FTN8.3: FutoIn Security Concept - Master Secret Authentication
Version: 0.2DV
Date: 2017-12-30
Copyright: 2014-2018 FutoIn Project (http://futoin.org)
Authors: Andrey Galkin

CHANGES

1. Intro

This sub-specification of FTN8 covers the more secure Master Secret Authentication, which uses dynamically updated shared secrets.

The Service is assumed to be unattended software or equivalent, producing a high number of unattended requests.

2. Concept

2.1. Overall idea

  1. A strong symmetric master key is assumed under the term "Secret".
  2. Keys are exchanged using a temporary asymmetric key generated by the Service.
  3. The authenticity of the asymmetric key is ensured by transport security and/or the existing shared Secret.
  4. AuthService ensures the quality of both the temporary key and the new Secret.
  5. One of the supported key derivation strategies is used:
  6. The Secret exchange interval depends solely on the Invoker, but AuthService may deactivate keys that are too old or too heavily used (limits defined by configuration).

2.2. Secure Master Secret exchange

  1. Service makes the initial call:
  2. AuthService processes the request:
  3. Service processes the response:
  4. Service gradually starts using the new Secret.
  5. Both the new Secret and the previous Secret are active.

Goals met:

2.3. "sec" field structured format

Schema: futoin-sec-master-mac

{
    "title" : "FutoIn 'sec' field - Master MAC",
    "type" : "object",
    "additionalProperties" : false,
    "required" : [ "msid", "algo", "kds", "sig" ],
    "properties" : {
        "msid" : {
            "type" : "string",
            "description" : "Unique Master Secret ID"
        },
        "algo" : {
            "type" : "string",
            "description" : "MAC algo name as defined in FTN8"
        },
        "kds" : {
            "type" : "string",
            "description" : "Key Derivation Strategy"
        },
        "prm" : {
            "type" : "string",
            "description" : "KDS parameter, if applicable"
        },
        "sig" : {
            "type" : "string",
            "description" : "Base64 encoded MAC"
        }
    }
}

2.4. "sec" field string format

"-mmac:{msid}:{algo}:{kds}:{prm}:{sig}"

2.5. Master MAC response "sec" field

The response must be authenticated with the same Secret and the same MAC algorithm ("algo") as were used to sign the request.

2.6. Master MAC security level

The PrivilegedOps security level must be assigned.

2.7. Optional Master Secret Scope

The User/Service controls its own trade-off between privacy and simplicity: there is an optional scope parameter for new Master Secret generation.

A peer Service must not be able to obtain the derived key for a particular Master Secret directly. This must be possible only after the invoking Service has signed a message with that derived key, which is treated as implicit approval to provide the Derived Key to that particular peer Service.

Only a Master Secret with an empty or matching scope must be accepted for a new Secret exchange, to mitigate unauthorized access using a Master Secret recovered from a scoped derived key. A Master Secret with an empty scope is therefore seen as the "main" one.

There are various options:

  1. Use one global Master Secret, with a high risk of its recovery through a derived key.
  2. Use several Master Secrets, one per peer service vendor.
  3. Use a separate Master Secret for each peer.

2.8. Events

3. Interface

3.1. Message authentication

Provides Master Secret based authentication to the Executor.

It is designed so that the MAC secret is always kept inside AuthService, to minimize the risk of exposure.

{
    "iface" : "futoin.auth.master",
    "version" : "{ver}",
    "ftn3rev" : "1.8",
    "imports" : [
        "futoin.ping:1.0",
        "futoin.auth.types:{ver}"
    ],
    "types" : {
        "MACSecField" : {
            "type" : "map",
            "fields" : {
                "msid" : "MasterSecretID",
                "algo" : "MACAlgo",
                "kds" : "KeyDerivationStrategy",
                "prm" : {
                    "type" : "Base64",
                    "optional" : true
                },
                "sig" : "MACValue"
            }
        }
    },
    "funcs" : {
        "checkMAC" : {
            "params" : {
                "base" : "MACBase",
                "sec" : "MACSecField",
                "source" : "ClientFingerprints"
            },
            "result" : "AuthInfo",
            "throws" : [
                "SecurityError"
            ]
        },
        "genMAC" : {
            "params" : {
                "base" : "MACBase",
                "reqsec" : "MACSecField"
            },
            "result" : "MACSecField",
            "throws" : [
                "SecurityError"
            ]
        },
        "exposeDerivedKey" : {
            "params" : {
                "base" : "MACBase",
                "sec" : "MACSecField",
                "source" : "ClientFingerprints"
            },
            "result" : {
                "info" : "AuthInfo",
                "ekey" : "EncryptedKey"
            },
            "throws" : [
                "SecurityError"
            ],
            "desc" : "Feature to support local key cache"
        }
    },
    "requires" : [
        "SecureChannel"
    ]
}

3.2. Secret exchange

Performs periodic secure exchange of the symmetric Master Secret, initiated by the Service.

{
    "iface" : "futoin.auth.master.exchange",
    "version" : "{ver}",
    "ftn3rev" : "1.8",
    "imports" : [
        "futoin.ping:1.0",
        "futoin.auth.types:{ver}"
    ],
    "funcs" : {
        "getNewEncryptedSecret" : {
            "params" : {
                "type" : "ExchangeKeyType",
                "pubkey" : "ExchangeKey",
                "scope" : {
                    "type" : "MasterScope",
                    "default" : null
                }
            },
            "result" : {
                "id" : "MasterSecretID",
                "esecret" : "EncryptedMasterSecret"
            },
            "throws" : [
                "SecurityError",
                "NotSupportedKeyType"
            ]
        }
    },
    "requires" : [
        "SecureChannel",
        "MessageSignature"
    ]
}

3.3. Auto registration

This interface allows anonymous access and should be disabled in the default configuration.

TBD.

{
    "iface" : "futoin.auth.master.register",
    "version" : "{ver}",
    "ftn3rev" : "1.8",
    "imports" : [
        "futoin.ping:1.0",
        "futoin.auth.types:{ver}"
    ],
    "funcs" : {
    },
    "requires" : [
        "SecureChannel",
        "MessageSignature"
    ]
}

3.4. Management

This interface is complementary to the "futoin.auth.manage" iface.

{
    "iface" : "futoin.auth.master.manage",
    "version" : "{ver}",
    "ftn3rev" : "1.8",
    "imports" : [
        "futoin.ping:1.0",
        "futoin.auth.types:{ver}"
    ],
    "funcs" : {
        "getNewPlainSecret" : {
            "params" : {
                "user" : "LocalUser"
            },
            "result" : {
                "id" : "MasterSecretID",
                "secret" : "Base64"
            },
            "throws" : [
                "UnknownUser",
                "NotSet"
            ]
        }
    },
    "requires" : [
        "SecureChannel",
        "MessageSignature"
    ]
}

=END OF SPEC=