Re: next steps with CII -- focus on crypto_certificate_verification


Tony Hansen
 

Great summary, Jonathan. I like it. :)

 

I realized that this statement hadn’t been explicitly listed before:

 

If the remote API has both non-TLS and TLS endpoints/options available, make certain that the TLS endpoint is being used. For example, if the remote API can be invoked either with HTTP or HTTPS, make certain that HTTPS is being used.

 

Thanks again for the discussion on this CII issue. It will make the conversation with the PTLs easier.

 

Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 8:50 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII -- focus on crypto_certificate_verification

 

Great Answers, Tony,

  If I could summarize, it is about validating that TLS is 1) used where possible 2) is not disabled (since it is easy in some mechanisms.

 

Appreciate it

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Wednesday, June 19, 2019 at 7:46 AM
To: "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII -- focus on crypto_certificate_verification

 

Thank you all for your responses.

 

Jonathan, the answer to most of these questions SHOULD lie in the realm of no brainers / standard use. But let’s look at [crypto_certificate_verification] for a moment.

 

  • This is about machine-to-machine calls to remote services from within the project’s code to an external service, and not about calls INTO a project’s code (either machine-to-machine or user-to-machine).

 

  • Trust chain (aka CA Server Certificate Chain):
    • If the server on the other end is using a cert from a public trusted CA, then you need a trust chain for that CA.
    • If the server on the other end is using a cert from another CA, then you need a trust chain for that CA.
    • The key is that you need the right trust chain for whatever language you’re dealing with to reach the servers you’re going to.
    • This one should seriously be in the no-brainer category.
    • But what if they turned off verification because they didn’t have access to the remote site’s trust chain? Or didn’t know how to add support for it in the language that they are using?

 

  • Language issues:
    • If Java makes it hard to avoid verification, that’s a good thing.
      • The PTL should check their code base to see if they did it the right way or not.
    • With curl, it is SO easy to just toss the -k into your scripts and forget that you did it.
      • The PTL should check their code base to see if they did it the right way or not.
    • With the python requests library (which most people use these days), you can similarly use a -k-equivalent or do it the right way.
      • The PTL should check their code base to see if they did it the right way or not.
    • The same thing goes for other languages.
      • The PTL should check their code base to see if they did it the right way or not.
    • The PTL can also delegate the code checking.

 

It would be useful for the PTLs to know what to look for in the code. For example, guidance like this would be useful:

If you know your code uses shell scripts and invokes curl or wget, make certain that curl does not use the -k or --insecure option and that wget does not use the --no-check-certificate option.

 

The end result is that if they are NOT doing the right thing with their trust chain OR avoiding verification for any of a myriad of reasons, they need to write JIRA tickets to fix their code.

 

Bottom line: our job is to get them to improve their code. Getting the silver star or gold star from the CII badge is truly secondary.

 

I’ll address the other CII issues separately.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

First, I’m curious as to context.  Are you specifically drawing our Person to App or App to App communications?  Or, given the nature of what ONAP addresses, are you trying to leave room for Communications are a more network level?  When I’m reading these, some of them seen either no-brainers or are standard use for out-of-the-box Client/Server solutions i.e. Java (HTTP/S) with TLS. 

 

Are we trying to codify  what might be stated more baldly “Use the security provided with valid CA structure and don’t disable it” and “Don’t hardcode credentials in Source, and realize that Containers ultimately compiled… you need to provide methods for changing creds”?

 

Here are more detailed questions that I’m hoping will draw out the intentions.

 

Verification

  1. When you are saying TLS verification, are you talking mostly about making sure TLS is running normally, default behavior?    What I mean is that

a.      In Java, for instance, the TLS connections validate all the Certificates in a Trust Chain against Trusted CAs in your Truststore.  You have to go to great pains to, for instance, turn off DNS checking, etc.

b.      In “curl” (do we use curl other than as a convenient Client?) you have to disable TLS Trust with “-k”…

  1. Are you talking about only using Certificates with a Trust Chain to an established CA (or public Trusted CAs)?

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

Verification

  1. This seems to be back to TLS focus, specifically Client.

a.      Are you saying that Client Software needs to first determine if the underyling connection (typically invisible to the top-level client code) is TLS? 

b.      Clients can only Communicate in the manner that the Service Side dictates.

c.       Given this is done at (to quote OSI Level), at a lower communication Layer, what is the practical way for an App to ensure this.

d.      Example: Is it enough to reject any URLs as a client that start with “http:” but not “https”?

 

 

 

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]

Join onap-seccom@lists.onap.org to automatically receive all group messages.