Topics

next steps with CII -- focus on crypto_credential_agility


Tony Hansen
 

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  3. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]


natacha.mach@...
 

Hello 

Thanks for these informations.

i have 2 comments / questions:
- The storage of password must be hashed.
- regarding the following statement:
If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

==> is TLS is available, the certificate verification should be mandatory.

What do you think?

Regards
Natacha






De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  3. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]
_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Jonathan Gathman <jonathan.gathman@...>
 

I have thought about this over the years doing “AAF/CADI”.  Hopefully, the solution that exists with AAF/CADI may help frame the thoughts.

 

AXIOM: All decryption must start from initializing information

COROLLARY 1: This initializing information must take the form of Something You Have, or Something You Know

COROLLARY 2: It is impractical to query a person each and every time a Process in a system needs to start.

COROLLARY 3: Since a Computer doesn’t “have” anything but access to storage, ultimately, you must put some sort of key on disk/chip *

 

Given this Axiom and these Corollaries, AAF/CADI solves this in this way. 

 

For any given Namespace (Application) configuration, we can generate a “keyfile”.

 

Ex: org.onap.aai.keyfile

 

This contains a AES-256 level key which is, of course Symmetrical.  Immediately upon creation, is set to “400” for Unix Systems, which denies access to any User on a UNIX based system except the User himself and root (O/S level Access Control)

 

This keyfile is used to encrypt/decrypt passwords contained in Property Files

 

These can be put in manually, or can be generated, as we do with AAF Certman Generation

 

Ex: When AAF Agent generates Certs, typical scenario is to encase the Private key and Trust Chain into a PKCS12 file (.p12)

 

Therefore, Agent (real time) for aai

 

  1. Gets Cert and Private Key from Certman Process
  2. Generates a Password
  3. Creates the org.onap.aai.p12 file using Password
  4. Adds Private Key and Certs (Trust Chain)
  5. Writes to disk
  6. Encrypts the Password using org.onap.aai.keyfile
  7. Saves the Encrypted password into org.onap.aai.cred.props in the form “key_password=enc:<encrypted key>”

 

What exists, therefore, is a set of files on the disk, in a well known configuration directory (In ONAP K8S, I have standardized on “/opt/app/osaaf/etc”)

If you watched one of the demos, these are what were created.

400   org.onap.aai.keyfile

640   org.onap.aai.p12

640   org.onap.aai.cred.props

 

(more generated, but these are the only ones outlined)

 

*NOTE: There are some efforts to expand the list of “Something a Computer Has”.

  • Intel has provided ONAP with Chip level storage based on PKCS11.  I personally do not know how this can be applied to Kubernetes, whose main function is to remove Services from any direct access to hardware or dependency on it.
  • Intel has provide the SMS service to ONAP.  However, in order to securely access, the App still needs to be able to get an initial key from disk, so it solves some issues, but still requires something like the above to get the APP’s Credentials.

 

 

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Wednesday, June 19, 2019 at 10:34 PM
To: "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII -- focus on crypto_credential_agility

 

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  3. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]


Tony Hansen
 

Thank you for your email, Natacha.

 

These are both very important considerations, and they are covered under other CII topics:

 

The comment about hashing passwords is covered under the CII topic [crypto_password_storage]:

 

If the software produced by the project causes the storing of passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., PBKDF2, Bcrypt or Scrypt).

 

The comment about TLS certification verification is covered under the CII topic [crypto_certificate_verification]:

 

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

There is another thread on the [onap-seccom] mailing list that is focusing on the [crypto_certificate_verification] CII topic. Please take a look there and make sure that your concerns regarding certification verification are being sufficiently addressed.

 

Thank you again for your email, Natacha.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Thursday, June 20, 2019 at 5:41 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello 

 

Thanks for these informations.

 

i have 2 comments / questions:

- The storage of password must be hashed.

- regarding the following statement:

If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.

  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

 

==> is TLS is available, the certificate verification should be mandatory.

 

What do you think?

 

Regards

Natacha

 

 

 

 

 


De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  1. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

1.      Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

c.       If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


natacha.mach@...
 

Hello,

Many thanks for your answer.

Regarding the following statement: 
"The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A)."

==> the "not applicable", in my understanding / opinion should not be possible.
TLS should be mandatory, with no other option. If TLS is not possible then the solution is not comptible and the statement unmet.

What do you think?

best regards
Natacha


De : HANSEN, TONY L [tony@...]
Envoyé : jeudi 20 juin 2019 14:27
À : MACH Natacha TGI/OLS; GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

Thank you for your email, Natacha.

 

These are both very important considerations, and they are covered under other CII topics:

 

The comment about hashing passwords is covered under the CII topic [crypto_password_storage]:

 

If the software produced by the project causes the storing of passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., PBKDF2, Bcrypt or Scrypt).

 

The comment about TLS certification verification is covered under the CII topic [crypto_certificate_verification]:

 

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

There is another thread on the [onap-seccom] mailing list that is focusing on the [crypto_certificate_verification] CII topic. Please take a look there and make sure that your concerns regarding certification verification are being sufficiently addressed.

 

Thank you again for your email, Natacha.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Thursday, June 20, 2019 at 5:41 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello 

 

Thanks for these informations.

 

i have 2 comments / questions:

- The storage of password must be hashed.

- regarding the following statement:

If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.

  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

 

==> is TLS is available, the certificate verification should be mandatory.

 

What do you think?

 

Regards

Natacha

 

 

 

 

 


De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  1. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

1.      Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

c.       If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.