Network Working Group | P. Hallam-Baker |
Internet-Draft | Comodo Group Inc. |
Intended status: Informational | March 21, 2016 |
Expires: September 22, 2016 |
Limited Use of Remote Keys, Protocol and Reference.
draft-hallambaker-lurk-01
The Limited Use of Remote Keys (LURK) BOF has been scheduled with the objective of discussing approaches to mitigating security risks to TLS private keys. In particular in situations where a Content Delivery Network (CDN) is used to deliver content and thus the party that is being authenticated is not the party that the user is attempting to authenticate.
Three classes of solution are considered, short term credentials, a remote service offering to perform private key operations and a remote service that is further constrained through the use of some form of threshold approach. A JSON/HTTP protocol implementing the second and third protocol is demonstrated and documented.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 22, 2016.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
[Please note that due to work in progress to support the new RFC format etc, some of the formatting features are not currently working as they should. These will be fixed in the next version.]
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This protocol is makes use of technology described in the following specifications
JSON [RFC7159]
For encoding of message data structures.
JOSE [RFC7515] [RFC7516] [RFC7518]
Formats for cryptographic messages and keys in JSON.
JSON Web Service [draft-hallambaker-json-web-service-02]
Describes the approach used for Web Service discovery and the encapsulation of JSON messages as HTTP payloads with the necessary authentication and encryption services.
Uniform Data Fingerprint [draft-hallambaker-udf-03]
Describes the mechanism used to create identifiers for cryptographic keypairs from the public key.
In addition, the following specifications are closely related but not required for implementation:
Transport Layer Security [RFC5246]
The use of TLS to protect the confidentiality and integrity of all protocol communications is of course highly recommended. It is however highly undesirable for a cryptographic protocol such as LURK should rely on transport layer security enhancements alone.
The Mathematical Mesh [draft-hallambaker-mesh-architecture-01] [draft-hallambaker-mesh-reference-02]
MAY be used to establish trust relationships between the parties in the protocol.
CFRG Elliptic Curves and Algorithms [RFC7748]
The threshold and proxy re-encryption schemes described are likely to be of most interest in conjunction with the emerging elliptic curve based cryptography.
JSON-BCD [draft-hallambaker-jsonbcd-05]
JSON-B or JSON-C encoding may be used if an efficient binary or compressed encoding is required. Alternatively, message structures MAY be encoded according to TLS conventions.
One piece of technology that is not currently implemented but would be usefully factored out as a separate document is a mechanism to support agreement of symmetric keys and related tickets for use in the payload authentication mechanism.
The following words and phrases are used as defined terms in this specification:
Private Key
Any secret information required to perform a Public Key operation. This includes complete keys and partial keys.
Partial Key
In cases where a threshold key scheme is in use, a private partial key is the private key information used to participate in the threshold scheme by one participant.
Complete Key
A private key that is sufficient to perform the private key operation without any additional information being provided.
The Limited Use of Remote Keys (LURK) BOF has been scheduled with the objective of discussing approaches to mitigating security risks to TLS private keys. This objective was initially motivated by the need to achieve site authentication in a scenario where the actual content is delivered by a third party (aka Content Delivery Networks). But as is demonstrated in the following, almost any solution to this problem will have much broader application.
In evaluating proposals, it is important to consider the following constraints:
Security
The security of a public key cryptosystem depends on the secrecy of the private keys. A service that accepts unauthorized requests to perform private key operations completely demolishes the security of the cryptosystem.
While the introduction of a remote key service provides a new potential point of failure into a Web site deployment, a system that has two points of vulnerability that are well protected is usually more secure than one that has a single point of vulnerability that is unguarded. LURK may provide a solution to one of the principal causes of compromise of code signing infrastructures, the disclosure of insecurely held private keys.
Infrastructure Impact (Deployability)
The Web is supported by a large and complex eco-system. A single Web transaction secured by TLS typically depends on at least a dozen parties and may depend on twice that number. It is not just the user and the content provider that are participants. Both use software applications provided by third parties for access which may in turn be the product of collaboration between tens or hundreds of collaborators. Site maintenance is typically outsourced to a specialist in the field who will in turn typically outsource hosting of the site itself. This hosting may in turn be augmented by a content Delivery Network or DDoS mitigation service.
