FTN8.3: FutoIn Security Concept - Master Secret Authentication Version: 0.2DV Date: 2017-12-30 Copyright: 2014-2018 FutoIn Project (http://futoin.org) Authors: Andrey Galkin
This sub-specification of FTN8 covers more secure Master Secret Authentication with dynamically updated shared secrets.
Service is assumed to be a unattended software or equal - high number of unattended requests.
Goals met:
Schema: futoin-sec-master-mac
{
"title" : "FutoIn 'sec' field - Master MAC",
"type" : "object",
"additionalProperties" : false,
"required" : [ "msid", "algo", "kds", "sig" ],
"properties" : {
"msid" : {
"type" : "string",
"description" : "Unique Master Secret ID"
},
"algo" : {
"type" : "string",
"description" : "MAC algo name as defined in FTN8"
},
"kds" : {
"type" : "string",
"description" : "Key Derivation Strategy"
},
"prm" : {
"type" : "string",
"description" : "KDS parameter, if applicable"
},
"sig" : {
"type" : "string",
"description" : "Base64 encoded MAC"
}
}
}
"-mmac:{msid}:{algo}:{dks}:{prm}:{sig}"
Response must be authenticated by the same Secret and the same hash algorithm as used for request signing.
PrivilegedOps
security level must be assigned.
User/Service is in control of its own privacy vs. simplicity. There is an optional,
scope
parameter for new Master Secret generation.
Peer Service must not be able to get derived key for particular Master Secret directly. It must be possible only if invoking Service signs any message with particular derived key - implicit approval to provide Derived Key to particular Service.
Only Master Secret with empty or matching scope
must be accepted for new Secret
exchange to mitigate unauthorized access with Master Secret recovered from scoped
derived key. So, Master Secret with empty scope
is seen as "main".
There are various options:
MS_DEL
- new master secretid
- MasterSecretIDProvide Master Secret based authentication to Executor.
It is designed the way when MAC secret is always kept inside AuthService to minimize risk of exposure.
{
"iface" : "futoin.auth.master",
"version" : "{ver}",
"ftn3rev" : "1.8",
"imports" : [
"futoin.ping:1.0",
"futoin.auth.types:{ver}"
],
"types" : {
"MACSecField" : {
"type" : "map",
"fields" : {
"msid" : "MasterSecretID",
"algo" : "MACAlgo",
"kds" : "KeyDerivationStrategy",
"prm" : {
"type" : "Base64",
"optional" : true
},
"sig" : "MACValue"
}
}
},
"funcs" : {
"checkMAC" : {
"params" : {
"base" : "MACBase",
"sec" : "MACSecField",
"source" : "ClientFingerprints"
},
"result" : "AuthInfo",
"throws" : [
"SecurityError"
]
},
"genMAC" : {
"params" : {
"base" : "MACBase",
"reqsec" : "MACSecField"
},
"result" : "MACSecField",
"throws" : [
"SecurityError"
]
},
"exposeDerivedKey" : {
"params" : {
"base" : "MACBase",
"sec" : "MACSecField",
"source" : "ClientFingerprints"
},
"result" : {
"info" : "AuthInfo",
"ekey" : "EncryptedKey"
},
"throws" : [
"SecurityError"
],
"desc" : "Feature to support local key cache"
}
},
"requires" : [
"SecureChannel"
]
}
Perform periodic secure symmetric Master Secret exchange initiated by Service.
{
"iface" : "futoin.auth.master.exchange",
"version" : "{ver}",
"ftn3rev" : "1.8",
"imports" : [
"futoin.ping:1.0",
"futoin.auth.types:{ver}"
],
"funcs" : {
"getNewEncryptedSecret" : {
"params" : {
"type" : "ExchangeKeyType",
"pubkey" : "ExchangeKey",
"scope" : {
"type" : "MasterScope",
"default" : null
}
},
"result" : {
"id" : "MasterSecretID",
"esecret" : "EncryptedMasterSecret"
},
"throws" : [
"SecurityError",
"NotSupportedKeyType"
]
}
},
"requires" : [
"SecureChannel",
"MessageSignature"
]
}
This interface allow anonymous access and should be disabled by default configuration.
TBD.
{
"iface" : "futoin.auth.master.register",
"version" : "{ver}",
"ftn3rev" : "1.8",
"imports" : [
"futoin.ping:1.0",
"futoin.auth.types:{ver}"
],
"funcs" : {
},
"requires" : [
"SecureChannel",
"MessageSignature"
]
}
This one is complementary to "futoin.auth.manage" iface.
{
"iface" : "futoin.auth.master.manage",
"version" : "{ver}",
"ftn3rev" : "1.8",
"imports" : [
"futoin.ping:1.0",
"futoin.auth.types:{ver}"
],
"funcs" : {
"getNewPlainSecret" : {
"params" : {
"user" : "LocalUser"
},
"result" : {
"id" : "MasterSecretID",
"secret" : "Base64"
},
"throws" : [
"UnknownUser",
"NotSet"
]
}
},
"requires" : [
"SecureChannel",
"MessageSignature"
]
}
=END OF SPEC=