$30 off During Our Annual Pro Sale. View Details »

IYK4 and So Can You

Duo Security
September 29, 2016
260

IYK4 and So Can You

Securing Dev/Ops with Hardware-Backed Keys

Duo Security

September 29, 2016
Tweet

More Decks by Duo Security

Transcript

  1. I YK4 and So
    Can You
    Securing Dev/Ops with
    Hardware-Backed Keys

    View Slide

  2. Hardware-Backed Keys?
    Vs.

    View Slide

  3. What's the difference between...
    Vs.

    View Slide

  4. Hardware-Backed Keys
    Keys stored on specialized, trusted
    hardware that:
    ● Can perform crypto operations
    (decrypt / sign data) with the
    keys, but
    ● Will resist all attempts to retrieve
    the keys themselves

    View Slide

  5. Project 1: Bastion Host Hardening

    View Slide

  6. Production
    Systems
    Bastion
    Host
    Ops Team

    View Slide

  7. Review: SSH Keys
    user@client:~$ ssh-keygen -f ./id_foo -t rsa -b 2048
    Generating public/private rsa key pair.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in ./id_foo.
    Your public key has been saved in ./id_foo.pub.
    The key fingerprint is:
    SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I foo@localhost
    ...

    View Slide

  8. Review: SSH Keys
    user@server:~$ cat >> ~/.ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHrlOXRWYZJI7RHcfGbOvaFc5/6u+LDfv/0gpfvtv5
    qX5Vjyb4S6DaBFG3DamVa5XGuX5D/Xqq6YxkhMMDYkav1zAgnThg8jHkKTrDw0m1WcqhIpTTkEBMIGIO
    Fk3ehyrsagGsPqAK/52MVs7IaTtTB6pNSPVQNBzjypcpkI+7MQsKNLwUUHcMoD42E52xR/DVNy2tgYaE
    AI/7CufZc2ViYBzqipiEazoARc4JzYA//umhWWSL9ZyMUj3Q3rsl2SEHwM9UBLxjvQXDTUUzYdlFd/JR
    F94DFbKaWBOqd4C4hfAMUIBT+nitj/d1/DD3asVjtCroqrZIQnQgNOvXLuyR foo@localhost

    View Slide

  9. Review: SSH Keys
    user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    ...
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: ./id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    ...
    Enter passphrase for key './id_rsa':
    ...
    debug1: Authentication succeeded (publickey).
    ...
    user@server:~$

    View Slide

  10. Review: SSH Keys
    user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    ...
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: ./id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    ...
    Enter passphrase for key './id_rsa':
    ...
    debug1: Authentication succeeded (publickey).
    ...
    user@server:~$

    View Slide

  11. Review: SSH Keys
    user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    ...
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: ./id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    ...
    Enter passphrase for key './id_rsa':
    ...
    debug1: Authentication succeeded (publickey).
    ...
    user@server:~$

    View Slide

  12. Review: SSH Keys
    user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    ...
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: ./id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    ...
    Enter passphrase for key './id_rsa':
    ...
    debug1: Authentication succeeded (publickey).
    ...
    user@server:~$

    View Slide

  13. Review: SSH Keys
    user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216
    OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
    ...
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: ./id_rsa
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    ...
    Enter passphrase for key './id_rsa':
    ...
    debug1: Authentication succeeded (publickey).
    ...
    user@server:~$

    View Slide

  14. SSHv2 Protocol - Pubkey Signature
    The value of 'signature' is a signature by the corresponding
    private key over the following data, in the following order:
    string session identifier
    byte SSH_MSG_USERAUTH_REQUEST
    string user name
    string service name
    string "publickey"
    boolean TRUE
    string public key algorithm name
    string public key to be used for authentication

    View Slide

  15. ssh-agent
    user@client:~$ eval $(ssh-agent)
    Agent pid 10610
    user@client:~$ ssh-add id_rsa
    Enter passphrase for id_rsa:
    user@client:~$ ssh-add -l
    2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I id_foo (RSA)
    user@client:~$ ssh some_server
    ...

    View Slide

  16. ssh-agent
    ssh
    ssh-agent
    unix
    socket
    sshd
    Server
    Client
    ssh → agent: gimme your pubkeys
    agent → ssh:
    ...
    ssh → agent: sign this data with
    agent → ssh:

    View Slide

  17. ssh-agent + pkcs#11
    ssh
    ssh-agent
    unix
    socket
    sshd
    Server
    Client
    opensc-pkcs11.so
    epass2003 Hardware
    Keystore

    View Slide

  18. epass2003

    View Slide

  19. Rube-Goldberg Machine
    pcscd
    libccid
    opensc-pkcs11.so
    ssh-agent
    epass2003
    {

    View Slide

  20. Card? Reader?

    View Slide

  21. Production
    Systems
    Bastion
    Host
    Ops Team
    epass2003

    View Slide

  22. So, in practice, something like...
    user@client:~$ sudo yum install opensc pcsc-lite-ccid pcsc-lite
    ...
    user@client:~$ eval $(ssh-agent)
    Agent pid 10610
    user@client:~$ ssh-add -s /usr/lib/pkcs11/opensc-pkcs11.so
    Enter passphrase for PKCS#11:
    Card added: /usr/lib/pkcs11/opensc-pkcs11.so
    user@client:~$ ssh-add -l
    2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I
    /usr/lib/pkcs11/opensc-pkcs11.so (RSA)

    View Slide

  23. Problem: Exclusivity
    Problem: Only one process can talk to the epass2003 at a time
    Solution: Share one ssh-agent process across all authorized users on the
    system!
    ...
    Problem: ssh-agent doesn't like that
    Solution: scary hax!

