Re: [secdir] Secdir last call review of draft-ietf-netconf-sztp-csr-11
Yaron Sheffer <yaronf.ietf@gmail.com> Sun, 28 November 2021 20:23 UTC
Return-Path: <yaronf.ietf@gmail.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1AB183A096C; Sun, 28 Nov 2021 12:23:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VJ1MZPei1j1U; Sun, 28 Nov 2021 12:23:05 -0800 (PST)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3715C3A096B; Sun, 28 Nov 2021 12:23:05 -0800 (PST)
Received: by mail-ed1-x52e.google.com with SMTP id t5so63300556edd.0; Sun, 28 Nov 2021 12:23:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:date:from:subject:thread-topic:in-reply-to:message-id :references:to:cc:content-transfer-encoding; bh=IQCuWtZe20FWcu7mYhHLJQ2psYQwDN4cDtGXphk6qWI=; b=L0mpGM7HAEx6cw0v21nv5RvMpxocDRUERfbT5KzBGVJ6yc3NPAXF+YNRfTFyE+HW5S 1nnM4PZsQeyAUW9JsDfs1hL+VSW+Ey01+xDzoscisBG/Guckd72MJE1SpyN7EvlUIe42 Bk8B7cAgHphdqnM06vHd92pBH7HV4IHJCJuB5RJIS63h9ld6XhRgXrdPlO3fPuXbVeNy yolsyhH/UyeoP16BRmKcL3Bx03mlZ7piN48ZKfEQavSYL8oi897yy54JfrxtWK0J4jHU TNXZwTpvENMb8oho03mHDxxENB9Mp9KDRCwdIfa55Q7eKPs3YlhW/FfNLZyxOwc4Y/Ge yopQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:date:from:subject:thread-topic :in-reply-to:message-id:references:to:cc:content-transfer-encoding; bh=IQCuWtZe20FWcu7mYhHLJQ2psYQwDN4cDtGXphk6qWI=; b=1Hd5C8gsNuzph6jXxRR5CbbncNVs1Rughv6Rd5cyeMiYyNRTMr3NjajhWM6vSbsP9m J66hZpbZTX4rtjOMhM2JGNUZWf1N6ZS78Ul7B8CF60avPhEf3WeMD1jO7dDClL5v184Z iwlAVaFGAUR0vANs8foKFxj/glmQKycB4tlAZBsyyOjsZilegaB9TRLFBFinVYydz6bS nkPNvXJjXjsaGhzYzzats4LMXaWWHK0IqrZQIkuzM/wJa++phpZyYalSGELrD8B3Lxs0 D5w5RH1o21qBuP7AYL+u2itd3Wtt5yI/lzOZ0Cbvtf/SwqNx9An0Z0f8zuYzpzUZPmBv snhg==
X-Gm-Message-State: AOAM532nq6Kc+1evgw3scs9xe5EIw2n29RQWhABugNQHq2oDMlSLotWy 2ZTOu1u9ml7aG93n1sYgznFJGowv+iQ=
X-Google-Smtp-Source: ABdhPJw64XQ0QC3U4qg8e8UEiaua1GkoS6zGR7cUbnkAgBB9v2A7n9FMaBO5MEKxh0ic3JXJmtH+oA==
X-Received: by 2002:a05:6402:445:: with SMTP id p5mr68578548edw.110.1638130978683; Sun, 28 Nov 2021 12:22:58 -0800 (PST)
Received: from MacBook-Pro.local (IGLD-84-229-147-189.inter.net.il. [84.229.147.189]) by smtp.gmail.com with ESMTPSA id d18sm7931129edj.23.2021.11.28.12.22.57 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Sun, 28 Nov 2021 12:22:58 -0800 (PST)
MIME-Version: 1.0
Date: Sun, 28 Nov 2021 22:22:54 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
Thread-Topic: Re: Secdir last call review of draft-ietf-netconf-sztp-csr-11
In-Reply-To: <CCDE993E-1BCE-426C-80BF-B49152853BC2@vigilsec.com>
Message-ID: <003BF754-E414-384E-91DA-47BFB117C0CE@hxcore.ol>
References: <163717559932.18384.2156774121641934785@ietfa.amsl.com> <0100017d49a045e3-d1919799-0247-4fb5-abe6-d0c661f80f6a-000000@email.amazonses.com> <D87EF8A3-D81B-E84E-9B87-EBFE775A2A7D@hxcore.ol> <FE65FFDF-B64F-4586-8FDE-416C94A390B4@vigilsec.com> <8EC1807D-C357-DB41-8D94-FF8F0A2EF13C@hxcore.ol>, <CCDE993E-1BCE-426C-80BF-B49152853BC2@vigilsec.com>
To: Russ Housley <housley@vigilsec.com>
Cc: Kent Watsen <kent+ietf@watsen.net>, IETF SecDir <secdir@ietf.org>, "draft-ietf-netconf-sztp-csr.all@ietf.org" <draft-ietf-netconf-sztp-csr.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/MF4GEeKTQLHIu5o6wPVTPWqP-j4>
Subject: Re: [secdir] Secdir last call review of draft-ietf-netconf-sztp-csr-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 28 Nov 2021 20:23:11 -0000
Hi Russ,
Thank you for the quick response.
We are in agreement re: PKCS #10 and randomness.
