[104883] in North American Network Operators' Group
RE: IOS Rookit: the sky isn't falling (yet)
daemon@ATHENA.MIT.EDU (Fred Reimer)
Thu May 29 11:27:47 2008
Date: Thu, 29 May 2008 11:27:34 -0400
In-Reply-To: <alpine.NEB.1.10.0805291104350.2838@himring.draga.com>
From: "Fred Reimer" <freimer@ctiusa.com>
To: "Jim Wise" <jwise@draga.com>
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
This is a multipart message in MIME format.
------=_NextPart_000_007C_01C8C17E.FDC9CCC0
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
New keys, to be stored on the crypto chip, would presumably be delivered in
a separately signed package using a master key that would not change
(embedded within the chip). Maybe Cisco even doesn't have this key, and
would need to send a revocation or new public key to be stored on the chip
to the chip manufacturer, who would sign it with the master private key and
which then could be delivered in a software update to the system. There are
many possibilities, and no crypto scheme is foolproof. That much has been
proven. But no, you would not make the on-chip EEPROM of the crypto chip
"flashable" in the normal meaning of the word. You would send the chip a
pointer to a buffer that contains a signed update key, and the chip itself
would verify that signature and only then program the updated key(s).
My intention was not to turn nanog into a crypto forum. I'd be much more
interested in any unique methods that people use to harden their systems
that have not already been widely distributed through vendor or industry
best practices.
Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
> -----Original Message-----
> From: Jim Wise [mailto:jwise@draga.com]
> Sent: Thursday, May 29, 2008 11:10 AM
> To: Fred Reimer
> Cc: Jared Mauch; nanog@nanog.org
> Subject: RE: IOS Rookit: the sky isn't falling (yet)
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Thu, 29 May 2008, Fred Reimer wrote:
>
> >The code would presumably be run upon boot from a non-flashable
> source,
> >which would run the boot ROM code through a check on the crypto chip
> and
> >only execute it if it passed. You would not put the code that checks
> the
> >boot ROM on the boot ROM. The new crypto chip would presumably have
> the
> >initial boot code, which would only be designed to check the boot ROM
> >signature and nothing else so presumably would never need to be
> replaced and
> >hence would be designed to be non-flashable.
>
> Doesn't this just push the chicken-and-egg problem up the chain one
> step?
> The ROMMON would be flashable (among other reasons) because the key
> used to
> sign IOS releases should change over the years -- gaining length as
> cycles
> get cheaper, being replaced periodically to prevent use of the same key
> for
> too long, and perhaps being revoked if it should ever be compromised.
>
> If the ROMMON is itself to be verified by a prior, non-flashable ROM,
> then
> all the same arguments would call for making its key-list updatable --
> and
> given the time-in-service seen by many such devices, any weakness in
> that
> key list would be around for quite some time.
>
> - --
> Jim Wise
> jwise@draga.com
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (NetBSD)
>
> iD8DBQFIPsdRq/KRbT0KwbwRAkcmAJ4xOBtANHOc+C/fzL+7PvgWnjp76ACfSGUw
> 43+1Pq3xWS4MagWzdetZ0ws=
> =62gJ
> -----END PGP SIGNATURE-----
------=_NextPart_000_007C_01C8C17E.FDC9CCC0
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIII0jCCAlow
ggHDoAMCAQICEE/N8u+Cjf1akAnPH3Rf2m8wDQYJKoZIhvcNAQEFBQAwYjELMAkGA1UEBhMCWkEx
JTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQ
ZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA4MDEyMjIxMjcyN1oXDTA5MDEyMTIxMjcy
N1owRDEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEhMB8GCSqGSIb3DQEJARYSZnJl
