IETF Logo Mail Archive

Re: Kathleen Moriarty's Discuss on draft-ietf-rtgwg-yang-key-chain-20: (with DISCUSS and COMMENT)

Alia Atlas <akatlas@gmail.com> Thu, 27 April 2017 04:02 UTC

Return-Path: <akatlas@gmail.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEE9F129577; Wed, 26 Apr 2017 21:02:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.698
X-Spam-Level:
X-Spam-Status: No, score=-2.698 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wMYSXzzv82gJ; Wed, 26 Apr 2017 21:02:16 -0700 (PDT)
Received: from mail-wm0-x22f.google.com (mail-wm0-x22f.google.com [IPv6:2a00:1450:400c:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 775FF12426E; Wed, 26 Apr 2017 21:02:16 -0700 (PDT)
Received: by mail-wm0-x22f.google.com with SMTP id u65so5903384wmu.1; Wed, 26 Apr 2017 21:02:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=oJ+S3O9WpUwtErfpZBh4Agf8ErXCC7tfNAeL7ph9+Ok=; b=SRtYjgHw2xfC5iq15tMuRBtMJAcVUYB/sSrH2rz1xiVZyegjTUfoU/6vdja7p5seMv F2+SyQivd7QttsCU8YJYIU0iKlJi+8vRPl8crpw8CFiva3bUwlzD6kFkMXDDNaA0v+zn TQ26j8vfXOpZg0u2nWq82F+nnRUDjRWCifSsgqf6Xyy27nJQOf6I7GJGJRUco7HoLlKB 7h1Hh6xhcoWbrV4gypWEVcupj8TQQSCF5dCAaCz7Tm8Ie/UET9aqvXCE8hXq14qdhdiW Xs1xJvb9dFhk38mJo11KhDpFjH8NJehpcCk2//811nV0oIATOozdOH2NdhfoIfBEZpvp HwzQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=oJ+S3O9WpUwtErfpZBh4Agf8ErXCC7tfNAeL7ph9+Ok=; b=m5LKD+Ap7b3G93CXnwr7QAoLxYiAM5vDCC1dV97wTWU9RPjp2lT7HWua5tSrmMi2Jd 8+QCXkUci0vQanJASlZfL5tOD8DEk8c0MrDY7edvHH+y6EbuHn+StJ20zvatae0NqqIT ntSU/Hze2CFZu6j6D/8yYYrdDCWlCtzgXFD51n8m39q9v86TiWFrsMZMqH9kND/2b2Lz UiJhuw9O5nH7Yh5cfg/OExVfyyV4L0auxjHG74EEnugLGWrej4i8BR52HWTCfwy6ZKAg 5mxutoCA0IBRjI5EKuTBySQaPsTJzXUILcaZlhGZVm5k6DKZtVxHyBvEEsdltWxPHYn/ gJlw==
X-Gm-Message-State: AN3rC/4hv5uEfh3/yLpFYZ+taMVpJSQpZM/PUGZjI1HRdKl9sVlwZTLt 7ddJvDXiqpWrvI0otLqstP+jRHHJfw==
X-Received: by 10.28.182.69 with SMTP id g66mr769829wmf.112.1493265734717; Wed, 26 Apr 2017 21:02:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.135.120 with HTTP; Wed, 26 Apr 2017 21:02:14 -0700 (PDT)
In-Reply-To: <0c744357-0d94-62a8-c16b-81a02ef5db45@nostrum.com>
References: <149322447211.30122.5870367500760951821.idtracker@ietfa.amsl.com> <f366eb05-b82c-123e-d0ca-8701fe16a469@nostrum.com> <CAHbuEH5vDjZ5tSt=314Dquju7N26XSOqQPNjV=jO6D8Xn7QVdQ@mail.gmail.com> <89d1c702-7830-1f5a-1176-0b894e2d99e9@nostrum.com> <CAHbuEH5OX-GiwF7zqWmks5k6yLj5SXvXwYVFjCChrsa_ckokwQ@mail.gmail.com> <f6ac64b0-1e50-b02f-7043-8cae2cd56020@nostrum.com> <CAHbuEH7B=bzknZnfF_qsE435peOOd8XYjd=YKREeXw0RW18aGA@mail.gmail.com> <0c744357-0d94-62a8-c16b-81a02ef5db45@nostrum.com>
From: Alia Atlas <akatlas@gmail.com>
Date: Thu, 27 Apr 2017 00:02:14 -0400
Message-ID: <CAG4d1reMAu0YmTfPnStYFx1DotDpwnuGP3BM8ks5-YA1XxrKtA@mail.gmail.com>
Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-rtgwg-yang-key-chain-20: (with DISCUSS and COMMENT)
To: Adam Roach <adam@nostrum.com>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Jeff Tantsura <jefftant.ietf@gmail.com>, "rtgwg-chairs@ietf.org" <rtgwg-chairs@ietf.org>, The IESG <iesg@ietf.org>, draft-ietf-rtgwg-yang-key-chain@ietf.org, "rtgwg@ietf.org" <rtgwg@ietf.org>
Content-Type: multipart/alternative; boundary="001a114b108cac5b66054e1e058e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/vKjK6zFpTPtv-nJiZvPTWP9qD60>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 04:02:19 -0000

