LURK WG | D. Migault |
Internet-Draft | Ericsson |
Intended status: Standards Track | February 9, 2018 |
Expires: August 13, 2018 |
LURK Protocol version 1
draft-mglt-lurk-lurk-00
This document describes the Limited Usage of Remote Key (LURK) Architecture, the LURK Protocol as well as the LURK Extensions that enables remote interactions with cryptographic material. The specificities of these interactions are expected to be closely tied to some context and thus be defined in LURK Extensions.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 13, 2018.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
The Limited Usage of Remote Key (LURK) Architecture enables services to outsource the cryptographic related part of the service into a dedicated Cryptographic Service. Isolation of the Cryptographic Operations into a dedicated service is expected to enhance the security of the Cryptographic Material for example by limiting the boundaries to be controlled, by providing more control on its usage, by limiting wide spreading the sensitive data, or by preventing leakage in case of a software vulnerabilities [HEART] in the service, or in case of cryptographic attacks.
For example, in large TLS deployment [I-D.mglt-lurk-tls-use-cases] TLS servers both handle the networking operations and the Cryptographic Operations. This often results in a large number of nodes exposed to the Internet and hosting the necessary Cryptographic Material. The LURK Architecture is expected to split these services into two subservices: the networking service responsible for terminating the sessions and a Cryptographic Service responsible for Cryptographic Operations. The network service - designated as Service Instance in the document - communicates with the Cryptographic Service using the LURK Protocol and associated LURK Extensions. Enabling remote access to the Cryptographic Service is expected to prevent or reduce the distribution exposure to various attacks of the Cryptographic Material. In addition, this favors the use of hardware security enforcement as it limits the number of hardware security modules that should be deployed.
This document defines the LURK Architecture as well as the LURK Protocol. The LURK Protocol is expected to be a placeholder for LURK Extensions, which are expected to specific to a given usage or protocol.
In addition to the terminology defined in [I-D.mglt-lurk-tls-use-cases], this document introduces the following terminology:
The LURK Architecture depicted in Figure 1 shows multiple Service Instances remotely accessing a Cryptographic Service. The two services communicate via a LURK Client and a LURK Server, using the LURK Protocol and an appropriated LURK Extensions. The LURK Protocol is a place holder for LURK Extensions that are expected to fit the needs associated to a specific context, a specific Service Instance and a specific Cryptographic Service. For example [I-D.mglt-lurk-tls] defines the interactions by a service terminating TLS 1.2 session and a Cryptographic Service that is responsible for the associated Cryptographic operations.
When the Service Instance requires Cryptographic Operations to be performed, the LURK Client sends a request with associated inputs to the LURK Server of the Cryptographic Service. Upon receiving a query the Cryptographic Service may process the received input to format appropriately the material for a low level cryptographic operations such as signing, encrypting, decrypting. Such processing is designated as LURK Server Cryptographic Operations in Figure 1. Additional operations may be added to the low level cryptographic operations before responding to the LURK Client.
The LURK Architecture improves the security associated to the Cryptographic Material by limiting its dissemination and improving the control of the its usage.
The communications between the LURK Client and the LURK Server are expected to be authenticated and encrypted with TLS or IPsec due to the expected sensitivity of the information exchanged.
LURK Protocol + LURK Extensions <-------------> +---------------------+ +-----------------------------+ | Service Instance | | Cryptographic Service | +------------+--------+ +-------------+---------------+ | | | | | | | Service | LURK |<------------->| LURK Server | LURK Server | | processing | Client | +------->| Interface | Cryptographic | | | | | | | Operations | +------------+--------+ | | | | ... | | | Cryptographic | | | | Material | +---------------------+ | | | (private key) | | Service Instance | | | | | +------------+--------+ | +-------------+---------------+ | | | | | Service | LURK |<-----+ | processing | Client | | | | +------------+--------+
Figure 1: LURK Architecture
The remaining of this section intends to provide a high level overview of the pros and cons provided by the LURK Architecture.
The LURK Architecture is expected to provide the following advantage:
On the other hand, the LURK Architecture also comes with some drawbacks and challenges:
The primary purpose of an Hardware Security Module (HSM) is to prevent tampering the Cryptographic Material. In most of the cases, HSM provides a generic PKCS11 cryptographic interface instead of a interface specific to a Service Instance. In addition, PKCS11 does not provide remote access facilities and rely on proprietary protocols which does not for example favor interoperability between different service providers.
