Erlang cookies are secure


Erlang cookies are secure

Lyn Headley
I don't understand why so many people are so dismissive of
cookie-based node security. Here's what Fred Hebert wrote, for
example:

"While documents like the official Erlang documentation put cookies
under the topic of security, they're really not security at all. If it
is, it has to be seen as a joke, because there's no way anybody
serious considers the cookie a safe thing. Why? Simply because the
cookie is a little unique value that must be shared between nodes to
allow them to connect together. They're closer to the idea of user
names than passwords and I'm pretty sure nobody would consider having
a username (and nothing else) as a security feature. Cookies make way
more sense as a mechanism used to divide clusters of nodes than as an
authentication mechanism."

In opposition to this extremely widespread sentiment, I believe that:

1) It is feasible to create an unguessable cookie.
2) It is feasible to prevent outsiders from seeing the cookie's value.

Therefore attackers cannot take over my node by compromising my cookie.

Where is the flaw in my reasoning?

Lyn Headley
_______________________________________________
erlang-questions mailing list
[hidden email]
http://erlang.org/mailman/listinfo/erlang-questions

Re: Erlang cookies are secure

Louis Pilfold
Hi!

In the event that the cookie is your only security, what do you do
when your cookie gets out?

Even if your cookie is not guessable, there is still a chance that
through malicious act or human error a trusted person within your
organisation shares your cookie with others. I've not got the evidence
to hand, but while preparing for security audits at a previous
workplace our trainer told us that most security breaches are due to
the actions of people within the organisation rather than outside of
it. This seems very plausible to me.

Cheers,
Louis


On 9 June 2016 at 21:20, Lyn Headley <[hidden email]> wrote:

> I don't understand why so many people are so dismissive of
> cookie-based node security. Here's what Fred Hebert wrote, for
> example:
>
> "While documents like the official Erlang documentation put cookies
> under the topic of security, they're really not security at all. If it
> is, it has to be seen as a joke, because there's no way anybody
> serious considers the cookie a safe thing. Why? Simply because the
> cookie is a little unique value that must be shared between nodes to
> allow them to connect together. They're closer to the idea of user
> names than passwords and I'm pretty sure nobody would consider having
> a username (and nothing else) as a security feature. Cookies make way
> more sense as a mechanism used to divide clusters of nodes than as an
> authentication mechanism."
>
> In opposition to this extremely widespread sentiment, I believe that:
>
> 1) It is feasible to create an unguessable cookie.
> 2) It is feasible to prevent outsiders from seeing the cookie's value.
>
> Therefore attackers cannot take over my node by compromising my cookie.
>
> Where is the flaw in my reasoning?
>
> Lyn Headley
> _______________________________________________
> erlang-questions mailing list
> [hidden email]
> http://erlang.org/mailman/listinfo/erlang-questions

Re: Erlang cookies are secure

zxq9-2
On 2016年6月9日 木曜日 22:44:57 Louis Pilfold wrote:

> Hi!
>
> In the event that the cookie is your only security, what do you do
> when your cookie gets out?
>
> Even if your cookie is not guessable, there is still a chance that
> through malicious act or human error a trusted person within your
> organisation shares your cookie with others. I've not got the evidence
> to hand, but while preparing for security audits at a previous
> workplace our trainer told us that most security breaches are due to
> the actions of people within the organisation rather than outside of
> it. This seems very plausible to me.

People are almost always easier to manipulate or catch in error than
systems are to crack through exploitation of technical flaws.

How is this not exactly the same as a password? Or AWS credentials?
Or a secret key? Or any other of a host of similar schemes?

-Craig

Re: Erlang cookies are secure

Technion

One thing here is that a cookie has to be constant across an environment.


It's not easy to rotate it by tackling a few nodes at a time, and you can't define a new username, roll it out, and disable the old one later. As far as I know, it's always transferred in cleartext, and doesn't authenticate who it is being given to.


By modern security standards, it's very poor. But I also agree, the mere use of cookies, from an outside attacker, is still a mile ahead of authenticated access, unless I'm missing something.


