Upgrade to Pro — share decks privately, control downloads, hide ads and more …

IYK4 and So Can You

A02711a8124144850ed0076dfcc3f4a2?s=47 Duo Security
September 29, 2016
220

IYK4 and So Can You

Securing Dev/Ops with Hardware-Backed Keys

A02711a8124144850ed0076dfcc3f4a2?s=128

Duo Security

September 29, 2016
Tweet

Transcript

  1. I YK4 and So Can You Securing Dev/Ops with Hardware-Backed

    Keys
  2. Hardware-Backed Keys? Vs.

  3. What's the difference between... Vs.

  4. Hardware-Backed Keys Keys stored on specialized, trusted hardware that: •

    Can perform crypto operations (decrypt / sign data) with the keys, but • Will resist all attempts to retrieve the keys themselves
  5. Project 1: Bastion Host Hardening

  6. Production Systems Bastion Host Ops Team

  7. Review: SSH Keys user@client:~$ ssh-keygen -f ./id_foo -t rsa -b

    2048 Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ./id_foo. Your public key has been saved in ./id_foo.pub. The key fingerprint is: SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I foo@localhost ...
  8. Review: SSH Keys user@server:~$ cat >> ~/.ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHrlOXRWYZJI7RHcfGbOvaFc5/6u+LDfv/0gpfvtv5 qX5Vjyb4S6DaBFG3DamVa5XGuX5D/Xqq6YxkhMMDYkav1zAgnThg8jHkKTrDw0m1WcqhIpTTkEBMIGIO

    Fk3ehyrsagGsPqAK/52MVs7IaTtTB6pNSPVQNBzjypcpkI+7MQsKNLwUUHcMoD42E52xR/DVNy2tgYaE AI/7CufZc2ViYBzqipiEazoARc4JzYA//umhWWSL9ZyMUj3Q3rsl2SEHwM9UBLxjvQXDTUUzYdlFd/JR F94DFbKaWBOqd4C4hfAMUIBT+nitj/d1/DD3asVjtCroqrZIQnQgNOvXLuyR foo@localhost
  9. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$
  10. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$
  11. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$
  12. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$
  13. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$
  14. SSHv2 Protocol - Pubkey Signature The value of 'signature' is

    a signature by the corresponding private key over the following data, in the following order: string session identifier byte SSH_MSG_USERAUTH_REQUEST string user name string service name string "publickey" boolean TRUE string public key algorithm name string public key to be used for authentication
  15. ssh-agent user@client:~$ eval $(ssh-agent) Agent pid 10610 user@client:~$ ssh-add id_rsa

    Enter passphrase for id_rsa: user@client:~$ ssh-add -l 2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I id_foo (RSA) user@client:~$ ssh some_server ...
  16. ssh-agent ssh ssh-agent unix socket sshd Server Client ssh →

    agent: gimme your pubkeys agent → ssh: <list of public keys> ... ssh → agent: sign this data with <k> agent → ssh: <signature>
  17. ssh-agent + pkcs#11 ssh ssh-agent unix socket sshd Server Client

    opensc-pkcs11.so epass2003 Hardware Keystore
  18. epass2003

  19. Rube-Goldberg Machine pcscd libccid opensc-pkcs11.so ssh-agent epass2003 {

  20. Card? Reader?

  21. Production Systems Bastion Host Ops Team epass2003

  22. So, in practice, something like... user@client:~$ sudo yum install opensc

    pcsc-lite-ccid pcsc-lite ... user@client:~$ eval $(ssh-agent) Agent pid 10610 user@client:~$ ssh-add -s /usr/lib/pkcs11/opensc-pkcs11.so Enter passphrase for PKCS#11: Card added: /usr/lib/pkcs11/opensc-pkcs11.so user@client:~$ ssh-add -l 2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I /usr/lib/pkcs11/opensc-pkcs11.so (RSA)
  23. Problem: Exclusivity Problem: Only one process can talk to the

    epass2003 at a time Solution: Share one ssh-agent process across all authorized users on the system! ... Problem: ssh-agent doesn't like that Solution: scary hax!
  24. Scary Hax $ diff -u openssh-6.2p1-orig/ssh-agent.c openssh-6.2p1/ssh-agent.c --- openssh-6.2p1-orig/ssh-agent.c 2011-06-03

