Re: [nfsv4] TLS Fingerprint Pinning Needed
Chuck Lever <chuck.lever@oracle.com> Mon, 30 March 2020 14:49 UTC
Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 148C43A16F5 for <nfsv4@ietfa.amsl.com>; Mon, 30 Mar 2020 07:49:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTzVxoHtbWfM for <nfsv4@ietfa.amsl.com>; Mon, 30 Mar 2020 07:49:47 -0700 (PDT)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 387893A16F4 for <nfsv4@ietf.org>; Mon, 30 Mar 2020 07:49:47 -0700 (PDT)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 02UEhMwX069353; Mon, 30 Mar 2020 14:49:44 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=S+9s0zeuiscpTIqr6Vj2QJ7oJ9pyDvY54QRL2kczZz4=; b=XiiGw83HQ2ttlqwym4N6HWiSC2JCGr7PofN1nlzW/Ag05PMq4G03Ip24LcWopuuqHCHp CWR5BYMGDyLzDqSjcSEq/3bt/iJxCgFyGRZaROihq5LRaF4kXM1WbFydPv6S1Vrsr5Jf A/z26CHbe2wuTlebPT9WaYnikrl6apaT8ZSxfx9T+HKjkB7Z66wwnjAWXVS30r1Uvquc ZcNrely9Kki36ZOY/asvVHUw9GHwuTTJ2wmML4VPrJoKG5A+xUzRIrZuCMXB4CntIEqD rWQ2zSpMCS+Brp046dN7UNEWPHS3DN1lAhP1/us20PxDdcjl1FD0p3ILzpS+KinbsZtI qg==
Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by aserp2120.oracle.com with ESMTP id 301xhkqap7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 30 Mar 2020 14:49:44 +0000
Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 02UEkv76065258; Mon, 30 Mar 2020 14:49:43 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserp3020.oracle.com with ESMTP id 302gc9gwan-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 30 Mar 2020 14:49:43 +0000
Received: from abhmp0010.oracle.com (abhmp0010.oracle.com [141.146.116.16]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 02UEnfMP001518; Mon, 30 Mar 2020 14:49:41 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 30 Mar 2020 07:49:41 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <MN2PR19MB40451B5CBE13E7A19D9C0B1183CB0@MN2PR19MB4045.namprd19.prod.outlook.com>
Date: Mon, 30 Mar 2020 10:49:39 -0400
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A5B4FE44-9E28-4854-9838-2CBF8E0632CD@oracle.com>
References: <CAD2Ti2_Wmqgtm4iRTtoqVKPk8JJw+nP-rim2NjZWa=FDFbK5Bw@mail.gmail.com> <MN2PR19MB40451B5CBE13E7A19D9C0B1183CB0@MN2PR19MB4045.namprd19.prod.outlook.com>
To: grarpamp <grarpamp@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9576 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 spamscore=0 malwarescore=0 mlxlogscore=999 adultscore=0 suspectscore=0 phishscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2003300141
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9576 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 impostorscore=0 mlxscore=0 suspectscore=0 mlxlogscore=999 lowpriorityscore=0 malwarescore=0 clxscore=1011 phishscore=0 adultscore=0 priorityscore=1501 bulkscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2003300140
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/hcXLQvhVWbWmWf29Y5tZXKu0jGY>
Subject: Re: [nfsv4] TLS Fingerprint Pinning Needed
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2020 14:49:49 -0000
Hello! > On Mar 30, 2020, at 9:40 AM, Black, David <David.Black@dell.com> wrote: > > This looks interesting - is there a BCP (Best Current Practice) RFC or similar reference on what MUST/SHOULD to be implemented and how implementers ought to think about this to make good choices? Or is there one being prepared? For example, such a document ought to cover the tradeoffs among the four validation options, and how a safe default be chosen. In general, this looks like a good direction as trust anchors and trust anchor management have always been a weak point in the web PKI I agree with David that this seems like excellent guidance for implementations of RPC-TLS. However, I don't see how it directly effects the protocol described in draft-ietf-nfsv4-rpc-tls, as that document simply defines a STARTTLS mechanism. I'm trying to understand what textual changes might be needed. I'm guessing some adjustment of the Security Considerations section? Or would we make a recommendation for certificate pinning only in protocols that consume RPC (eg NFS)? Note that without an RFC or other published standards-like document to reference, I don't see that direct mention in our Standards Track documents would be possible. > The OWASP pages are a good start, but leave revocation for future work and are weak on certificate replacement - in particular, the comment that the "application would need to be updated regularly" appears to punt the underlying app validation problem upward to the app store operators (e.g., to defend against a rogue app that accesses the server via an MITM proxy server), which doesn't mesh well with "An application which pins a certificate or public key no longer needs to depend on others - such as DNS or CAs". Some dependence on the app store operator may be unavoidable for first-use. > > Thanks, --David > >> -----Original Message----- >> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of grarpamp >> Sent: Sunday, March 29, 2020 5:49 PM >> To: nfsv4@ietf.org >> Subject: [nfsv4] TLS Fingerprint Pinning Needed >> >> >> [EXTERNAL EMAIL] >> >> https://tools.ietf.org/html/draft-ietf-nfsv4-rpc-tls >> >> People appear to be talking about using and >> "authenticating / verifying" TLS certs now with at least >> perhaps this NFSv4, and certainly with other apps. >> >> If so, it's required critical thing for the admins and users to have >> the option to pin the certificate pubkey fingerprints in four ways... >> >> - Ignore