From: [hidden email] <[hidden email]> on behalf of zxq9 <[hidden email]>
Sent: Friday, 10 June 2016 2:33:25 PM
To: [hidden email]
Subject: Re: [erlang-questions] Erlang cookies are secure
 
On 2016年6月9日 木曜日 22:44:57 Louis Pilfold wrote:
> Hi!
>
> In the event that the cookie is your only security, what do you do
> when your cookie gets out?
>
> Even if your cookie is not guessable, there is still a chance that
> through malicious act or human error a trusted person within your
> organisation shares your cookie with others. I've not got the evidence
> to hand, but while preparing for security audits at a previous
> workplace our trainer told us that most security breaches are due to
> the actions of people within the organisation rather than outside of
> it. This seems very plausible to me.

People are almost always easier to manipulate or catch in error than
systems are to crack through exploitation of technical flaws.

How is this not exactly the same as a password? Or AWS credentials?
Or a secret key? Or any other of a host of similar schemes?

-Craig

Re: Erlang cookies are secure

Louis Pilfold
In reply to this post by zxq9-2

Heya

With the given examples each entity had their own password/key/secret, so a breach means one node is secure, rather than all of them. Additionally each piece of functionality can require different permissions, and not all nodes can have permissions to request all tasks, so the scale of the potential damage done is lower.

Additionally, one can rotate those values easily; this seems like it would be much harder to do with cookies.

Cheers,
Louis

On 10 Jun 2016 05:33, "zxq9" <[hidden email]> wrote:
On 2016年6月9日 木曜日 22:44:57 Louis Pilfold wrote:
> Hi!
>
> In the event that the cookie is your only security, what do you do
> when your cookie gets out?
>
> Even if your cookie is not guessable, there is still a chance that
> through malicious act or human error a trusted person within your
> organisation shares your cookie with others. I've not got the evidence
> to hand, but while preparing for security audits at a previous
> workplace our trainer told us that most security breaches are due to
> the actions of people within the organisation rather than outside of
> it. This seems very plausible to me.

People are almost always easier to manipulate or catch in error than
systems are to crack through exploitation of technical flaws.

How is this not exactly the same as a password? Or AWS credentials?
Or a secret key? Or any other of a host of similar schemes?

-Craig

Re: Erlang cookies are secure

zxq9-2
On 2016年6月10日 金曜日 07:18:51 you wrote:

> Heya
>
> With the given examples each entity had their own password/key/secret, so a
> breach means one node is secure, rather than all of them. Additionally each
> piece of functionality can require different permissions, and not all nodes
> can have permissions to request all tasks, so the scale of the potential
> damage done is lower.
>
> Additionally one can rotate those values easily, this seems like it would
> be much harder to do with cookies.

Changing cookies is certainly an issue, but the partitioning issue is
almost entirely moot these days. With single-sign-on via Kerberos, LDAP
and especially let's-just-pretend-its-secure web auth systems that have
a tendency to place a person's (and sometimes by extension entire
organization's) data, management controls and platforms just one
(publicly known) email and password away from complete compromise.

How many companies are keeping systems-critical credentials in
plain text within config files on s3 or private github repos? How
many organizations have come to depend *entirely* on Google or fb
credentials?

This is the trend today -- to sacrifice security for usability, and it
is a pretty steep tradeoff.

My point isn't that cookies are secure -- I don't believe that they are.
My point is that cookies are not inherently *less* secure than the mass
of SSO schemes I have begun to see sprout up everywhere the word "cloud"
is used.

-Craig

Re: Erlang cookies are secure

Chandru-4
In reply to this post by Lyn Headley
Hi Lyn,

There are several problems with Erlang's distribution model from a security standpoint. For e.g. if a host which has access to inter-node comms is compromised, it can sniff the cookie out and then establish connections to any node in the Erlang cluster.

Okay, so you change distribution to use TLS so one cannot sniff cookies. But now imagine that someone got access to just one of the boxes in an Erlang cluster. The entire cluster is now open for abuse because there is no access control mechanism within distributed erlang. There is no audit log of which node connected when, what commands were executed, nothing at all. Even os:cmd/1 is available for executing anything as that user on the box.

