Slide 1

Slide 1 text

Tang and Clevis
Shackling Secrets to the Network
Fraser Tweedale, @hackuador
May 25, 2016

Slide 2

Slide 2 text

Intro

Slide 3

Slide 3 text

CC BY-SA 3.0 https://commons.wikimedia.org/wiki/File:Laptop-hard-drive-exposed.jpg

Slide 4

Slide 4 text

No content

Slide 5

Slide 5 text

No content

Slide 6

Slide 6 text

Demo

Slide 7

Slide 7 text

Tang
- Simple provisioning of encryption for secrets
- Automated decryption when Tang server is available
  - secret is bound to network
- Secret never leaves the client

Slide 8

Slide 8 text

Tang - assumptions
- Tang server only accessible from “secure network”
- Secrets and keys are safe in client memory

Slide 9

Slide 9 text

Diffie-Hellman exchange
- Key agreement protocol
- Alice and Bob agree on a shared secret
- Eve cannot learn shared key

Slide 10

Slide 10 text

Integrated Encryption Scheme
- Encryption protocol based on DH
- Derive symmetric key from shared secret
- Alice encrypts a message to Bob’s public key; sends it
- Bob can decrypt the message, Eve cannot

Slide 11

Slide 11 text

McCallum-Relyea exchange
- Encryption protocol based on IES
- due to Nathaniel McCallum and Robert Relyea: https://marc.info/?m=144173814525805
- Alice encrypts a message to Bob’s public key; doesn’t send it
- To decrypt, Alice asks Bob to encrypt an ephemeral key
  - uses reply to recover secret
- Eve cannot decrypt the message and neither can Bob!

Slide 12

Slide 12 text

No content

Slide 13

Slide 13 text

McCallum-Relyea - parameters
- cyclic group $G$ of order $n$, with hard problem
  - $\mathbb{Z}_p^*$ (discrete log)
  - elliptic curve $E(\mathbb{F}_q)$ (point factorisation)
- generator $g \in G$
- key derivation function $\mathrm{KDF}$
- symmetric encryption algorithm $\mathrm{Enc}$
- message $m$ to be encrypted

Slide 14

Slide 14 text

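McCallum-Relyea - encryption
- Client: $A \in_R [1, n - 1]$
- Server: $B \in_R [1, n - 1]$, $b \leftarrow g^B$
- Server → Client: $b$
- Client: $K \leftarrow \mathrm{KDF}(b^A) = \mathrm{KDF}(g^{AB})$
- Client: $a \leftarrow g^A$, $c \leftarrow \mathrm{Enc}(K, m)$
- Client: $\emptyset \leftarrow A, K$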

Slide 15

Slide 15 text

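McCallum-Relyea - decryption
- Client: $X \in_R [1, p - 1]$
- Client: $x \leftarrow a \cdot g^X = g^A \cdot g^X$
- Client → Server: $x$
- Server: $x \leftarrow x^B = g^{AB} \cdot g^{XB}$
- Server → Client: $x$
- Client: $K \leftarrow \mathrm{KDF}(x \cdot (b^X)^{-1}) = \mathrm{KDF}(g^{AB} \cdot g^{XB} \cdot g^{-XB}) = \mathrm{KDF}(g^{AB})$
- Client: $m \leftarrow \mathrm{Enc}^{-1}(K, c)$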
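The encryption and decryption exchanges from the two slides above, as an added Python example (not code from the slides or from the Tang project). It assumes a demo group $\mathbb{Z}_p^*$ with $p = 2^{255} - 19$ and base $g = 2$, SHA-256 as KDF, and an XOR keystream as a stand-in for Enc; `Server`, `provision` and `unlock` are hypothetical names.

```python
import hashlib
import secrets

# Assumed demo group (not from the slides): Z_p^* with p = 2**255 - 19, base g = 2.
# The algebra below holds for any base; real deployments need a vetted group.
P = 2**255 - 19
N = P - 1            # order of Z_p^*
G = 2

def rand_exp() -> int:
    return secrets.randbelow(N - 1) + 1          # uniform in [1, n - 1]

def kdf(elem: int) -> bytes:
    return hashlib.sha256(elem.to_bytes(32, "big")).digest()

def enc(key: bytes, data: bytes) -> bytes:
    """Stand-in for Enc/Enc^-1: XOR with a SHA-256 counter keystream (demo only)."""
    blocks = range(len(data) // 32 + 1)
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in blocks)
    return bytes(d ^ s for d, s in zip(data, stream))

class Server:
    def __init__(self):
        self._B = rand_exp()                     # B never leaves the server
        self.b = pow(G, self._B, P)              # b <- g^B, advertised to clients
        self.seen = []                           # every value a client ever sent

    def recover(self, x: int) -> int:
        self.seen.append(x)
        return pow(x, self._B, P)                # x^B = g^AB * g^XB

def provision(b: int, m: bytes):
    """Encryption: no message is sent to the server; only b is read."""
    A = rand_exp()
    K = kdf(pow(b, A, P))                        # K <- KDF(b^A) = KDF(g^AB)
    return pow(G, A, P), enc(K, m)               # keep (a, c); A and K are discarded

def unlock(server: Server, a: int, c: bytes) -> bytes:
    """Decryption: blind a with an ephemeral X so the server never sees a or K."""
    X = rand_exp()
    y = server.recover(a * pow(G, X, P) % P)     # send x = a * g^X
    K = kdf(y * pow(pow(server.b, X, P), -1, P) % P)   # strip g^XB
    return enc(K, c)

def demo():
    server = Server()
    m = b"constructed sample volume key"
    a, c = provision(server.b, m)
    return m, unlock(server, a, c), a, c, server.seen
```

`server.seen` holds only the blinded value $x$; the server would need $X$ to turn its reply into $g^{AB}$, which is why the slide on threats calls out entropy for the ephemeral key.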

Slide 16

Slide 16 text

Tang - implementation
- Server-side daemon and Clevis pin
- C
- Extensive test suite
- Small and fast (>30k req/sec)

Slide 17

Slide 17 text

Tang - protocol
- UDP
- ASN.1 (DER)
- No encryption (none needed)
- Trust On First Use (TOFU)
- Signed messages allow key rotation
- OOB fingerprint validation / key pinning are possibilities

Slide 18

Slide 18 text

Tang - threats and caveats
- MitM during provisioning
- Tang server is DoS target
- Good entropy needed for ephemeral key X
- Quantum computing

Slide 19

Slide 19 text

Mission accomplished

Slide 20

Slide 20 text

???

Slide 21

Slide 21 text

To what other things can we bind secrets?
- Trusted Platform Module (TPM)
- Smartcard
- Bluetooth LE beacon
- Biometrics
- “Master unlock key”

Slide 22

Slide 22 text

Unlock policy
- Security is not binary
- Policy should be driven by business needs, not technology
- How can we support arbitrarily complex unlock policy?
- e.g.
  stage1 ← S ⊂ {pwd, tang, smartcard, fingerprint}, |S| ≥ 2
  stage2 ← {stage1, tpm}
  unlock ← S ⊂ {stage2, pwd}, |S| ≥ 1

Slide 23

Slide 23 text

Shamir’s Secret Sharing
- $k$ points describe a polynomial of degree $k - 1$
- Free coefficient $\leftarrow$ secret, other coefficients $\leftarrow_R$
- Distribute $n$ points ($n \ge k$, $x \ne 0$)
- Given $k$ points, compute Lagrange polynomial
- secret $\leftarrow f(0)$
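How Shamir's Secret Sharing can express the nested unlock policy from the "Unlock policy" slide, as an added Python example (not Clevis code). The field modulus, the `(threshold, children)` policy encoding, the leaf path names and the functions `provision` and `unlock` are assumptions made for this sketch; a real pin would protect each leaf share rather than store it in a dict.

```python
import secrets

Q = 2**127 - 1   # prime field modulus (assumed for the demo); secrets must be < Q

def split(secret, k, n):
    """n points (x = 1..n, never x = 0) on a random degree k-1 polynomial, f(0) = secret."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    return [(x, sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q)
            for x in range(1, n + 1)]

def recover(points):
    """Lagrange interpolation evaluated at x = 0."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num, den = num * -xj % Q, den * (xi - xj) % Q
        total += yi * num * pow(den, -1, Q)
    return total % Q

# Slide 22's policy as (threshold, children); None marks a leaf pin.
STAGE1 = (2, {"pwd": None, "tang": None, "smartcard": None, "fingerprint": None})
STAGE2 = (2, {"stage1": STAGE1, "tpm": None})
POLICY = (1, {"stage2": STAGE2, "pwd": None})

def provision(secret, node, path, leaves):
    """Split secret among node's children; a nested child's share is its own secret."""
    k, children = node
    for (name, child), (x, y) in zip(children.items(), split(secret, k, len(children))):
        if child is None:
            leaves[f"{path}/{name}"] = y      # a real pin would protect this share
        else:
            provision(y, child, f"{path}/{name}", leaves)

def unlock(node, path, leaves, available):
    """Return node's secret, or None when fewer than k children can be satisfied."""
    k, children = node
    points = []
    for x, (name, child) in enumerate(children.items(), start=1):
        p = f"{path}/{name}"
        if child is None:
            y = leaves[p] if p in available else None
        else:
            y = unlock(child, p, leaves, available)
        if y is not None:
            points.append((x, y))
    return recover(points[:k]) if len(points) >= k else None
```

Calling `provision(master, POLICY, "unlock", leaves)` fills `leaves` with six shares; `unlock(POLICY, "unlock", leaves, available)` then returns `master` only for sets of leaf paths that satisfy the policy.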

Slide 24

Slide 24 text

Shamir’s Secret Sharing CC BY-SA 3.0 https://en.wikipedia.org/wiki/File:Lagrange_polynomial.svg

Slide 25

Slide 25 text

Demo

Slide 26

Slide 26 text

Clevis
- Client-side, pluggable key management based on SSS
- pins (plugins)
  - tang, password, ...
- JSON configuration
- C; minimal dependencies (openssl, libjansson)

Slide 27

Slide 27 text

History
- Feb ’15: Deo project begins (δεω, to bind)
  - Used TLS for privacy and X.509 encryption cert (complexity!)
  - Server decrypts and returns secret (thus learning it; bad!)
- Sep ’15: McCallum-Relyea discovered; rewrite begins
- Dec ’15: Project split into Tang and Clevis

Slide 28

Slide 28 text

LUKS integration
- Linux Unified Key Setup
- LUKS (v1) integration: Tang only
  - LUKSMeta library
- LUKS2 (future)
  - Designed for extensibility
  - Full Clevis support (hopefully!)

Slide 29

Slide 29 text

USBGuard integration
- Automatic encryption/decryption of USB storage media
- Allow only Tang-provisioned volumes to be accessed
- Can’t be accessed outside network perimeter

Slide 30

Slide 30 text

Ongoing development
- Key rotation
- Audit logging

Slide 31

Slide 31 text

Stuff I wish I had time to do right now
- TPM Clevis pin
- Let’s Encrypt integration (encrypt private keys)
- Blog post on Apache integration: https://is.gd/hQcpuM

Slide 32

Slide 32 text

Availability
- Fedora 24 COPR (unofficial package repo): npmccallum/tang
- Source code (GPLv3+)
  - https://github.com/latchset/tang
  - https://github.com/latchset/clevis

Slide 33

Slide 33 text

You can help!
- Crypto / protocol / code review
- Try it out!
- Tell us your use cases
- Contribute Clevis pins

Slide 34

Slide 34 text

Fin
© 2016 Red Hat, Inc. Except where otherwise noted this work is licensed under http://creativecommons.org/licenses/by/4.0/
- Blog: blog-ftweedal.rhcloud.com
- Email: [email protected]
- Twitter: @hackuador