IETF Logo Mail Archive

Re: [nfsv4] TLS Fingerprint Pinning Needed

Chuck Lever <chuck.lever@oracle.com> Mon, 30 March 2020 14:49 UTC

Return-Path: <chuck.lever@oracle.com>
X-Original-To: nfsv4@ietfa.amsl.com
Delivered-To: nfsv4@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 148C43A16F5 for <nfsv4@ietfa.amsl.com>; Mon, 30 Mar 2020 07:49:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.2
X-Spam-Level:
X-Spam-Status: No, score=-0.2 tagged_above=-999 required=5 tests=[DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=oracle.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTzVxoHtbWfM for <nfsv4@ietfa.amsl.com>; Mon, 30 Mar 2020 07:49:47 -0700 (PDT)
Received: from aserp2120.oracle.com (aserp2120.oracle.com [141.146.126.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 387893A16F4 for <nfsv4@ietf.org>; Mon, 30 Mar 2020 07:49:47 -0700 (PDT)
Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 02UEhMwX069353; Mon, 30 Mar 2020 14:49:44 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=content-type : mime-version : subject : from : in-reply-to : date : cc : content-transfer-encoding : message-id : references : to; s=corp-2020-01-29; bh=S+9s0zeuiscpTIqr6Vj2QJ7oJ9pyDvY54QRL2kczZz4=; b=XiiGw83HQ2ttlqwym4N6HWiSC2JCGr7PofN1nlzW/Ag05PMq4G03Ip24LcWopuuqHCHp CWR5BYMGDyLzDqSjcSEq/3bt/iJxCgFyGRZaROihq5LRaF4kXM1WbFydPv6S1Vrsr5Jf A/z26CHbe2wuTlebPT9WaYnikrl6apaT8ZSxfx9T+HKjkB7Z66wwnjAWXVS30r1Uvquc ZcNrely9Kki36ZOY/asvVHUw9GHwuTTJ2wmML4VPrJoKG5A+xUzRIrZuCMXB4CntIEqD rWQ2zSpMCS+Brp046dN7UNEWPHS3DN1lAhP1/us20PxDdcjl1FD0p3ILzpS+KinbsZtI qg==
Received: from aserp3020.oracle.com (aserp3020.oracle.com [141.146.126.70]) by aserp2120.oracle.com with ESMTP id 301xhkqap7-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 30 Mar 2020 14:49:44 +0000
Received: from pps.filterd (aserp3020.oracle.com [127.0.0.1]) by aserp3020.oracle.com (8.16.0.42/8.16.0.42) with SMTP id 02UEkv76065258; Mon, 30 Mar 2020 14:49:43 GMT
Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserp3020.oracle.com with ESMTP id 302gc9gwan-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 30 Mar 2020 14:49:43 +0000
Received: from abhmp0010.oracle.com (abhmp0010.oracle.com [141.146.116.16]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id 02UEnfMP001518; Mon, 30 Mar 2020 14:49:41 GMT
Received: from anon-dhcp-153.1015granger.net (/68.61.232.219) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 30 Mar 2020 07:49:41 -0700
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Chuck Lever <chuck.lever@oracle.com>
In-Reply-To: <MN2PR19MB40451B5CBE13E7A19D9C0B1183CB0@MN2PR19MB4045.namprd19.prod.outlook.com>
Date: Mon, 30 Mar 2020 10:49:39 -0400
Cc: "nfsv4@ietf.org" <nfsv4@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A5B4FE44-9E28-4854-9838-2CBF8E0632CD@oracle.com>
References: <CAD2Ti2_Wmqgtm4iRTtoqVKPk8JJw+nP-rim2NjZWa=FDFbK5Bw@mail.gmail.com> <MN2PR19MB40451B5CBE13E7A19D9C0B1183CB0@MN2PR19MB4045.namprd19.prod.outlook.com>
To: grarpamp <grarpamp@gmail.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9576 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 bulkscore=0 spamscore=0 malwarescore=0 mlxlogscore=999 adultscore=0 suspectscore=0 phishscore=0 mlxscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2003300141
X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9576 signatures=668685
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 impostorscore=0 mlxscore=0 suspectscore=0 mlxlogscore=999 lowpriorityscore=0 malwarescore=0 clxscore=1011 phishscore=0 adultscore=0 priorityscore=1501 bulkscore=0 spamscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2003020000 definitions=main-2003300140
Archived-At: <https://mailarchive.ietf.org/arch/msg/nfsv4/hcXLQvhVWbWmWf29Y5tZXKu0jGY>
Subject: Re: [nfsv4] TLS Fingerprint Pinning Needed
X-BeenThere: nfsv4@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NFSv4 Working Group <nfsv4.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nfsv4/>
List-Post: <mailto:nfsv4@ietf.org>
List-Help: <mailto:nfsv4-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nfsv4>, <mailto:nfsv4-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Mar 2020 14:49:49 -0000

