Re: [netconf] latest update to crypto-types and keystore drafts

Kent Watsen <> Wed, 26 June 2019 23:37 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1850C12019C for <>; Wed, 26 Jun 2019 16:37:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id X6fwxi9NfMmy for <>; Wed, 26 Jun 2019 16:37:50 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 00300120164 for <>; Wed, 26 Jun 2019 16:37:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw;; t=1561592268; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=XWLY242m49pkjX2LLqM5Vqdg8Pf35vS9kHaLgbHrmCE=; b=KU0dv2ce0SBWygVRxQRTlbFK9rszOpoVOt8N2r5Tx55qEKzP537NnTZ7L0bIj8xs k2IYn1DzNknWmo700c5g1lep3dI0wWNiEE6c8Lt4QZ+VYaGr3b93CMNym44bsg5aog3 l95+XO5taacvR5Gs0BI9NghDYI/AXSQTe86PK6ME=
From: Kent Watsen <>
Message-ID: <>
Content-Type: multipart/alternative; boundary="Apple-Mail=_5E97E031-8771-4779-999E-F6652A25ACBB"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 26 Jun 2019 23:37:48 +0000
In-Reply-To: <>
Cc: "" <>
To: Martin Bjorklund <>
References: <> <>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.06.26-
Archived-At: <>
Subject: Re: [netconf] latest update to crypto-types and keystore drafts
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Jun 2019 23:37:52 -0000

>> 2) privileged admin copies manufacturer generated key from
>> <operational> to <running>
> The device could also store this key (or rather just the name) in its
> factory configuration.

Sure, but only if it's immutable.  To be clear, users are not able to delete the manufacturer generated key(s), at least not those use to support the device's cryptographic identity.  This is true even when wiping the device for sale...

> I don't think the public key and alg needs to go into the config.

> Or in general, if the key is configured as hidden, I think it should
> NOT have a public key and alg in the config (can be ensured with
> "must").  However, they must be present in the operational state.

Okay, but in thinking about going down that route, I'd rather use a special enum/union type values to denote the absence of these fields than to mark the nodes mandatory false.  Personally, I think it's better to duplicate the values into configuration as it does no harm and it makes them easier and more consistent to work with (e.g., clients need the public key in order to encrypt data destined to the device).  Really, I don't want any keys in <operational>, but feel that we have to make an exception for the manufacturer-generated keys (unless, to your comment above, we could mark them as immutable in the configuration).  [PS: in a previous life, I used per instance metadata when a node was immutable.]

>> 3) privileged admin encrypts a well-known (secret to the organization)
>> symmetric key using the public key from the manufacturer generated
>> asymmetric key, and stores the result (i.e., <edit-config> into
>> keystore.
> Ok.  However, if the device doesn't have a hidden
> manufacturer-supplied key from step 1 (no tpm), it would be useful if
> the admin could install this symmetric key so that it becomes hidden.
> But that action is no longer present in the model.

True, but it seems strange that a device would have the ability to store hidden keys without itself being shipped with a hidden key.  We could add a set of RPCs to manage the life-cycle of hidden keys, but I'd rather steer folks to using NACM in such cases, as I don't think it makes sense to either have 1) persistent user-created operational state or 2) persistent configuration that isn't configuration.

> Or does this model *require* the device to have such a key?  If no tpm
> exists, then it can exist on disk?

Not required.  For devices that don't have hidden keys, plain old NACM could protect the encryption-key used to protect all the other keys in the configuration.  The primary benefit would still be present, that keys subsequently generated by the device would be protected by the encryption key.  The downside would be that the encryption key itself, when generated, could not be protected in the same way.  For such situations, it would be recommended that this key be installed from a known-safe connection (i.e., via an air-gapped system).

>> 4) if replacing a device, load previous configuration.  Since all keys
>> should be encrypted to the same symmetric key, it should load without
>> error.
> Before loading the previous config, the admin must do steps 2-3 on the
> new device, right?

Correct.  To be more clear, all steps except (4) would occur on a first device and then, when an RMA is necessary, steps (1-3) would occur on a second device, following by step (4) to migrate the configuration from the first device to the second device, and then the remaining steps (5+) would be business as usual on the second device.

>> [note: one issue here with the secret symmetric key itself
>> being loaded again, but since it was encrypted using to old device's
>> manufacturer generated asymmetric key, the logic should be able to
>> handle it.]
> Hmm, can you elaborate?  It seems to me to be a problem; it needs to
> be re-installed so that it is encrypted with the new device's public
> key.

What is meant is that the symmetric key would be created once on the second device, in step (3), but because the old encrypted symmetric key was stored in configuration (on the first device), when loading the configuration here in step (4), it is as if the symmetric key is being created again on the second device.  But the logic on the second device should be able to detect this anomaly (because the key would've been encrypted by the first device's private key, and hence decryption should fail on the second device) and thus the "duplicate" symmetric key would be discarded.

>> Runtime:
>> 5) whenever a regular admin wishes to use a new key, they call the
>> generate-symmetric-key or generate-asymmetric-key RPC, requesting the
>> device to generate a key for them, encrypting the result using the
>> secret organization key.
>> 6) The RPC output returns the key value (encrypted).
>> 7) The regular admin uses e.g., <edit-config> to store the key into
>> <running>.
>> Use cases: 
>>  0: normal (just NACM-protected) keys:  supported.
>>  1: manufacturer-generated permanently hidden keys: supported.
>>  2: device-generated keys: supported.
>>  3: device-generated keys in config: supported
>>  4: permanently hidden keys: not recommended nor directly
>>     supported, but one could always encrypt a key with the
>>     device's public key, thus generating a key that only the
>>     device can decrypt, and hence effectively permenently
>>     hidden.
>> Please let me know soon if you object to any aspect of this or,
>> better, support it, as I need to update the remaining drafts to
>> reflect these changes at some point soon.
> Also, if we go this route, this draft (keystore) needs more text, and
> also explain the use cases described above.

Agreed.   I also never documented the "generate-symmetric-key" and "generate-asymmetric-key" RPCs...

Regarding "going this route", your response thus far seems to be on the level so, would it be fair to say that you're leaning towards thinking that it might be okay?

> Then there are some details, e.g. why do we have 
>    identity asymmetric-key-algorithm {
>      description
>        "Base identity from which all asymmetric key
>         encryption Algorithm.";
>    }
> vs
>    identity encryption-algorithm {
>      description
>        "A base identity for encryption algorithm.";
>    }
> Why isn't the latter called "symmetric-key-algorithm"?

These identities (now enumerations) are coming from the crypto-types module in a section maintained by my co-author from Huawei who has even more crypto-clue than I.   My guess is that this is what they're called in IANA registries for historical reasons.

> /martin

Kent // contributor