The LURK Architecture is not incompatible with the use of an HSM. Typically the HSM can be used by the Cryptographic Service in order to protect the Cryptographic Material as depicted in Figure 2. Low level cryptographic operations are performed by the HSM, the LURK Server Processing is intended to perform additional operation in order to match the expected format defined by the LURK Protocol and LURK Extensions. The combination of the LURK Architecture and the HSM provides the following advantages:
+-------------------------------------------------+ | Cryptographic Service | +--------------+---------------+------------------+ | | | HSM | | LURK Server | LURK Server PKCS11 Cryptographic | | Interface | processing <---> Material | | | | (private key) | | | | | +--------------+---------------+------------------+
Figure 2: Cryptographic Function with HSM
The purpose of the LURK Protocol and the LURK Extensions is to provide an interfaces between a Service Instance and a Cryptographic Service. The number of Cryptographic Service is expected to evolve over time and these requirements are expected to be fulfilled by a specific LURK Extension, while the LURK Protocol is designed as a placeholder for these LURK Extensions.
As a placeholder for LURK Extensions, the main functionality of the LURK Protocol is to steer requests from the LURK Client to the appropriated LURK Extension, and then steer back the response to the LURK Client. Such interactions define exchanges when the request cannot be handled by the LURK Extension as well as when the LURK Extension is not enabled on the LURK Server. This is expected to ease the development of future LURK Extensions limited to specific operations requested by the LURK Client.
In addition, the LURK Protocol is also expected to enable a very limited and generic set of interactions between the LURK Client and the LURK Server. These interactions are typically defined by operations requested by the LURK Client, and this document defines two type of requests. A request of type capabilities request defined in Section 6.1 that enables the LURK Client to discover the supported LURK Extensions of the LURK Server. In addition, a request of type ping defined in Section 6.2 enables connectivity check. These interactions are considered as part of the LURK Protocol but could also be seen as a specific LURK Extension: the "lurk" LURK Extension. This document treats both the LURK Extension "lurk" as the LURK Protocol. The distinction is expected to be implementation dependent.
Figure 3 describes how the LURK Protocol and the LURK Extensions interacts each others. When the LURK Client interacts with a LURK Server, it is expected to designates the specific Cryptographic Operation to be performed within the designated LURK Extension as well as the necessary parameters for the extension to perform its operation. Upon performing the Cryptographic Operation, the LURK Extension returns the output of the operation with an return code. These output are handled by the LURK Protocol and returned to the LURK Client.
+--------------------------------------------------+ | LURK Server | +----------------+----------------+----------------+ | | | | | LURK Extension | LURK Extension | LURK Extension | | (A) | (B) | (C) | | | | | +--------------------------------------------------+ | | | LURK Protocol | | | +--------------------------------------------------+
Figure 3: LURK Protocol and LURK Extension
Messages exchanged between the LURK Client and the LURK Server are composed of a LURK Header and LURK Payload as depicted in Figure 4. The LURK Extensions are designed to process the LURK Payloads - eventually void -, while the LURK Header contains the necessary information for the LURK Server to steer the LURK Payload to the appropriated LURK Extension. In that sense, the LURK Protocol could be interpreted as the processing of the LURK Header while the LURK Extension 'lurk' is processing the (void) LURK Payloads. This document treats both the LURK Extension 'lurk' as the LURK Protocol.
+----------------------------------+ | | | LURK Header | | | +----------------------------------+ | | | LURK Payload | | | +----------------------------------+
Figure 4: LURK Message Description
As detailed in Section 4.3, upon receiving an request from the LURK Client, the LURK Protocol may:
This section treats the two latest aspects while Section 6 describes the requests specific to the LURK Protocol.
The LURK Header structure is as follows:
enum { lurk (0), (255) } Designation; enum { request (0), success (1), undefined_error (2), invalid_format (3), invalid_extension (4), invalid_type (5), invalid_status (6), temporary_failure (6), (255) } LURKStatus enum { capabilities (0), ping (1), (255) } LURKType; struct { Designation designation = "lurk"; int8 version = 1; } Extension; struct { Extension extension; select( Extension ){ case ("lurk", 1): LURKType; } type; select( Extension ){ case ("lurk", 1): LURKStatus; } status; uint64 id; unint32 length; } LURKHeader;
The LURK Client is only able to send requests and MUST set the status header field to "request". The extension (designation, version) and the type characterizes the request. The id is expected to be unpredictable and SHOULD be randomly generated. The length is computed once the LURK Payload has been inserted and includes the number of bytes of the LURK Header as well as those of the LURK Payload.