Distributed erlang assumes that the cluster is operating in a secure environment which may not always satisfy the requirements. For e.g. if you are building something in Erlang and you want it to be PCIDSS [1] compliant, you will want to turn off distributed erlang on that node because the combination of the openness of an Erlang cluster combined with its tracing capabilities means that anyone with access to a single node in a cluster can trace and capture data flowing through code handling credit card transactions.

regards,
Chandru

[1] http://www.theukcardsassociation.org.uk/security/what_is_PCI%20DSS.asp


On 9 June 2016 at 21:20, Lyn Headley <[hidden email]> wrote:
I don't understand why so many people are so dismissive of
cookie-based node security. Here's what Fred Hebert wrote, for
example:

"While documents like the official Erlang documentation put cookies
under the topic of security, they're really not security at all. If it
is, it has to be seen as a joke, because there's no way anybody
serious considers the cookie a safe thing. Why? Simply because the
cookie is a little unique value that must be shared between nodes to
allow them to connect together. They're closer to the idea of user
names than passwords and I'm pretty sure nobody would consider having
a username (and nothing else) as a security feature. Cookies make way
more sense as a mechanism used to divide clusters of nodes than as an
authentication mechanism."

In opposition to this extremely widespread sentiment, I believe that:

1) It is feasible to create an unguessable cookie.
2) It is feasible to prevent outsiders from seeing the cookie's value.

Therefore attackers cannot take over my node by compromising my cookie.

Where is the flaw in my reasoning?

Lyn Headley

Re: Erlang cookies are secure

Tony Rogvall-2
Hi Chandru.

I am not sure what you mean by sniff cookies?

The distribution has been sending blank cookies since the first open source release.
The distribution does not send the cookie in clear text but relies on an MD5 challenge procedure
at connection setup.

So Erlang is more likely to be vulnerable to connection hijacking since not every message
is signed.

So keep the nodes safe and away from random users. At least until we get Safe Erlang ( any decade now )

/Tony

> On 10 jun 2016, at 10:19, Chandru <[hidden email]> wrote:
>
> Hi Lyn,
>
> There are several problems with Erlang's distribution model from a security standpoint. For e.g. if a host which has access to inter-node comms is compromised, it can sniff the cookie out and then establish connections to any node in the Erlang cluster.
>
> Okay, so you change distribution to use TLS so one cannot sniff cookies. But now imagine that someone got access to just one of the boxes in an Erlang cluster. The entire cluster is now open for abuse because there is no access control mechanism within distributed erlang. There is no audit log of which node connected when, what commands were executed, nothing at all. Even os:cmd/1 is available for executing anything as that user on the box.
>
> Distributed erlang assumes that the cluster is operating in a secure environment which may not always satisfy the requirements. For e.g. if you are building something in Erlang and you want it to be PCIDSS [1] compliant, you will want to turn off distributed erlang on that node because the combination of the openness of an Erlang cluster combined with its tracing capabilities means that anyone with access to a single node in a cluster can trace and capture data flowing through code handling credit card transactions.
>
> regards,
> Chandru
>
> [1] http://www.theukcardsassociation.org.uk/security/what_is_PCI%20DSS.asp
>
>
> On 9 June 2016 at 21:20, Lyn Headley <[hidden email]> wrote:
> I don't understand why so many people are so dismissive of
> cookie-based node security. Here's what Fred Hebert wrote, for
> example:
>
> "While documents like the official Erlang documentation put cookies
> under the topic of security, they're really not security at all. If it
> is, it has to be seen as a joke, because there's no way anybody
> serious considers the cookie a safe thing. Why? Simply because the
> cookie is a little unique value that must be shared between nodes to
> allow them to connect together. They're closer to the idea of user
> names than passwords and I'm pretty sure nobody would consider having
> a username (and nothing else) as a security feature. Cookies make way
> more sense as a mechanism used to divide clusters of nodes than as an
> authentication mechanism."
>
> In opposition to this extremely widespread sentiment, I believe that:
>
> 1) It is feasible to create an unguessable cookie.
> 2) It is feasible to prevent outsiders from seeing the cookie's value.
>
> Therefore attackers cannot take over my node by compromising my cookie.
>
> Where is the flaw in my reasoning?
>
> Lyn Headley
> _______________________________________________
> erlang-questions mailing list
> [hidden email]
> http://erlang.org/mailman/listinfo/erlang-questions
>
> _______________________________________________
> erlang-questions mailing list
> [hidden email]
> http://erlang.org/mailman/listinfo/erlang-questions


