Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

DAOSSDE-112 Security: Modifications to use of Cryptography #3923

Merged
merged 5 commits into from
Nov 24, 2020
Merged

DAOSSDE-112 Security: Modifications to use of Cryptography #3923

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
a1bba2d
DAOSSDE-112 Security: Modifications to use of Cryptography
dpquigl Nov 21, 2020
52c3b90
Regenerate golden files since padding for the RSA signatures will be …
dpquigl Nov 23, 2020
079b443
Fix golden file generation since PSS will create random salts for sig…
dpquigl Nov 23, 2020
7a3a961
Merge branch 'master' into dpquigl/DAOSSDE-112
dpquigl Nov 23, 2020
23baa93
Merge branch 'master' into dpquigl/DAOSSDE-112
dpquigl Nov 23, 2020
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 7 additions & 4 deletions doc/admin/deployment.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -143,7 +143,10 @@ The DAOS security framework relies on certificates to authenticate
components and administrators in addition to encrypting DAOS control plane
communications. A set of certificates for a given DAOS system may be
generated by running the `gen_certificates.sh` script provided with the DAOS
software if there is not an existing TLS certificate infrastructure.
software if there is not an existing TLS certificate infrastructure. The
`gen_certificates.sh` script uses the `openssl` tool to generate all of the
necessary files. We highly recommend using OpenSSL Version 1.1.1h or higher as
keys and certificates generated with earlier versions are vulnerable to attack.

When DAOS is installed from RPMs, this script is provided in the base `daos` RPM, and
may be invoked in the directory to which the certificates will be written. As part
Expand Down Expand Up @@ -312,14 +315,14 @@ $ journalctl --unit daos_server.service
```

After RPM install, `daos_server` service starts automatically running as user
"daos". The server config is read from `/etc/daos/daos_server.yml` and
"daos". The server config is read from `/etc/daos/daos_server.yml` and
certificates are read from `/etc/daos/certs`.
With no other admin intervention other than the loading of certificates,
`daos_server` will enter a listening state enabling discovery of storage and
network hardware through the `dmg` tool without any I/O Servers specified in the
configuration file. After device discovery and provisioning, an updated
configuration file with a populated per-server section can be stored in
`/etc/daos/daos_server.yml`, and after reestarting the `daos_server` service
`/etc/daos/daos_server.yml`, and after reestarting the `daos_server` service
it is then ready for the storage to be formatted.

#### Kubernetes Pod
Expand Down Expand Up @@ -944,7 +947,7 @@ $ daos_agent -i -o <'path to agent configuration file/daos_agent.yml'> &
```

Alternatively, the DAOS Agent can be started as a systemd service. The DAOS Agent
unit file is installed in the correct location when installing from RPMs.
unit file is installed in the correct location when installing from RPMs.
If you want to run the DAOS Agent without certificates (not recommended in production
deployments), you need to add the `-i` option to the systemd `ExecStart` invocation
(see below).
Expand Down
2 changes: 0 additions & 2 deletions src/control/security/grpc_cert_configs.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,6 @@ func serverTLSConfig(cfg *TransportConfig) *tls.Config {
MaxVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
VerifyConnection: func(cs tls.ConnectionState) error {
Expand Down Expand Up @@ -81,7 +80,6 @@ func clientTLSConfig(cfg *TransportConfig) *tls.Config {
MaxVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
// InsecureSkipVerify disables the default verifier and instead
Expand Down
2 changes: 0 additions & 2 deletions src/control/security/grpc_cert_configs_pre1.15.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,6 @@ func serverTLSConfig(cfg *TransportConfig) *tls.Config {
MaxVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
}
Expand All @@ -51,7 +50,6 @@ func clientTLSConfig(cfg *TransportConfig) *tls.Config {
MaxVersion: tls.VersionTLS12,
PreferServerCipherSuites: true,
CipherSuites: []uint16{
tls.TLS_RSA_WITH_AES_128_GCM_SHA256,
tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
},
}
Expand Down
4 changes: 2 additions & 2 deletions src/control/security/signature.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,7 +78,7 @@ func (s *TokenSigner) Sign(key crypto.PrivateKey, data []byte) ([]byte, error) {
switch signingKey := key.(type) {
// TODO: Support key types other than RSA
case *rsa.PrivateKey:
return rsa.SignPKCS1v15(s.randPool, signingKey, crypto.SHA512, digest)
return rsa.SignPSS(s.randPool, signingKey, crypto.SHA512, digest, nil)
default:
return nil, &UnsupportedKeyError{}
}
Expand All @@ -95,7 +95,7 @@ func (s *TokenSigner) Verify(key crypto.PublicKey, data []byte, sig []byte) erro
switch signingKey := key.(type) {
// TODO: Support key types other than RSA
case *rsa.PublicKey:
return rsa.VerifyPKCS1v15(signingKey, crypto.SHA512, digest, sig)
return rsa.VerifyPSS(signingKey, crypto.SHA512, digest, sig, nil)
default:
return &UnsupportedKeyError{}
}
Expand Down
Binary file modified src/control/security/testdata/certs/RSA.golden
View file
Open in desktop
Binary file not shown.
12 changes: 6 additions & 6 deletions utils/certs/gen_certificates.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,10 +115,10 @@ extendedKeyUsage = clientAuth
function generate_ca_cert () {
echo "Generating Private CA Root Certificate"
# Generate Private key and set permissions
openssl genrsa -out "${PRIVATE}/daosCA.key" 4096
openssl genrsa -out "${PRIVATE}/daosCA.key" 3072
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why the drop in key size?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To be honest I'm not entirely sure. This was the guidance from the crypto team. I'd imagine its due to the fact that 3072 bit keys are computationally difficult enough to break and since its software not hardware that we can update the number if that turns out not to be true in the future.