A proposal that requires changes to be made by many parties in the eco-system will be harder to deploy than a change which can be applied bilaterally or unilaterally.
Latency
Delivery of Web Content is a competitive business where time is literally money. Protocol proposals that delay the perceived loading speed of Web sites are likely to be unacceptable.
Transparency and Audit
Besides limiting access to the use of a private key, the LURK protocol potentially provides a mechanism for auditing the use of the key.
Algorithm Agility
Any scheme should be capable of supporting arbitrary public key algorithms and operations. At minimum, support for RSA, Diffie Hellman and the new CFRG Elliptic Curve algorithms is required.
Besides Decryption and Digital Signature operations, it would be highly advantageous for any protocol to support Proxy Re-Encryption operations. In particular, support for 'vintage editions' of recryption technology that avoids subsequent IPR encumbrances is highly desirable.
Leverage Bound Private Keys
The term 'Trustworthy Computing' covers a wide range of hardware based security measures that are now ubiquitously available on mobile devices and increasingly supported on desktop and server hardware. For purposes of limiting exposure of keys, the
While the LURK acronym specifies 'Limited Use', it is important to note that the core objective raised by the use scenario at issue is to limit the window of vulnerability for keys which may be achieved by other means than remote access.
In particular, we can limit exposure to the risk of abuse of a credentialed private key by limiting the validity of the credential, either by severely limiting the validity period of the credential or by employing effective mechanisms for revocation. Since the latter has been attempted many times with little success, we concentrate on the first approach.
One of the chief concerns when using a CDN is that a machine that might only host a site for a few days or even a few hours requires access to a private key whose credential is typically valid for a year or even more. Hosts that have serviced a site in the past may be rented to other customers for very different purposes before the credentials have expired. The new customer might well have privileged access to the machine and be able to examine disks and memory to recover confidential data including keys.
Reducing the validity interval of the credential to match that of the host makes good sense. The chief obstacles to this approach being (1) the need to gracefully handle time synchronization errors in Web clients attempting to access the site. And (2) the administrative burden of frequently installing certificate updates.
Practical experience demonstrates that there is little difficulty incurred by setting certificate the validity interval to 25 hours and that even validity intervals of a few hours incur little inconvenience.
Automatic issue of certificates is already the subject of the ACME working group and is therefore not considered here except to the extent that it might reduce the significance of the proposed use scenario.
A private key service performs private key operations in response to properly authenticated and authorized requests. At minimum, such a service requires mechanisms to:
Determine the private key whose use is requested.
Authenticate and authorize the request.
Protect the integrity of requests.
Protect the integrity and confidentiality of responses.
Such a service might prove insufficient for certain applications for reasons of performance and/or security.
Batching of requests may be desirable.
The ability to pre-request operations may be desirable.
The minimal approach is also unsatisfactory on security grounds. A mechanism that relies on correct configuration of the system alone to prevent unauthorized use is likely to be fragile.
One approach that could be used to mitigate such risk is to limit the application to specific cryptographic protocols rather than providing unrestricted key exchange or signature capabilities. For example, the service might perform a TLS 1.2 master secret derivation rather than the RSA private key operation on which the exchange is based.
While this approach has the benefit of limiting the consequences of a breach in theory, the practical effect is likely to be limited as good cryptographic hygiene requires that a key used for one purpose not be used for any other.
Another disadvantage of this approach is that it provides more information to the Key Service and thus provides more opportunity for a malicious side channel attack. A malicious HSM that knows the origin of the requests that it is dealing can choose to only defect on requests that come from the correct counter-party. A well designed protocol that keeps the HSM ignorant of the source and context of the requests cannot restrict the instances in which it defects and is thus at greater risk of exposure.
The best way to mitigate the risk of unauthorized service is to make use of some form of key splitting 'threshold' cryptography scheme such that the use of private key information held at the client side must be combined with use of private key information held at the LURK service to effect the desired result.
This approach uses cryptography to enforce the authorization criteria.
