Cryptographic Vault

James F. Carter, 2004-11-14

Most machines have a whole family of unencrypted secrets, e.g. the SSH host key, the secret key that goes with the digital certificate used to send TLS mail, and the web browser's HTTPS secret key. How can these be protected properly?

Protected from what? On a datacenter machine, the main threat is that a hacker perpetrates a root exploit during normal operation. This threat is less, but not zero, on a personal laptop.

On a personal laptop the major threat is that it will be physically stolen, after which the Black Hats can run a rescue system or transfer the disc to a convenient other system, and apply whatever tools they please. Thus, when the laptop is stolen, the secrets must be encrypted. Most likely the laptop will not be running when stolen, but there is a high probability that it may be suspended. Let's deal with this case first.

Cryptographic Vault for Theft Resistance

This is a small crypto filesystem containing all the secrets in unencrypted form. Let's say its mount point is /vault.
Crypto clients either mention a filename in /vault in their config files, or have a symbolic link from a standard location in /etc pointing to the /vault file.
/vault is mounted by the automounter. If a crypto client needs to read the secret key and it isn't mounted, the client will block until the automounter finishes the mount. The timeout on this mount will be infinite; the automounter will not dismount /vault until explicitly ordered to.
As one step in mounting /vault, its mount script will obtain a passphrase interactively from the user.
- Although /vault is not one of the filesystems standardly mounted at boot time, a boot script will cause it to be mounted (rather than waiting until the first crypto client provokes the mount). This way the passphrase is solicited at a controllable time, rather than possibly during the transition from console to X-windows operation, and before getty has taken over the console.
- The mount script must be able to either solicit the passphrase from the console or from X-windows.
- If the user types the passphrase wrong, the script should be aware and should be able to ask for the passphrase again.
- The user should be able to refuse to enter the passphrase, e.g. if hostile eyes are watching, or so a repair technician can boot the machine (minus its secrets).
When the machine is suspended, /vault will be dismounted. When it resumes, either an immediate remount will be forced (requiring the passphrase) or the remount will be deferred until a client reads a secret, on the assumption that often the crypto clients will often remain unused.
Services such as ssh and gpg include an agent which, given the user's passphrase, decrypts and stores in memory his secret key, so that the passphrase is not needed separately for every transaction. The key is more or less vulnerable to attacks against memory. The right way to handle this is for the user's secret key to be unencrypted in the vault, to be read on every transaction. This mode is particularly feasible for gpg; less so for ssh. While not feasible on a shared execution server, storing the user's personal secret in the vault is particularly useful on a personal laptop.

Thus, the secrets in the Cryptographic Vault are accessible only when the machine is in active use, and (most likely) they are not accessible if the machine is physically stolen.

Objections to the Cryptographic Vault

Because the passphrase must be entered, unattended booting is not possible. Response: If you want security you're going to have to work for it. Truly unattended booting of a personal laptop is hardly ever done. If the issue is being able to chatter uninterrupted with your neighbor while the thing boots in your lap, your security is worth the trouble of attending to the boot.
You mean I have to type the passphrase every time I resume after suspend? Yes. See the response above.
The Cryptographic Vault is useless because it does not protect against exploits in normal operation (e.g. Windows mail viruses). Response: It protects against an important threat class. Inability to protect against a different class of threats does not mean it is useless. See below for recommendations on root exploits.
The crypto filesystem necessarily relies on unchained block ciphers, which are inherently easier to crack than chained block ciphers; or the kernel does not have my favorite cipher available for crypto filesystems. Response: This may or may not be true, but if it worries you, encrypt the filesystem into a plain file using your favorite chained cipher. To mount, decrypt the file into another plain file in /var, and mount that. When dismounting, wipe the temporary file. This method has another advantage: the secret key for the filesystem is not in memory once mounting is finished.

Root Exploits in Normal Operation

Turning to the datacenter situation: In what is commonly called a root exploit, the usual procedure is to induce a system daemon to execute arbitrary hacker-provided code under its own permission, which often is the superuser (root). The exploit code will then do general hostile activity such as reproducing by attacking other vulnerable machines, installing a bot to which the hacker can open a connection and give commands, vandalizing the victim machine, or (of particular interest here) looking for secrets and mailing them back to the hacker.

The Cryptographic Vault is useless against root exploits (except possibly with SELinux), because the crypto filesystem is mounted and decryptable when the exploit happens.

