luxolus
/
open-consul
2
0
Fork 0
Code Issues 1 Pull Requests Packages Releases Wiki Activity
open-consul/website/build/docs/internals/security.html

15 lines
9.4 KiB
HTML
Raw Blame History

<!DOCTYPE html> <html lang=en> <head> <meta charset=utf-8> <meta name=viewport content="width=device-width, initial-scale=1.0"> <meta name=description content=""> <meta name=author content=""> <title>Security Model - Serf</title> <link href="/stylesheets/bootstrap.min-82fe1490.css" media=screen rel=stylesheet /><link href="/stylesheets/main-e5014f86.css" media=screen rel=stylesheet /> <!--[if lt IE 9]><script src="/javascripts/html5shiv-310dd184.js"></script> <script src="/javascripts/respond.min-88c91176.js"></script><![endif]--> <script>
(function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){
(i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o),
m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m)
})(window,document,'script','//www.google-analytics.com/analytics.js','ga');
ga('create', 'UA-45101516-1', 'serfdom.io');
ga('send', 'pageview');
</script> </head> <body class="page-Security Model"> <div id=header> <div class=container> <a class="navbar-brand logo" href="/"> <span></span> </a> <a class="navbar-brand text rls-l" href="/">SERF</a> <ul class="buttons nav navbar-nav navbar-right rls-sb"> <li class=first><a href="/downloads.html">Download</a></li> <li><a href="https://github.com/hashicorp/serf">Github</a></li> </ul> <ul class="main-links nav navbar-nav navbar-right rls-sb"> <li><a href="/intro/index.html">Intro</a></li> <li><a href="/docs/index.html">Docs</a></li> <li><a href="/community.html">Community</a></li> </ul> </div> </div> <div class=container> <div class=col-md-4> <div class="docs-sidebar hidden-print affix-top" role=complementary> <ul class="nav docs-sidenav"> <li> <a href="/docs/index.html">Documentation Home</a> </li> <li> <a href="/docs/upgrading.html">Upgrading and Compatibility</a> <ul class=nav> <li> <a href="/docs/upgrading.html">Upgrading Serf</a> </li> <li> <a href="/docs/compatibility.html">Compatibility Promise</a> </li> </ul> </li> <li class=active> <a href="/docs/internals/index.html">Serf Internals</a> <ul class=nav> <li> <a href="/docs/internals/gossip.html">Gossip Protocol</a> </li> <li class=active> <a href="/docs/internals/security.html">Security Model</a> </li> <li> <a href="/docs/internals/simulator.html">Convergence Simulator</a> </li> </ul> </li> <li> <a href="/docs/commands/index.html">Serf Commands (CLI)</a> <ul class=nav> <li> <a href="/docs/commands/agent.html">agent</a> </li> <li> <a href="/docs/commands/event.html">event</a> </li> <li> <a href="/docs/commands/force-leave.html">force-leave</a> </li> <li> <a href="/docs/commands/join.html">join</a> </li> <li> <a href="/docs/commands/keygen.html">keygen</a> </li> <li> <a href="/docs/commands/leave.html">leave</a> </li> <li> <a href="/docs/commands/members.html">members</a> </li> <li> <a href="/docs/commands/monitor.html">monitor</a> </li> </ul> </li> <li> <a href="/docs/agent/basics.html">Serf Agent</a> <ul class=nav> <li> <a href="/docs/agent/basics.html">Running and Stopping</a> </li> <li> <a href="/docs/agent/options.html">Configuration</a> </li> <li> <a href="/docs/agent/event-handlers.html">Event Handlers</a> </li> <li> <a href="/docs/agent/encryption.html">Encryption</a> </li> <li> <a href="/docs/agent/rpc.html">RPC Protocol</a> </li> </ul> <li> <a href="/docs/roadmap.html">Roadmap</a> </li> </ul> </div> </div> <div class=col-md-8 role=main> <div class=bs-docs-section> <h1 id=toc_0>Security Model</h1> <p>Serf uses a symmetric key, or shared secret, cryptosystem to provide <a href="//en.wikipedia.org/wiki/Information_security">confidentiality, integrity and authentication</a>.</p> <p>This means Serf communication is protected against eavesdropping, tampering, or attempts to generate fake events. This makes it possible to run Serf over untrusted networks such as EC2 and other shared hosting providers.</p> <div class="alert alert-block alert-warning"> <strong>Advanced Topic!</strong> This page covers the technical details of the security model of Serf. You don't need to know these details to operate and use Serf. These details are documented here for those who wish to learn about them without having to go spelunking through the source code. </div> <h2 id=toc_1>Security Primitives</h2> <p>The Serf security model is built on around a symmetric key, or shared secret system. All members of the Serf cluster must be provided the shared secret ahead of time. This places the burden of key distribution on the user.</p> <p>To support confidentiality, all messages are encrypted using the <a href="//en.wikipedia.org/wiki/Advanced_Encryption_Standard">AES-128 standard</a>. The AES standard is considered one of the most secure and modern encryption standards. Additionally, it is a fast algorithm, and modern CPUs provide hardware instructions to make encryption and decryption very lightweight.