Re: [netconf] latest update to crypto-types and keystore drafts

Balázs Kovács <balazs.kovacs@ericsson.com> Fri, 02 August 2019 12:41 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74775120098 for <netconf@ietfa.amsl.com>; Fri, 2 Aug 2019 05:41:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M4jMiPYT2Fvu for <netconf@ietfa.amsl.com>; Fri, 2 Aug 2019 05:41:17 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60059.outbound.protection.outlook.com [40.107.6.59]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BC095120033 for <netconf@ietf.org>; Fri, 2 Aug 2019 05:41:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ecOiUAVnbNA6qwAwRoUAp1z1W9u04uQil0h0wWj3ClQqjuryNqpdTiHOwVv3Y46ezL/K5/fk8cD6A+cF0gqHlk5c1QXkcIASgTqCNdNL8uHdWlB+0Hm4y3go6928fTr1CoR4HsUcrVX6aaKCFu+AJTxfYdSJon5DpZlqTHAsi2pIOFBuibwbWLRdsBUZtjh6Y7xuJs9YRc1bxMOwh8NLPA8uBYGApvBaGJxd5FKNnMKdZNH4nzjJQ+d6P2gNqVF2Ma+dNuVvlybZit8j2IUgCaAqTP4BsOGYfJ1IYnFLabjy2bTCczHFLXXawnV4b5KmCtY2cIA9ZO4TMGirA9nhow==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eFbZ2PfHV0eVBdnFpJe7mlumKP55OO7K9paEWNT4eDY=; b=P9HKRZEwcCob2tMNeckiDy00sUGnn/uNMSX0pfxMcadzlgUPACK0yYOHyCS861Y7yagXcdblVdcaWOy+qpfPJjuEo8O70WKckbQeX6G5dfN+DVyt0RhDqzewJ6NzYUkV4bQD9v0pTyPWF3BgaismZ8FCXubQLywsPElEWrUtGt0SdiXcffl7HO5lETH2rbd4wbkwLwg0g1LjULJnOvQEtqnGm26DzbG4X81CealHXp0A/RV2UaE8PqSbm01+zI9pzqunbqnXww4l88zWZB5jZaAwP+cOmWCcaC0cfSp0BnducFSJhS5EvKrWnummkUHKgElr0yl1szWFXw5LgE2NhA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=eFbZ2PfHV0eVBdnFpJe7mlumKP55OO7K9paEWNT4eDY=; b=WDwnhmOPmikuenkrrXUj9LXWmHlWCB/Dx+4JYwa3l0i3Q3doJqUFIEYHyn6+q4ifyJkKTqrlZWDS879W8U8UpGfFmTJBNmI60IgQk0krFxe3Lho2+xIkPt+zg4zoJnx+wndQ25lzvsdgdAS4cmD7BGp4Cc6WB4uaJQBJszavWUc=
Received: from VI1PR07MB4735.eurprd07.prod.outlook.com (20.177.57.146) by VI1PR07MB6429.eurprd07.prod.outlook.com (10.186.160.7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2157.8; Fri, 2 Aug 2019 12:41:14 +0000
Received: from VI1PR07MB4735.eurprd07.prod.outlook.com ([fe80::4d62:fa38:f8a5:9299]) by VI1PR07MB4735.eurprd07.prod.outlook.com ([fe80::4d62:fa38:f8a5:9299%6]) with mapi id 15.20.2136.010; Fri, 2 Aug 2019 12:41:14 +0000
From: =?iso-8859-1?Q?Bal=E1zs_Kov=E1cs?= <balazs.kovacs@ericsson.com>
To: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] latest update to crypto-types and keystore drafts
Thread-Index: AdUuSuzipKZ4tapKQ5qFcPhBDiZorQC3hTeABgDDVnA=
Date: Fri, 2 Aug 2019 12:41:14 +0000
Message-ID: <VI1PR07MB4735C489562D237D5A72B24383D90@VI1PR07MB4735.eurprd07.prod.outlook.com>
References: <B8F9A780D330094D99AF023C5877DABAA49BA5A2@nkgeml513-mbx.china.huawei.com> <0100016bb4e4e11b-6cbb1c43-dea2-4c3f-a908-4a9ecfc69589-000000@email.amazonses.com>
In-Reply-To: <0100016bb4e4e11b-6cbb1c43-dea2-4c3f-a908-4a9ecfc69589-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-originating-ip: [192.176.1.80]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: a16fbd46-c1cf-4688-402d-08d71746b4c6
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:VI1PR07MB6429;
x-ms-traffictypediagnostic: VI1PR07MB6429:
x-microsoft-antispam-prvs: <VI1PR07MB6429BC4BFB860945D03091E383D90@VI1PR07MB6429.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 011787B9DD