In the third point below (certificate rotation), I understand why the editors see it as out of scope. But we are still leaving implementers with no guidance, and we’ve all seen enough real world cases where this leads to people ignoring the vague “regenerate the private key”. Let me try to offer an alternative.
Old:
In cases where the SZTP-client does not possess an HSM, or otherwise is unable to use an HSM for the private key, it is RECOMMENDED to regenerate the private key (and associated identity certificates) periodically. Details for how to generate a new private key and associate a new identity certificate are outside the scope of this document.
New:
In cases where the SZTP-client does not possess an HSM, or otherwise is unable to use an HSM for the private key, it is RECOMMENDED to regenerate the private key (and associated identity certificates) periodically. If CMP or CMC was used for initial certificate provisioning, it is RECOMMENDED to reuse the protocol (CMC or CMP) for periodic certificate registration. Similarly, implementations SHOULD also reuse the initial origin authentication method.
Thanks,
Yaron
From: Russ Housley <housley@vigilsec.com>
Date: Sunday, November 28, 2021 at 20:10
To: Yaron Sheffer <yaronf.ietf@gmail.com>
Cc: Kent Watsen <kent+ietf@watsen.net>, IETF SecDir <secdir@ietf.org>, draft-ietf-netconf-sztp-csr.all@ietf.org <draft-ietf-netconf-sztp-csr.all@ietf.org>, last-call@ietf.org <last-call@ietf.org>, netconf@ietf.org <netconf@ietf.org>
Subject: Re: Secdir last call review of draft-ietf-netconf-sztp-csr-11
Yaron:
Thank you for addressing my comments, I am happy with most of your responses but I do have a few remaining questions:
· The commit that removes the dependency on IDevID and LDevID does not fix the issue of non-orthogonality. There is very detailed description for CMP and CMC, but nothing for PKCS #10 (p10-csr). Does it mean “use PKCS#10 out of the box and it’ll just work”? Or does it mean “the usage of PKCS#10 for these certs is still TBD”?
PKCS#10 is pretty simple. Are you aware of anything more that ought to be said?
I think we should explicitly mention what this method *cannot* provide. As far as I can tell, none of the origin authentication methods are available when using PKCS #10 directly without wrapping it further.
That is reasonable. I will talk with my co-authors and see if we can come up with a brief summary.
· I suggest to add the following reference to the paragraph on quality randomness, as a strong proof that this is a real world concern:
Heninger, N., Durumeric, Z., Wustrow, E., and J. Halderman, "Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices", Proceedings of the 21st USENIX Security Symposium , August 2012, <https://factorable.net/" rel="nofollow">https://factorable.net/>.
In another thread, something like this was suggested for another document:
Implementations must randomly generate nonces and private keys.
The use of inadequate pseudo-random number generators (PRNGs) to
generate cryptographic keys can result in little or no security. An attacker
may find it much easier to reproduce the PRNG environment that
produced the keys, searching the resulting small set of possibilities,
rather than brute force searching the whole key space. As example for
predictable random numbers see CVE-2008-0166 […]. The generation
of quality random numbers is difficult. ISO/IEC 20543:2019 […],
NIST SP 800-90A Rev.1 […], BSI AIS 31 V2.0 […], BCP 106 [RFC4086], and
others offers valuable guidance in this area.
If this approach works for you, we'll dig up the appropriate references.
Yes, but the Heninger et al. reference is a better fit than the Debian CVE because (1) it discusses network devices rather than servers and (2) it shows how even less broken RNGs can be exploited by a network attacker that only sees the public keys.
I just read the Abstract of the paper, and I see your point about the attacker only observing the public keys. How about:
Implementations must randomly generate nonces and private keys.
The use of inadequate pseudo-random number generators (PRNGs) to
generate cryptographic keys can result in little or no security. An attacker
may find it much easier to reproduce the PRNG environment that
produced the keys, searching the resulting small set of possibilities,
rather than brute force searching the whole key space. As an example of
predictable random numbers see CVE-2008-0166 […], and some consequences
of low-entropy random numbers are discussed in Mining Your Ps and Qs [...].
The generation of quality random numbers is difficult. ISO/IEC 20543:2019 […],
NIST SP 800-90A Rev.1 […], BSI AIS 31 V2.0 […], BCP 106 [RFC4086], and
others offers valuable guidance in this area.
· I understand that key generation is out of scope and maybe this needs to be a separate work item, but recommending periodic replacement of the certs without recommending a suitable mechanism leaves this solution with a big hole.
I do not agree. It does offer the protocol for obtaining replacement certificates for devices that are able to generating a fresh public/private key pair. Getting more detailed would be algorithm specific, which is not appropriate in this document.
Not really, because the “protocol” described here is: Client sends a CSR, Server responds with a complete client configuration blob. This obviously doesn’t work for an already deployed client.
I am really confused. The document is an addition to the Secure Zero Touch Provisioning (SZTP). As such, it is technique to securely provision a networking device when it is booting in a factory-default state. That should happen at the initial deployment or after the device is reset to the factory configuration. This is not the protocol for use with an already deployed client.
Russ
- [secdir] Secdir last call review of draft-ietf-ne… Yaron Sheffer via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Kent Watsen
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-iet… Russ Housley
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-iet… Russ Housley
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] [Last-Call] Secdir last call review … Russ Housley
- Re: [secdir] [Last-Call] Secdir last call review … Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-iet… Kent Watsen
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] [Last-Call] Secdir last call review … Benjamin Kaduk