Re: [secdir] (Early) Secdir review of draft-ietf-netconf-keystore

Kent Watsen <kent+ietf@watsen.net> Thu, 13 August 2020 19:09 UTC

Return-Path: <01000173e93a78c8-35cdcae2-405d-4c42-8f77-a8176753fa0e-000000@amazonses.watsen.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B86A53A104C; Thu, 13 Aug 2020 12:09:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T0QXx37KgW0x; Thu, 13 Aug 2020 12:09:51 -0700 (PDT)
Received: from a48-93.smtp-out.amazonses.com (a48-93.smtp-out.amazonses.com [54.240.48.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FBF33A0746; Thu, 13 Aug 2020 12:09:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1597345790; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=1sqKpbQz3A7G4AZXFPcodZrpBGMxWvdxC9qQePuPOK4=; b=hyxxihy1c+dGwnFQj0DxjG/5IAaHoIhSWwIQNJVk4qyZbkB2HfjeIN0U7CWRQgBr mL+gay0xNpoWs3rfdsXwt/JI3oK5uvYlGq9e3WNzuY/hadVxEEGhen3lCpzSLAcbxVy aqXwSi8Q2OOWUbmfEtXbXhp+egDCJMkg39t2tpGM=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <01000173e93a78c8-35cdcae2-405d-4c42-8f77-a8176753fa0e-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_3F708979-73AB-424E-B64F-77F6DB76E5A7"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Thu, 13 Aug 2020 19:09:50 +0000
In-Reply-To: <CD3DA2C2-006F-46ED-A9A8-615B6C15E1D2@tislabs.com>
Cc: =?utf-8?Q?Magnus_Nystr=C3=B6m?= <magnusn@gmail.com>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, draft-ietf-netconf-keystore@ietf.org, secdir@ietf.org
To: Sandra Murphy <sandy@tislabs.com>
References: <CADajj4ZQnWkjKdWpBgsB0oyX8_Kzj6HOL-Vkm=TrByBQMEJfPw@mail.gmail.com> <CADajj4bCTF5EeF6DZkCHpP0_GTnUYQtqa0OE3qf3Z5_AmKWfyA@mail.gmail.com> <CADajj4YxgdNXkWX7dLP0nBDWXLSKFa8M_KWWCPCgfCibYtWkAw@mail.gmail.com> <CADajj4Yw13QWbSqF_hd+P_fcNA4_YvdwqF=OgJ4pdS_1vrWphA@mail.gmail.com> <CADajj4Zw+Js8neUujMbekReVdMMFcz46NDwdHsMdWXob6Upc_w@mail.gmail.com> <01000173db1fc8cc-e5530e7a-c300-4f8f-8068-0fbe7fd51926-000000@email.amazonses.com> <CD3DA2C2-006F-46ED-A9A8-615B6C15E1D2@tislabs.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-SES-Outgoing: 2020.08.13-54.240.48.93
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/3acrCSDfBDijMKWEg_0mu8Ihxso>
Subject: Re: [secdir] (Early) Secdir review of draft-ietf-netconf-keystore
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Aug 2020 19:09:54 -0000

Hi Sandy,

I think you’re making two comments, but there may be more!


1) is there support for key-lifetime/expiration?

The answer is “no” (or, perhaps, “not yet”), for the simple reason that key file formats (e.g., OpenSSL RSAPrivateKey, ECPrivateKey, AESKey, etc.) do not have fields for validity periods.  Do you think this module should add such a field (like RFC 8177)? - if it did, then the module certainly could also define a key-expiration notification.  Please advise.


2) Can KEKs be renewed / rolled over?

Yes, but not like in RFC 8177.  I’m not a routing person, but my understanding to that RFC 8177’s approach is visible in routing protocol messages...

In contrast, configuration is being set and there may only be the “current” key.  That said, a renew/rollover might be implemented as follows:

   - crypto-officer generates a new KEK
   - for each device having the same KEK (e.g., primary/failover devices):
        - crypto-officer encrypts the KEK with the device’s MEK
        - crypto-officer hands off the encrypted-KEK to a regular admin
        - regular-admin loads the encrypted KEK into the device
            - note that, at this time, no switchover has occurred yet
        - for each key on the device encrypted by expiring KEK:
            - regular-admin requests the device to encrypt the key using
               the new KEK (no switchover has occurred yet).  In pseudocode:
               new-encrypted-key = new-kek.encrypt(cleartext-key) (see [1])
            - regular-admin replaces the key (encrypted by the expiring
              KEK) with the new (really the same) key (encrypted by
              The new KEK).
                           
[1] this entails the regular admins knowing the cleartext clears, which is NOT best practice, but a necessary(?) consequence of the decision discussed here: https://tools.ietf.org/html/draft-ietf-netconf-crypto-types-17#section-3.2.   

To be clear, there were before two RPCs: generate-symmetric-key() and generate-asymmetric-key().  If IETF were to rescind this decision, or when a future effort fills in the missing piece, then it would make sense to additional RPC called, perhaps, reencrypt-symmetric-key() and reencrypt-asymmetric-key().

[Update, due to second-guessing myself] Hmmm, the reasons for why the two “generate” RPCs couldn’t be defined may not apply/limit the creation of said “reencrypt” RPCs…is this something you think should be added?

Regardless if said “reencrypt” RPCs are added or not, do you think the draft should extend “Encrypting Keys in Configuration” section with the above sketch of steps?


Please let me know if there were more than these two questions in your comment.

Thanks,
Kent



> On Aug 13, 2020, at 10:44 AM, Sandra Murphy <sandy@tislabs.com> wrote:
> 
> I interpreted the “shared root key” as a key encryption key — I don’t think you eliminate any issues.
> 
> (The term is common, but I haven’t found an ietf definition to reference, so I can’t say it *is* a key encryption key.)
> 
> wrt: “one can rotate or renew the key encryption key” 
> 
> I thought the migration process might work to rotate the root key, not the “shared root key”.  So the “first server” is server Bob with root key Bob.Tues-key and “second server” is server Bob with root key Bob.Wed-key.  Do you think that works?
> 
> Magnus’ mention of “renew” brings up the topic of key lifetimes, which I realize I did not think to mention.  (Yep, out of all those words, I did not mention something I should have.)  This draft includes expiration times for the certificate, but no key lifetimes, here or in the crypto-types draft.  RFC8177 does include lifetimes for keys, for the purpose of establishing valid intervals of use and key rollover.  Was key lifetime considered?
> 
> —Sandy
> 
>> On Aug 10, 2020, at 9:26 PM, Kent Watsen <kent+ietf@watsen.net> wrote:
>> 
>>> 
>>> Likewise, the use of the term "root key" is a bit unclear. A "root key" normally refers to an asymmetric key, but in this text it could be either.
>>> 
>>> More broadly, it may be advantageous to consider a hierarchy, where a key encryption key is used to encrypt all keys in a configuration and this key encryption key in turn is protected by a root (or master) key. This way, two instances only need to share the key encryption key and there's no need for shared root keys (which may present an issue). Likewise, one can rotate or renew the key encryption key if desired, whereas this usually is harder for root keys.
>> 
>> What you say is the intention, but the terminology used seems to be off.   The alignment needed is:
>> 
>>  Root key —> Master Encryption Key (MEK)
>>  Shared root key —> Key Encryption Key (KEK)
>> 
>