Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-sztp-csr-11
Russ Housley <housley@vigilsec.com> Mon, 29 November 2021 16:46 UTC
Return-Path: <housley@vigilsec.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 314173A0796 for <secdir@ietfa.amsl.com>; Mon, 29 Nov 2021 08:46:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cOlU0iwjZ801 for <secdir@ietfa.amsl.com>; Mon, 29 Nov 2021 08:46:06 -0800 (PST)
Received: from mail.smeinc.net (mail.smeinc.net [209.135.209.11]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B2F13A0C05 for <secdir@ietf.org>; Mon, 29 Nov 2021 08:46:06 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mail.smeinc.net (Postfix) with ESMTP id 6964B300C1B for <secdir@ietf.org>; Mon, 29 Nov 2021 11:38:42 -0500 (EST)
X-Virus-Scanned: amavisd-new at mail.smeinc.net
Received: from mail.smeinc.net ([127.0.0.1]) by localhost (mail.smeinc.net [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id kcgx_OJnXlee for <secdir@ietf.org>; Mon, 29 Nov 2021 11:38:35 -0500 (EST)
Received: from a860b60074bd.fios-router.home (pool-141-156-161-153.washdc.fios.verizon.net [141.156.161.153]) by mail.smeinc.net (Postfix) with ESMTPSA id 09928300B30; Mon, 29 Nov 2021 11:38:35 -0500 (EST)
From: Russ Housley <housley@vigilsec.com>
Message-Id: <9BF6DBF5-9394-4CFE-A8E5-E064AFE3A76D@vigilsec.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F8B832BD-0538-4803-8053-23DD31DE5E6A"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.21\))
Date: Mon, 29 Nov 2021 11:38:31 -0500
In-Reply-To: <003BF754-E414-384E-91DA-47BFB117C0CE@hxcore.ol>
Cc: "last-call@ietf.org" <last-call@ietf.org>, Kent Watsen <kent+ietf@watsen.net>, "draft-ietf-netconf-sztp-csr.all@ietf.org" <draft-ietf-netconf-sztp-csr.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, IETF SecDir <secdir@ietf.org>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
References: <163717559932.18384.2156774121641934785@ietfa.amsl.com> <0100017d49a045e3-d1919799-0247-4fb5-abe6-d0c661f80f6a-000000@email.amazonses.com> <D87EF8A3-D81B-E84E-9B87-EBFE775A2A7D@hxcore.ol> <FE65FFDF-B64F-4586-8FDE-416C94A390B4@vigilsec.com> <8EC1807D-C357-DB41-8D94-FF8F0A2EF13C@hxcore.ol> <CCDE993E-1BCE-426C-80BF-B49152853BC2@vigilsec.com> <003BF754-E414-384E-91DA-47BFB117C0CE@hxcore.ol>
X-Mailer: Apple Mail (2.3445.104.21)
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/o1BgQ2rdTfmHPQl0mr9270WdrjI>
Subject: Re: [secdir] [Last-Call] Secdir last call review of draft-ietf-netconf-sztp-csr-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Nov 2021 16:46:10 -0000
Yaron: Perhaps the word "regenerate" is the thing that is causing confusion. Suggestion: In cases where the SZTP-client does not possess an HSM, or otherwise is unable to use an HSM for the private key, it is RECOMMENDED that the device periodically reset the configuration to the factory default and repeat the SZTP protocol. Repeating the SZTP protocol may cause the device to generate a fresh private key (and associated identity certificates). Details for how to generate a new private key and associate a new identity certificate are outside the scope of this document. Russ > On Nov 28, 2021, at 3:22 PM, Yaron Sheffer <yaronf.ietf@gmail.com> wrote: > > Hi Russ, > > Thank you for the quick response. > > We are in agreement re: PKCS #10 and randomness. > > In the third point below (certificate rotation), I understand why the editors see it as out of scope. But we are still leaving implementers with no guidance, and we’ve all seen enough real world cases where this leads to people ignoring the vague “regenerate the private key”. Let me try to offer an alternative. > > Old: > > In cases where the SZTP-client does not possess an HSM, or otherwise is unable to use an HSM for the private key, it is RECOMMENDED to regenerate the private key (and associated identity certificates) periodically. Details for how to generate a new private key and associate a new identity certificate are outside the scope of this document. > > New: > > In cases where the SZTP-client does not possess an HSM, or otherwise is unable to use an HSM for the private key, it is RECOMMENDED to regenerate the private key (and associated identity certificates) periodically. If CMP or CMC was used for initial certificate provisioning, it is RECOMMENDED to reuse the protocol (CMC or CMP) for periodic certificate registration. Similarly, implementations SHOULD also reuse the initial origin authentication method. > > Thanks, > Yaron > > > From: Russ Housley <housley@vigilsec.com <mailto:housley@vigilsec.com>> > Date: Sunday, November 28, 2021 at 20:10 > To: Yaron Sheffer <yaronf.ietf@gmail.com <mailto:yaronf.ietf@gmail.com>> > Cc: Kent Watsen <kent+ietf@watsen.net <mailto:kent+ietf@watsen.net>>, IETF SecDir <secdir@ietf.org <mailto:secdir@ietf.org>>, draft-ietf-netconf-sztp-csr.all@ietf.org <mailto:draft-ietf-netconf-sztp-csr.all@ietf.org> <draft-ietf-netconf-sztp-csr.all@ietf.org <mailto:draft-ietf-netconf-sztp-csr.all@ietf.org>>, last-call@ietf.org <mailto:last-call@ietf.org> <last-call@ietf.org <mailto:last-call@ietf.org>>, netconf@ietf.org <mailto:netconf@ietf.org> <netconf@ietf.org <mailto:netconf@ietf.org>> > Subject: Re: Secdir last call review of