IYK4 and So Can You

Transcript

1. I YK4 and So Can You Securing Dev/Ops with Hardware-Backed

   Keys

2. Hardware-Backed Keys? Vs.

3. What's the difference between... Vs.

4. Hardware-Backed Keys Keys stored on specialized, trusted hardware that: •

   Can perform crypto operations (decrypt / sign data) with the keys, but • Will resist all attempts to retrieve the keys themselves

5. Project 1: Bastion Host Hardening

6. Production Systems Bastion Host Ops Team

7. Review: SSH Keys user@client:~$ ssh-keygen -f ./id_foo -t rsa -b

   2048 Generating public/private rsa key pair. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in ./id_foo. Your public key has been saved in ./id_foo.pub. The key fingerprint is: SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I foo@localhost ...

8. Review: SSH Keys user@server:~$ cat >> ~/.ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHrlOXRWYZJI7RHcfGbOvaFc5/6u+LDfv/0gpfvtv5 qX5Vjyb4S6DaBFG3DamVa5XGuX5D/Xqq6YxkhMMDYkav1zAgnThg8jHkKTrDw0m1WcqhIpTTkEBMIGIO

   Fk3ehyrsagGsPqAK/52MVs7IaTtTB6pNSPVQNBzjypcpkI+7MQsKNLwUUHcMoD42E52xR/DVNy2tgYaE AI/7CufZc2ViYBzqipiEazoARc4JzYA//umhWWSL9ZyMUj3Q3rsl2SEHwM9UBLxjvQXDTUUzYdlFd/JR F94DFbKaWBOqd4C4hfAMUIBT+nitj/d1/DD3asVjtCroqrZIQnQgNOvXLuyR foo@localhost

9. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

   OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$

10. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$

11. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$

12. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$

13. Review: SSH Keys user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216 OpenSSH_6.6.1,

    OpenSSL 1.0.1e-fips 11 Feb 2013 ... debug1: Next authentication method: publickey debug1: Offering RSA public key: ./id_rsa debug1: Server accepts key: pkalg ssh-rsa blen 277 ... Enter passphrase for key './id_rsa': ... debug1: Authentication succeeded (publickey). ... user@server:~$

14. SSHv2 Protocol - Pubkey Signature The value of 'signature' is

    a signature by the corresponding private key over the following data, in the following order: string session identifier byte SSH_MSG_USERAUTH_REQUEST string user name string service name string "publickey" boolean TRUE string public key algorithm name string public key to be used for authentication

15. ssh-agent user@client:~$ eval $(ssh-agent) Agent pid 10610 user@client:~$ ssh-add id_rsa

    Enter passphrase for id_rsa: user@client:~$ ssh-add -l 2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I id_foo (RSA) user@client:~$ ssh some_server ...

16. ssh-agent ssh ssh-agent unix socket sshd Server Client ssh →

    agent: gimme your pubkeys agent → ssh: <list of public keys> ... ssh → agent: sign this data with <k> agent → ssh: <signature>

17. ssh-agent + pkcs#11 ssh ssh-agent unix socket sshd Server Client

    opensc-pkcs11.so epass2003 Hardware Keystore

18. epass2003

19. Rube-Goldberg Machine pcscd libccid opensc-pkcs11.so ssh-agent epass2003 {

20. Card? Reader?

21. Production Systems Bastion Host Ops Team epass2003

22. So, in practice, something like... user@client:~$ sudo yum install opensc

    pcsc-lite-ccid pcsc-lite ... user@client:~$ eval $(ssh-agent) Agent pid 10610 user@client:~$ ssh-add -s /usr/lib/pkcs11/opensc-pkcs11.so Enter passphrase for PKCS#11: Card added: /usr/lib/pkcs11/opensc-pkcs11.so user@client:~$ ssh-add -l 2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I /usr/lib/pkcs11/opensc-pkcs11.so (RSA)

23. Problem: Exclusivity Problem: Only one process can talk to the

    epass2003 at a time Solution: Share one ssh-agent process across all authorized users on the system! ... Problem: ssh-agent doesn't like that Solution: scary hax!

