Re: [netconf] ietf crypto types - permanently hidden

Kent Watsen <kent+ietf@watsen.net> Wed, 24 April 2019 16:07 UTC

Return-Path: <0100016a5019d7f9-7f737c63-d07c-4c7f-b12e-c5b19d50eeaf-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 71C0312001B for <netconf@ietfa.amsl.com>; Wed, 24 Apr 2019 09:07:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Level:
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MLQ745YYZLWI for <netconf@ietfa.amsl.com>; Wed, 24 Apr 2019 09:07:14 -0700 (PDT)
Received: from a8-88.smtp-out.amazonses.com (a8-88.smtp-out.amazonses.com [54.240.8.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B247E120004 for <netconf@ietf.org>; Wed, 24 Apr 2019 09:07:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1556122032; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=wE0ihBB//Q7YQLdbGK8nv1v+0/qnzhmTo+91mav0M2w=; b=R9eeE1weB8LH4DXXIMkMiSQtgXhYAexIvr2zLXiNIWBMhTLIuX4GN2vR9Wf+B8dz 55Gq6F+/2MZ737DGApnv68CN92eSyLon2XKnRBFSfjtx9s3hFlZ5n4deqBl1ojz4EM4 zQajo2T3H4Duxx5U8ugmMP5EZenGFOkRV+M85OWE=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016a5019d7f9-7f737c63-d07c-4c7f-b12e-c5b19d50eeaf-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_631C2BF9-43E4-43E4-B197-5BD005697797"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Wed, 24 Apr 2019 16:07:12 +0000
In-Reply-To: <VI1PR07MB4735949BE61335ACC8A975E7833C0@VI1PR07MB4735.eurprd07.prod.outlook.com>
Cc: =?utf-8?Q?Bal=C3=A1zs_Lengyel?= <balazs.lengyel@ericsson.com>, Martin Bjorklund <mbj@tail-f.com>, "ietfc@btconnect.com" <ietfc@btconnect.com>, "netconf@ietf.org" <netconf@ietf.org>
To: =?utf-8?B?QmFsw6F6cyBLb3bDoWNz?= <balazs.kovacs@ericsson.com>
References: <20190404164929.fsfga7s4izn7ucx5@anna.jacobs.jacobs-university.de> <20190404.194623.1178346313710501110.mbj@tail-f.com> <01dd01d4eb9c$b9a04160$4001a8c0@gateway.2wire.net> <20190405.142201.707949273328784535.mbj@tail-f.com> <413d5725-9c27-e50b-2622-1b0e2f35cdb1@ericsson.com> <VI1PR07MB4735949BE61335ACC8A975E7833C0@VI1PR07MB4735.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.102.3)
X-SES-Outgoing: 2019.04.24-54.240.8.88
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/JtEZuE1efNWTkw9Z7uST1FSl1cg>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2019 16:07:16 -0000

Regarding #1, per previous discussion, the 'permanently-hidden' text regarding such keys not being backed up or restored has been replaced (see below).  With regards to permanently hidden keys, I think the current solution with the 'generate-hidden-key' and 'install-hidden-key' is nearly ideal, if not so.

        type enumeration {
          enum permanently-hidden {
            description
              "The private key is inaccessible due to being
               protected by the system (e.g., a cryptographic
               hardware module).

               How such keys may be backed-up and restored,
               if at all, is application specific.
               
               Servers MUST fail any attempt by a client to
               configure this value directly.  This value is
               not set by clients, but rather is set by the
               'generate-hidden-key' action.";
          }
        }

 
Regarding #2, I'm unclear how a different name would be any better than "hidden".  From the above description text, the key surely seems "hidden" (from the YANG-driven management engine) to me...

Regarding #3, firstly note that the description text doesn't necessitate use of a TPM, it is merely suggestive that may a motivating reason.  Second, I'm unsure if "new actions" are needed so much as a "new approach" or maybe "different actions" (is this what you meant?). 

To dig into this again, it is common best practice to have a device generate a private key that is considered configuration, albeit protected by access-control.  The reason for this best practice is that it supports the private key never having to exist outside the device (backups and HA-replication withstanding) and, in particular, the client doesn't touch the key (there are no remnants on the client computer needing to be scrubbed).  

In addition to the best-practice angle, there's also a simplicity aspect in that invoking an action is much easier (and perhaps safer) than the client using a crypto-library.  In fact, the only reason a client might not want the server generate the private key is because of a lack of confidence in the server's key-generation implementation (e.g., the strength of the entropy, though TPM-generated entropy is rather excellent).   

To be clear, I also support enabling clients to generate private keys themselves, as there are times when it is important, but feel that it should be viewed as a special case rather than common procedure.

My recommendation is to modify the "generate/install-hidden-key" (renamed to just "generate/install-key") actions to have a flag indicating if the key should be "permanently hidden" (perhaps by using a TPM) or not, in which case configuration is created, same as if the client had used <edit-config>, but without needing to touch the key.

Yes, having an action generate config is a taboo subject, the general reasoning for which is understood [1], but it seems that exceptions should be made in special circumstances, such as this one.