It is not prudent to assume that system code is perfect; in other words, we have to assume that security holes are always present. However, the ones that are easy to find have already been found and fixed, and in many cases security holes are found by the developers or (for open-source software only) interested third parties, so-called White Hats. These are then fixed and are never exploited. But occasionally a new exploit is found circulating in the wild. Once it is recognized, the fix usually appears promptly.

These steps can mitigate the vulnerability of the datacenter machine to a security breach. The same steps are important for personal laptops.

First and foremost, don't have security breaches: aggressively update your software with the latest fixes. Viruses spread among machines that have not been patched. Nonetheless, someone has to be first to be victimized.
Many important and exposed system daemons, such as ssh and postfix, can execute their most risky parts as a special user, not root, so that any damage is confined to files owned by the special user. Attacking such a system is not worthwhile for a virus (or its author). This feature should be used when available.
The USA National Security Agency has sponsored a SELinux set of kernel patches, which strip the root user of much of its power while still allowing the system to provide normal services, relatively unobtrusively and with low runtime overhead. Administering such a system takes extra work because normal system administration tools and training assumes that root has permission to do anything. Nonetheless, the enhanced security is worth the bother in administration. SELinux would be much harder for a virus to exploit productively.
You should carefully audit your practices and procedures, and stop doing inherently risky things. For example, Sun's remote shell protocol relies on hostbased authentication, which the hacker can fake. You should disable this protocol and rely on ssh entirely. Similarly, Sun's NFS was never intended to resist hackers, and a more secure network filesystem like AFS should be used.
If you su (activate the root user) on a personal laptop, you should exit from that shell before the laptop is stolen. Particularly you should not leave a root shell active when you suspend the machine.

Unattended Booting of Datacenter Machines

If you are serious about security, you should only run your machines, including booting them up, when a trusted operator or owner/user is in immediate attendance, and the operator can enter the password. However, there are many situations where an operator is not feasible, for example a small business, a commercial hosting company (colo) (which may have an operator, but not one trusted by you), an academic department, or a public computer lab where users may power cycle the machines. How can you use the Cryptographic Vault in this situation?

If the hacker can perpetrate a root exploit he can read the secrets directly (except possibly with SELinux), so these schemes are deemed sufficient if a root exploit is needed to break them.

Let's be clear what threat is being protected against: a hacker who breaks into an unattended datacenter or public lab, or an unscrupulous colo operator, physically working on the victim machine. This is the same type of threat as for a stolen personal laptop, but with more weaknesses since the machines have to boot unattended.

First, the BIOS should be password protected and configured so a CD-only rescue system cannot be booted, particularly in a public computer lab. The checksum of the nvram should be used in relevant cryptographic keys, so if a hacker opens the case and clears the nvram, enabling the rescue system to boot, steps listed below will fail.
You can get a lockbox card. After a PCI bus reset (i.e. upon boot), it will divulge a secret, but only once, and only if the operating system sends in its own secret, which is typically a checksum over the kernel, system libraries and the nvram. Exchanging one secret for another seems not useful for the Cryptographic Vault.
Also one has to wonder whether the secret is stored in nvram that can be unsoldered and read by the Black Hats, having stolen the computer with the card in it. None of the protections in this section can withstand that intensity of attack.
During boot, you can communicate over the net (by an encrypted protocol using Diffie-Hellman key exchange) with a machine that stores the necessary secrets for all your servers or lab machines, similar to the lockbox card. However, the hacker can communicate too and receive the secret. These variants may have better security.
- If the secret server, on the same subnet, checks the client's MAC address, the hacker will have to send from the client (presumably blocked by its internal firewall once booting is complete), or force it off the net (e.g. by unplugging it) and substitute his own machine with its MAC address configured.
- If you use a dedicated serial port, UNIX file permissions will keep the hacker off it. However, dedicated serial ports are expensive and hard to wire up in cases like a public lab or a colo. Also the serial cable can be unplugged and connected to the hacker's machine.
- If the secret server can monitor the power usage of the clients, it can know authoritatively when they reboot. However, it is still vulnerable to an unplugging attack, and power monitors are even more expensive and hard to wire up than serial ports.
Thus, Ethernet with a MAC check is probably the most practical variant for the secret server. But the secret server has similar vulnerabilities as the clients, and it also has to boot unattended. This solution is probably only useful in a public lab where the secret server is physically better protected than the clients.
Suppose the secret needed to decrypt the Cryptographic Vault is simply a checksum over the nvram content, possibly concatenated with another file, different on every machine. Both of these elements would have UNIX file permissions locking out the hacker during normal operation (barring a root exploit). To boot a rescue system, the hacker would have to clear the nvram content, specifically its password, losing this essential part of the crypto secret. This is the simplest solution and is probably sufficient for the level of protection implied by the public lab or unattended datacenter model.

