[External] : Re: RFD: Services lockdown for security providers
Martin Balao
mbalao at redhat.com
Fri Oct 6 16:55:53 UTC 2023
Hi Tony,
Thanks for having a look at our proposal.
The main motivation for this enhancement is related to cryptographic
policy enforcement and, in particular, the following capabilities: 1)
enforcing that cryptographic services are provided by chosen security
providers only, and 2) allowing or disallowing selected algorithms or
service types across all Java Security APIs.
None of this is entirely new. In regards to capability #1, users can
install or uninstall security providers already, or rely on priorities
and algorithms shadowing. However, we deem this insufficient for the
purposes of policy enforcement, lacking in flexibility, and at risk of
introducing dependencies on implementation details. Some more details
are provided under the section "What is the current limitation?" of the
8315487 ticket [1]. As for capability #2, there is partial support
currently: algorithms can be blocked from TLS or certificate paths
validation uses but not across all JCA APIs. Thus, we share some of the
motivations that led to existing features but intend to have a more
powerful, comprehensive and flexible solution. As documented in our
proposal, both solutions were combined in a multi-layer model.
The FIPS case is interesting because it requires a combination of
capabilities #1 and #2. However, there are other cases that could
benefit from different policies. I have described some of them below,
providing a summary rationale for why a user might want to adopt the
given policy, a filter conforming to the proposal that would achieve the
desired outcome, and a comparison with how the same outcome might be met
(or potentially be hard/impossible to meet) with the status quo. See
Appendix #1.
As with most security properties, a specific configuration may render an
application completely or partially unusable, and require a
sysadmin/developer/security-expert to perform an assessment. This effect
may be a desired outcome and trigger a remediation action. Other
applications may react in a more resilient way and smoothly adapt to the
policy enforced: use cryptography from an allowed security provider,
skip the use of algorithms that are not allowed, ask the user to take
action, etc. Our concern is that the lack of strong policy enforcement
capabilities may lead to non-compliance issues going unnoticed.
Existing security capabilities such as the one to install or uninstall
security providers, or even the one that allows to select preference per
algorithm, require the knowledge of what these security providers
implement and what applications require to use. Our proposal allows
better granularity but is not different in terms of relying on public
documentation or sysadmin/developer/security-expert knowledge.
While we don't necessarily share the view of the syntax as hard to use
or error-prone, we concede that it leans more towards the expert UI side
of all security properties. We designed the syntax with the ideas of
consistency, similarity to the serialization filter —to the extent
possible—, simplicity for trivial cases and powerfulness for complex
ones. We want to make sure that it's not only tailored to our needs
today but generic enough for other current or future uses. We tried to
explain the use cases and desirable properties underneath the proposed
design, but at the same time we would like to know if there is any
aspect in particular that is of your concern and if you have any
improvements to suggest so it's more accessible to less experienced
users. We are open to considering specification, implementation and/or
documentation changes.
Thanks,
Martin.-
--
Appendix #1
1) A policy that only authorizes the storage of certificates and keys in
PKCS #11 devices, or in a specific instance managed by the
CentralKeysProvider security provider:
*.KeyStore.PKCS11; !*.KeyStore; *
or
CentralKeysProvider.KeyStore; !*.KeyStore; *
In this scenario, a system administrator is concerned about how
applications store sensitive cryptographic keys and intends to enforce a
centralized or more restricted management. This policy aims to mitigate
security risks and drawbacks associated with local file-based key
storage. In the event of a key update, if centralized management is
applied, applications have access to the latest key without any key
population hassle. While this policy imposes restrictions on key
storage, any security provider (including OpenJDK default ones) can use
these keys after retrieval. This latter observation is relevant when,
for example, PKCS #11 token devices with limited performance or
algorithms availability are used.
We deem this type of policy useful for scenarios where centralized key
management is feasible and desirable, or scenarios where keys are stored
in hardware devices.
Enforcing this policy without the Security Provider Filter would be
hard. While changing the default key store type by means of the
keystore.type security property is possible, that configuration does not
make other key store types unavailable. In addition, this security
property lets users choose a key store algorithm but not its provider.