While there are many threshold schemes that could be used in theory, for purposes of LURK it is only necessary to split a key into some number of parts (typically two) such that all the parts are required to perform a private key operation. Thus
[Note that in the foregoing examples, a technical limitation in the implementation prevents inclusion of the authentication wrapper used to authenticate protocol requests and responses. Removal of this limitation prior to IETF 95 is anticipated.]
The LURK protocol has three parties:
LURK Service [Key Holder]
The holder of the key material. Responds to requests to create, use and destroy key pair. Optionally keeps audit logs of all operations.
LURK Client [Key User]
The party authorized to direct requests to use the key material.
Administrator [Authenticated Party]
The party that authorizes LURK Clients to use key material and is authorized to issue creation, and destruction requests for the keys they have created.
Establishing the Service and Administrator as separate parties is important as it allows the LURK service to be specified in a form that can be readily implemented on a HSM.
The LURK protocol requires two trust relationships to be managed:
Between the Administrator and the LURK Service
Between the Client and the LURK Service
The means of configuration of these relationships is outside the scope of this protocol but it is assumed that each of these parties can authenticate messages from the other using digital signatures and public key exchange.
The necessary trust relationships MAY be established manually. This presents something of a challenge in the Content Delivery Network scenario as LURK Clients are being constantly added and removed.
One mechanism that MAY be used to establish the necessary authentication information is the Mathematical Mesh [draft-hallambaker-mesh-architecture-01]. This provides a means of automating the necessary administration processes without needing to add support for these processes in the core LURK specification.
To begin configuration of a LURK deployment using the Mesh, the administrator:
Creates a Mesh profile (if they haven't already done so).
Connects the LURK Service to their profile as an application with configuration privilege.
Connects the LURK Client to their profile as an application with use privilege.
[The Mesh application profile for the service will be added to this document as an appendix in due course.]
Once these steps are complete, all three parties have knowledge of the root of trust from which to accept control instructions (i.e. the Administrator's Mesh Profile fingerprint) and a means of authenticating messages from any of the three parties.
The administrator MAY configure additional LURK Clients and/or Services in the same fashion.
A client MAY use the Hello transaction to determine the protocol version(s), encodings and other features that are supported.
To facilitate interoperability, a LURK service MUST support use of the JSON encoding for the Hello transaction.
The request message takes no parameters:
POST /.well-known/lurk/HTTP/1.1 Host: example.com Content-Length: 23 { "HelloRequest": {}}
The response describes the protocol version (0.1) and the encodings its supports.
HTTP/1.1 200 OK Date: Mon 21 Mar 2016 08:07:47 Content-Length: 403 { "HelloResponse": { "Status": 200, "StatusDescription": "OK", "Version": { "Major": 0, "Minor": 1, "Encodings": [{ "ID": "application/json"}, { "ID": "application/json-b"}, { "ID": "application/json-c", "Dictionary": ["MAK5Z-PEEEQ-PWT53-GRR55-MTBSF-UDVGM"]}, { "ID": "application/tls-schema"}]}}}
The reference service supports four encodings:
The JSON-C encoding provides an additional parameter 'Dictionary' that identifies the tag compression dictionaries that the service knows. This allows the dictionary to be quoted by reference rather than being sent in channel.
Services MAY provide additional encodings at their option.
Key pair creation is a function reserved for the administrator. To create a key pair, the administrator sends an authenticated request to the service. Note that while message layer encryption MAY be used, it is not actually required in this case.
The request specifies the algorithm, key parameters and intended cryptographic uses. The following shows the complete HTTP request for creation of an RSA signature key with 2048 bit length:
[Yes, I know there are no authentication wrappers on the following messages. Just pretend they are there, OK? I have had all of two days to work on this.]
