use encryption+authentication during configuring clients?

Jan Bredereke jan.bredereke at hs-bremen.de
Mon Sep 22 09:35:10 CEST 2014


Hi Toomas,

On 19.09.2014, Toomas Tamm wrote:
> > As for the initial installation process, I suppose it cannot be
> > secured fully. You would have to transfer the crypto keys to the
> > clients without using the network, i.e., manually. As far as I have
> > seen, FAI does not provide mechanisms for this.
> 
> Please have a look at the list archives - this has been discussed
> several times over recent years.
> 
> The bottom line is that a fully automatic transfer of secrets (e.g.
> passwords) over an uncontrolled network seems impossible.

I had already done a quick search there, with the result you
describe. But I hoped that there could be something new or something
I missed.

> Imagine an
> attacker impersonating one of your clients, for example. FAI would
> perform an installation onto the attacker's hardware, which he can later
> analyze and learn the secrets. Other types of attacks can be thought of
> as subsets of this.
> 
> However, users have come up with "nearly secure" solutions which can be
> used without physical access to the clients. One is setting up a key
> provider and logging all attempts to access it. Normally you know the
> times when installations occur, so you can later account for all key
> request attempts and map them to individual installations (successful or
> failed). In case of any suspicious entries in the logs, just repeat the
> installation with new keys.

Hey, that is a clever idea. In principle, this defence can be
fooled, too, but the effort would be quite high. You need a
permanent, custom-tailored capability to monitor and intercept
(MITM) the network traffic in order to pull off an attack.

> Of course, if you have physical access or can establish out-of-band
> communication with the client (such as plugging in a USB stick or CD),
> you can use these to provide any necessary secrets.

Yes. However, everything discussed is not part of stock FAI anymore,
so you would have to roll your own extension.

Thanks,
Jan

-- 
Prof. Dr. Jan Bredereke
Hochschule Bremen, Fak. 4, Flughafenallee 10, D-28199 Bremen.
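The logging key provider Toomas describes above only helps if someone actually reconciles its log against the installations that were supposed to happen. Added example, not from this thread or from FAI: a Python audit that parses constructed key-provider log lines (format assumed, since stock FAI ships no such service) against a planned installation schedule and flags every request that cannot be tied to exactly one expected installation.

```python
import re
from datetime import datetime
# Constructed sample lines from a hypothetical key-provider service (format assumed;
# stock FAI ships no such service, as the thread notes).
SAMPLE_LOG = """\
2014-09-19T10:02:11 key-provider host=node01 mac=00:11:22:33:44:01 src=10.0.0.21 result=served
2014-09-19T10:03:40 key-provider host=node02 mac=00:11:22:33:44:02 src=10.0.0.22 result=served
2014-09-19T10:05:03 key-provider host=node02 mac=00:11:22:33:44:02 src=10.0.0.99 result=served
2014-09-19T13:41:55 key-provider host=node03 mac=00:11:22:33:44:03 src=10.0.0.23 result=served
2014-09-19T22:17:30 key-provider host=node07 mac=de:ad:be:ef:00:07 src=10.0.0.77 result=denied
"""

# Planned installation windows (constructed): host -> (start, end), from the install schedule.
PLANNED = {
    "node01": (datetime(2014, 9, 19, 10, 0), datetime(2014, 9, 19, 10, 30)),
    "node02": (datetime(2014, 9, 19, 10, 0), datetime(2014, 9, 19, 10, 30)),
    "node03": (datetime(2014, 9, 19, 10, 0), datetime(2014, 9, 19, 10, 30)),
}
LINE_RE = re.compile(r"^(?P<ts>\S+) key-provider host=(?P<host>\S+) mac=(?P<mac>\S+) "
                     r"src=(?P<src>\S+) result=(?P<result>\S+)$")

def parse_log(text):
    """Parse the key-provider log into dicts, skipping malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            entries.append(e)
    return entries

def audit_key_requests(entries, planned):
    """Return (host, reason) for every request not mappable to exactly one planned install."""
    findings, served = [], {}
    for e in entries:
        if e["host"] not in planned:
            findings.append((e["host"], "request for unplanned host"))
            continue
        start, end = planned[e["host"]]
        if not start <= e["ts"] <= end:
            findings.append((e["host"], "request outside installation window"))
        if e["result"] == "served":
            served.setdefault(e["host"], []).append(e["src"])
    # One key handed out twice means a second party holds it, whichever request was genuine.
    for host, srcs in served.items():
        if len(srcs) > 1:
            findings.append((host, "key served %d times to %s" % (len(srcs), sorted(set(srcs)))))
    return findings
```

Every finding maps to the thread's remedy: repeat that installation with fresh keys.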


More information about the linux-fai mailing list