    00:14:16.000000000 -0400 +++ openssh-6.2p1/ssh-agent.c 2013-04-04 14:58:34.364412927 -0400 @@ -1022,13 +1022,14 @@ close(sock); break; } - if ((euid != 0) && (getuid() != euid)) { - error("uid mismatch: " - "peer euid %u != uid %u", - (u_int) euid, (u_int) getuid()); - close(sock); - break; - } +// CRAZY @akgood HACKS SO EVERYONE CAN SHARE ONE SSH-AGENT + //if ((euid != 0) && (getuid() != euid)) { + // error("uid mismatch: " + // "peer euid %u != uid %u",
  25. Securing Dev/Ops with Hardware-Backed Keys

  26. Production Systems Bastion Host Ops Team epass2003

  27. 95% Top two failures causing data breaches Source: Verizon 2015

    Data Breach Investigations Report 75%
  28. Along Comes Yubico...

  29. Project 2: Hardware-Backed Keys for Everyone!

  30. None
  31. "Applets"

  32. PIV is dead...

  33. ... long live PIV!

  34. PIV is Complicated • 3 different access-control mechanisms ◦ PIN

    ◦ PUK ◦ Management Key • 4 key slots ◦ Slot 9a: PIV Authentication ◦ Slot 9c: Digital Signature ◦ Slot 9d: Key Management ◦ Slot 9e: Card Authentication • Configurable policy ◦ PIN / PUK retries ◦ pin policy ◦ touch policy (yk4-specific)
  35. Touch Policy Problem: Even if malware can't steal your SSH

    key, it still could ask the YK4 to sign things! Mitigation: YK4s can be configured to require a physical tap for every single crypto operation.
  36. PIV Access Control

  37. Provisioning PIV at Duo: • Disable the PUK • Generate

    random PIN (8 chars, alphanumeric) • Set pin-retries=5 • Generate 2048-bit key in slot 9a + self-signed certificate • "touch-policy=always"
  38. Basic Usage (OS X) user@client:~$ ssh-add -s /opt/yubico-piv-tool/lib/libykcs11.dylib Enter passphrase

    for PKCS#11: Card added: /opt/yubico-piv-tool/lib/libykcs11.dylib user@client:~$ ssh-add -l 2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I /opt/yubico-piv-tool/lib/libykcs11.dylib (RSA)
  39. Multiple YK4 taps Problem: Some source-control operations require multiple SSH

    connections. Solution: ControlMaster! Host svn.whatever.org git.whatever.org ControlMaster auto ControlPath ~/.ssh/cm_socket_%r@%h:%p ControlPersist 1m
  40. Sleep / Wake on OS X Problem: YK4 PIV applet

    drops your PIN-auth when your laptop goes to sleep Solution: I hacked up some ObjC code to listen for "wake" events and nudge the ssh-agent back into functioning properly: https://github.com/duosecurity/ykpiv-ssh-agent-helper
  41. ChromeOS

  42. ChromeOS Secure Shell

  43. ChromeOS SSH Agent

  44. ChromeOS Smart Cards { {

  45. Out-MacGyver'ing "MacGyver" Problem: chrome.certificateProvider extensions can do everything we need,

    but other extensions aren't allowed to call their API. Solution: Shove the 'MacGyver' ssh-agent code into one of the chrome.certificateProvider smartcard middleware extensions itself! https://github.com/duosecurity/chromeos-ssh-smartcard-hack
  46. Possibilities that excite me • SSH CA ◦ See e.g.

    https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/ • YK4 "Attestation" ◦ https://developers.yubico.com/PIV/Introduction/PIV_attestation.html
  47. A note about U2F Hardware-Backed Keys for the Web! Really

    nice protocol overview here: https://developers.yubico.com/U2F/ Protocol_details/Overview.html
  48. Would you like to know more? akgood@duosecurity.com @akgood