POST /.well-known/lurk/HTTP/1.1 Host: example.com Content-Length: 122 { "CreateRequest": { "Parameters": { "ParametersRSA": { "Signature": true, "KeySize": 2048}}}}
The response is likewise authenticated and returns the private key:
HTTP/1.1 200 OK Date: Mon 21 Mar 2016 08:07:47 Content-Length: 612 { "CreateResponse": { "Status": 200, "StatusDescription": "OK", "KeyId": "MAKV7-WMGZG-5RTD7-74BCP-OU6O6-5FOMK", "PublicKey": { "PublicKeyRSA": { "kid": "MAKV7-WMGZG-5RTD7-74BCP-OU6O6-5FOMK", "n": " 5luc9_gri61VWomUGQ2KaH_6xjTMTWHuCjgdt0ukRCy8lpKMV_iLIt1JsHaq5vuQ _6dtpJOKxwkIPIgaA9kguyiZo7Pf6UuxOHEy9Mtx90Re_FWdrWmaD7Jt5Cc7qEib ekE5nKkGt_MMvCQHVBXboN_UA1ad5EpUsqJJiCzGk1IQmFr77cmVOfZ7F6e3CW5e xYtIsn2U0Qv1Y-bFyAeACoouPO1Twhkr-1HVbxRXE9KBhUdGflqgNIfgwCixwSzC RHRpq8kvilDoIjyzCB2huj3El_uogvGES2N2HwyEzS4Z39yy9lEESoshqnf56sBq O_k9FbYG2yIjIY_bYV4-hw", "e": " AQAB"}}}}
The process id repeated to create keypairs for encryption and key agreement.
Note that even though it is possible to use a key agreement algorithm for encryption and vice versa, the use of these cryptographic primitives in protocols is very different. Hence it is best to treat these as entirely separate for the purposes of this protocol.
Key agreement key request (payload only)
{ "CreateRequest": { "Parameters": { "ParametersECDH": { "Agreement": true, "Curve": "p256", "Algorithm": "cfrg"}}}}
Key agreement key response (payload only)
{ "CreateResponse": { "Status": 406, "StatusDescription": "Unsupported key parameter"}}
Encryption key request (payload only)
{ "CreateRequest": { "Parameters": { "ParametersECDH": { "Agreement": true, "Curve": "p256", "Algorithm": "cfrg"}}}}
Encryption key response (payload only)
{ "CreateResponse": { "Status": 406, "StatusDescription": "Unsupported key parameter"}}
The message "This information is very secret" has been encrypted using AES 128 in CBC mode and the session key encrypted under the encryption key creates earlier.
To decrypt the message, the LurkClient sends an authenticated request that specifies the key identifer, wrapped key and encrypted data as follows:
POST /.well-known/lurk/HTTP/1.1 Host: example.com Content-Length: 571 { "DecryptRequest": { "KeyId": "MAIEF-MR3IJ-QMU2U-JRD3H-T2KCU-6D5XM", "BulkAlg": "aescbc256", "Data": " EiA8s4xajTHNt66EyI6-yeSojYpZ6IV7J4m5I9PxtzA", "IV": " lLcctJ0-5HYy0XgpkGe36A", "WrappedKey": " lY8VZFXV1wWXVQIUrXJygIEge-_UQF3jJiCgF9UdY9vKCD-6k37PkoExH_MfEsTa h8fqgfb2OTFGugy6HhX8L1u5dpY-ERqaQyVREFV0DQwn4cgWpd07iIG3hQ8wlHvk jE-R9m8K9eMkpMXBjcN5upLmuQQ5UFIpKsLbOJT7uVKZtykSL_0waNHj77N4IKZ7 MXG1B8UWFTaY3kSNitW1YXnSs16I-AMa9AqSQ1x4uKWsjB0kQMSJqtzQl3z79aYL B1QaT7RfqhQp9XbCnoNDJhu7LADKplFUlHhkpeWfIVcxz89lb4pWQyYSsSw8n3Hp G7iQM8YACMV6uFhDZS14vw"}}
The service returns the decrypted message as an encrypted payload:
HTTP/1.1 200 OK Date: Mon 21 Mar 2016 08:07:47 Content-Length: 135 { "DecryptResponse": { "Status": 200, "StatusDescription": "OK", "Value": " VGhpcyBpbmZvcm1hdGlvbiBpcyB2ZXJ5IHNlY3JldA"}}
[Yes, it isn't encrypted yet, patience, patience. Was Rome built in a day?]
The inner payload is:
{ "DecryptResponse": { "Status": 200, "StatusDescription": "OK", "Value": " VGhpcyBpbmZvcm1hdGlvbiBpcyB2ZXJ5IHNlY3JldA"}}
Alternatively, the client could send just the wrapped key for decryption and then apply the bulk cipher locally.
