Re: [secdir] (Early) Secdir review of draft-ietf-netconf-keystore

Kent Watsen <kent+ietf@watsen.net> Tue, 11 August 2020 01:26 UTC

Return-Path: <01000173db1fc8cc-e5530e7a-c300-4f8f-8068-0fbe7fd51926-000000@amazonses.watsen.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5FFCB3A0E96; Mon, 10 Aug 2020 18:26:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.775
X-Spam-Level:
X-Spam-Status: No, score=-0.775 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, MPART_ALT_DIFF_COUNT=1.112, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_FILL_THIS_FORM_SHORT=0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id F6M-AWu_gD6B; Mon, 10 Aug 2020 18:26:05 -0700 (PDT)
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7065E3A0E90; Mon, 10 Aug 2020 18:26:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1597109162; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=+pu/ICJW+qXIqb1sBpeYmdw/d3D1GaQQF9OCyh14zjM=; b=OLqvdlFntFKpEsCfsTiDv54UP03g+GLCNTJwUfnaOZwVFSqa1GxLJfrA4O28pZ49 ahi0mGcSFjw4iBRDd3Y9C0gwuhedxecHaMQTNRoqp6Z661rcGKeTRycrQ5JX5MIWAn9 3xwecuDDaC2MWWoME1/wsnM1zYF4W+V9fVX5dcsQ=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <01000173db1fc8cc-e5530e7a-c300-4f8f-8068-0fbe7fd51926-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_518AADA0-8A96-4313-A9A2-A4525C31C72F"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Tue, 11 Aug 2020 01:26:00 +0000
In-Reply-To: <CADajj4Zw+Js8neUujMbekReVdMMFcz46NDwdHsMdWXob6Upc_w@mail.gmail.com>
Cc: secdir@ietf.org, draft-ietf-netconf-keystore@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>
To: =?utf-8?Q?Magnus_Nystr=C3=B6m?= <magnusn@gmail.com>
References: <CADajj4ZQnWkjKdWpBgsB0oyX8_Kzj6HOL-Vkm=TrByBQMEJfPw@mail.gmail.com> <CADajj4bCTF5EeF6DZkCHpP0_GTnUYQtqa0OE3qf3Z5_AmKWfyA@mail.gmail.com> <CADajj4YxgdNXkWX7dLP0nBDWXLSKFa8M_KWWCPCgfCibYtWkAw@mail.gmail.com> <CADajj4Yw13QWbSqF_hd+P_fcNA4_YvdwqF=OgJ4pdS_1vrWphA@mail.gmail.com> <CADajj4Zw+Js8neUujMbekReVdMMFcz46NDwdHsMdWXob6Upc_w@mail.gmail.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-SES-Outgoing: 2020.08.11-54.240.8.31
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/0_V9lcD37utj_sDUx2ANrJLzI2M>
Subject: Re: [secdir] (Early) Secdir review of draft-ietf-netconf-keystore
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Aug 2020 01:26:11 -0000

[CC-ing netconf-chairs]


Hi Magnus,

Thank you for the review.  Below are some comments, as well as a link to the GitHub commit, and an updated plain-text version of the draft.

Thanks,
Kent


> On Aug 10, 2020, at 1:29 AM, Magnus Nyström <magnusn@gmail.com> wrote:
> 
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.
> 
> This document describes a new YANG model for centralized configuration of cryptographic keys in the context of NETCONF and RESTCONF.
> Section 4 describes a process to encrypt all "private" keys in a configuration. It is unclear if this refers only to the asymmetric keys in the configuration (as "private keys" normally refer to asymmetric keys) or also symmetric keys. It appears to apply to all cryptographic keys, and it therefore seems better to replace this usage of "private" with "symmetric and asymmetric private keys."

Good catch.  r/all the private keys/both the symmetric and asymmetric keys/


> Likewise, the use of the term "root key" is a bit unclear. A "root key" normally refers to an asymmetric key, but in this text it could be either.
> 
> More broadly, it may be advantageous to consider a hierarchy, where a key encryption key is used to encrypt all keys in a configuration and this key encryption key in turn is protected by a root (or master) key. This way, two instances only need to share the key encryption key and there's no need for shared root keys (which may present an issue). Likewise, one can rotate or renew the key encryption key if desired, whereas this usually is harder for root keys.

What you say is the intention, but the terminology used seems to be off.   The alignment needed is:

  Root key —> Master Encryption Key (MEK)
  Shared root key —> Key Encryption Key (KEK)



> Section 5.2 first states: "The NACM "default-deny-all" extension has not been set for any data nodes defined in this module," ostensibly because "none of the readable data notes ... are considered sensitive." I note here that meta-data about keys oftentimes can provide valuable information about those keys and suggest considering if the default-deny-all extension should be set by default after all.

I think there is a subtly you may be missing.  The keystore module uses the key definitions defined in the crypt-types draft.  In that draft, the key data *is* flagged with the “nacm:default-deny-all” extension.  So the key data itself (e.g., an ECPrivateKey or AESKey, in OpenSSL parlance) is protected.  Is that sufficient to protect the key metadata mentioned...or are you concerned about the “key-format” and/or “public-key” nodes being readable?


> Editorial:
> 
> ( A few nits that I found )
> 
> Section 1: 
> Substitute "Trusted Protection Module" with "Trusted Platform Module"
> The term "HSM" is used without explanation
Both fixed in my local copy - thanks!

> Last sentence (starting: "It is also possible...") is garbled

Now reads:

          "It is also possible that a 
          system implementing this module possesses a multiplicity of
          operating system level keystore utilities and/or HSMs."

Better?



> Section 1.1:
> Sentence starting "Links the each" is garbled
> Section 3:
> Second sentence starts "Built-in built-in keys..."

Both fixed in my local copy - thanks!




The GitHub commit enacting the updates is here: https://github.com/netconf-wg/keystore/commit/5b3b9f3db0d6b7027ddf5f0e983ab958e8802251 <https://github.com/netconf-wg/keystore/commit/5b3b9f3db0d6b7027ddf5f0e983ab958e8802251>

The plain-text version of the updated draft is attached.

Thanks again!
Kent


> /M