IYK4 and So Can You

I YK4 and So
Can You
Securing Dev/Ops with
Hardware-Backed Keys

View Slide

Hardware-Backed Keys?
Vs.

View Slide

What's the difference between...
Vs.

View Slide

Hardware-Backed Keys
Keys stored on specialized, trusted
hardware that:
● Can perform crypto operations
(decrypt / sign data) with the
keys, but
● Will resist all attempts to retrieve
the keys themselves

View Slide

Project 1: Bastion Host Hardening

View Slide

Production
Systems
Bastion
Host
Ops Team

View Slide

Review: SSH Keys
user@client:~$ ssh-keygen -f ./id_foo -t rsa -b 2048
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_foo.
Your public key has been saved in ./id_foo.pub.
The key fingerprint is:
SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I foo@localhost
...

View Slide

Review: SSH Keys
user@server:~$ cat >> ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDHrlOXRWYZJI7RHcfGbOvaFc5/6u+LDfv/0gpfvtv5
qX5Vjyb4S6DaBFG3DamVa5XGuX5D/Xqq6YxkhMMDYkav1zAgnThg8jHkKTrDw0m1WcqhIpTTkEBMIGIO
Fk3ehyrsagGsPqAK/52MVs7IaTtTB6pNSPVQNBzjypcpkI+7MQsKNLwUUHcMoD42E52xR/DVNy2tgYaE
AI/7CufZc2ViYBzqipiEazoARc4JzYA//umhWWSL9ZyMUj3Q3rsl2SEHwM9UBLxjvQXDTUUzYdlFd/JR
F94DFbKaWBOqd4C4hfAMUIBT+nitj/d1/DD3asVjtCroqrZIQnQgNOvXLuyR foo@localhost

View Slide

Review: SSH Keys
user@client:~$ ssh -vvv -i ./id_rsa 172.16.134.216
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
...
debug1: Next authentication method: publickey
debug1: Offering RSA public key: ./id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
...
Enter passphrase for key './id_rsa':
...
debug1: Authentication succeeded (publickey).
...
user@server:~$

View Slide

SSHv2 Protocol - Pubkey Signature
The value of 'signature' is a signature by the corresponding
private key over the following data, in the following order:
string session identifier
byte SSH_MSG_USERAUTH_REQUEST
string user name
string service name
string "publickey"
boolean TRUE
string public key algorithm name
string public key to be used for authentication

View Slide

ssh-agent
user@client:~$ eval $(ssh-agent)
Agent pid 10610
user@client:~$ ssh-add id_rsa
Enter passphrase for id_rsa:
user@client:~$ ssh-add -l
2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I id_foo (RSA)
user@client:~$ ssh some_server
...

View Slide

ssh-agent
ssh
ssh-agent
unix
socket
sshd
Server
Client
ssh → agent: gimme your pubkeys
agent → ssh:
...
ssh → agent: sign this data with
agent → ssh:

View Slide

ssh-agent + pkcs#11
ssh
ssh-agent
unix
socket
sshd
Server
Client
opensc-pkcs11.so
epass2003 Hardware
Keystore

View Slide

epass2003

View Slide

Rube-Goldberg Machine
pcscd
libccid
opensc-pkcs11.so
ssh-agent
epass2003
{

View Slide

Card? Reader?

View Slide

Production
Systems
Bastion
Host
Ops Team
epass2003

View Slide

So, in practice, something like...
user@client:~$ sudo yum install opensc pcsc-lite-ccid pcsc-lite
...
user@client:~$ eval $(ssh-agent)
Agent pid 10610
user@client:~$ ssh-add -s /usr/lib/pkcs11/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/pkcs11/opensc-pkcs11.so
2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I
/usr/lib/pkcs11/opensc-pkcs11.so (RSA)

View Slide

Problem: Exclusivity
Problem: Only one process can talk to the epass2003 at a time
Solution: Share one ssh-agent process across all authorized users on the
system!
...
Problem: ssh-agent doesn't like that
Solution: scary hax!

