Re: [netconf] latest update to crypto-types and keystore drafts

Martin Bjorklund <mbj@tail-f.com> Wed, 26 June 2019 08:56 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 254CA12022E for <netconf@ietfa.amsl.com>; Wed, 26 Jun 2019 01:56:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UU0lY7spFt-j for <netconf@ietfa.amsl.com>; Wed, 26 Jun 2019 01:56:10 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id AE935120225 for <netconf@ietf.org>; Wed, 26 Jun 2019 01:56:10 -0700 (PDT)
Received: from localhost (h-4-215.A165.priv.bahnhof.se [158.174.4.215]) by mail.tail-f.com (Postfix) with ESMTPSA id 603CC1AE0351; Wed, 26 Jun 2019 10:56:08 +0200 (CEST)
Date: Wed, 26 Jun 2019 10:56:08 +0200
Message-Id: <20190626.105608.121899679021225720.mbj@tail-f.com>
To: kent+ietf@watsen.net
Cc: netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <0100016b68794a39-0d934910-4b4b-4801-8d56-27f678081e93-000000@email.amazonses.com>
References: <0100016b68794a39-0d934910-4b4b-4801-8d56-27f678081e93-000000@email.amazonses.com>
X-Mailer: Mew version 6.7 on Emacs 25.2 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/kHjsaffV1PwrLe_rX9w5ez_zCFo>
Subject: Re: [netconf] latest update to crypto-types and keystore drafts
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 08:56:14 -0000

Hi,

Kent Watsen <kent+ietf@watsen.net> wrote:
> 
> I started off trying to create a variation of "#2" but, as got into
> it, I realized that *encrypting* the keys would solve most problems.
> Note that we really don't want "hidden" keys at all, as them not being
> part of configuration causes backup/restore problems.  What we want
> are values that can be treated like config, but are non-sensical
> without the decryption key.  Values MAY be encrypted using a
> manufacturer-generated key (which locks the value to the device), or a
> key generated by a *privileged* admin, which opens up the possibility
> for the key to float between devices.
> 
> Specifically, imagine the following:
> 
> Precondition:
> 1) devices are shipped from manufacturer with a hidden asymmetric key
> in <operational>
> 
> Post-SZTP Onboarding:
> 2) privileged admin copies manufacturer generated key from
> <operational> to <running>

The device could also store this key (or rather just the name) in its
factory configuration.

I don't think the public key and alg needs to go into the config.

Or in general, if the key is configured as hidden, I think it should
NOT have a public key and alg in the config (can be ensured with
"must").  However, they must be present in the operational state.

> 3) privileged admin encrypts a well-known (secret to the organization)
> symmetric key using the public key from the manufacturer generated
> asymmetric key, and stores the result (i.e., <edit-config> into
> keystore.

Ok.  However, if the device doesn't have a hidden
manufacturer-supplied key from step 1 (no tpm), it would be useful if
the admin could install this symmetric key so that it becomes hidden.
But that action is no longer present in the model.

Or does this model *require* the device to have such a key?  If no tpm
exists, then it can exist on disk?


> Device Swap:
> 4) if replacing a device, load previous configuration.  Since all keys
> should be encrypted to the same symmetric key, it should load without
> error.

Before loading the previous config, the admin must do steps 2-3 on the
new device, right?

> [note: one issue here with the secret symmetric key itself
> being loaded again, but since it was encrypted using to old device's
> manufacturer generated asymmetric key, the logic should be able to
> handle it.]

Hmm, can you elaborate?  It seems to me to be a problem; it needs to
be re-installed so that it is encrypted with the new device's public
key.

> Runtime:
> 5) whenever a regular admin wishes to use a new key, they call the
> generate-symmetric-key or generate-asymmetric-key RPC, requesting the
> device to generate a key for them, encrypting the result using the
> secret organization key.
> 6) The RPC output returns the key value (encrypted).
> 7) The regular admin uses e.g., <edit-config> to store the key into
> <running>.
> 
> 
> Use cases: 
>   0: normal (just NACM-protected) keys:  supported.
>   1: manufacturer-generated permanently hidden keys: supported.
>   2: device-generated keys: supported.
>   3: device-generated keys in config: supported
>   4: permanently hidden keys: not recommended nor directly
>      supported, but one could always encrypt a key with the
>      device's public key, thus generating a key that only the
>      device can decrypt, and hence effectively permenently
>      hidden.
> 
> 
> Please let me know soon if you object to any aspect of this or,
> better, support it, as I need to update the remaining drafts to
> reflect these changes at some point soon.

Also, if we go this route, this draft (keystore) needs more text, and
also explain the use cases described above.

Then there are some details, e.g. why do we have 

    identity asymmetric-key-algorithm {
      description
        "Base identity from which all asymmetric key
         encryption Algorithm.";
    }

vs

    identity encryption-algorithm {
      description
        "A base identity for encryption algorithm.";
    }

Why isn't the latter called "symmetric-key-algorithm"?




/martin


> 
> 
> Below are the change log entries.
> 
> crypto-types:
> 
>    o  Removed the 'generate-key and 'hidden-key' features.
> 
>    o  Added grouping symmetric-key-grouping
> 
>    o  Modified 'asymmetric-key-pair-grouping' to have a 'choice'
>       statement for the keystone module to augment into, as well as
>       replacing the 'union' with leafs (having different NACM settings.
> 
>    o Diffs:
>    https://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-crypto-types-08
>    <https://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-crypto-types-08>
> 
> 
> keystore:
> 
>    o  Replaced typedef asymmetric-key-certificate-ref with grouping
>       asymmetric-key-certificate-ref-grouping.
> 
>    o  Added feature feature 'key-generation'.
> 
>    o  Cloned groupings symmetric-key-grouping, asymmetric-key-pair-
>       grouping, asymmetric-key-pair-with-cert-grouping, and asymmetric-
>       key-pair-with-certs-grouping from crypto-keys, augmenting into
>       each new case statements for values that have been encrypted by
>       other keys in the keystore.  Refactored keystore model to use
>       these groupings.
> 
>    o  Added new 'symmetric-keys' lists, as a sibling to the existing
>       'asymmetric-keys' list.
> 
>    o  Added RPCs (not actions) 'generate-symmetric-key' and 'generate-
>       asymmetric-key' to *return* a (potentially encrypted) key.
> 
>    o Diffs:
>    https://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-keystore-11
>    <https://www.ietf.org/rfcdiff?url2=draft-ietf-netconf-keystore-11>
> 
> 
> 
> 
> Kent // contributor
> 
> 
> 
> 
> 
>