<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Le 14/03/2017 à 10:16, Janos
Mattyasovszky a écrit :<br>
</div>
<blockquote
cite="mid:VuRUNDtLfn0WiIrmfmNTvUesVAIgKR3S0OmZIkObP2MK7_ShEGG9j29TH6HzMxPktIYaXSSPnhrU43FSvCPtX-qNZM46s3nSIzM7qGuHEs4=@matya.eu"
type="cite">
<div>Hi dear Rudder Community, <br>
</div>
<div><br>
</div>
<div><u>The issue:</u></div>
<div>The policy generated by the Root server is transmitted
encrypted via the Relay servers, but this provides only
transport encryption between the endpoints, and the Relays
basically are by-design MITM hosts, which have the ability to
modify policy files and reports going back through them (the
inventories are signed - so they would break). This requires
that every relay has a high need for <i>integrity</i>, since
there is no real way to determine from a Rudder-Root-Server
point of view if any of the relay behaves rogue and injects
bogus policy and modifies the reports stream back to represent
that all nodes are good, even if they are not and are executing
an attacker-provided modified policy.<br>
</div>
<div><br>
</div>
<div><u>Proposed solution:</u><br>
</div>
<div>Use cryptographic signature on the generated policy with the
Root Server's RSA key.<br>
</div>
<div><br>
</div>
<div>With the usage of PKI a client can validate the policy
received from the Master before executing it by trusting the
public key of it. This would require the pubkey of the Root
Server to be known to the Nodes. Currently if you have any
Relays in between, they become the effective policy server for
the nodes, and the nodes will not know anything about the Relay
not being the root server (they just behave identical as if they
would be connected to a root server in the POW of an
end-of-the-leaf node).<br>
</div>
</blockquote>
<br>
Does that mean you think the signature should be done by the relay ?<br>
<br>
<blockquote
cite="mid:VuRUNDtLfn0WiIrmfmNTvUesVAIgKR3S0OmZIkObP2MK7_ShEGG9j29TH6HzMxPktIYaXSSPnhrU43FSvCPtX-qNZM46s3nSIzM7qGuHEs4=@matya.eu"
type="cite">
<div><br>
</div>
<div>By using a logic like "trust on first use", where the root
server includes it's pubkey in any policy being generated, and
then the node would trust the first key that it would receive if
it has no policy yet, it could establish a trust until a "rudder
agent reset/reinit" would be issued. After that the node could
verify any further policy by checking the signature of a file
containing the hashes of all the policy files.<br>
</div>
<div><br>
</div>
<div>This would work as long the nodes are not connecting
initially to a compromised relay, or if the Pubkey of the Root
Server is also deployed out-of-band at the time the rudder-agent
package is installed and policy_server.dat is configured, so
basically the node has already an initial knowledge of the root
server's pubkey, and would as of that only trust policy signed
by that root server, regardless of the path the policy would
travel.<br>
</div>
</blockquote>
<br>
Distributing the public key out of band is a possibility,
distributing a CA and checking signature may be better for long term
key management.<br>
This CA could be managed locally by rudder or be managed by
Normation for its clients.<br>
<br>
<blockquote
cite="mid:VuRUNDtLfn0WiIrmfmNTvUesVAIgKR3S0OmZIkObP2MK7_ShEGG9j29TH6HzMxPktIYaXSSPnhrU43FSvCPtX-qNZM46s3nSIzM7qGuHEs4=@matya.eu"
type="cite">
<div><br>
</div>
<div>This would raise the overall security level and reducing the
criticality of a relay to "only" require <i>confidentiality</i>,
since any compromise would result in worst case the nodes behind
a relay not executing the compromised policy and if the relay
was faking the expected reports the nodes would have to send
through the relays, so we'd go from "<i>compromising all nodes
below the relay to execute our code</i>" down to "<i>cutting
off the nodes from any new policy update without being
detected by the Root server</i>", which is still a great
improvement, and if you have out-of-Rudder monitoring for policy
updates (#7282), you could detect this by having nodes not
receiving policy updates as scheduled.<br>
</div>
<div><br>
</div>
<div>A second step could be not to send the reports via
unencrpyted UDP Syslog, but use the same method as sending the
inventories: one file with the current run's reports, signed by
the node's key, this would also solve the issue of not being
able to detect any compromised relay.</div>
</blockquote>
<br>
We took a step forward having signature everywhere, since the 4.1 we
have a relay api to share files between hosts. This API uses the
same signature mechanism as inventories that is checked everywhere.<br>
This API could also be used in place of syslog to transmit signed
reporting to the server.<br>
<br>
<blockquote
cite="mid:VuRUNDtLfn0WiIrmfmNTvUesVAIgKR3S0OmZIkObP2MK7_ShEGG9j29TH6HzMxPktIYaXSSPnhrU43FSvCPtX-qNZM46s3nSIzM7qGuHEs4=@matya.eu"
type="cite">
<div><br>
</div>
<div>Thanks for reading,<br>
</div>
<div><br>
</div>
<div>Best Regards,<br>
</div>
<div class="protonmail_signature_block ">
<div class="protonmail_signature_block-user ">
<div>Janos Mattyasovszky<br>
</div>
</div>
<div class="protonmail_signature_block-proton
protonmail_signature_block-empty"><br>
</div>
</div>
<div><br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
rudder-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:rudder-users@lists.rudder-project.org">rudder-users@lists.rudder-project.org</a>
<a class="moz-txt-link-freetext" href="http://www.rudder-project.org/mailman/listinfo/rudder-users">http://www.rudder-project.org/mailman/listinfo/rudder-users</a>
</pre>
</blockquote>
<br>
<p><br>
</p>
<div class="moz-signature">-- <br>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
<style type="text/css">
<!--
a.redlink:link { color: #1782E6; }
a.redlink:visited { color: #1782E6; }
.sig { font-family: 'Century Gothic', CenturyGothic, AppleGothic, sans-serif; font-size: small; }
.sigsmall { font-family: 'Century Gothic', CenturyGothic, AppleGothic, sans-serif; font-size: x-small; }
-->
</style>
<table border="0" cellpadding="0" cellspacing="2" width="380">
<tbody>
<tr>
<td colspan="2">
<hr></td>
</tr>
<tr>
<td colspan="2"><b><img alt="Logo Normation"
src="cid:part1.BB210E2C.A6B16308@normation.com"
align="left" height="50" hspace="10" width="50"> <span
class="sig">Benoît Peccatte</span></b><br>
<span class="sig"><i>Architecte</i></span><br>
<span class="sig"><a class="redlink"
href="http://www.normation.com">Normation</a></span> </td>
</tr>
<tr>
<td colspan="2">
<hr></td>
</tr>
<tr>
<td colspan="2"><span class="sigsmall"><b>87, Rue de
Turbigo, 75003 Paris, France</b></span></td>
</tr>
<tr>
<td><span class="sigsmall">Phone:</span></td>
<td><span class="sigsmall">+33 (0)1 85 08 48 96</span></td>
</tr>
<tr>
<td colspan="2">
<hr> </td>
</tr>
</tbody>
</table>
</div>
</body>
</html>