Re: Erlang cookies are secure

zxq9-2
On 2016年6月10日 金曜日 12:14:09 Tony Rogvall wrote:

> Hi Chandru.
>
> I am not sure what you mean by sniff cookies?
>
> The distribution has been sending blank cookies since the first open source release.
> The distribution does not send the cookie in clear text but relies on an MD5 challenge procedure
> at connection setup.
>
> So Erlang is more likely to be vulnerable to connection hijacking since not every message
> is signed.
>
> So keep the nodes safe and away from random users. At least until we get Safe Erlang ( any decade now )

Indeed! :-)

On that note...

Even if it were safe to run disterl across a WAN on an open network, does anyone really think operating a chatty mesh across variable latency connections is a good idea?

"Variable" meaning:
  - Totally out of your control
  - Local nodes and distant nodes will have dramatic
    network performance differences.

That's not at all the case disterl seems to have been intended for. Or at least it certainly doesn't seem to have been the case driving the disterl implementation. I've only ever seen localized disterl clusters connect (sometimes multiply) over TLS to distant other clusters -- treating each cluster, essentially, as an opaque supernode in a larger system.

It would be pretty slick if we could link safely across the world with a very flexible distribution system that works over TLS, verifies peers with certificates, and can handle very long disruptions. Oh, and automatically mend network damage. Oh, and while we're at it, automagically solve network partition problems. Oh, and...

...but we're running a bit short on unicorn blood to feed the machine so instead we have disterl, which seems very much to have been designed with a localized cluster of nodes in mind, all of which are under a reasonable level of control of the system operators -- and therefore constitutes an internally safe execution environment. In this context it is hard to view cookies as really being intended as a security mechanism.

That said, disterl is a dodgy proposition in environments like hosted mesos, AWS, and similar environments where you can't know anything about internal security and there is a strong economic incentive to keep breaches and insecurities quiet.

So now can someone please explain to me why my vision of the world is wrong? *Was* disterl intended to be used to link machines across very wide networks? Were cookies + MD5 intended as a partitioning mechanism, or did someone think that was secure at one time? In *practice* I've only encountered the situation I describe above -- but all this apparent confusion about the issue of what cookies were intended for makes me wonder whether that was the *intention*.

-Craig

Re: Erlang cookies are secure

Chandru-4
In reply to this post by Tony Rogvall-2
Hi Tony,

On 10 June 2016 at 11:14, Tony Rogvall <[hidden email]> wrote:
Hi Chandru.

I am not sure what you mean by sniff cookies?

The distribution has been sending blank cookies since the first open source release.
The distribution does not send the cookie in clear text but relies on an MD5 challenge procedure
at connection setup.

So Erlang is more likely to be vulnerable to connection hijacking since not every message
is signed.

Hmm...that is strange. My memory tells me that I saw the cookie while examining packet captures a long time ago - I could be mistaken. I'll go read the source again - thanks for correcting me.

cheers,
Chandru



Re: Erlang cookies are secure

Per Hedeland
In reply to this post by Tony Rogvall-2
Tony Rogvall <[hidden email]> wrote:
>
>I am not sure what you mean by sniff cookies?
>
>The distribution has been sending blank cookies since the first open source release.
>The distribution does not send the cookie in clear text but relies on an MD5 challenge procedure
>at connection setup.

Hi Tony!

Indeed - and I will take credit for pestering you to fix that just
before the first open source release:-) (I will not divulge what it did
before that...).

>So Erlang is more likely to be vulnerable to connection hijacking since not every message
>is signed.

Yes - the *default* distribution fulfills none of the CIA requirements
(no, not that evil US thing, but Confidentiality, Integrity, and
Availability). But this has nothing to do with the authentication
mechanism as such, and can be fixed by using TLS - which also brings one
or more other authentication mechanisms, but they are not in any
fundamental sense more "secure" than the cookie authentication.