24. Scary Hax $ diff -u openssh-6.2p1-orig/ssh-agent.c openssh-6.2p1/ssh-agent.c --- openssh-6.2p1-orig/ssh-agent.c 2011-06-03

    00:14:16.000000000 -0400 +++ openssh-6.2p1/ssh-agent.c 2013-04-04 14:58:34.364412927 -0400 @@ -1022,13 +1022,14 @@ close(sock); break; } - if ((euid != 0) && (getuid() != euid)) { - error("uid mismatch: " - "peer euid %u != uid %u", - (u_int) euid, (u_int) getuid()); - close(sock); - break; - } +// CRAZY @akgood HACKS SO EVERYONE CAN SHARE ONE SSH-AGENT + //if ((euid != 0) && (getuid() != euid)) { + // error("uid mismatch: " + // "peer euid %u != uid %u",

25. Securing Dev/Ops with Hardware-Backed Keys

26. Production Systems Bastion Host Ops Team epass2003

27. 95% Top two failures causing data breaches Source: Verizon 2015

    Data Breach Investigations Report 75%

28. Along Comes Yubico...

29. Project 2: Hardware-Backed Keys for Everyone!

30. None

31. "Applets"

32. PIV is dead...

33. ... long live PIV!

34. PIV is Complicated • 3 different access-control mechanisms ◦ PIN

    ◦ PUK ◦ Management Key • 4 key slots ◦ Slot 9a: PIV Authentication ◦ Slot 9c: Digital Signature ◦ Slot 9d: Key Management ◦ Slot 9e: Card Authentication • Configurable policy ◦ PIN / PUK retries ◦ pin policy ◦ touch policy (yk4-specific)

35. Touch Policy Problem: Even if malware can't steal your SSH

    key, it still could ask the YK4 to sign things! Mitigation: YK4s can be configured to require a physical tap for every single crypto operation.

36. PIV Access Control

37. Provisioning PIV at Duo: • Disable the PUK • Generate

    random PIN (8 chars, alphanumeric) • Set pin-retries=5 • Generate 2048-bit key in slot 9a + self-signed certificate • "touch-policy=always"

38. Basic Usage (OS X) user@client:~$ ssh-add -s /opt/yubico-piv-tool/lib/libykcs11.dylib Enter passphrase

    for PKCS#11: Card added: /opt/yubico-piv-tool/lib/libykcs11.dylib user@client:~$ ssh-add -l 2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I /opt/yubico-piv-tool/lib/libykcs11.dylib (RSA)

39. Multiple YK4 taps Problem: Some source-control operations require multiple SSH

    connections. Solution: ControlMaster! Host svn.whatever.org git.whatever.org ControlMaster auto ControlPath ~/.ssh/cm_socket_%r@%h:%p ControlPersist 1m

40. Sleep / Wake on OS X Problem: YK4 PIV applet

    drops your PIN-auth when your laptop goes to sleep Solution: I hacked up some ObjC code to listen for "wake" events and nudge the ssh-agent back into functioning properly: https://github.com/duosecurity/ykpiv-ssh-agent-helper

41. ChromeOS

42. ChromeOS Secure Shell

43. ChromeOS SSH Agent

44. ChromeOS Smart Cards { {

45. Out-MacGyver'ing "MacGyver" Problem: chrome.certificateProvider extensions can do everything we need,

    but other extensions aren't allowed to call their API. Solution: Shove the 'MacGyver' ssh-agent code into one of the chrome.certificateProvider smartcard middleware extensions itself! https://github.com/duosecurity/chromeos-ssh-smartcard-hack

46. Possibilities that excite me • SSH CA ◦ See e.g.

    https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/ • YK4 "Attestation" ◦ https://developers.yubico.com/PIV/Introduction/PIV_attestation.html

47. A note about U2F Hardware-Backed Keys for the Web! Really

    nice protocol overview here: https://developers.yubico.com/U2F/ Protocol_details/Overview.html

48. Would you like to know more? [email protected] @akgood