IETF Logo Mail Archive

Re: [netconf] latest update to crypto-types and keystore drafts

Kent Watsen <kent+ietf@watsen.net> Fri, 28 June 2019 14:36 UTC

Return-Path: <0100016b9e83cb7e-2fe6c750-56d9-4e46-8b4a-2ef94a67c2c0-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55C34120123 for <netconf@ietfa.amsl.com>; Fri, 28 Jun 2019 07:36:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BZL6of_dybpX for <netconf@ietfa.amsl.com>; Fri, 28 Jun 2019 07:36:07 -0700 (PDT)
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [54.240.8.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F13C1200C5 for <netconf@ietf.org>; Fri, 28 Jun 2019 07:36:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1561732566; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=hMRBBNGqQoOEB4EL+3Gi9hT3j/e6gAyGUaovloXFVNQ=; b=SnF4bUphA++Rmsj28k8z6krSjvoHzUKptyETcqB8EVtuU0MvxNKvgSpwr920vRms FA7QNKc1SH8yPIJxRbhegKi8cx8pLo9H/4NIGqUsHPopMSzePeOQ18tqXfdSswrsgtz yMr/UFfFSh+n/7pMX3yLuTgD5LpP/2wN7ww2sPIc=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016b9e83cb7e-2fe6c750-56d9-4e46-8b4a-2ef94a67c2c0-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_51CB4354-33B5-4E34-B8B3-C85487FAAEEF"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Fri, 28 Jun 2019 14:36:06 +0000
In-Reply-To: <20190628.142225.1179923611746773969.mbj@tail-f.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Martin Bjorklund <mbj@tail-f.com>
References: <0100016b962706ee-c3b245b6-a9ad-45cb-a7a2-b9fe44dd33c3-000000@email.amazonses.com> <20190627.173012.789366833379165040.mbj@tail-f.com> <0100016b9b765508-5742ab05-ca2b-4d94-b040-75a2eed52d42-000000@email.amazonses.com> <20190628.142225.1179923611746773969.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.06.28-54.240.8.33
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/xSEV-nynT7xYYSw32TO0MgTGuGw>
Subject: Re: [netconf] latest update to crypto-types and keystore drafts
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 28 Jun 2019 14:36:10 -0000

> It is enough if just the name and "hidden" enum is present in
> factory-defaults, and thus just these fields are copied to running.

Maybe.  The public key and algorithm must be available somehow.  I know that you're pushing for them to be pulled from <operational>, which I'm okay with in theory, but in doing so you're implying that the 3-tuple values should not be mandatory true, which is a show stopper for me.  A possible compromise would be to let the algorithm and public-key nodes also take values like <hidden-value/>.  But I feel even this is unnecessary, as explained next.

You seem to worry about special case handling, but then how to you propose the device defend against the client setting a completely different set of new/different 3-tuple values for the tpm-protected-key?  My view is that the device will detect that the key is a system-configured and (unlike other NMDA scenarios) must not let configuration overwrite it.  That sounds like special handing to me and my view is, if a device can do that, then it can also detect/prevent modification to any of the three values, hence why I feel there is not need to hide or shroud the algorithm and public-key values in the configuration.




>> Now, when this configuration from the first device is loaded onto the
>> second device, one of two things might happen:
>> 
>>  1) if the manufacturer gives the same name to each device's
>>  TPM-protected keys (i.e., <name>tpm-protected-key</name>)
>> 
>>      a) <running> (copied from <factory-default>), would contain a key
>>      having the 'key' value as the incoming key.
>>      b) this should fail, because it's not possible to change the
>>      <public-key> for a key having <hidden-private-key/>.
> 
> This would be special treatment.  And IMO it is not needed; if the
> public key and alg are not present in the config this is not an
> issue.

Even if the public key and alg fields are removed, it merge attempt would still fail, specifically, device B would fail to decrypt the operator-protected-key encrypted by device A.