</p> <p>AES is used with the <a href="//en.wikipedia.org/wiki/Galois/Counter_Mode">Galois Counter Mode (GCM)</a>, using a randomly generated nonce. The use of GCM provides message integrity, as the ciphertext is suffixed with a &#39;tag&#39; that is used to verify integrity.</p> <h2 id=toc_2>Message Format</h2> <p>In the previous section we described the crypto primitives that are used. In this section we cover how messages are framed on the wire and interpretted.</p> <h3 id=toc_3>UDP Message Format</h3> <p>UDP messages do not require any framing since they are packet oriented. This allows the message to be simple and saves space. The format is as follows:</p> <pre><code>-------------------------------------------------------------------
| Version (byte) | Nonce (12 bytes) | CipherText | Tag (16 bytes) |
-------------------------------------------------------------------
</code></pre> <p>The UDP message has an overhead of 29 bytes per message. Tampering or bit corruption will cause the GCM tag verification to fail.</p> <p>Once we receive a packet, we first verify the GCM tag, and only on verification, decrypt the payload. The version byte is provided to allow future versions to change the algorithm they use. It is currently always set to 0.</p> <h3 id=toc_4>TCP Message Format</h3> <p>TCP provides a stream abstraction and therefor we must provide our own framing. This intoduces a potential attack vector since we cannot verify the tag until the entire message is received, and the message length must be in plaintext. Our current strategy is to limit the maximum size of a framed message to prevent an malicious attacker from being able to send enough data to cause a Denial of Service.</p> <p>The TCP format is similar to the UDP format, but prepends the message with a message type byte (similar to other Serf messages). It also adds a 4 byte length field, encoded in Big Endian format. This increases its maximum overhead to 33 bytes.</p> <p>When we first receive a TCP encrypted message, we check the message type. If any party has encryption enabled, the other party must as well. Otherwise we are vulnerable to a downgrade attack where one side can force the other into a non-encrypted mode of operation.</p> <p>Once this is verified, we determine the message length and if it is less than our limit,. After the entire message is received, the tag is used to verify the entire message.</p> <h2 id=toc_5>Threat Model</h2> <p>The following are the various parts of our threat model:</p> <ul> <li>Non-members getting access to events</li> <li>Cluster state manipulation due to malicious messages</li> <li>Fake event generation due to malicious messages</li> <li>Tampering of messages causing state corruption</li> <li>Denial of Service against a node</li> </ul> <p>We are specifically not concerned about replay attacks, as the gossip protocol is designed to handle that due to the nature of its broadcast mechanism.</p> <p>Additionally, we recognize that an attacker that can observe network traffic for an extended period of time may infer the cluster members. The gossip mechanism used by Serf relies on sending messages to random members, so an attacker can record all destinations and determine all members of the cluster.</p> <p>When designing security into a system you design it to fit the threat model. Our goal is not to protect top secret data but to provide a &quot;reasonable&quot; level of security that would require an attacker to commit a considerable amount of resources to defeat.</p> <h2 id=toc_6>Future Roadmap</h2> <p>Eventually, Serf will be able to use the versioning byte to support different encryption algorithms. These could be configured at the start time of the agent.</p> <p>Additionally, we need to support key rotation so that it is possible for network administrators to periodically change keys to ensure perfect forward security.</p> </div> </div> </div> <div id=footer> <div class=container> <div class=footer-links> <ul class="main-links nav navbar-nav rls-sb"> <li><a href="/intro/index.html">Intro</a></li> <li class=active><a href="/docs/index.html">Docs</a></li> <li><a href="/community.html">Community</a></li> </ul> <ul class="buttons nav navbar-nav rls-sb"> <li class=first><a href="/downloads.html">Download</a></li> <li><a href="https://github.com/hashicorp/serf">Github</a></li> </ul> </div> <div class=footer-logo> <span></span> </div> <div class="footer-hashi os"> <span>© 2013. A <a href="//www.hashicorp.com">HashiCorp</a> Project.</span> <a href="//www.hashicorp.com"><img src="/images/hashi-logo-s-3644fe63.png"></a> </div> </div> </div> <script src="javascripts/lib/d3.v3.min.js"></script> <script src="javascripts/app/deploy/site.js"></script> <script>
Serf.initialize();
</script> </body> </html>
Reference in New Issue View Git Blame Copy Permalink