IETF Logo Mail Archive

Re: Kathleen Moriarty's Discuss on draft-ietf-rtgwg-yang-key-chain-20: (with DISCUSS and COMMENT)

Adam Roach <adam@nostrum.com> Wed, 26 April 2017 20:18 UTC

Return-Path: <adam@nostrum.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8F1E12ECED; Wed, 26 Apr 2017 13:18:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.881
X-Spam-Level:
X-Spam-Status: No, score=-1.881 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, T_SPF_HELO_PERMERROR=0.01, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ScVyF3WrT0zH; Wed, 26 Apr 2017 13:18:02 -0700 (PDT)
Received: from nostrum.com (raven-v6.nostrum.com [IPv6:2001:470:d:1130::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EB851294D8; Wed, 26 Apr 2017 13:18:02 -0700 (PDT)
Received: from Svantevit.roach.at (cpe-70-122-154-80.tx.res.rr.com [70.122.154.80]) (authenticated bits=0) by nostrum.com (8.15.2/8.15.2) with ESMTPSA id v3QKI0KU078280 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NO); Wed, 26 Apr 2017 15:18:01 -0500 (CDT) (envelope-from adam@nostrum.com)
X-Authentication-Warning: raven.nostrum.com: Host cpe-70-122-154-80.tx.res.rr.com [70.122.154.80] claimed to be Svantevit.roach.at
Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-rtgwg-yang-key-chain-20: (with DISCUSS and COMMENT)
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, Jeff Tantsura <jefftant.ietf@gmail.com>, rtgwg-chairs@ietf.org, draft-ietf-rtgwg-yang-key-chain@ietf.org, rtgwg@ietf.org
References: <149322447211.30122.5870367500760951821.idtracker@ietfa.amsl.com> <f366eb05-b82c-123e-d0ca-8701fe16a469@nostrum.com> <CAHbuEH5vDjZ5tSt=314Dquju7N26XSOqQPNjV=jO6D8Xn7QVdQ@mail.gmail.com>
From: Adam Roach <adam@nostrum.com>
Message-ID: <89d1c702-7830-1f5a-1176-0b894e2d99e9@nostrum.com>
Date: Wed, 26 Apr 2017 15:18:00 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Thunderbird/52.0.1
MIME-Version: 1.0
In-Reply-To: <CAHbuEH5vDjZ5tSt=314Dquju7N26XSOqQPNjV=jO6D8Xn7QVdQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/mpYDXeZnb7fu-ELpw13hZ_XJofY>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 20:18:09 -0000

On 4/26/17 2:36 PM, Kathleen Moriarty wrote:
> On Wed, Apr 26, 2017 at 2:42 PM, Adam Roach <adam@nostrum.com> wrote:
>> On 4/26/17 11:34 AM, Kathleen Moriarty wrote:
>>> Since the following text int he Security Considerations section is a
>>> recommendation, IMO it would be better to drop "or otherwise obfuscated"
>>> from the sentence as encrypting the keys really should be the
>>> recommendation.  Can we make this update?
>>>
>>>      It is RECOMMENDED that keys be encrypted or otherwise obfuscated
>>> when
>>>      stored internally on a network device supporting this specification.
>>>
>>> If obfuscation is what happens more often in practice, maybe mention this
>>> as a fallback from the recommendation, but not make them sound
>>> equivalent?
>>
>>
>> To be clear -- the current guidance from the security area is to perform
>> this kind of encryption, where you have encrypted material living
>> side-by-side with the key necessary to decrypt it?
> We are talking about using a key encrypting key (KEK) and storing
> that, not storing the raw key next to the encrypted data as far as I
> can tell.

Right.

> Additionally, I haven't seen a discussion on the hardware
> this is expected to run on.

That might be appropriate matter for the draft, if it is going to make 
this recommendation.

> Some implementations of KEK solutions use dedicated hardware for the
> KEK and require authentication for access to the key, hence preventing
> generic access and side-by-side storage of the KEK's protected key,
> and encrypted data.  I'd rather see a KEK used than just a key stored
> in any case.  Are you arguing for not using any encryption at all?

I'll defer to you, of course, since you have presumably given the topic 
more thought than I have, but: yes.

Absent something like an HSM or forcing human intervention whenever a 
process starts (or restarts), it seems that the scheme described in 
section 5 doesn't actually deter a competent attacker from obtaining the 
keys. My impression is that storing information in an encrypted form 
that can be trivially decrypted by an attacker provides a false sense of 
security to equipment operators.

If the scheme in section 5 *does* require the kind of prerequisites you 
posit, such as dedicated security hardware, it seems that such 
prerequisites should be mentioned alongside the recommendation.

> For YANG modules, couldn't the application via NETCONF/RESTCONF
> accessing the module provide the credentials to access the key
> protected by the KEK?

That solves the issues with provisioning, but doesn't seem to help the 
processes actually involved in routing.

> Some implementations could store the KEK in
> dedicated hardware as well. In this way, storing the KEK and data
> together is not the same as storing a key right next to the data it is
> protecting.

This makes perfect sense; and it should probably be in the document.

> Use of a KEK is better then not encrypting and can be done
> well.

It can also be done poorly, and the mention of obfuscation (along with 
the exchange I cite below) leads me to believe that -- absent concrete 
guidance to the contrary -- implementors will choose to do it poorly. 
It's not clear that doing this poorly provides any benefit, and it seems 
to me that it may cause harm: if something _looks_ secure but isn't, 
doesn't that have the potential for operators to incorrectly treat it as 
secure? Again, this is more your area than mine and so I will defer to 
your opinion on the topic; but from a lay perspective, this seems likely 
to result in the lack of guarding against compromise of the encrypted 
information under the mistaken impression that it can't be decrypted 
trivially.


> Am I missing something?  Was there something implementation specific
> that has the raw key stored with the encrypted data?

Perhaps the following exchange with the author:

Adam: "By my reading, this is just talking about encrypting 'on the 
disk' storage on the device. Any processes involved in provisioning the 
values or using them to process traffic would have access to the 
plaintext, presumably by reading the encrypted form off disk, reading 
some keying material off disk, and combining them to retrieve the 
plaintext key."

Acee: "This is the correct interpretation."

/a

v2.23.0 | Report a Bug | By Email