>So keep the nodes safe and away from random users. At least until we get Safe Erlang ( any decade now )

Sure - but this point is actually also confusing in a cookie discussion,
as shown by other messages in this thread - it is about the
*authorization* you automatically get at the point when you have managed
to break the authentication mechanism - i.e. basically you can do
"anything". But this is independent of the strength of the
authentication mechanism itself.

I do find it rather tiresome with this constant ridicule of the cookie
authentication from people who haven't even bothered to do a basic
investigation of how it works, let alone done any actual security
analysis.

And just to put another myth to death, no, you are not required to use
the same cookie on all your distributed erlang nodes - every node is
capable of maintaining a specific cookie for every other node, RTFM
erlang:set_cookie/2.

It is absolutely true that *maintaining* security in a network with
cookie-based authentication can be troublesome, and that e.g. TLS with
certificate authentication can do much better in that respect, as long
as you have mechanisms for certificate revocation properly set up (which
in turn is not entirely trivial to do).

But again, as long as you do not throw your cookies around, AFAIK no-one
has demonstrated any fundamental weakness with the mechanism as such.

--Per

Re: Erlang cookies are secure

Serge Aleynikov-3
I guess it's worth mentioning in the current thread that the present architecture only supports one distributed protocol in a node at a time.  So using TLS for some nodes over Internet would require all nodes in a cluster to use TLS, which is a waste of resources and additional latency for nodes located in the same local network not involving Internet.

I'd love to see some progress by the OTP team in flexing this requirement, since the patch I submitted a while back that introduced support for distribution over multiple protocols was not accepted (*).

Serge


On Fri, Jun 10, 2016 at 4:10 PM, Per Hedeland <[hidden email]> wrote:
Tony Rogvall <[hidden email]> wrote:
>
>I am not sure what you mean by sniff cookies?
>
>The distribution has been sending blank cookies since the first open source release.
>The distribution does not send the cookie in clear text but relies on an MD5 challenge procedure
>at connection setup.

Hi Tony!

Indeed - and I will take credit for pestering you to fix that just
before the first open source release:-) (I will not divulge what it did
before that...).

>So Erlang is more likely to be vulnerable to connection hijacking since not every message
>is signed.

Yes - the *default* distribution fulfills none of the CIA requirements
(no, not that evil US thing, but Confidentiality, Integrity, and
Availability). But this has nothing to do with the authentication
mechanism as such, and can be fixed by using TLS - which also brings one
or more other authentication mechanisms, but they are not in any
fundamental sense more "secure" than the cookie authentication.

>So keep the nodes safe and away from random users. At least until we get Safe Erlang ( any decade now )

Sure - but this point is actually also confusing in a cookie discussion,
as shown by other messages in this thread - it is about the
*authorization* you automatically get at the point when you have managed
to break the authentication mechanism - i.e. basically you can do
"anything". But this is independent of the strength of the
authentication mechanism itself.

I do find it rather tiresome with this constant ridicule of the cookie
authentication from people who haven't even bothered to do a basic
investigation of how it works, let alone done any actual security
analysis.

And just to put another myth to death, no, you are not required to use
the same cookie on all your distributed erlang nodes - every node is
capable of maintaining a specific cookie for every other node, RTFM
erlang:set_cookie/2.

It is absolutely true that *maintaining* security in a network with
cookie-based authentication can be troublesome, and that e.g. TLS with
certificate authentication can do much better in that respect, as long
as you have mechanisms for certificate revocation properly set up (which
in turn is not entirely trivial to do).

But again, as long as you do not throw your cookies around, AFAIK no-one
has demonstrated any fundamental weakness with the mechanism as such.

--Per

Re: Erlang cookies are secure

Tony Rogvall-2
In reply to this post by Per Hedeland


"typed while walking!"