I am just catching up on this conversation.

First, the YANG model is primarily for information in motion - either for
configuration to the device
or to read from the device.   It is much less likely to represent the data
structure and storage in the device.
I believe that this draft's context is strictly for information in motion.

This YANG model, as with all, is intended for transport over NetConf or
RestConf, which are confidential
transports.  Thus, any keys sent in the YANG model are already protected in
flight.

However, to allow for the limited cases (as I understand it) where that
isn't viewed as sufficient protection,
the key might be sent encrypted (via KEK) so it is encrypted before being
handed to the model, the configuration
action would be with the encrypted key, and then the device would have to
know how to decrypt it, which is all
out-of-band behavior as far as the YANG model and associated protocols go.

The gotcha - and why, as I understand it, that encrypted keys are even
mentioned is that it alters the data type
used for transmitting the key as in the snippet below.  Normally the
keystring would be a string, but if encrypted,
it is a hex-string - so arbitrary bytes.

"+--rw key-string

            |  +--rw (key-string-style)?
            |     +--:(keystring)
            |     |  +--rw keystring?            string
            |     +--:(hexadecimal) {hex-key-string}?
            |        +--rw hexadecimal-string?   yang:hex-string
"

This draft isn't trying to describe how or whether to use KEK.  It's just
making sure the YANG model is sufficient
general to transmit the key if it is previously encrypted.

Does that make sense and help clarify?

Regards,
Alia


On Wed, Apr 26, 2017 at 11:00 PM, Adam Roach <adam@nostrum.com> wrote:

> On 4/26/17 9:34 PM, Kathleen Moriarty wrote:
>
>> The final paragraph, I believe is referring to how the key is stored -
>> either  a KEK is used and it's encrypted or it's not and it's advising
>> obfuscation at a minimum.
>>
>
> That's how I read it too: it's talking about how the key is stored. If
> it's encrypted with a real crypto operation, it's going to have a KEK
> (which isn't necessarily the same KEK as is used to decrypt the information
> received from a remote node, right?); and, if it's obfuscated, it doesn't
> even necessarily have a key at all, just some kind of reversible
> transformation.
>
> Let's focus on the "obfuscation" case, because I think it's easier to
> reason about (and less likely to get conflated with other operations), and
> then we can extend that reasoning to the crypto case if we come to
> agreement. I'm making certain assumptions here which you may have a
> different read on (and, as before, this is your area, so I'd take your
> assumptions over my own) -- please correct me where I'm overstating or
> misstating things.
>
> In the obfuscation case -- and barring any advanced anti-debugger and
> anti-ICE defenses -- reverse-engineering the obfuscation technique would be
> a fairly straightforward exercise. So I think we can safely assume that any
> such obfuscation performed by popular routers will be reversible by your
> average black-hat hacker.
>
> That seems to negate most of the benefit obtained by obfuscation.
>
> At the same time, an administrator observing that the stored value is not
> the same as the actual key may make the erroneous assumption that the
> on-disk value itself is not particularly high value, and may take steps
> that make it more likely to fall into the hands of an attacker than if the
> administrator saw the literal key present in the configuration.
>
> That seems to make the obfuscation potentially harmful.
>
> Little benefit with possible harm would, to me, indicate that obfuscation
> should not be employed.
>
>
>
> Does that help?  I'll defer to the authors and AD and get back to the
>> part of the thread where I'm hoping we can add the KEK back into the
>> draft.
>>
>
> I hope so too. As a process point: removing this from the document seems
> like a material change. If this went through WGLC and IETF LC with the KEK
> as part of the data model, I would think its removal would require WG
> buy-in, and running through IETF LC again.
>
> /a
>
>

v2.23.0 | Report a Bug | By Email