Upon receiving a message, the LURK Client checks:
Upon receiving a message the LURK Server checks
Once the message header has been validated, the LURK Payload is extracted to be processed by the appropriated extension. If any error occurs before the LURK Payload can be steered to the extension, the LURK Server SHOULD respond with an "invalid_format" or "undefined_error".
When overloaded, the LURK Server SHOULD send a "temporary_failure" error to indicate its inability to treat the request.
When an error is returned before the LURK Payload is being processed, the LURK Server sets the extension to "lurk". When multiple versions are served, and match the error, the LURK Server SHOULD set the version to a version known to be supported by the LURK Client. When this information is not available, the LURK Server SHOULD chose the minimum supported value. The status is set to the error code, the type and id are copied from the request and the length is computed according to the ErrorPayload.
Once the LURK header has been validated, the LURK Server is able to request the treatment of the LURK Payload to a specific operation to the appropriated LURK Extension identified by (extension, type). In return, the LURK Extension is expected to returns the corresponding response LURK Payload, and eventually an error code.
The LURK Server SHOULD return error message when possible to inform the LURK Client on the reasons the exchange fails. However, in some cases, the LURK Server MAY discard the request without returning the error.
The error code is indicated by the status when its value differs from "request" or "success".
Error message MAY have no Payload. Error message MAY also carry a state value that indicates a change in the configuration of the LURK Server. The state is expected to reflect any change of the configuration associated to the extension. Generation of the state is implementation dependent and out of the scope of this document. It can typically be implemented as a counter that is incremented any time the extension configuration is updated, or as the hash function of the configuration file.
Upon reception of the state, if the LURK Client has stored the previous value, it is expected to compare the two values. A mismatch indicates that extension configuration change and the LURK Client SHOULD perform some capability discoveries. If the two values match an capability discovery SHOULD NOT be performed. The absence of ErrorPayload is considered as a mismatch.
struct { opaque lurk_state<32> ; }ErrorPayload;
Error Payload Description
While Section 5 details how the LURK Protocol steers a request from the LURK Client to an appropriated LURK Extension, this section details the specific requests associated to the LURK Protocol that can be initiated by the LURK Client. As exposed in Section 4.3, this section could be seen as a LURK Extension 'lurk'. However this document does not makes such distinction and the LURK Extension 'lurk' and the LURK Protocol are considered as the same.
The LURK Protocol provides some basic reachability and discovery interactions between LURK Client and LURK Servers.
The LURK Header is expected to have the extension's designation set to "lurk" and the extension's version set to 1. The type of the exchange is indicated by the type field.
A LURK "capabilities" request has no payload.
The "capabilities" response payload consists in a list of the supported Extensions structures.
struct { LURKSupportedExtension supported_extensions_list<2..2^16-2>; LURKSupportedType supported_type<2..2^16-2>; opaque lurk_state<32>; }LURKCapabilitiesResponsePayload;
LURK Capability Payload Description
The LURK Client sends a "capabilities" request in a "lurk" extension to discover the various extensions and versions supported by the LURK Server.
The LURK Server lists the supported extensions and version the requester is authorized to request and sends the response.
A LURK "ping" request has no payload.
A LURK "ping" response has no payload.
The LURK Client sends a "ping" request to test the reachability of the LURK Server. The reachability is performed within a LURK relation.
The LURK Server sends the corresponding response.
A LURK Server MAY raise a "invalid_payload_format" or a "undefined_error" if for example a unexpected payload is provided.
This document has provided a security analysis of the LURK Architecture.
LURK message can be carried over UDP, and some responses MAY present significant larger response payloads than the request payloads. The messages responded by the LURK Protocol can be be a capabilities response, a ping response or an error. The ping response does not represent any size message increase. An error response MAY carry an error payload of 32 bits that represents the state. Such increase does not seems sufficient to motivate amplification attacks, and the payload MAY be omitted. The capabilities responses carry a payload whose size increases with the number of supported LURK Extension and version. Similarly, the number of LURK Extension supported by a Cryptographic Service is expected to remain quite low, and as such the additional size is not expected to represent a significant threat.
While the LURK Protocol does not provide a significant packet size increase, the LURK Protocol may be used carry response payloads associated to a LURK Extension, and as such, the applicator factor associated to each supported LURK Extension MUST be considered.
The LURK Protocol does not define any mechanisms to authenticate the LURK Client and the LURK Server nor to protect the data channel between the LURK Client and the LURK Server. It is RECOMMENDED to protect LURK exchanges by protecting the communication between the LURK Client and the LURK Server using for example IPsec [RFC4301], TLS 1.2 [RFC5246], TLS 1.3 [I-D.ietf-tls-tls13] DTLS 1.2 [RFC6347] or DTLS !.3 [I-D.ietf-tls-dtls13].