aW1lckBjdGl1c2EuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDFAAtjFvwayIA70SOY
SunlDptyQhb1DviV+LHKOcX5MadLk2NANpODodUvSUb2AgwAqOkCv7cEEMVTAtYaupWbqtyTSTC8
/T8+mmKwBFgci1PmQrkfE30vneHVuylH2n/lKE4vbLXDFKpcIvqSE8SkgAxQFF2+npog2Uxase9t
6QIDAQABoy8wLTAdBgNVHREEFjAUgRJmcmVpbWVyQGN0aXVzYS5jb20wDAYDVR0TAQH/BAIwADAN
BgkqhkiG9w0BAQUFAAOBgQAHcmBSgreS/FopWMmY+jGgR8IMk07AxNIyvszC1+EqT5GN8CB+BOrr
ePcfIajM/1s/jVJhl7GN/wbKx39vcRFLdTMWfYwRWXJfJFk9C7NBp5QmpUaVxi/q0BFTC9l25BnB
13sv24vIsjSCGif979xFZpwEdP+UZ4U9xfqG+Ps32jCCAy0wggKWoAMCAQICAQAwDQYJKoZIhvcN
AQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNh
cGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0NlcnRpZmljYXRp
b24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBD
QTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3RlLmNvbTAeFw05NjAxMDEw
MDAwMDBaFw0yMDEyMzEyMzU5NTlaMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVybiBD
YXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5nMSgwJgYD
VQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3dGUgUGVy
c29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRoYXd0
ZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANRp19SwlGRbcelH2AxRtupykbCEXn0t
DY97Et+FJXUodDpCLGMnn5V7S+9+GYcdhuqj3bnOlmQawhRuRKx85o/oTQ9xH0A4pgCjh3j2+ZSG
Xq3qwF5269kUo11uenwMpUtVfwYZKX+emibVars4JAhqmMex2qOYkf152+VaxBy5AgMBAAGjEzAR
MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAx+ySfk749ZalZ2IqpPBNEWDQb41g
WGGsJrtSNVwIzzD7qEqWih9iQiOMFw/0umScF6xHKd+dmF7SbGBxXKKs3Hnj524ARx+1DSjoAp3k
mv0T9KbZfLH43F8jJgmRgHPQFBveQ6mDJfLmnC8Vyv6mq4oHdYsM3VGEa+T40c53ooEwggM/MIIC
qKADAgECAgENMA0GCSqGSIb3DQEBBQUAMIHRMQswCQYDVQQGEwJaQTEVMBMGA1UECBMMV2VzdGVy
biBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xGjAYBgNVBAoTEVRoYXd0ZSBDb25zdWx0aW5nMSgw
JgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNlcnZpY2VzIERpdmlzaW9uMSQwIgYDVQQDExtUaGF3dGUg
UGVyc29uYWwgRnJlZW1haWwgQ0ExKzApBgkqhkiG9w0BCQEWHHBlcnNvbmFsLWZyZWVtYWlsQHRo
YXd0ZS5jb20wHhcNMDMwNzE3MDAwMDAwWhcNMTMwNzE2MjM1OTU5WjBiMQswCQYDVQQGEwJaQTEl
MCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3RlIFBl
cnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMSm
PFVzVftOucqZWh5owHUEcJ3f6f+jHuy9zfVb8hp2vX8MOmHyv1HOAdTlUAow1wJjWiyJFXCO3cnw
K4Vaqj9xVsuvPAsH5/EfkTYkKhPPK9Xzgnc9A74r/rsYPge/QIACZNenprufZdHFKlSFD0gEf6e2
0TxhBEAeZBlyYLf7AgMBAAGjgZQwgZEwEgYDVR0TAQH/BAgwBgEB/wIBADBDBgNVHR8EPDA6MDig
NqA0hjJodHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUGVyc29uYWxGcmVlbWFpbENBLmNybDAL
BgNVHQ8EBAMCAQYwKQYDVR0RBCIwIKQeMBwxGjAYBgNVBAMTEVByaXZhdGVMYWJlbDItMTM4MA0G
CSqGSIb3DQEBBQUAA4GBAEiM0VCD6gsuzA2jZqxnD3+vrL7CF6FDlpSdf0whuPg2H6otnzYvwPQc
UCCTcDz9reFhYsPZOhl+hLGZGwDFGguCdJ4lUJRix9sncVcljd2pnDmOjCBPZV+V2vf3h9bGCE6u
9uo05RAaWzVNd+NWIXiC3CEZNd4ksdMdRv9dX2VPMYIC+DCCAvQCAQEwdjBiMQswCQYDVQQGEwJa
QTElMCMGA1UEChMcVGhhd3RlIENvbnN1bHRpbmcgKFB0eSkgTHRkLjEsMCoGA1UEAxMjVGhhd3Rl
IFBlcnNvbmFsIEZyZWVtYWlsIElzc3VpbmcgQ0ECEE/N8u+Cjf1akAnPH3Rf2m8wCQYFKw4DAhoF
AKCCAdgwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgwNTI5MTUy
NzM0WjAjBgkqhkiG9w0BCQQxFgQUwCJadSfEnjYMmfaJBpBrSg26CrUwZwYJKoZIhvcNAQkPMVow
WDAKBggqhkiG9w0DBzAOBggqhkiG9w0DAgICAIAwDQYIKoZIhvcNAwICAUAwBwYFKw4DAgcwDQYI
KoZIhvcNAwICASgwBwYFKw4DAhowCgYIKoZIhvcNAgUwgYUGCSsGAQQBgjcQBDF4MHYwYjELMAkG
A1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT
I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBAhBPzfLvgo39WpAJzx90X9pvMIGH
BgsqhkiG9w0BCRACCzF4oHYwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0
aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5n
IENBAhBPzfLvgo39WpAJzx90X9pvMA0GCSqGSIb3DQEBAQUABIGAkLkgVVE+IDk2GOVm4iKVMfwZ
R4Br/t3JLhLCv9FpuTN4BeqTm5khibM715mKgEIhsuE6YBrmwMcXpnWR6bgyLPnh3g/rTTJJlFE3
qlO1EV1IFnjWXnHUEyNGuzZqPN6IfhZiorrdnBgk7aPM+xnYGNdf/X1sV/X87t/yVl0DYWUAAAAA
AAA=
------=_NextPart_000_007C_01C8C17E.FDC9CCC0--