the CA chain / expiry / etc, validate only the fingerprint. >> - Validate the CA chain / expiry / etc, and validate the fingerprint. >> - Validate the CA chain / expiry / etc, ignore the fingerprint. >> - A TOFU mode, with some management by fingerprint options. >> >> No application that uses TLS should be considered completely >> featured and security capable without fingerprint pinning functions. >> >> The "SHOULD implement" loophole in 5.5.2 will end up with many OS >> and implementations lacking such basic security feature option. >> >> For some background reasons on why pubkey fingerprint pinning >> implementations are now showing up in softwares that speak TLS, >> and for sample code, and related infos, see the links... >> >> https://owasp.org/www- >> community/controls/Certificate_and_Public_Key_Pinning >> https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html >> >> https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html >> --pinnedpubkey <hashes | file> >> Tells curl to use the specified public key file (or hashes) to verify the >> peer. This can be a path to a file which contains a single public key in PEM >> or DER format, or any number of base64 encoded sha256 hashes preceded by >> 'sha256//' and separated by ';'. >> When negotiating a TLS or SSL connection, the server sends a certificate >> indicating its identity. A public key is extracted from this certificate and >> if it does not exactly match the public key provided to this option, curl will >> abort the connection before sending or receiving any data. >> >> Please note this option is rightly very specific covering only the >> isolated pubkey, not the DER form of the entire "CA signed" cert >> (ie: not the typically referenced coverage of "openssl x509 -fingerprint"). >> This allows additional adaptability to some cert environments. >> >> Complete fingerprint implementations need both modes: pubkey, and cert DER. >> >> Also note the use of sha-256, not the broken and now deprecated sha-1, >> sha-3 could function as a backstop. >> >> When fully implemented, fingerprint pinning enables a local admin and >> user environment of more flexible certificate validation service cababilities >> and security model hardening when subject to various third party things >> and adversaries like... >> >> - Environment of rogue / forced / spy MITM CA's, TLS termination / proxy >> cloud MITM, VPN / overlay / WiFi networks MITM, etc. >> - Annoying "expired" certs awaiting tax revenue from their captured audience. >> - Assigning pinned trust to intermediate CA's such as Lets Encrypt, Google, >> and corporate schemes, to let edge server certs they sign be freely >> rotated and or freshly signed without need to update pin. >> - Avoid need to update pin every "expiry" period. >> - Avoid CA's by using cert owners publicly available and out of band self >> certified hash attestations found on keybase, social, observatories, PGP, etc. >> - As mentioned above, optionally in combination with other CA / expiry / etc >> checks, or ignoring the CA altogether. >> - CRL checks are a massive metadata privacy and user monetization >> leak that some users might not want exposed to. >> - Pinning one or both of: pubkey (herein) and or CA (openssl x509 -fingerprint) >> >> Another very useful security feature to have is a trust on first use TOFU >> mode that stores, pins, and subsequently validates against those fingerprints, >> similar to SSH model. This is useful for both known comms partners such as >> client-server model, and in more distributed group or even p2p applications >> to help keep things a bit more locked down by default. >> >> Defense (like this pubkey fingerprint pinning) in depth... you can use it :) >> >> >> References (obviously TLS_1.3 is todays version to use)... >> >> https://www.netcraft.com/internet-data-mining/ssl-survey/ >> https://www.ssllabs.com/ssl-pulse/ >> https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end- >> support-for-20-year-old-tls-1-0/ >> https://www.bleepingcomputer.com/news/security/ietf-approves-tls-13-as- >> internet-standard/ >> https://en.wikipedia.org/wiki/Transport_Layer_Security >> https://tools.ietf.org/html/rfc8446 >> >> https://github.com/OWASP/www- >> community/blob/master/pages/controls/Certificate_and_Public_Key_Pinning.m >> d >> https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Pinning >> _Cheat_Sheet.md >> >> https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpubkey.d >> https://github.com/curl/curl/blob/deb9462ff2de8e955c67ed441f5f48619a3119 >> 8d/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3 >> https://github.com/curl/curl/blob/51fde337471c9125e7bf425e7ce0a0bf536919 >> 92/docs/TODO#L728 >> >> _______________________________________________ >> nfsv4 mailing list >> nfsv4@ietf.org >> https://www.ietf.org/mailman/listinfo/nfsv4 > > _______________________________________________ > nfsv4 mailing list > nfsv4@ietf.org > https://www.ietf.org/mailman/listinfo/nfsv4 -- Chuck Lever
- [nfsv4] TLS Fingerprint Pinning Needed grarpamp
- Re: [nfsv4] TLS Fingerprint Pinning Needed Black, David
- Re: [nfsv4] TLS Fingerprint Pinning Needed Chuck Lever
- Re: [nfsv4] TLS Fingerprint Pinning Needed grarpamp
- Re: [nfsv4] TLS Fingerprint Pinning Needed grarpamp
- Re: [nfsv4] TLS Fingerprint Pinning Needed Chuck Lever
- Re: [nfsv4] TLS Fingerprint Pinning Needed Benjamin Kaduk
- Re: [nfsv4] TLS Fingerprint Pinning Needed grarpamp