>>  2) if the manufacturer gives unique names to the tpm-protected-keys
>>  (i.e., <name>key3124235234</name>)
>> 
>>      a) <running> (copied from <factory-default>), would NOT contain a key
>>      having the 'key' value as the incoming key.
>>      b) this should fail, because it's not possible to config a new key
>>      having <hidden-private-key/>.
> 
> For this use case I think it is a prerequisite that the key has the
> same name.

Why?  I don't know of a technical reason.   Maybe you mean to simplify installation guides, but there are likely not-too-complicated ways to deal with that.  Regardless, the same failure mentioned previously (that device B would fail to decrypt the operator-protected-key encrypted by device A) would be present.



>> The specific failure error isn't as interesting as knowing that it
>> will fail somehow, and implementations will need to handle the
>> possibility.
>> 
>> That said, the general recommendation, which would both be correct and
>> avoid any potential failures, would be for the client to remove the
>> device-specific and operator-wide keys first, leaving just the
>> migratable keys in the config uploaded to the second device.
> 
> THIS IS THE CONFIG FROM THE FIRST DEVICE (A)
> 
> <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
>    <asymmetric-keys>
> 
>        <!-- a device-unique asymmetric key -->
>        <asymmetric-key>
>            <name>tpm-protected-key</name>
>            <hidden-private-key/>
>        </asymmetric-key>
> 
>        <!-- operator-wide symmetric key, protected by the device-specific key
>        -->
>        <!-- this key must be created for each device (i.e., via step #3) -->
>        <symmetric-key>
>            <name>operator-protected-key</name>
>            <algorithm>aes-256-cbc</algorithm>
>            <encrypted-key>
>                <asymmetric-key>tpm-protected-key</asymmetric-key>
>                <value>base64encodedvalue-1==</value>
>            </encrypted-private-key>
>        </symmetric-key>
> 
>        <!-- a migratable key, protected by the operator-wide key -->
>        <asymmetric-key>
>            <name>ex-encrypted-key</name>
>            <algorithm>rsa2048</algorithm>
>            <public-key>base64encodedvalue-2==</public-key>
>            <encrypted-private-key>
>                <symmetric-key>operator-protected-key</symmetric-key>
>                <value>base64encodedvalue-3==</value>
>            </encrypted-private-key>
>        </asymmetric-key>
> 
>    </asymmetric-keys>
> </keystore>
> 
> 
> THIS IS THE CONFIG ON A SECOND DEVICE, AFTER STEP #3 (B)
> 
> <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
>    <asymmetric-keys>
> 
>        <!-- a device-unique asymmetric key -->
>        <asymmetric-key>
>            <name>tpm-protected-key</name>
>            <hidden-private-key/>
>        </asymmetric-key>
> 
>        <!-- operator-wide symmetric key, protected by the device-specific key
>        -->
>        <!-- this key must be created for each device (i.e., via step #3) -->
>        <symmetric-key>
>            <name>operator-protected-key</name>
>            <algorithm>aes-256-cbc</algorithm>
>            <encrypted-private-key>
>                <asymmetric-key>tpm-protected-key</asymmetric-key>
>                <value>base64encodedvalue-4==</value>
>            </encrypted-private-key>
>        </symmetric-key>
> 
>    </asymmetric-keys>
> </keystore>
> 
> 
> If we edit-config (A) into (B), we'll trash "operator-protected-key";
> specifically its "encrypted-private-key/value" leaf must not be
> changed.
> 
> If we remove "operator-protected-key" from (A) we can then merge the
> rest of (A) into (B).
> 
> So this requires the client to pacth the config a bit.  Perhaps this
> is ok.

Okay, we agree that the client should patch the config from device A  prior to merging it into device B.   You feel that just the operator-protected-key can be removed, while I feel that both the tpm-protected-key and operator-protected-key keys should be removed.  My preference for removing both is because is mimics normal configuration updates occurring throughout the device's life.  That is, the CRUD operations would always be on the "ex-encrypted-key" keys, so just having these keys in the configuration loaded from device A would be consistent.



Kent // configuration

v2.23.0 | Report a Bug | By Email