So I find the second sentence 
> irrelevant in this description.
>> 
>> More importantly, I find the "Permanently hidden keys cannot be
> archived or backed up" statement false. Isn't that implementation 
> specific how archiving is done? If a device puts the hidden keys on 
> some storage, it may still be possible to back them up. I would prefer 
> to remove this sentence and leave backup considerations to implementations.
>> 
>> Could these changes be done?
>> 
>> Br,
>> Balazs
> 
>> _______________________________________________
>> netconf mailing list
>> netconf@ietf.org
>> https://www.ietf.org/mailman/listinfo/netconf
> 
> 
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
>