Uninstalling security providers that offer unwanted KeyStore service
types is not always an option because other service types they offer
might be legitimately required. In other words, this option lacks
granularity. The only way to enforce a policy such as the one described
in this case is to audit the application and library sources,
configurations or logs and check how keys are managed. This approach
would require manual actions and rechecks after each application or
library change.
The Security Provider Filter makes the enforcement of this policy easy,
even under the circumstances of an application or library update, or
after the deployment of a new application. The policy can also be
updated to include other key store algorithms, security providers or
combinations of both.
2) A policy that enforces the use of PKCS #12 key stores only:
*.KeyStore.PKCS12; !*.KeyStore; *
In this scenario, a system administrator is concerned about applications
using key stores with non-standard formats such as JKS, JCEKS, BKS
(Bouncy Castle) or BCFKS (Bouncy Castle) among others. These key store
algorithms may introduce interoperability issues and require unwanted
file conversions at some point. Thus, the system administrator enforces
a policy that only authorizes the PKCS #12 standard for key storage.
As in case #1, the security property for controlling the default key
store type is not enough to prevent applications from using other
formats; uninstalling security providers is not always an option; and
auditing application or libraries source code, configurations or logs to
check how key storage is done could be inconvenient or unfeasible.
The Security Provider Filter provides flexibility to change the approved
key store type or authorize more than one. Third-party security
providers may refer to the PKCS #12 standard by different algorithm
names but that should not be a problem either. For example, the filter
may authorize algorithm name variations such as PKCS12, BCPKCS12 (Bouncy
Castle) and PKCS12-3DES-3DES (Bouncy Castle): "*.KeyStore.PKCS12;
*.KeyStore.BCPKCS12; *.KeyStore.PKCS12-3DES-3DES; ...", or more simply
"*.KeyStore.*PKCS12*; ...".
3) A policy that does not allow algorithms considered insecure:
!*.*.MD5; !*.*.MD2; !*.*.SHA-1; *
Security concerns are the motivation behind this type of policy. A
system administrator may enforce it with a deny-list —as done in the
example— or even with a more strict allow-list one. This type of policy
can be applied with algorithms considered secure today or algorithms
that will be required in the future. The latter serves for the purpose
of identifying potential compatibility issues and providing applications
advanced notice to adapt.
While the Security Provider Filter is platform-independent, Linux
crypto-policies is one of the motivations related to this case. Many
Linux distributions, such as RHEL [2], have system-wide crypto-policies
enabled by default. Different crypto-policies profiles (LEGACY, DEFAULT,
FIPS, FUTURE, etc.) define sets of algorithms authorized for different
software packages, including OpenJDK. Our intention is that
crypto-policies for OpenJDK define, according to each profile, the set
of algorithms allowed for all security APIs.
Before the Security Provider Filter, algorithms can be restricted for
some uses with a deny-list type of configuration. However, not all uses
are under scope and applications may use unauthorized algorithms by
calling, for example, Signature.getInstance("<unauthorized-algorithm>")
and using the service directly. Other approaches such as auditing
application and libraries source code, configurations or logs to check
which algorithms are used may not be practical, as pointed out in case #1.
The Security Provider Filter allows a system administrator to keep sets
of authorized algorithms updated and apply its policy widely to all JCA
service types.
4) A policy in which some uses of MD5 are acceptable (e.g.
MessageDigest) but others are not:
!*.Signature.MD5*; !*.Mac.*MD5; !*.Cipher.*MD5*; *
or
*.MessageDigest.MD5; !*.*.*MD5*; *
Some algorithms may be secure for some uses but not for others. In this
case, a system administrator authorizes MD5 for UUIDs, redundancy-check
codes or other hashes, but prohibits its use for signatures, message
authentication, and for deriving encryption keys (PBE).
This type of policy enforcement is possible because the Security
Provider Filter lets users specify the service type, in addition to the
algorithm. A system administrator can easily adjust the algorithms and
service types that are allowed or disallowed.
For the same reasons explained in case #3, implementing this policy
without the Security Provider Filter would not be possible or practical.
5) A policy in which only algorithms implemented by the FastProvider
security provider are authorized for encryption:
FastProvider.Cipher; !*.Cipher; *
In this case, a system administrator is concerned about performance and
wants applications to only do cipher operations in FastProvider.