Conclusion

On a personal laptop, unencrypted secrets should be stored in the Cryptographic Vault, whose passphrase must be entered manually every time it is mounted. With proper care in dismounting the vault before theft, and with careful attention to avoiding or mitigating root exploits, this protection is as good as you're going to get, in keeping your secrets away from the Black Hats.
Servers and desktop machines in a national security context should be protected similarly to a personal laptop, despite their somewhat better physical security. A trusted operator should provide the passphrase for the vault, every time the machine is booted.
Where a lesser degree of security can be tolerated, unattended booting is possible. The secret for mounting the Cryptographic Vault should be a digest over the BIOS nvram (so clearing the BIOS password prevents mounting) and an additional initialization vector file which is unique for every machine.

Appendix: Implementation Plan

Make a list of secrets that should be in the vault.
- Kerberos host key: /etc/krb5/krb5.keytab
- Kerberos database (servers only): /var/krb5kdc/*
- ssh (secure shell server): /etc/ssh/ssh_host_rsa_key and friends
- Postfix (mail): /etc/postfix/host.key
- httpd (web server): /etc/apache2/ssl.key/host.key
- BIND (namedaemon) TLS certificate, if any
- CUPS (printing) TLS certificate, if any
- X Window System: The key for access to the server is generated anew at each login, but it persists if a laptop is suspended, so a truly paranoid user would write it into the vault. /etc/X11/xdm/authdir/authfiles/*, symlink to /var/lib/xdm/authdir (/authfiles).
- User's ssh (secure shell client) identity key(s): $HOME/.ssh/id_rsa
- User's gpg (mail and general cryptography) signing and encryption key: $HOME/.gnupg/secring.gpg --- except the user's GPG secret key is required to decrypt the vault. Which comes first, the chicken or the egg?
Set up the automounter to mount the vault on demand.
Write a script that solicits the passphrase and then mounts the vault. Alternatively for unattended operation it should create a passphrase by checksumming the nvram.
Unfortunately, when a BIOS password was set, /dev/nvram did not change.
Write a script to go with apmd/acpid (power management) which will dismount the vault when the laptop is suspended.

Survey of Cryptographic Processes

Here is a complete survey of processes on a personal laptop, split up by cryptographic significance:

Requires cryptographic secrets, should use the vault:

/usr/lib/heimdal/sbin/kdc: Kerberos authentication engine; beware of chicken and egg issues if its secret key is in the vault. Kerberos (kdc) only needs to read its secret at startup; it continues to function even when the vault is unmounted afterward.
/opt/kde3/bin/kdm (X-server's access control cookie)
User's login session, actual crypto accessories:
- ssh-agent (holds OpenSSH secure shell authentication secret)
- gpg-agent (holds GPG secret key) --- but the GPG secret key is required to decrypt the vault, so there's a chicken and egg issue here.
User's login session, X-Windows access control cookie:
- fvwm2 (window manager) and its numerous applets
- xterm and various other X applications
/usr/sbin/sshd: OpenSSH secure shell. It reads its keys once at startup and continues to function if the vault is unmounted later.
/usr/lib/postfix/master: Mailer; uses TLS to secure SMTP gateway. If you send mail while the vault is unmounted, it will disable TLS until a manual reload. This could happen if mail is queued and the queue run interval occurs while the vault is unmounted.
/usr/sbin/httpd2-prefork: Apache web server; uses TLS for secure service. It reads its secret at startup and continues to function if the vault is unmounted later.
/usr/sbin/openvpn: Virtual private network, uses X.509 authentication. It reads its secret at startup and continues to function if the vault is unmounted later.