[1] https://mailarchive.ietf.org/arch/msg/netconf/ezf5o9GvCsH_hDPiIX-YQKfnxj8

Kent // contributor



> On Apr 24, 2019, at 8:52 AM, Balázs Kovács <balazs.kovacs@ericsson.com>; wrote:
> 
> Hi,
>  
> Is there a conclusion on this thread?
>  
> Alternatives I’ve seen:
>  
> ‘hidden’ actions already solve the problem. 
> Backup of keys won’t be supported or special procedure needed.
> Descriptions need to be updated to generalize use case (not be restricted to TPMs).
> Current actions solve the problem, but new terminology should be needed instead of ‘hidden’ and ‘permanently hidden’.
> Backup of keys won’t be supported or special procedure needed.
> Descriptions to be updated.
> New actions needed that affect configuration for non-TPM use cases
> Backup of keys can be supported
>                                                                i.      Q: how does a restore differ from normal configuration which the generate key action was supposed to circumvent to follow security best practice?
>  
> I guess the latest mails confirm 1) or 2). Would be good to know the way forward.
>  
> Br,
> Balazs
>  
> From: netconf <netconf-bounces@ietf.org <mailto:netconf-bounces@ietf.org>> On Behalf Of Balázs Lengyel
> Sent: Friday, April 5, 2019 4:54 PM
> To: Martin Bjorklund <mbj@tail-f.com <mailto:mbj@tail-f.com>>; ietfc@btconnect.com <mailto:ietfc@btconnect.com>
> Cc: netconf@ietf.org <mailto:netconf@ietf.org>
> Subject: Re: [netconf] ietf crypto types - permanently hidden
>  
> Hello,
> 
> While using actions to configure data nodes instead of edit-config clearly has problems, in some cases it is needed. Ericsson does use it, but we try to be VERY(!) restrictive when it is allowed. IMHO  security best practice could be one case. Also we should not pretend this is the only case where the system itself manipulates configuration:
> 
> security keys
> HW insertion/removal (interface type)
> onboard automation may do it
> server capabilities that need additional configuration (must be in running as it is reference from other parts of the configuration)
> I also hope we will arrive at a solution that works for non-NMDA systems too. AFAIK  we never stated in any RFC that NMDA is a requirement for the solution. (Except for NMDA itself :-)  )
> 
> regards Balazs
> 
> On 2019. 04. 05. 14:22, Martin Bjorklund wrote:
> tom petch <ietfc@btconnect.com>; <mailto:ietfc@btconnect.com> wrote:
>  
> ----- Original Message -----
> From: "Martin Bjorklund" <mbj@tail-f.com>; <mailto:mbj@tail-f.com>
> To: <j.schoenwaelder@jacobs-university.de>; <mailto:j.schoenwaelder@jacobs-university.de>
> Cc: <netconf@ietf.org>; <mailto:netconf@ietf.org>
> Sent: Thursday, April 04, 2019 6:46 PM
>  
> Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>; <mailto:j.schoenwaelder@jacobs-university.de> wrote:
> On Thu, Apr 04, 2019 at 04:23:23PM +0000, Kent Watsen wrote:
>  
>  
> We have always said no, but the reasoning is unclear.  What are
> the
> specific objections and is there anyway to alleviate them?
>  
>  
> If editing of all configuration can be done with a single edit-data
> (or edit-config) operation, you simplify the world and you enable
> generic implementations.
>  
> Once you build silos of data that can only be manipulated with
> special
> purpose operations, you say goodbye to the idea of generic client
> libraries.
>  
> And you can no longer create all required config in one transaction;
> you have to split it into sending multiple special-purpose actions.
> Perhaps also in a certain order, that you have to figure out somehow,
> since config might have refererences to other partf of the config
> etc.
>  
> You can no longer restore a backup with just a copy-config.
>  
> Which is exactly what I have seen customers - think military - do.
>  
> Security-related information - userid, passwords, second factor , ...-
> MUST NOT be backed up like everything else - special procedures -
> authentication, encryption -  must be used.
>  
> Agreed!  BUT, then it should not be modelled as configuration, imo.
>  
> And the current model already handles this case with "hidden" keys.
>  
>  
>  
>  
> /martin
>  
>  
> This is security - it matters.
>  
> Tom Petch
>  
> So I don't think the reasoning is unclear at all.
>  
> /martin
>  
> _______________________________________________
> netconf mailing list
> netconf@ietf.org <mailto:netconf@ietf.org>
> https://www.ietf.org/mailman/listinfo/netconf <https://www.ietf.org/mailman/listinfo/netconf>
>  
>  
>  
> _______________________________________________
> netconf mailing list
> netconf@ietf.org <mailto:netconf@ietf.org>
> https://www.ietf.org/mailman/listinfo/netconf <https://www.ietf.org/mailman/listinfo/netconf>
>  
> -- 
> Balazs Lengyel                       Ericsson Hungary Ltd.
> Senior Specialist
> Mobile: +36-70-330-7909              email: Balazs.Lengyel@ericsson.com <mailto:Balazs.Lengyel@ericsson.com> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org <mailto:netconf@ietf.org>
> https://www.ietf.org/mailman/listinfo/netconf <https://www.ietf.org/mailman/listinfo/netconf>