IETF Logo Mail Archive

Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-crypto-types-20

Kent Watsen <kent+ietf@watsen.net> Fri, 27 August 2021 20:51 UTC

Return-Path: <0100017b89613006-504db539-c16c-4c87-8772-2b6676e9c295-000000@amazonses.watsen.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 42B813A18B5; Fri, 27 Aug 2021 13:51:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YvHCZZbTgZiU; Fri, 27 Aug 2021 13:50:56 -0700 (PDT)
Received: from a48-90.smtp-out.amazonses.com (a48-90.smtp-out.amazonses.com [54.240.48.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FA713A18B4; Fri, 27 Aug 2021 13:50:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1630097453; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=xR1YvpEQ+4dJZZdDiGLE8SloqxEIwTbteEvkVtHfv0M=; b=dMH1tJR8aiff5tKURsk6SIdwZJfEqiiOdyRDVLHdyDgSTOgbHDFiPZO4XkbJ2IFl A5ERO8NK+WrA+C70kMe2JSS3NP4PZHf/C99bI1TJVXRkSDAz1hef8jqF7D3eTlPbHMM 5JkDy5IrC6um3YKhSk7SR0YKg3nsDU4WQcf5AeBM=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100017b89613006-504db539-c16c-4c87-8772-2b6676e9c295-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D0AC81A2-385D-463C-937B-5ED5A7C76C38"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Fri, 27 Aug 2021 20:50:53 +0000
In-Reply-To: <017c01d79b5e$a00a0000$e01e0000$@smyslov.net>
Cc: secdir@ietf.org, draft-ietf-netconf-crypto-types.all@ietf.org, "netconf@ietf.org" <netconf@ietf.org>
To: Valery Smyslov <valery@smyslov.net>
References: <162982978380.3381.17549750696257276827@ietfa.amsl.com> <0100017b8819bf19-1f20d528-72e4-462c-884a-6c29eff0769b-000000@email.amazonses.com> <017c01d79b5e$a00a0000$e01e0000$@smyslov.net>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2021.08.27-54.240.48.90
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/2dG_v_KgLZUqD4OKICsYa6LJOHE>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-crypto-types-20
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 Aug 2021 20:51:04 -0000

Hi Valery,


> On Aug 27, 2021, at 12:14 PM, Valery Smyslov <valery@smyslov.net> wrote:
> 
> Hi Kent,
>  
> thank you for addressing my comments. A bit more inline.

All good.  
 

> [removing “last-call” alias]
>  
>  
> Hello Valery.  
>  
> Thank you for your SecDir review, it is very much appreciated and never too late!
>  
> More comments below.
>  
> Thanks,
> Kent
>  
> 
> 
> On Aug 24, 2021, at 2:29 PM, Valery Smyslov via Datatracker <noreply@ietf.org <mailto:noreply@ietf.org>> wrote:
>  
> Reviewer: Valery Smyslov
> Review result: Has Issues
> 
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any other
> last call comments.
> 
> When I was re-assigned to review this draft the indicated deadline was already
> missed by 8 months, so I don't know how relevant the review is. I reviewed
> the latest -20 version of the draft instead of -18, that was requested.
>  
> Perfect.
>  
> 
> 
> The draft defines common YANG data types and groupings useful for cryptography.
> I din't try to check the YANG module itself. 
> 
> Issues:
> 
> Shouldn't a Privacy Considerations section be added to the draft?
> The draft defines quite a lot of privacy-sensitive information (like certificates)
> with no restriction on read access (as far as I understand).
>  
>  
> Both the "trust-anchor-cert-grouping” and “end-entity-cert-grouping” groupings have "nacm:default-deny-write” that, to your point, does not restrict reads.  That said, only management protocols having mutual authentication (e.g., SSH and/or TLS based transport) can access the data.  
>  
> Is your concern that the certificate’s content would be visible to the administrators?  Is your comment on end-entity certificates (containing personally-identifying information), more than trust-anchor-certificates?
>  
>           Yes, it’s mostly on end-entity certificates, however there may be quite a lot of interesting
>           private information besides certificates.
>  
>           If this information is only visible to the administrators and the used management protocols must 
>           have mutual authentication, then it’s probably not a big deal. I would have still added
>           a sentence about privacy of the stored data (i.e. that persons, that are allowed to access this data
>           are able to learn quite a lot of private information from it). I don’t insist though, it’s up to you.


I added the following to Section 3.8 (The "ietf-crypto-types" YANG Module).