Hello!

> On Mar 30, 2020, at 9:40 AM, Black, David <David.Black@dell.com> wrote:
> 
> This looks interesting - is there a BCP (Best Current Practice) RFC or similar reference on what MUST/SHOULD to be implemented and how implementers ought to think about this to make good choices?  Or is there one being prepared?  For example, such a document ought to cover the tradeoffs among the four validation options, and how a safe default be chosen.   In general, this looks like a good direction as trust anchors and trust anchor management have always been a weak point in the web PKI

I agree with David that this seems like excellent guidance for
implementations of RPC-TLS.

However, I don't see how it directly effects the protocol described in
draft-ietf-nfsv4-rpc-tls, as that document simply defines a STARTTLS
mechanism. I'm trying to understand what textual changes might be needed.
I'm guessing some adjustment of the Security Considerations section? Or
would we make a recommendation for certificate pinning only in protocols
that consume RPC (eg NFS)?

Note that without an RFC or other published standards-like document to
reference, I don't see that direct mention in our Standards Track
documents would be possible.


> The OWASP pages are a good start, but leave revocation for future work and are weak on certificate replacement - in particular, the comment that the  "application would need to be updated regularly" appears to punt the underlying app validation problem upward to the app store operators (e.g., to defend against a rogue app that accesses the server via an MITM proxy server), which doesn't mesh well with "An application which pins a certificate or public key no longer needs to depend on others - such as DNS or CAs".  Some dependence on the app store operator may be unavoidable for first-use.
> 
> Thanks, --David
> 
>> -----Original Message-----
>> From: nfsv4 <nfsv4-bounces@ietf.org> On Behalf Of grarpamp
>> Sent: Sunday, March 29, 2020 5:49 PM
>> To: nfsv4@ietf.org
>> Subject: [nfsv4] TLS Fingerprint Pinning Needed
>> 
>> 
>> [EXTERNAL EMAIL]
>> 
>> https://tools.ietf.org/html/draft-ietf-nfsv4-rpc-tls
>> 
>> People appear to be talking about using and
>> "authenticating / verifying" TLS certs now with at least
>> perhaps this NFSv4, and certainly with other apps.
>> 
>> If so, it's required critical thing for the admins and users to have
>> the option to pin the certificate pubkey fingerprints in four ways...
>> 
>> - Ignore the CA chain / expiry / etc, validate only the fingerprint.
>> - Validate the CA chain / expiry / etc, and validate the fingerprint.
>> - Validate the CA chain / expiry / etc, ignore the fingerprint.
>> - A TOFU mode, with some management by fingerprint options.
>> 
>> No application that uses TLS should be considered completely
>> featured and security capable without fingerprint pinning functions.
>> 
>> The "SHOULD implement" loophole in 5.5.2 will end up with many OS
>> and implementations lacking such basic security feature option.
>> 
>> For some background reasons on why pubkey fingerprint pinning
>> implementations are now showing up in softwares that speak TLS,
>> and for sample code, and related infos, see the links...
>> 
>> https://owasp.org/www-
>> community/controls/Certificate_and_Public_Key_Pinning
>> https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html
>> 
>> https://curl.haxx.se/libcurl/c/CURLOPT_PINNEDPUBLICKEY.html
>> --pinnedpubkey <hashes | file>
>> Tells curl to use the specified public key file (or hashes) to verify the
>> peer. This can be a path to a file which contains a single public key in PEM
>> or DER format, or any number of base64 encoded sha256 hashes preceded by
>> 'sha256//' and separated by ';'.
