[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [kmip] Comments about access control proposal
Michael,
You raise some excellent questions, and likewise, I
claim no particular insight or authority and mostly stay in listen
mode.
I tend to agree that simple reads of keys should not change
key metadata state and should not be specified to do so in the protocol.
Accesses/actions by clients and adminstrators should always or often be logged,
but they should not necessarily change the object state. For
example, if I as administrator view a key name, that should not change
the key state, or even necessarily be logged. Client/server activity
logging is an excellent alternative to complicating KMIP messaging and
conformance.
Log/activity monitoring is an important aspect of any
operational security controls. KMIP should not attempt
to predict/limit/control what types of API attacks or legitimate accesses
are possible; that belongs in another controls layer. We do not need
to solve all possible problems in the KMIP spec.
I would agree and prefer re-using the KMIP Links, if
possible, to support the proposed Ancestor and Dependent
attributes.
I agree that Conformance requiring any particular Server
Policy is problematical. KMIP should be supporting various user policy
controls; end-users should be controlling their specific securioty Policy
settings.
Thank you,
--Steve W.
HP From: Michael Allen [mailto:mallen@pgp.com] Sent: Tuesday, March 09, 2010 5:38 PM To: kmip@lists.oasis-open.org Subject: [kmip] Comments about access control proposal As I read through it, the basic access policy made a lot of sense and seems
relatively straightforward to implement. The strict access control policy,
though, I have some concerns about. While I think it would address the
problem at hand (confounding the so-called API attack), I'm wondering if that's
a problem worth us solving in the protocol itself.
The API attack as described in the presentation goes something like this
(and fill in any blanks where I get things wrong, TC experts!):
The attack scenario here is one where the system grants permission for a
user to see and use one key without understanding its relationships to other
cryptographic material in the same system. Marko's proposal details a
solution to this problem that involves tracking which roles have read which keys
under particular circumstances, so that the security system can make particular
assertions about who should be able to read keys.
The solution presented has a couple of things right off the bat that I find
a bit weird:
It strikes me that this concern might not be a real-world worry. I
would love to hear from the rest of you how often this attack might really
happen against known use cases. As I think about it, if you have a
symmetric key like SK-WRAP above, you would guard who you handed it out to
rather religiously (i.e. with much ceremony and pomp). As an administrator
of a key management system, you've probably given Bob access to SK-WRAP because
he, as a high security officer-type person, needs to have access to all the keys
on all the tapes so that he can recover their material in case of a disaster.
You're not going to hand that access out willy-nilly. If Mary gets
access to SK-WRAP, she probably has it for a reason.
In KMIP, you can basically ask for any key to be wrapped under any other
key. Maybe *that's* the security assumption we should be looking at to
attack this problem. Do we need to have some notions about which keys are
allowed to wrap others, and who can perform those operations, rather than trying
to solve this rather more tricky problem of tracking who has read what?
Thanks, I'd love critical feedback about my thinking here. I've been
kind of quiet on the calls so far, as I was coming in at the tail-end of the 1.0
spec, so if some of my questions have already been discussed, please let me
know.
- Mike |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]