Copy link
Contributor

@GitHuaKuang GitHuaKuang Nov 23, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think probably a balance between performance and security.
This is what I got on boro-59, there is no option for rsa 3072 size, but it shows the CPU time for the key size:

[boro-59:/home/huakuang]$ openssl speed rsa2048 rsa4096
sign verify sign/s verify/s
rsa 2048 bits 0.000791s 0.000033s 1264.8 30152.7
rsa 4096 bits 0.007899s 0.000121s 126.6 8276.1

chmod 0400 "${PRIVATE}/daosCA.key"
# Generate CA Certificate
openssl req -new -x509 -config "${CA_HOME}/ca.cnf" -days 1095 -sha512 \
openssl req -new -x509 -config "${CA_HOME}/ca.cnf" -days 365 -sha512 \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is the CA cert only valid for a year?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe this is considered best practice for internally run and managed CAs.

-key "${PRIVATE}/daosCA.key" \
-out "${CERTS}/daosCA.crt" -batch
# Reset the the CA index
Expand All @@ -131,7 +131,7 @@ function generate_ca_cert () {
function generate_agent_cert () {
echo "Generating Agent Certificate"
# Generate Private key and set its permissions
openssl genrsa -out "${CERTS}/agent.key" 4096
openssl genrsa -out "${CERTS}/agent.key" 3072
chmod 0400 "${CERTS}/agent.key"
# Generate a Certificate Signing Request (CRS)
openssl req -new -config "${CONFIGS}/agent.cnf" -key "${CERTS}/agent.key" \
Expand All @@ -151,7 +151,7 @@ function generate_agent_cert () {
function generate_admin_cert () {
echo "Generating Admin Certificate"
# Generate Private key and set its permissions
openssl genrsa -out "${CERTS}/admin.key" 4096
openssl genrsa -out "${CERTS}/admin.key" 3072
chmod 0400 "${CERTS}/admin.key"
# Generate a Certificate Signing Request (CRS)
openssl req -new -config "${CONFIGS}/admin.cnf" -key "${CERTS}/admin.key" \
Expand All @@ -171,7 +171,7 @@ function generate_admin_cert () {
function generate_server_cert () {
echo "Generating Server Certificate"
# Generate Private key and set its permissions
openssl genrsa -out "${CERTS}/server.key" 4096
openssl genrsa -out "${CERTS}/server.key" 3072
chmod 0400 "${CERTS}/server.key"
# Generate a Certificate Signing Request (CRS)
openssl req -new -config "${CONFIGS}/server.cnf" \
Expand All @@ -196,7 +196,7 @@ function generate_test_cert () {

echo "Generating Test Certificate"
# Generate Private key and set its permissions
openssl genrsa -out "${CERTS}/test.key" 4096
openssl genrsa -out "${CERTS}/test.key" 3072
chmod 0400 "${CERTS}/test.key"
# Generate a Certificate Signing Request (CRS)
openssl req -new -config "${CONFIGS}/test.cnf" -key "${CERTS}/test.key" \
Expand Down