[This is not currently implemented due to lack of the necessary library to implement the new CFRG algorithms.]
To request a key agreement operation, the LurkClient specifies the public key of the counter party and the identifier of the private key to use. A LurkClient MAY specify the digest algorithm and construction mechanism to be used to convert the result of the key agreement into a key.
Request:
Response:
The LurkClient requires the message "Very important this is not changed" be signed under the signature key created earlier.
Request:
{ "SignRequest": { "KeyId": "MAKV7-WMGZG-5RTD7-74BCP-OU6O6-5FOMK", "DigestAlg": "sha256", "Data": " VmVyeSBpbXBvcnRhbnQgdGhpcyBpcyBub3QgY2hhbmdlZA"}}
Response:
{ "SignResponse": { "Status": 200, "StatusDescription": "OK", "Value": " Iv_W58JBoOPAUaPFVmRPYXrYjLRpDEzHntu1lrickw8oSYZPUTrEt7cSwAgKw1jj QBHz9oZEfbgKS8tmcHL7a9cheYC_p9QsEOiFzDLuQYU4zZZZFXq69gxqiE3BaPFU IxpLDQr7ZkVg4CsPn__B_E1D_3s90w8aWafomEUA9h-afXOi9qDK7CPuDFedbLV5 lKaZpPFD5F9ABj_ipR_YHJzDexpQoGimAf2q7YczjzJXSG6fLqnCpGUnIvpU2kw2 7ABtqiC8aY3nwEQpbxhrdYWvB-cMadjNOwXpYKjt3bkUD-JXTUsg5n77PlLRJVIH _uQ3N0PhGphFh9PcttXvHw"}}
After a key pair is no longer required, it SHOULD be deleted. A HSM supporting the LURK protocol SHOULD ensure that some form of secure erase is used to assure destruction of the data.
Request:
{ "DisposeRequest": { "KeyId": "MAKV7-WMGZG-5RTD7-74BCP-OU6O6-5FOMK"}}
Response:
{ "DisposeResponse": { "Status": 200, "StatusDescription": "OK"}}
SRV Prefix:
HTTP Well Known Service Prefix:
The LURK key service provides access to a remote key service. The remote service performs private key related operations in response to authenticated requests.
A LURK request payload consists of a payload object that inherits from the LurkRequest class.
Note that the request payload is the subject of the presentation layer authentication wrapper. Thus the authantication wrapper is not part of the request payload.
Base class for all request messages.
[None]
Base class for all key request messages.
[None]
Base class for all responses. Contains only the status code and status description fields.
A service MAY return either the response message specified for that transaction or any parent of that message. Thus the LurkResponse message MAY be returned in response to any request.
Status: Integer (Optional)
StatusDescription: String (Optional)
The following response codes are returned when a transaction has completed successfully.
[201] SuccessOK
The following response codes are returned when a transaction did not complete because the target service has been redirected.
In the case that a redirect code is returned, the StatusDescription field contains the URI of the new service. Note however that the redirect location indicated in a status response might be incorrect or even malicious and cannot be considered trustworthy without appropriate authentication.
[303] RedirectPermanent
[307] RedirectTemporary
A response code in the range 400-499 is returned when the service was able to process the transaction but the transaction resulted in an error.
[401] ClientUnauthorized
[404] NotFound
[406] NotAcceptable
Describes a protocol version.
Major: Integer (Optional)
Minor: Integer (Optional)
Encodings: Encoding [0..Many]
URI: String [0..Many]
Describes a message content encoding.
ID: String (Optional)
Dictionary: String [0..Many]
Specifies a cryptographic algorithm and related parameters. Note that while the parameters structures allows a key to be specified that supports multiple operations each key SHOULD only specify exactly one operation.
Encrypt: Boolean (Optional)
Agreement: Boolean (Optional)
Signature: Boolean (Optional)
Uses: String (Optional)
Describes parameters for the RSA algorithm
KeySize: Integer (Optional)
Padding: String [0..Many]
Specifies parameters for the Diffie Hellman algorithm. These are the prime and the generator which may be specified by name (for known IETF defined curves) or by the parameters.