draft-ietf-netconf-sztp-csr-11 > > Yaron: > > > Thank you for addressing my comments, I am happy with most of your responses but I do have a few remaining questions: > > · The commit that removes the dependency on IDevID and LDevID does not fix the issue of non-orthogonality. There is very detailed description for CMP and CMC, but nothing for PKCS #10 (p10-csr). Does it mean “use PKCS#10 out of the box and it’ll just work”? Or does it mean “the usage of PKCS#10 for these certs is still TBD”? > > PKCS#10 is pretty simple. Are you aware of anything more that ought to be said? > > I think we should explicitly mention what this method *cannot* provide. As far as I can tell, none of the origin authentication methods are available when using PKCS #10 directly without wrapping it further. > > That is reasonable. I will talk with my co-authors and see if we can come up with a brief summary. > > > · I suggest to add the following reference to the paragraph on quality randomness, as a strong proof that this is a real world concern: > > Heninger, N., Durumeric, Z., Wustrow, E., and J. Halderman, "Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices", Proceedings of the 21st USENIX Security Symposium , August 2012, <https://factorable.net/ <https://factorable.net/>>. > > In another thread, something like this was suggested for another document: > > Implementations must randomly generate nonces and private keys. > The use of inadequate pseudo-random number generators (PRNGs) to > generate cryptographic keys can result in little or no security. An attacker > may find it much easier to reproduce the PRNG environment that > produced the keys, searching the resulting small set of possibilities, > rather than brute force searching the whole key space. As example for > predictable random numbers see CVE-2008-0166 […]. The generation > of quality random numbers is difficult. ISO/IEC 20543:2019 […], > NIST SP 800-90A Rev.1 […], BSI AIS 31 V2.0 […], BCP 106 [RFC4086], and > others offers valuable guidance in this area. > > If this approach works for you, we'll dig up the appropriate references. > > Yes, but the Heninger et al. reference is a better fit than the Debian CVE because (1) it discusses network devices rather than servers and (2) it shows how even less broken RNGs can be exploited by a network attacker that only sees the public keys. > > I just read the Abstract of the paper, and I see your point about the attacker only observing the public keys. How about: > > > Implementations must randomly generate nonces and private keys. > The use of inadequate pseudo-random number generators (PRNGs) to > generate cryptographic keys can result in little or no security. An attacker > may find it much easier to reproduce the PRNG environment that > produced the keys, searching the resulting small set of possibilities, > rather than brute force searching the whole key space. As an example of > predictable random numbers see CVE-2008-0166 […], and some consequences > of low-entropy random numbers are discussed in Mining Your Ps and Qs [...]. > The generation of quality random numbers is difficult. ISO/IEC 20543:2019 […], > NIST SP 800-90A Rev.1 […], BSI AIS 31 V2.0 […], BCP 106 [RFC4086], and > others offers valuable guidance in this area. > > > > > · I understand that key generation is out of scope and maybe this needs to be a separate work item, but recommending periodic replacement of the certs without recommending a suitable mechanism leaves this solution with a big hole. > > I do not agree. It does offer the protocol for obtaining replacement certificates for devices that are able to generating a fresh public/private key pair. Getting more detailed would be algorithm specific, which is not appropriate in this document. > > Not really, because the “protocol” described here is: Client sends a CSR, Server responds with a complete client configuration blob. This obviously doesn’t work for an already deployed client. > > I am really confused. The document is an addition to the Secure Zero Touch Provisioning (SZTP). As such, it is technique to securely provision a networking device when it is booting in a factory-default state. That should happen at the initial deployment or after the device is reset to the factory configuration. This is not the protocol for use with an already deployed client. > > Russ > > -- > last-call mailing list > last-call@ietf.org <mailto:last-call@ietf.org> > https://www.ietf.org/mailman/listinfo/last-call <https://www.ietf.org/mailman/listinfo/last-call>
- [secdir] Secdir last call review of draft-ietf-ne… Yaron Sheffer via Datatracker
- Re: [secdir] Secdir last call review of draft-iet… Kent Watsen
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-iet… Russ Housley
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-iet… Russ Housley
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] [Last-Call] Secdir last call review … Russ Housley
- Re: [secdir] [Last-Call] Secdir last call review … Yaron Sheffer
- Re: [secdir] Secdir last call review of draft-iet… Kent Watsen
- Re: [secdir] Secdir last call review of draft-iet… Yaron Sheffer
- Re: [secdir] [Last-Call] Secdir last call review … Benjamin Kaduk