While it is possible to insert FastProvider in the first place of the
security providers list, or even use the preferred algorithms security
property, an application that is using an algorithm not available in
FastProvider will silently slide to a slower implementation. As
described for other cases, removing slower security providers may not be
an option, and auditing applications or libraries source code,
configurations or logs may not be practical.
6) A policy that only allows a specific source of randomness,
irrespective of the algorithm:
SunPKCS11-HSM.SecureRandom; !*.SecureRandom; *
A system administrator has security concerns about sources of randomness
and decides to authorize only one of them, irrespective of the
algorithm. In this case, the prioritized list of security providers is
not enough to use SunPKCS11-HSM because applications may try to use
algorithms not implemented there and silently slide into other security
providers.
Enforcing this type of policy without the Security Provider Filter may
require actions such as uninstalling security providers or auditing
source code, configurations or logs that is not always possible or
practical.
7) In CRIU scenarios, it could be beneficial to enforce a policy that
does not allow the use of random values or key generation before a
snapshot is taken. A snapshot can be taken, for example, running the JDK
with the following filter value:
!*.SecureRandom; !*.KeyPairGenerator; !*.KeyGenerator; *
In some cases, a system administrator might want to enforce an even more
strict policy using an allow-list approach:
*.MessageDigest.SHA-1; *.CertificateFactory; !*
When resuming a snapshot, no filter is set.
This example is based on a real case. To achieve the desired effect
without the Security Providers Filter, a system administrator has to
create a custom security provider that only implements authorized
service types and algorithms. This security provider is the only one
installed while taking the snapshot. When resuming snapshots, all
security providers are enabled. This solution is hard to implement and
not easily extensible to other service types and algorithms. With the
Security Providers Filter it is easy to decide what is available while
taking a snapshot, and what is available while resuming it.
This type of policy falls into the category of those that may benefit
the security of a deployment. The reuse of random seeds or keys in
different executions of the same snapshot may weaken or compromise the
security of a system.
8) A policy that allows the use of a 3rd party security provider for a
specific purpose but not for anything else:
3rdPartyProvider.AllowedService; !3rdPartyProvider; *
In this case, a system administrator has concerns of applications
depending on a specific security provider for more service types or
algorithms than what is authorized (AllowedService).
This type of policy is difficult to implement without the Security
Provider Filter because there is no granularity when installing a
security provider: it's an all or nothing decision. Thus, the only way
around to enforce compliance is to check applications or libraries
source code, configurations or logs and understand what they are
depending on.
Examples Summary
Throughout the previous scenarios, we have discussed security,
interoperability and performance concerns that may be addressed by the
Security Providers Filter. What all these cases have in common is policy
enforcement at provider, service type or algorithm level. We think that
the existing providers or algorithms preference configurations miss the
partial or total closure that the Filter offers. In addition, the lack
of granularity makes the installation of a security provider an all or
nothing decision. Thus, policy enforcement can only be applied by
auditing applications or libraries source code, configuration or logs.
This type of enforcement is not always possible or practical: a new
deployment or update of an existing one requires a check. The existing
functionality to block the use of algorithms does not extend to all
security APIs and it's, thus, not enough from a policy enforcement and
compliance perspective. While we have showcased fabricated system
administration scenarios in some cases, others are of general interest,
can be used more widely or represent real cases. On a final note, we
have intentionally left the FIPS use-case out of this Appendix as it has
been discussed in previous comments.
--
[1] - https://bugs.openjdk.org/browse/JDK-8315487
[2] - https://access.redhat.com/articles/3666211
On 9/19/23 16:42, Anthony Scarpino wrote:
> Hi Martin,
>
> Thanks for the proposal. Your documents mostly describe the solution.
> Can you provide more of the motivations and use-cases for the change? Do
> you see non FIPS-140 applications using this feature?
>
> The feature does provide a comprehensive filtering system for JCA. The
> syntax, while powerful, seems like it would be somewhat error-prone and
> hard to use. We are also concerned that using the filter requires the
> sysadmin or developer to know about the service and algorithm details of
> every provider and which is required and which is not, all of which is
> not easily determined.
>
> thanks
>
> Tony
More information about the security-dev
mailing list