Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Question: In multi server environments do you need the same master seed on all servers? #14

Closed
dkanchev opened this issue Oct 10, 2018 · 3 comments
Closed

Question: In multi server environments do you need the same master seed on all servers? #14

dkanchev opened this issue Oct 10, 2018 · 3 comments

Comments

@dkanchev
Copy link

Hi, @secumod

I watched your presentation here:

https://www.usenix.org/conference/srecon17asia/program/presentation/korgachin

I have a question in regards to managing setups which consist of many servers. Do I need to store the same master seed in UEFI on every server? Is there a way to use different master seeds on different servers and still have secure trusted communication between the servers.

If the same master seed is stored on every server then it is easy but can this be done with separate unique master seeds stored in the UEFI and based on a random number generator for example.

I am trying to figure out if gokey can be used for something similar to this:

Each server machine in the data center has its own specific identity that can be tied to the hardware root of trust and the software with which the machine booted. This identity is used to authenticate API calls to and from low-level management services on the machine.
@ignatk
Copy link
Contributor

ignatk commented Oct 10, 2018

It is possible to have unique master seeds, however the whole setup becomes a bit more complicated: you cannot predict anymore the "identity" of the machine, so you need to have a separate step in the server provisioning process, which will "collect" those identities (some public counterparts) in a secure manner. For example: you use gokey with unique master seed and you use that seed to generate server's SSH key. But you still need somehow to get to know the generated public key for your server to trust it. In other words, gokey will help, but not on its own, but rather as a part of a bigger process. Worth to mention that having a unique master seed per server, although more complicated, is much more secure, than having the same seed across all the servers, because in latter case a single server compromise will lead to compromising of the rest of the fleet.

There might be an alternative "middle" two-layer approach: you can have a "master master" seed. You may use that seed to generate unique server seeds, something like

gokey("master master seed", "some server hardware id (serialnum, hostname etc)")

and use gokey on each server with the "server seed" for everything else., but keeping the "master master seed" somewhere safe with limited access. This way a single server compromise will still be limited to the server itself, because you can't go back from the "server seed" to "master master seed", but you have the ability to predict the server identity in advance provided you know the serial number and have access to "master master seed".

However, from security standpoint, this schema is still fragile if the "master master seed" is compromised, so sufficient protection should be involved for keeping this "ultimate top master" seed secure.

@ignatk
Copy link
Contributor

ignatk commented Jan 2, 2019

Closing for now. Let me know if you have more questions.

@ignatk ignatk closed this as completed Jan 2, 2019
@dkanchev
Copy link
Author

dkanchev commented Jan 3, 2019

@secumod thanks for the info and the great explanation!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@dkanchev @ignatk