[nfsv4] TLS Fingerprint Pinning Needed

grarpamp <grarpamp@gmail.com> Sun, 29 March 2020 21:49 UTC

From: grarpamp <grarpamp@gmail.com>
Date: Sun, 29 Mar 2020 17:49:00 -0400
Message-ID: <CAD2Ti2_Wmqgtm4iRTtoqVKPk8JJw+nP-rim2NjZWa=FDFbK5Bw@mail.gmail.com>
To: nfsv4@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/SLTNqWbjE-H8JshLk0HwlwxArrI>

https://tools.ietf.org/html/draft-ietf-nfsv4-rpc-tls

People appear to be talking about using and
"authenticating / verifying" TLS certs now with at least
perhaps this NFSv4, and certainly with other apps.

If so, it's a required critical thing for the admins and users to have
the option to pin the certificate pubkey fingerprints in four ways...

- Ignore the CA chain / expiry / etc, validate only the fingerprint.
- Validate the CA chain / expiry / etc, and validate the fingerprint.
- Validate the CA chain / expiry / etc, ignore the fingerprint.
- A TOFU mode, with some management by fingerprint options.

No application that uses TLS should be considered completely
featured and security capable without fingerprint pinning functions.

The "SHOULD implement" loophole in 5.5.2 will end up with many OS
and implementations lacking such a basic security feature option.

For some background reasons on why pubkey fingerprint pinning
implementations are now showing up in software that speaks TLS,
and for sample code and related info, see the links...

https://owasp.org/www-community/controls/Certificate_and_Public_Key_Pinning
https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html

https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
--pinnedpubkey <hashes | file>
Tells curl to use the specified public key file (or hashes) to verify the
peer. This can be a path to a file which contains a single public key in PEM
or DER format, or any number of base64 encoded sha256 hashes preceded by
'sha256//' and separated by ';'.
When negotiating a TLS or SSL connection, the server sends a certificate
indicating its identity. A public key is extracted from this certificate and
if it does not exactly match the public key provided to this option, curl will
abort the connection before sending or receiving any data.

Please note this option is rightly very specific covering only the
isolated pubkey, not the DER form of the entire "CA signed" cert
(i.e.: not the typically referenced coverage of "openssl x509 -fingerprint").
This allows additional adaptability to some cert environments.

Complete fingerprint implementations need both modes: pubkey, and cert DER.

Also note the use of sha-256, not the broken and now deprecated sha-1;
sha-3 could function as a backstop.

When fully implemented, fingerprint pinning enables a local admin and
user environment of more flexible certificate validation service capabilities
and security model hardening when subject to various third party things
and adversaries like...

- Environment of rogue / forced / spy MITM CAs, TLS termination / proxy
cloud MITM, VPN / overlay / WiFi networks MITM, etc.
- Annoying "expired" certs awaiting tax revenue from their captured audience.
- Assigning pinned trust to intermediate CAs such as Let's Encrypt, Google,
and corporate schemes, to let edge server certs they sign be freely
rotated and/or freshly signed without need to update the pin.
- Avoid need to update the pin every "expiry" period.
- Avoid CAs by using cert owners' publicly available and out-of-band self
certified hash attestations found on keybase, social, observatories, PGP, etc.
- As mentioned above, optionally in combination with other CA / expiry / etc
checks, or ignoring the CA altogether.
- CRL checks are a massive metadata privacy and user monetization
leak that some users might not want to be exposed to.
- Pinning one or both of: pubkey (herein) and/or CA (openssl x509 -fingerprint)

Another very useful security feature to have is a trust on first use TOFU
mode that stores, pins, and subsequently validates against those fingerprints,
similar to the SSH model. This is useful for both known comms partners such as
client-server model, and in more distributed group or even p2p applications
to help keep things a bit more locked down by default.

Defense (like this pubkey fingerprint pinning) in depth... you can use it :)


References (obviously TLS_1.3 is today's version to use)...

https://www.netcraft.com/internet-data-mining/ssl-survey/
https://www.ssllabs.com/ssl-pulse/
https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-support-for-20-year-old-tls-1-0/
https://www.bleepingcomputer.com/news/security/ietf-approves-tls-13-as-internet-standard/
https://en.wikipedia.org/wiki/Transport_Layer_Security
https://tools.ietf.org/html/rfc8446

https://github.com/OWASP/www-community/blob/master/pages/controls/Certificate_and_Public_Key_Pinning.md
https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Pinning_Cheat_Sheet.md

https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpubkey.d
https://github.com/curl/curl/blob/deb9462ff2de8e955c67ed441f5f48619a31198d/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
https://github.com/curl/curl/blob/51fde337471c9125e7bf425e7ce0a0bf53691992/docs/TODO#L728
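The four pinning modes listed in the post, the curl-style `sha256//<base64>` public-key pin it quotes (a hash of the isolated SubjectPublicKeyInfo, not of the whole CA-signed cert), and the SSH-like TOFU mode, as one added Go example. This is not code from the post, from curl, or from the NFSv4 RPC-over-TLS work: the `PinMode`, `Pinner`, `SPKIPin` and `SelfSigned` names are my own, the hostname `nfs.example.test` is a placeholder, and the certificates are constructed self-signed throwaways so the whole thing runs offline. `Verify` is written in the shape of Go's `tls.Config.VerifyPeerCertificate` callback, which is where a client would hook a check like this in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// PinMode enumerates the four validation options the post asks for.
type PinMode int

const (
	PinOnly     PinMode = iota // ignore CA chain / expiry, validate only the pin
	ChainAndPin                // validate CA chain / expiry AND the pin
	ChainOnly                  // validate CA chain / expiry, ignore the pin
	TOFU                       // pin the key seen first per host, then enforce it
)

// SPKIPin is the curl-style "sha256//<base64>" pin over the SubjectPublicKeyInfo
// (the isolated public key, not the DER of the whole CA-signed cert).
func SPKIPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return "sha256//" + base64.StdEncoding.EncodeToString(sum[:])
}

type Pinner struct {
	Mode  PinMode
	Pins  map[string]bool   // accepted "sha256//..." pins (PinOnly, ChainAndPin)
	Roots *x509.CertPool    // CA roots used whenever the chain is validated
	Store map[string]string // TOFU: host -> pin learned on first contact (non-nil)
}

// Verify plays the role of tls.Config.VerifyPeerCertificate: raw DER chain in, a non-nil error aborts the handshake.
func (p *Pinner) Verify(host string, rawCerts [][]byte) error {
	if len(rawCerts) == 0 {
		return fmt.Errorf("%s presented no certificate", host)
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return err
	}
	pin := SPKIPin(leaf)
	var pinErr error // set when the peer's key is not among the configured pins
	if !p.Pins[pin] {
		pinErr = fmt.Errorf("pin mismatch for %s: peer key is %s", host, pin)
	}
	checkChain := func() error { // chain, expiry and hostname, as a normal client does
		inter := x509.NewCertPool() // intermediates the peer sent after its leaf
		for _, der := range rawCerts[1:] {
			if c, err := x509.ParseCertificate(der); err == nil {
				inter.AddCert(c)
			}
		}
		_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: p.Roots, Intermediates: inter})
		return err
	}
	switch p.Mode {
	case PinOnly:
		return pinErr
	case ChainAndPin, ChainOnly:
		if err := checkChain(); err != nil || p.Mode == ChainOnly {
			return err // ChainOnly stops here; ChainAndPin goes on to the pin
		}
		return pinErr
	case TOFU:
		if seen, ok := p.Store[host]; ok && seen != pin {
			return fmt.Errorf("TOFU: key for %s changed from %s to %s", host, seen, pin)
		}
		p.Store[host] = pin // first contact (or unchanged key): remember and accept
		return nil
	default:
		return fmt.Errorf("unknown pin mode %d", p.Mode)
	}
}

// SelfSigned builds a throwaway ECDSA cert for the demo (constructed, not any
// real server's); notAfter lets the caller make it already expired.
func SelfSigned(host string, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() { // stand-alone demo: print the pin of a constructed certificate
	fmt.Println(SPKIPin(SelfSigned("nfs.example.test", time.Now().Add(time.Hour)))) // placeholder host
}
```

The design point to notice is that `PinOnly` never calls `leaf.Verify`, so an expired or self-signed cert with the right key is accepted, exactly the behaviour the post wants for the "ignore the CA chain / expiry" option; `ChainAndPin` runs the ordinary validation first and only then consults the pin, so a valid CA-signed cert with a swapped key is still refused. Because the pin covers the SubjectPublicKeyInfo, the server can re-issue or renew its cert under the same key without the pin changing, which is why curl hashes the key and not the whole cert. The TOFU store is kept in memory here; a real client would persist it (the SSH `known_hosts` analogue) and give the admin a way to list and revoke entries.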