Requires crypto but cannot use the vault:

/usr/sbin/saslauthd (authentication proxy potentially looks at /etc/shadow)
opera (web browser -- has its own crypto for X.509 certificates)

Potential crypto but not encrypted on this system:

/usr/sbin/named (Domain Name Service can use TLS for authenticated dynamic DNS)
/usr/bin/mysqld_safe (database engine may or may not have TLS capability)
/usr/sbin/cupsd (printing service can require authentication)
/usr/sbin/ntpd (Network Time Protocol can require partners to authenticate)

No cryptographic implications:

init (master UNIX process)
[numerous kernel threads]
/usr/sbin/xinetd (daemon master process, starts individual servers)
/sbin/portmap (Sun Remote Procedure Call protocol manager)
/sbin/cardmgr (manages laptop's removeable PCMCIA cards)
/usr/sbin/apmd (also acpid) (power management)
/sbin/mingetty (serial line control)
/sbin/dhcpcd (gets host's IP address assignment from server)
/sbin/syslogd (system logging daemon)
/sbin/klogd (kernel message logger)
/usr/sbin/atd (time-scheduled job execution)
/usr/sbin/cron (time-scheduled job execution)
/usr/sbin/nscd (Name Service Cache)

More Implementation Plan

As a compromise between useability, implementability and security, this alternative scheme is proposed for mounting and unmounting the vault. This is specifically for a personal laptop or workstation where all users (generally only one) are authorized to mount the root's portion of the crypto vault.

The exact protective mechanism is like this: each user including root has a vault, which is encrypted with a randomly generated key, which is contained in a file encrypted with GPG. Such a file can be encrypted with the public keys of multiple recipients, e.g. root and jimc both, and this is done for the root vault. A script running (setUID root) on behalf of the user who is logging in will use the login password to decrypt the user's GPG secret key, to decrypt root's vault key file, to attach root's vault to a loopback device, to mount root's vault. The system-wide secrets are in this vault. Other secrets such as the user's SSH key are in the user's own vault, which is mounted similarly via a second loopback device.

When the system boots, services whose secret keys are in the vault will be deferred, not starting until after the vault is actually mounted (if ever).
As part of the PAM stack for the X display manager (kdm, etc), a module will run which mounts the vault. The proposed module is pam_runscript (by jimc), which runs an arbitrary script with (if so configured) the password piped in on an open file descriptor.
If root's crypto vault key file is not encrypted with the user's key (e.g. a guest account), the vault cannot be not mounted. Since Kerberos cannot start, the user cannot log in. However, if an authorized user logs in first, Kerberos can start, and it only needs its secret key at startup time. After that, unwashed users can log in.
For Kerberos, the vault will be mounted first as part of the PAM auth phase, then Kerberos will be allowed to start up, then the script will exit allowing the Kerberos auth module to check the user's identity. The vault will be mounted before Kerberos has authenticated the user. The user needs to give a correct password to decrypt the vault, and this is actually sufficient authentication so that Kerberos is redundant, but GSSAPI is needed to propagate the user's identity for some services.
The vault mounting script needs to positively verify (by fsck on the loopback device) that the password will decrypt the vault, so as not to try to mount random garbage, which could break something.
The user is required to lock his screen when not in immediate attendance to the computer, including before suspending a laptop. Xlock has the -startCmd command which it runs at that time, which would unmount the vault. It is necessary that the vault mountpoint be configured with the user attribute so the user can mount and unmount it. The startCmd should also reset the ssh-agent and gpg-agent. It will not be possible to cause daemons such as Postfix and Apache to forget their secrets. Beware, if the X-server cookie is in the vault, eye candy (so-called screen savers) will not be able to run.
To unlock the screen, the user must type his password. Xlock has the -pipepassCmd command which can receive the password and remount the vault. It's assumed that there is no password on the ssh and gpg secrets, so it is trivial to then reload the respective agents.
On session tear-down, the vault will be dismounted. But a scenario can be envisioned where the auth phase mounts the vault but no session ensues, e.g. the account phase denies access. On the personal laptop this is not credible. Or if the display manager crashes, the session closing phase would not happen and the vault would remain mounted. If this is going to be a problem, a cron job can check for a live session and dismount the vault if a session is not apparent.
Crypto services will not be able to read their secrets when the vault is not mounted. It is hoped that they either cache the secret in memory, or fail gracefully and can be revived when the vault is remounted. See notes with the services on this point.

The above plan means that pam_runscript needs to be able to ask for the password by itself, which it is presently not able to do. This has been accomplished, and the Cryptographic Vault appears to operate successfully.