Curve: String (Optional)
Prime: Binary (Optional)
Generator: Binary (Optional)
Specifies parameters for Elliptic Curve Diffie Hellman algorithm
Curve: String (Optional)
Algorithm: String (Optional)
Request: HelloRequest
Response:HelloResponse
Report service and version information.
The Hello transaction provides a means of determining which protocol versions, message encodings and transport protocols are supported by the service.
[None]
Always reports success. Describes the configuration of the Mesh portal service.
Version: Version (Optional)
Alternates: Version [0..Many]
Request: CreateRequest
Response:CreateResponse
Create a new public key pair for the specified algorithm and cryptographic parameters.
Request creation of a new key pair
[None]
Returns the identifier of a key pair
KeyId: String (Optional)
Request: DisposeRequest
Response:DisposeResponse
Dispose of the specified key pair.
Request creation of a new key pair
KeyId: String (Optional)
Reports result of an attempt to dispose of a key pair.
[None]
Request: SignRequest
Response:SignResponse
Request signature of a data value or digest
Describe the data to be signed
KeyId: String (Optional)
DigestAlg: String (Optional)
Data: Binary (Optional)
Digest: Binary (Optional)
Returns the signature response.
Value: Binary (Optional)
Request: AgreeRequest
Response:AgreeResponse
Perform a key agreement operation.
Specify the key agreement parameters.
KeyId: String (Optional)
Returns the result of the key agreement
Value: Binary (Optional)
Request: DecryptRequest
Response:DecryptResponse
Perform a decryption operation.
Request a decryption operation.
KeyId: String (Optional)
BulkAlg: String (Optional)
Data: Binary (Optional)
IV: Binary (Optional)
WrappedKey: Binary (Optional)
Returns the result of the decryption request
Value: Binary (Optional)
The functions described in this document are not intended to be an exhaustive list of all the possible features that a HSM providing LURK services might be expected to provide. Possible additional features commonly supported by HSM devices that are not necessarily within the scope of the LURK objectives include:
Ability to securely transfer key pairs to other LURK devices for backup purposes.
Maintaining logs of all device operations. Such logs MAY be append only so as to prevent tampering or destruction.
Constraining the use of a private key to specific protocol uses such as a specific TLS key exchange.
More interestingly however, we can take advantage of the transition to new cipher suites based on Diffie Hellman to take advantage of some of the interesting properties of this crypto system.
For example, in any Diffie Hallman type crypto scheme, the shared parameters are a cyclic group G, the private key is an integer n that is less than the order of the group and the public key is |e^n|G where e is a non zero point in G.
It follows therefore that given two Diffie Hellman key pairs (x, e^x) and (y, e^y), and we can generate a new key pair (x+y, e^x . e^y). This feature permits the co-operative key generation and threshold key agreement schemes described below.
An extension to the current protocol supports the use of co-operative key generation techniques. In this approach, a generated Key Pair can be shown to have been derived from specific inputs that guarantee certain properties of the final Key Pair.
Before requesting key pair generation by the LURK Service, the administrator generates a Key Pair and sends both parts of the key pair to the service. The service then generates a new key pair internally and then combines it in the manner described above to generate the final key pair. The service then returns the public component of both the initial and the derived key pair to allow the administrator to verify that the construction did in fact use the material provided.
This approach guarantees that the final key pair has at least as much randomness as either of the input key pairs. This provides certain protections against both the use of a faulty number generator by one party or the other and the use of a HSM using a maliciously constructed key pair.
Another interesting possibility is that the use of the private key be split between the LURK Client and LURK Service using a threshold cryptography scheme.
While there are many threshold schemes in the literature, only some of these are generally considered to be practical. Fortunately, the Diffie Hellman key combination effect described above provides a very simple and practical scheme for the case where there are n shares and all n shares are required to perform a key agreement operation.
Surprisingly perhaps, the use of such a scheme does not require any changes to the protocol at all as far as the actual use of the key is concerned. Generation of a keys may require changes however since it is now necessary to generate multiple key pairs and communicate them to the appropriate parties.