    View Slide

  24. Scary Hax
    $ diff -u openssh-6.2p1-orig/ssh-agent.c openssh-6.2p1/ssh-agent.c
    --- openssh-6.2p1-orig/ssh-agent.c 2011-06-03 00:14:16.000000000 -0400
    +++ openssh-6.2p1/ssh-agent.c 2013-04-04 14:58:34.364412927 -0400
    @@ -1022,13 +1022,14 @@
    close(sock);
    break;
    }
    - if ((euid != 0) && (getuid() != euid)) {
    - error("uid mismatch: "
    - "peer euid %u != uid %u",
    - (u_int) euid, (u_int) getuid());
    - close(sock);
    - break;
    - }
    +// CRAZY @akgood HACKS SO EVERYONE CAN SHARE ONE SSH-AGENT
    + //if ((euid != 0) && (getuid() != euid)) {
    + // error("uid mismatch: "
    + // "peer euid %u != uid %u",

    View Slide

  25. Securing Dev/Ops with Hardware-Backed Keys

    View Slide

  26. Production
    Systems
    Bastion
    Host
    Ops Team
    epass2003

    View Slide

  27. 95%
    Top two failures causing data breaches
    Source: Verizon 2015 Data Breach Investigations Report
    75%

    View Slide

  28. Along Comes Yubico...

    View Slide

  29. Project 2: Hardware-Backed Keys for
    Everyone!

    View Slide

  30. View Slide

  31. "Applets"

    View Slide

  32. PIV is dead...

    View Slide

  33. ... long live PIV!

    View Slide

  34. PIV is Complicated
    ● 3 different access-control
    mechanisms
    ○ PIN
    ○ PUK
    ○ Management Key
    ● 4 key slots
    ○ Slot 9a: PIV Authentication
    ○ Slot 9c: Digital Signature
    ○ Slot 9d: Key Management
    ○ Slot 9e: Card Authentication
    ● Configurable policy
    ○ PIN / PUK retries
    ○ pin policy
    ○ touch policy (yk4-specific)

    View Slide

  35. Touch Policy
    Problem: Even if malware can't steal your SSH key, it still
    could ask the YK4 to sign things!
    Mitigation: YK4s can be configured to require a physical tap
    for every single crypto operation.

    View Slide

  36. PIV Access Control

    View Slide

  37. Provisioning PIV at Duo:
    ● Disable the PUK
    ● Generate random PIN (8 chars, alphanumeric)
    ● Set pin-retries=5
    ● Generate 2048-bit key in slot 9a + self-signed certificate
    ● "touch-policy=always"

    View Slide

  38. Basic Usage (OS X)
    user@client:~$ ssh-add -s /opt/yubico-piv-tool/lib/libykcs11.dylib
    Enter passphrase for PKCS#11:
    Card added: /opt/yubico-piv-tool/lib/libykcs11.dylib
    user@client:~$ ssh-add -l
    2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I
    /opt/yubico-piv-tool/lib/libykcs11.dylib (RSA)

    View Slide

  39. Multiple YK4 taps
    Problem: Some source-control operations require multiple SSH connections.
    Solution: ControlMaster!
    Host svn.whatever.org git.whatever.org
    ControlMaster auto
    ControlPath ~/.ssh/cm_socket_%r@%h:%p
    ControlPersist 1m

    View Slide

  40. Sleep / Wake on OS X
    Problem: YK4 PIV applet drops your PIN-auth when your laptop goes to sleep
    Solution: I hacked up some ObjC code to listen for "wake" events and nudge the
    ssh-agent back into functioning properly:
    https://github.com/duosecurity/ykpiv-ssh-agent-helper

    View Slide

  41. ChromeOS

    View Slide

  42. ChromeOS Secure Shell

    View Slide

  43. ChromeOS SSH Agent

    View Slide

  44. ChromeOS Smart Cards
    {
    {

    View Slide

  45. Out-MacGyver'ing "MacGyver"
    Problem: chrome.certificateProvider extensions can do everything we need, but
    other extensions aren't allowed to call their API.
    Solution: Shove the 'MacGyver' ssh-agent code into one of the
    chrome.certificateProvider smartcard middleware extensions itself!
    https://github.com/duosecurity/chromeos-ssh-smartcard-hack

    View Slide

  46. Possibilities that excite me
    ● SSH CA
    ○ See e.g.
    https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
    ● YK4 "Attestation"
    ○ https://developers.yubico.com/PIV/Introduction/PIV_attestation.html

    View Slide

  47. A note about U2F
    Hardware-Backed Keys for the Web!
    Really nice protocol overview here:
    https://developers.yubico.com/U2F/
    Protocol_details/Overview.html

    View Slide

  48. Would you like to know more?
    [email protected]
    @akgood

    View Slide