The information exchanged between in the scope of the LURK Protocol may not be considered as confidential. As such exchanges between the LURK Client and the LURK Server may not need to be encrypted. A ping exchange reveals the reachability and the potential scope of the exchange between the two peers. The capabilities exchange reveals the observer the extensions enabled by the LURK Server. This may provide information relative to the function of the LURK Server and the LURK Client.
As the LURK Protocol is a place holder for LURK Extension, the confidentiality of the information depends on the LURK Extension enabled. By default, It is RECOMMENDED to encrypt the LURK exchanges.
The LURK Server can enable multiple LURK Extensions, serve multiple LURK Clients as well as serve multiple Cryptographic Material. In order to increase the protection boundaries, it is expected to limit the scope of a LURK Server. It is RECOMMENDED to limit the scope of the LURK Server to a limited number of Cryptographic Material. As Cryptographic Material is expected to have a limited scope, it is then expected and RECOMMENDED that the LURK Server enables a limited number of LURK Extensions. In addition, it is also RECOMMENDED that the enabled LURK Extension be appropriately configured to provide only the necessary functionalities.
The LURK Protocol and LURK Extension requires the following parameters to be registered by the IANA.
LURK Extension Designation Value Designation Reference Description ------------------------------------------------- 0 lurk [RFC-TBD] LURK Protocol 1-255 UNASSIGNED LURK Protocol Status Value Description Reference ----------------------------------------------------- 0 request [RFC-TBD] 1 success [RFC-TBD] 2 undefined_error [RFC-TBD] 3 invalid_format [RFC-TBD] 4 invalid_extension [RFC-TBD] 5 invalid_type [RFC-TBD] 6 invalid_status [RFC-TBD] 7 temporary_failure [RFC-TBD] 8-255 UNASSIGNED LURK Protocol Type Value Description Reference ---------------------------------------------- 0 capabilities [RFC-TBD] 1 ping [RFC-TBD] 3-255 UNASSIGNED
When a new LURK Extension is created, the designation of the LURK Extension, the associated status and type MUST be provided. The status values 0 to 1 are reserved and cannot be assigned with different meanings. As a result, the template for future LURK extension is defined as follows:
LURK Extension Designation: LURK Extension Reference: LURK Extension Description: LURK Extension Status Value Description Reference ------------------------------------------- 0-1 RESERVED [RFC-TBD] LURK Extension Type Value Description Reference ----------------------------------------------
Registration of LURK Designation for code points 0-127 requires Standard Track, while other code points are RFC Required [RFC8126].
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
[RFC4301] | Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, December 2005. |
[RFC5246] | Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008. |
[I-D.ietf-tls-tls13] | Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", Internet-Draft draft-ietf-tls-tls13-23, January 2018. |
[RFC6347] | Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012. |
[I-D.ietf-tls-dtls13] | Rescorla, E., Tschofenig, H. and N. Modadugu, "The Datagram Transport Layer Security (DTLS) Protocol Version 1.3", Internet-Draft draft-ietf-tls-dtls13-03, November 2017. |
[RFC8126] | Cotton, M., Leiba, B. and T. Narten, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 8126, DOI 10.17487/RFC8126, June 2017. |
[I-D.mglt-lurk-tls-use-cases] | Migault, D., Ma, K., Salz, R., Mishra, S. and O. Dios, "LURK TLS/DTLS Use Cases", Internet-Draft draft-mglt-lurk-tls-use-cases-02, June 2016. |
[I-D.mglt-lurk-tls] | Migault, D., "LURK Protocol for TLS/DTLS1.2 version 1.0", Internet-Draft draft-mglt-lurk-tls-01, March 2017. |
[I-D.rescorla-tls-subcerts] | Barnes, R., Iyengar, S., Sullivan, N. and E. Rescorla, "Delegated Credentials for TLS", Internet-Draft draft-rescorla-tls-subcerts-02, October 2017. |
[I-D.nir-saag-star] | Nir, Y., Fossati, T. and Y. Sheffer, "Considerations For Using Short Term Certificates", Internet-Draft draft-nir-saag-star-00, October 2017. |
[I-D.sheffer-acme-star-request] | Sheffer, Y., Lopez, D., Dios, O., Pastor, A. and T. Fossati, "Generating Certificate Requests for Short-Term, Automatically-Renewed (STAR) Certificates", Internet-Draft draft-sheffer-acme-star-request-01, June 2017. |
[HEART] | Codenomicon, "The Heartbleed Bug" |