             The "cert-data" node:

                   The "cert-data" node, defined in both the "trust-anchor-cert-grouping"
                    and "end-entity-cert-grouping" groupings, is additionally sensitive to
                    read operations, as certificates sometimes convey personally identifying
                    information (especially end-entity certificates).  However, as it is
                    commonly understood that certificates are "public", the NACM extension
                    "nacm:default-deny-write" (not "default-deny-all") has been applied. It
                    is RECOMMENDED that implementations adjust read-access to certificates
                    to comply with local policy.

Is this okay?

Separately, I thought about if there are any other values in the module that may have privacy concerns but was unable to locate any.


>> Section 3.5.
>> While I understand and support the idea, expressed in this section, I think that
>> the way it is expressed makes it difficult to follow in practice. In general, it's
>> not always obvious how to estimate the "strength" of the underlying secure transport.
>> For this reason it's not clear for me how it is supposed to "compare" the 
>> "strength" of the transport with the "strength" of the keys being transported.


All comments from this point to the end regard the Security Consideration "Strength of Keys Conveyed” (was "Strength of Keys Configured”).  I rewrote the section as follows.  Can you please check for accuracy?

      Strength of Keys Conveyed

           When accessing key values, it is desireable that implementations
            ensure that the strength of the keys being accessed is not greater
            than the strength of the underlying secure transport connection
            over which the keys are conveyed.  However, comparing key strengths
            can be complicated and difficult to implement in practice.

           That said, expert Security opinion suggests that already it is
            infeasible to break a 128-bit key using a classical computer, and 
            thus the concern for conveying higher-strength keys begins to lose 
            its allure.

            Implementations SHOULD only use transport algorithms to those 
            meeting local policy.  A reasonable policy may, e.g., state that 
            only algorithms listed as "recommended" by the IETF be used.
            Another reasonable policy may be to only use quantum-resistant 
            algorithms.

Thanks!
Kent, as author


>  
> I saw language like this once in a DoD setting.  I agree that it is difficult to implement in practice.  I used “SHOULD” (not MUST) to buy some leeway for implementations to be compliant.  Makes sense?
>  
>           My understanding of using RFC2119 language is that SHOULD is very close to MUST,
>           but allows some exceptions. So, I still think that you put a responsibility to make
>           security-related decisions on implementers, who often are not experts in this area.
>  
> FWIW, my YANG-driven server is able to remember what key the client used for authentication (e.g., RSA 2048) and register a callback to test that no greater keys (e.g., 3072 or 4096) are configured by that client.  Additional 
>  
>           What if the other key configured for the client is X25519? Which is stronger?
>  
> logic would be needed to prevent a low-strength client from *reading* a high-strength key configured by another client…though the issue can be alternatively resolved by configuring the TLS-stack to prevent low-strength algorithms.
>  
>           That was my point. I think that it’s better to require (by SHOULD) that only
>           those ciphersuites that were “vetted” by IETF (i.e. got “Recommended” status) be used.
>           This will make implementers’ life easier.
>  
> In addition, the requirement, that "Implementations SHOULD fail the write-request if ever
> the strength of the private key is greater then the strength of the
> underlying transport" looks wrong to me. You don't need to have
> 1024 bits transport protocol strength to transfer 1024 bit key, since
> even for say 256 bits it's infeasible to break.
>  
> IDK about this.  Again, I saw this constraint once in a DoD setting.  
>  
>           My (another) point was that there is generally no point to increase
>           security strength beyond some level. Currently it is believed
>           that 128 bit of symmetric key is infeasible to break (provided the algorithm is not broken itself),
>           If you are lucky have full-sized Post Quantum computer, it’ll be 256 bits.
>           It’s enough to transfer symmetric keys with say 1024 bits of entropy
>           (FWIW). So the requirement that the strength of transport must
>           be always greater than the strength of transported key 
>           seems not a good requirement to me. Instead require that
>           the strength of transport be sufficient to make
>           infeasible for an attacker to break it.
>           
> I think that the better approach would be to advise using strong
> ciphersuites for transport protocols defined in corresponding RFCs.
> For example, for TLS 1.3 there are ciphersuites marked as "recommended",
> that were evaluated by IETF crypto community.
>  
> I added this sentence:
>  
>           Implementations SHOULD configure allowed transport 
>           algorithms to include only those meeting local
>           policy (e.g., listed as "recommended" by the IETF).
>  
> Good?
>  
>           Perfect.
>  
>           Regards,
>           Valery.
>

v2.23.0 | Report a Bug | By Email