View Slide

Scary Hax
$ diff -u openssh-6.2p1-orig/ssh-agent.c openssh-6.2p1/ssh-agent.c
--- openssh-6.2p1-orig/ssh-agent.c 2011-06-03 00:14:16.000000000 -0400
+++ openssh-6.2p1/ssh-agent.c 2013-04-04 14:58:34.364412927 -0400
@@ -1022,13 +1022,14 @@
close(sock);
break;
}
- if ((euid != 0) && (getuid() != euid)) {
- error("uid mismatch: "
- "peer euid %u != uid %u",
- (u_int) euid, (u_int) getuid());
- close(sock);
- break;
- }
+// CRAZY @akgood HACKS SO EVERYONE CAN SHARE ONE SSH-AGENT
+ //if ((euid != 0) && (getuid() != euid)) {
+ // error("uid mismatch: "
+ // "peer euid %u != uid %u",

View Slide

Securing Dev/Ops with Hardware-Backed Keys

View Slide

Production
Systems
Bastion
Host
Ops Team
epass2003

View Slide

95%
Top two failures causing data breaches
Source: Verizon 2015 Data Breach Investigations Report
75%

View Slide

Along Comes Yubico...

View Slide

Project 2: Hardware-Backed Keys for
Everyone!

View Slide

View Slide

"Applets"

View Slide

PIV is dead...

View Slide

... long live PIV!

View Slide

PIV is Complicated
● 3 different access-control
mechanisms
○ PIN
○ PUK
○ Management Key
● 4 key slots
○ Slot 9a: PIV Authentication
○ Slot 9c: Digital Signature
○ Slot 9d: Key Management
○ Slot 9e: Card Authentication
● Configurable policy
○ PIN / PUK retries
○ pin policy
○ touch policy (yk4-specific)

View Slide

Touch Policy
Problem: Even if malware can't steal your SSH key, it still
could ask the YK4 to sign things!
Mitigation: YK4s can be configured to require a physical tap
for every single crypto operation.

View Slide

PIV Access Control

View Slide

Provisioning PIV at Duo:
● Disable the PUK
● Generate random PIN (8 chars, alphanumeric)
● Set pin-retries=5
● Generate 2048-bit key in slot 9a + self-signed certificate
● "touch-policy=always"

View Slide

Basic Usage (OS X)
user@client:~$ ssh-add -s /opt/yubico-piv-tool/lib/libykcs11.dylib
Enter passphrase for PKCS#11:
Card added: /opt/yubico-piv-tool/lib/libykcs11.dylib
2048 SHA256:hd6NfiXuxRkRUwfisdSyUeAfTlYgS+623BA7ouKyE4I
/opt/yubico-piv-tool/lib/libykcs11.dylib (RSA)

View Slide

Multiple YK4 taps
Problem: Some source-control operations require multiple SSH connections.
Solution: ControlMaster!
Host svn.whatever.org git.whatever.org
ControlMaster auto
ControlPath ~/.ssh/cm_socket_%r@%h:%p
ControlPersist 1m

View Slide

Sleep / Wake on OS X
Problem: YK4 PIV applet drops your PIN-auth when your laptop goes to sleep
Solution: I hacked up some ObjC code to listen for "wake" events and nudge the
ssh-agent back into functioning properly:
https://github.com/duosecurity/ykpiv-ssh-agent-helper

View Slide

ChromeOS

View Slide

ChromeOS Secure Shell

View Slide

ChromeOS SSH Agent

View Slide

ChromeOS Smart Cards
{
{

View Slide

Out-MacGyver'ing "MacGyver"
Problem: chrome.certificateProvider extensions can do everything we need, but
other extensions aren't allowed to call their API.
Solution: Shove the 'MacGyver' ssh-agent code into one of the
chrome.certificateProvider smartcard middleware extensions itself!
https://github.com/duosecurity/chromeos-ssh-smartcard-hack

View Slide

Possibilities that excite me
● SSH CA
○ See e.g.
https://code.facebook.com/posts/365787980419535/scalable-and-secure-access-with-ssh/
● YK4 "Attestation"
○ https://developers.yubico.com/PIV/Introduction/PIV_attestation.html

View Slide

A note about U2F
Hardware-Backed Keys for the Web!
Really nice protocol overview here:
https://developers.yubico.com/U2F/
Protocol_details/Overview.html

View Slide

Would you like to know more?
[email protected]
@akgood

View Slide

IYK4 and So Can You

IYK4 and So Can You

Duo Security

More Decks by Duo Security

Featured

Transcript