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(346002)(366004)(39860400002)(136003)(376002)(189003)(199004)(186003)(7736002)(476003)(2501003)(11346002)(446003)(74316002)(68736007)(66066001)(76116006)(14454004)(71190400001)(71200400001)(256004)(6506007)(316002)(7696005)(76176011)(99286004)(26005)(110136005)(486006)(86362001)(53936002)(478600001)(8936002)(6246003)(54896002)(9686003)(81156014)(102836004)(8676002)(6306002)(81166006)(6116002)(3846002)(33656002)(790700001)(9326002)(55016002)(66476007)(66556008)(229853002)(66946007)(45776006)(66446008)(52536014)(64756008)(6436002)(5660300002)(2906002)(25786009); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB6429; H:VI1PR07MB4735.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 2l/xHc5GKM5L9Zp27jmrz1R1t8w95s2nyNOix2tASgHm27wFMsvkw7T9mLRzua+0CDP1CmMTGbykXcpylUSN0Xs+odNeWthnwbOw4WMIhUTgYEk3zdzo1fXwsxAOJgOa6rjxRPz40nlIGukYo6EBMp6fb8fzFcYTdjgKvQjyxbzW/p0vVkaXc9RfW5za4TZsELN+uK/QHEcpOd/kFczEMTk61hhBg/7tMiz9ARI7JN/C1ILU2OLk0LCcqs89QtRqNzSzhwZ3A7Yg/WmMR48NxEAi5Fwt4gNmOkmtIqnTPjE4ySUjDlMG4AmAtVFCsliN0XirCRqq7kT3ElFbOtZQSYkrQfvZVyN3Zj4wKzOIxChrdWoUfw6XXB8V4wTD7BPKf7wfHmUGD9jkPgD+J36oVrUuHoARnoVBkg8JhU+pBxE=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_VI1PR07MB4735C489562D237D5A72B24383D90VI1PR07MB4735eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: a16fbd46-c1cf-4688-402d-08d71746b4c6
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Aug 2019 12:41:14.2896 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: balazs.kovacs@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB6429
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/4axLqTUpEwOhk7VoVoJQCrzU5N8>
Subject: Re: [netconf] latest update to crypto-types and keystore drafts
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 02 Aug 2019 12:41:20 -0000

Hi,

One question regarding migratable keys. The conversation between Kent and Martin was concluded with this in the list:

"That said, the general recommendation, which would both be correct and avoid any potential failures, would be for the client to remove the device-specific and operator-wide keys first, leaving just the migratable keys in the config uploaded to the second device."

I don't see how migration is possible here. The migratable keys were generated on the first device and are encrypted with the operator key of the first device. Does the second device has a different operator key? If yes, the migrated encrypted keys cannot be decrypted by the second device.

Unless I misunderstand this statement (which I don't see how to achieve in the model):

"3) privileged admin encrypts a well-known (secret to the organization) symmetric key using the public key from the manufacturer generated asymmetric key, and stores the result (i.e., <edit-config> into keystore."

Does this well-known symmetric key mean that the symmetric key was generated externally thus its clear value must be configured to /ks:keystore/ks:asymmetric-keys/ks:asymmetric-key/ct:private-key? How is the operator key configured in clear to the second device so that it gets encrypted with the hidden manufacturer key of the second device?

Br,
Balazs