>> When negotiating a TLS or SSL connection, the server sends a certificate
>> indicating its identity. A public key is extracted from this certificate and
>> if it does not exactly match the public key provided to this option, curl will
>> abort the connection before sending or receiving any data.
>> 
>> Please note this option is rightly very specific covering only the
>> isolated pubkey, not the DER form of the entire "CA signed" cert
>> (ie: not the typically referenced coverage of "openssl x509 -fingerprint").
>> This allows additional adaptability to some cert environments.
>> 
>> Complete fingerprint implementations need both modes: pubkey, and cert DER.
>> 
>> Also note the use of sha-256, not the broken and now deprecated sha-1,
>> sha-3 could function as a backstop.
>> 
>> When fully implemented, fingerprint pinning enables a local admin and
>> user environment of more flexible certificate validation service cababilities
>> and security model hardening when subject to various third party things
>> and adversaries like...
>> 
>> - Environment of rogue / forced / spy MITM CA's, TLS termination / proxy
>> cloud MITM, VPN / overlay / WiFi networks MITM, etc.
>> - Annoying "expired" certs awaiting tax revenue from their captured audience.
>> - Assigning pinned trust to intermediate CA's such as Lets Encrypt, Google,
>> and corporate schemes, to let edge server certs they sign be freely
>> rotated and or freshly signed without need to update pin.
>> - Avoid need to update pin every "expiry" period.
>> - Avoid CA's by using cert owners publicly available and out of band self
>> certified hash attestations found on keybase, social, observatories, PGP, etc.
>> - As mentioned above, optionally in combination with other CA / expiry / etc
>> checks, or ignoring the CA altogether.
>> - CRL checks are a massive metadata privacy and user monetization
>> leak that some users might not want exposed to.
>> - Pinning one or both of: pubkey (herein) and or CA (openssl x509 -fingerprint)
>> 
>> Another very useful security feature to have is a trust on first use TOFU
>> mode that stores, pins, and subsequently validates against those fingerprints,
>> similar to SSH model. This is useful for both known comms partners such as
>> client-server model, and in more distributed group or even p2p applications
>> to help keep things a bit more locked down by default.
>> 
>> Defense (like this pubkey fingerprint pinning) in depth... you can use it :)
>> 
>> 
>> References (obviously TLS_1.3 is todays version to use)...
>> 
>> https://www.netcraft.com/internet-data-mining/ssl-survey/
>> https://www.ssllabs.com/ssl-pulse/
>> https://arstechnica.com/gadgets/2018/10/browser-vendors-unite-to-end-
>> support-for-20-year-old-tls-1-0/
>> https://www.bleepingcomputer.com/news/security/ietf-approves-tls-13-as-
>> internet-standard/
>> https://en.wikipedia.org/wiki/Transport_Layer_Security
>> https://tools.ietf.org/html/rfc8446
>> 
>> https://github.com/OWASP/www-
>> community/blob/master/pages/controls/Certificate_and_Public_Key_Pinning.m
>> d
>> https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Pinning
>> _Cheat_Sheet.md
>> 
>> https://github.com/curl/curl/blob/master/docs/cmdline-opts/pinnedpubkey.d
>> https://github.com/curl/curl/blob/deb9462ff2de8e955c67ed441f5f48619a3119
>> 8d/docs/libcurl/opts/CURLOPT_PINNEDPUBLICKEY.3
>> https://github.com/curl/curl/blob/51fde337471c9125e7bf425e7ce0a0bf536919
>> 92/docs/TODO#L728
>> 
>> _______________________________________________
>> nfsv4 mailing list
>> nfsv4@ietf.org
>> https://www.ietf.org/mailman/listinfo/nfsv4
> 
> _______________________________________________
> nfsv4 mailing list
> nfsv4@ietf.org
> https://www.ietf.org/mailman/listinfo/nfsv4

--
Chuck Lever

v2.23.0 | Report a Bug | By Email