Consider including the Saved Object's top-level created_by and updated_by properties in the AAD automatically.
#184800
Comments
azasypkin
added
Team:Security
|
Pinging @elastic/kibana-security (Team:Security) |
Yeah that's a good point. What options can we explore?
|
This option wouldn't be too bad, but might seem hacky. We could just look at the creation time choose to add the extra AAD fields if created after xxxx/xx/xx.
Yeah, this could add a lot of overhead in some situations. We use this sort of method when there are multiple decrypt keys, do we have an idea of the possible impact from that scenario as a baseline?
Yeah this could be really painful. Do we have telemetry on average number of ESOs/deployment, or on key rotation mass re-encrypt duration?
No other ideas yet, but I'm still thinking through it. I am trying to think if there might be a way to use model versions to support option 1, but not sure that makes sense or is feasible yet. |
I don't know yet how we can do that, but conceptually, it feels like the ideal solution to me. Dealing with the creation date might be tricky since we don't know when the customer upgrades to a newer version, but if we could know the exact version in which the SO was created or updated (whichever is the latest), it would solve our problems. Sounds familiar, right (Versioned Encryption Definition)? 🙂
If we say that we use
Agree, it can be quite troublesome. I did some measurements around rotation here: #72420 (see tables at the bottom of the PR description), but it makes sense to re-measure if we decide to go this route.
Same, no ideas yet, but I will think about it. We could embed the version of the "built-in" AAD into the encrypted value directly in one way or another (e.g., |
|
I don't like this option, but I mention it in case it sparks a better idea for some else. We could exclude all current ESO types from using these fields, but include them by default for any new ESO types that are introduced. We don't introduce new ESO types all that frequently, so this wouldn't provide a meaningful benefit. It also provides zero benefit for our current ESOs. |
So it's settled. We'll implement the VED system. 👍 😉 But you're right, I didn't think this all the way through. For serverless ZDT, there are further implications. Even if we could access the updated time and decide when to include the extra AAD during decryption, the previous version of Kibana will fail trying to decrypt any of the re-encrypted objects. This would only be a concern for one version upgrade, but still something to consider. |
|
I don't think we can automatically include |
Oh, yeah, it's a good point. Unless we can somehow rely on a new behavior in SO land shared in #50256 (comment) |
|
Another thought - we used to include namespace in AAD for ESOs with the legacy single namespace type. But we currently do not include namespace(s) as part of AAD for any multi-namespace SO types, including multiple-isolated. We should consider adding namespace(s) to AAD because they offer a unique protection that other fields cannot - validating an ESO hasn't been maliciously or accidentally moved to a different space. With this, we run into the same issue - how do we handle whether we should include it when decrypting an existing ESO, and ZDT. |
Summary
Now that we have top-level
created_byandupdated_byproperties in the Saved Objects, it makes sense to automatically include them in the AAD for encrypted Saved Objects if present. The tricky part will be to not break existing ESOs with populatedcreated_byandupdated_by(to be released in 8.14.0 - #179344).The text was updated successfully, but these errors were encountered: