Open drandreas opened 3 years ago
This looks more like a security enhancement than network one to me. cc: @d3zd3z @ceolin
I think this is a good start. Opaque keys will be important when wanting to store keys in a secure environment such as TF-M/PSA.
Hello, Any news on this feature which could really enhance security ? Would be interested!
At this point, we are waiting for some more progress in how this is done within TF-M. It works when chosen at build time, and there was additional information added to the keys, but it isn't yet possible to have keys that live in different places from how the system was configured.
Introduction
Zephyr implements the concept of Secure Sockets. Those ease the integration of TLS and DTLS into arbitrary applications. However, the secure sockets hide the underlaying crypto library. Moreover, the current code lacks support for opaque private keys and engine callbacks.
The secure socket API should be extended with an API that allows replacing any of the asymmetric functions on a per context basis.
Problem description
mbedTLS has support for alternative crypto implementations and limited (RSA: yes, ECP: no) support of opaque keys. However, Zephyr’s code that setups the pk context is very rigid and cannot cope with situations where
TLS_CREDENTIAL_PRIVATE_KEY
is not set.Proposed change
Add support for adding opaque private keys with
TLS_CREDENTIAL_PRIVATE_KEY_BLOB
in addition to the existingTLS_CREDENTIAL_PRIVATE_KEY
and allow for the definition of alternative cryptographic functions.Detailed RFC
Proposed change (Detailed)
The Secure Socket subsystem runs to the best of my knowledge in kernel space. The proposed change therefore needs to take privilege separation into account. User space should not be able to set functions that are executed in kernel mode.
mbedTLS features mbedtls_pk_setup_rsa_alt which allows the definition of
mbedtls_pk_rsa_alt_decrypt_func
,mbedtls_pk_rsa_alt_sign_func
andmbedtls_pk_rsa_alt_key_len_func
. Those could be exposed to the developer to be defined at compile time. Additionally,tls_set_own_cert
could be extended to detect opaque keys and callmbedtls_pk_setup_rsa_alt
instead ofmbedtls_pk_setup
with the above alt function pointers. Finaly Zephyr should provide a macro/function that allows for a type safe recovery of theKEY_BLOB
within the alt-functions fromvoid *ctx
. Blow the function typedefs:Dependencies
The proposed change addresses RSA only. The three alt functions described above are not yet available for ecp. We would need to create a PR in the mbedTLS project to upstream
mbedtls_pk_setup_ecp_alt
.Concerns and Unresolved Questions
Depending on the application an engine might need to communicate with a UI to request a password. The current RFC only addresses one-way data transfers.
Alternatives
I've created a Proof of Concept for using a Trusted Platform Modules (TPM2) as secure storage of private keys. The PoC defines
MBEDTLS_ECDSA_SIGN_ALT
to catch all sign-requests and forward them to the TPM2. HoweverMBEDTLS_ECDSA_SIGN_ALT
was designed with crypto accelerators in mind and does not offer a context, see the function prototype below:Therefore I had to pass
KEY_BLOB
on a side channel. I chose a global variable. Moreover sinceMBEDTLS_ECDSA_SIGN_ALT
lacks the context, this approach only works for a single key per algorithm (1x RSA, 1xECP).