Re: [netmod] RFC7952 annotation to identify leaf encryption/hashing format

Andy Bierman <andy@yumaworks.com> Mon, 22 May 2017 23:22 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15CE1129443 for <netmod@ietfa.amsl.com>; Mon, 22 May 2017 16:22:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dHABBdOe-HEz for <netmod@ietfa.amsl.com>; Mon, 22 May 2017 16:22:56 -0700 (PDT)
Received: from mail-wm0-x235.google.com (mail-wm0-x235.google.com [IPv6:2a00:1450:400c:c09::235]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 031D3126CC4 for <netmod@ietf.org>; Mon, 22 May 2017 16:22:55 -0700 (PDT)
Received: by mail-wm0-x235.google.com with SMTP id b84so8285837wmh.0 for <netmod@ietf.org>; Mon, 22 May 2017 16:22:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=ELcLBLVxDpV2Pl9Pl8Z/8Mdm9kglPgXg8VHQeug/K+8=; b=1SWzs0cMyMLURIwYVrjfsEWaYKciXC9Jutoa6s5IxXjEumBMpNCEQ5IlhNJQoSYHa3 xKe0IMbNo/s0riTJINtbu5RvG2lH5TAlKdml7yu/kBy8v0bu4+8PID700p66+HNeqUsN TiCG0oJ9HURlsmsEB73kXoYmcpHjnamfwoRh8nDSuYaAjwKG9o9s22p3Hu9TrVxJlWiu NFddAIbTai8vgPL1vXohE8iElFB7pk9gwxlRkmJkiuxL58ziVWU+6XyHIrSnYQtgMEAO nV9IK+DX6dmOU2QxudSXnmIJidjR6p4UEiItdp/KDTxjUJVn6vebEJEDduum7sXsAOym 8FXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=ELcLBLVxDpV2Pl9Pl8Z/8Mdm9kglPgXg8VHQeug/K+8=; b=dTRiBHMpqrHyGt1m40YTJ/xDnbiz+d1bPqtjT1oXAkshG+VE19QtePqUUMfQdmqLaI 46RpNqBePwjIg0wXN+NaIBinzxCp+/orAIidxbbFRAIkDMxxw53HHpXWMuffR7ieLO6K r+KP9nHAhFL1eYPf9EQFRiw5Dj7AudMVMpVWWzrh7WeyZ6oF1pj+FFlN7HGjDYlw9792 pJSYdkYSP6I5oN2s9SpLKsXR9WLJQUUWC5xIUiXSP82OVe5aFPAeebC3V/mXI1LYvcZI tLgxdu1a6VbeFQ9LWlF7Z/B6wbP4seMPwJekhcUXqt/yr9Mh3nfAbcdSS8N8ArqN4ySs Q3iQ==
X-Gm-Message-State: AODbwcBiS4t4pWWMvavU5Gy5yU7L4p11SFTZabAWk7M2H+RH3bfmehJa dbVvY+Fah9Rb6pPTv5oSeSNRUiUuD1fg
X-Received: by 10.28.6.82 with SMTP id 79mr128163wmg.124.1495495374474; Mon, 22 May 2017 16:22:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.155.2 with HTTP; Mon, 22 May 2017 16:22:53 -0700 (PDT)
In-Reply-To: <20170522215613.GA4271@elstar.local>
References: <HE1PR07MB0843F3616FA7398A29599A749BF80@HE1PR07MB0843.eurprd07.prod.outlook.com> <20170522215613.GA4271@elstar.local>
From: Andy Bierman <andy@yumaworks.com>
Date: Mon, 22 May 2017 16:22:53 -0700
Message-ID: <CABCOCHQC+KNk5trCMH+GaJ_nCpNVaFR9vEERzVEQw0sU8p7XvQ@mail.gmail.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, "Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com>, "netmod@ietf.org" <netmod@ietf.org>
Content-Type: multipart/alternative; boundary="001a114421e68f231b055025261d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/bu27Nfp1Kq6qw69oU61Tpnfh0Gs>
Subject: Re: [netmod] RFC7952 annotation to identify leaf encryption/hashing format
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 May 2017 23:22:58 -0000

On Mon, May 22, 2017 at 2:56 PM, Juergen Schoenwaelder <
j.schoenwaelder@jacobs-university.de> wrote:

> RFC 7952 says:
>
>    4.  Annotations sent by a server should not break clients that don't
>        support them.
>
> If the client is expected to understand which hash function has been
> used to generate a hash value, then I think the hash function should
> be communicated as proper YANG data and not as metadata.
>
>
Agreed.

Also, the annotation extension cannot constrain the usage of the XML
attribute.
It is supposed to apply to any data node (clearly hash-function does not
apply to
every data node.) Since it is data-node specific, it is not metadata; just
more data.



> /js
>

Andy


>
> On Mon, May 22, 2017 at 05:16:36PM +0000, Sterne, Jason (Nokia -
> CA/Ottawa) wrote:
> > Hi all,
> >
> > Does anyone see any reasons why RFC7952 annotations couldn't/shouldn't
> be used to identify the encryption/hashing format of an encrypted/hashed
> leaf ?
> >
> > There are a number of approaches out there for encrypted/hashed leafs
> (e.g. RFC7317 crypt-hash which encodes the hash function by prepending $x$
> to the password, using multiple leafs for the value/algorithm, etc).
> >
> > These are leafs that can be typically written in cleartext or
> encrypted/hashed format, but return only an encrypted/hashed format when
> retrieved from a device.
> >
> > I think RFC7952 annotation could also be used as an approach to this
> problem.
> >
> > Annotation definition:
> >
> >      md:annotation hash-format {
> >        type enumeration {
> >          enum md5l
> >          enum sha-256
> >          ...
> >        }
> >      }
> >
> > An 'auth-key' leaf that is hashed:
> >
> >     <auth-key hash-format="sha-256">
> >       QsdsEWfjKAowjjhQHHslJSHHll
> >     </auth-key>
> >
> >
> > Regards,
> > Jason
> >
> > Note - I don't believe this statement in section 9 would point anyone
> away from using annotations for encryption/hashing information (since the
> encrypted leafs are data nodes):  "It is RECOMMENDED that
> security-sensitive or privacy-sensitive data be modeled as regular YANG
> data nodes rather than annotations."
> >
> >
> >
>
> > _______________________________________________
> > netmod mailing list
> > netmod@ietf.org
> > https://www.ietf.org/mailman/listinfo/netmod
>
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>
>
> _______________________________________________
> netmod mailing list
> netmod@ietf.org
> https://www.ietf.org/mailman/listinfo/netmod
>