This section is currently mostly a placeholder. It is expected that LURK will support:
The traditional IETF repertoire of cryptographic algorithms (RSA, DH, etc)
The new algorithms developed by CFRG and CURDLE.
The RSA algorithm supports the following padding modes: PKCS#1, OEAP.
A LURK Service MUST NOT support key sizes of less than 2048 bits.
The Diffie Hellman key agreement mechanism described in [RFC2631] with the named groups defined in [RFC4419] and [RFC5114].
Elliptic Curve Diffie Hellman on the following groups:
NIST P256, P384, P521
Curve 25519 and Curve 448 as specified in [RFC7748]
Key use restrictions specify the purposes for which a key may be used. These MAY limit the use of the key to specific key agreement mechanisms (e.g. for TLS, SSH, etc.)
TLS key agreement according to the mechanism described in [draft-erb-lurk-rsalg].
TBS
[This is just a sketch for the present.]
The service provider has access to the private key or a partial key which may therefore be at risk of disclosure if the service is breached.
Best practice dictates that a LURK service employ mechanisms to bind private keys and partial keys to the Host such that extraction is not possible.
A malicious LURK service might intentionally leak a private key or partial key through a side channel. For example the RSA modulus side channel described by Moti Yung.
Another potential vector for side channel attacks is through any mechanism that involves randomness. For example, a service might leak parts of the private key in nonce values it supplied.
A malicious LURK service that has context information that allows it to determine the source of a request might only defect on specific requests. For example, leaking private key material on a request from a co-conspirator or leaking session key material when communication is being made to a specific site to facilitate surveillance.
The patterns of access to a LURK service might reveal information that discloses behaviors of the client using the service.
A LURK service might log metadata relating to requests that would not otherwise be kept and thus expose the data to the possibility of disclosure.
Contrawise, metadata capture might be highly desirable to support logging and audit.
A LURK service might provide private key services to unauthorized parties.
The ability to log and audit use of the service is thus highly desirable.
The long term master secrets established in a TLS key exchange may have a lifetime of hours or even days. A host that no longer has access to the LURK service may nevertheless have the ability to establish TLS channels by using cached connection tickets.
[TBS list out all the code points that require an IANA registration]
[TLS notation schema for use with the TLS encoding redacted for brevity.]
[JSON-C tag dictionary for use with JSON-C encoding redacted for brevity.]
[Not yet implemented.]
[RFC7159] | Bray, T., "The JavaScript Object Notation (JSON) Data Interchange Format", RFC 7159, DOI 10.17487/RFC7159, March 2014. |
[RFC7515] | Jones, M., Bradley, J. and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10.17487/RFC7515, May 2015. |
[RFC7516] | Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10.17487/RFC7516, May 2015. |
[RFC7518] | Jones, M., "JSON Web Algorithms (JWA)", RFC 7518, DOI 10.17487/RFC7518, May 2015. |
[RFC5246] | Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008. |
[RFC7748] | Langley, A., Hamburg, M. and S. Turner, "Elliptic Curves for Security", RFC 7748, DOI 10.17487/RFC7748, January 2016. |
[RFC2631] | Rescorla, E., "Diffie-Hellman Key Agreement Method", RFC 2631, DOI 10.17487/RFC2631, June 1999. |
[RFC4419] | Friedl, M., Provos, N. and W. Simpson, "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol", RFC 4419, DOI 10.17487/RFC4419, March 2006. |
[RFC5114] | Lepinski, M. and S. Kent, "Additional Diffie-Hellman Groups for Use with IETF Standards", RFC 5114, DOI 10.17487/RFC5114, January 2008. |
[draft-hallambaker-json-web-service-02] | , , "[Reference Not Found!]" |
[draft-hallambaker-udf-03] | , , "[Reference Not Found!]" |
[draft-hallambaker-mesh-architecture-01] | , , "[Reference Not Found!]" |
[draft-hallambaker-mesh-reference-02] | , , "[Reference Not Found!]" |
[draft-hallambaker-jsonbcd-05] | , , "[Reference Not Found!]" |
[draft-erb-lurk-rsalg] | , , "[Reference Not Found!]" |