> On 10 juni 2016, at 22:10, Per Hedeland <[hidden email]> wrote:
>
> Tony Rogvall <[hidden email]> wrote:
>>
>> I am not sure what you mean by sniff cookies?
>>
>> The distribution has been sending blank cookies since the first open source release.
>> The distribution does not send the cookie in clear text but relies on an MD5 challenge procedure
>> at connection setup.
>
> Hi Tony!
>
> Indeed - and I will take credit for pestering you to fix that just
> before the first open source release:-) (I will not divulge what it did
> before that...).
>
Yes, master.  :-)

>> So Erlang is more likely to be vulnerable to connection hijacking since not every message
>> is signed.
>
> Yes - the *default* distribution fulfills none of the CIA requirements
> (no, not that evil US thing, but Confidentiality, Integrity, and
> Availability). But this has nothing to do with the authentication
> mechanism as such, and can be fixed by using TLS - which also brings one
> or more other authentication mechanisms, but they are not in any
> fundamental sense more "secure" than the cookie authentication.
>
>> So keep the nodes safe and away from random users. At least until we get Safe Erlang ( any decade now )
>
> Sure - but this point is actually also confusing in a cookie discussion,
> as shown by other messages in this thread - it is about the
> *authorization* you automatically get at the point when you have managed
> to break the authentication mechanism - i.e. basically you can do
> "anything". But this is independent of the strength of the
> authentication mechanism itself.
>

My point was just that if the city wall has collapsed you could still have a couple more walls to protect your butt.

> I do find it rather tiresome with this constant ridicule of the cookie
> authentication from people who haven't even bothered to do a basic
> investigation of how it works, let alone done any actual security
> analysis.
>
> And just to put another myth to death, no, you are not required to use
> the same cookie on all your distributed erlang nodes - every node is
> capable of maintaining a specific cookie for every other node, RTFM
> erlang:set_cookie/2.
>
> It is absolutely true that *maintaining* security in a network with
> cookie-based authentication can be troublesome, and that e.g. TLS with
> certificate authentication can do much better in that respect, as long
> as you have mechanisms for certificate revocation properly set up (which
> in turn is not entirely trivial to do).
>
> But again, as long as you do not throw your cookies around, AFAIK no-one
> has demonstrated any fundamental weakness with the mechanism as such.
>
> --Per


Re: Erlang cookies are secure

Fred Hebert-2
In reply to this post by Per Hedeland
On 06/10, Per Hedeland wrote:
>I do find it rather tiresome with this constant ridicule of the cookie
>authentication from people who haven't even bothered to do a basic
>investigation of how it works, let alone done any actual security
>analysis.
>

https://twitter.com/DonAndrewBailey/status/737693679997984770
https://twitter.com/DonAndrewBailey/status/737693957656698880
https://twitter.com/DonAndrewBailey/status/737699529701490688

This security researcher appears to have found issues with it as
recently as the last 30 days.



Re: Erlang cookies are secure

Per Hedeland
Fred Hebert <[hidden email]> wrote:

>
>On 06/10, Per Hedeland wrote:
>>I do find it rather tiresome with this constant ridicule of the cookie
>>authentication from people who haven't even bothered to do a basic
>>investigation of how it works, let alone done any actual security
>>analysis.
>>
>
>https://twitter.com/DonAndrewBailey/status/737693679997984770
>https://twitter.com/DonAndrewBailey/status/737693957656698880
>https://twitter.com/DonAndrewBailey/status/737699529701490688
>
>This security researcher appears to have found issues with it as
>recently as the last 30 days.

He claims to have found *bugs*, and reported them to the OTP team -
great! However it's not like the existence of bugs in software is
something unique to the OTP implementation of the cookie-based
authentication scheme (or wherever the bugs are). And I have never seen
(I may of course have missed it) the argument "because it has bugs"
being brought forward by those who claim "the cookie authentication
isn't secure" on this mailing list. In fact there typically isn't any
"because" at all.

As for actual analysis of the mechanism as such, the only thing I can
find is the statement "cookie key space by default is 26^20" - given as
a good property, but it certainly makes me wonder about the depth of
such an analysis, if it has indeed been undertaken (I see no claim that
it has). The cookie is an arbitrary atom, and thus the value space is
larger than 256^255 ((1 - 256^256)/(1 - 256) to be precise, or just a
few bits short of 2048) - period.

I guess his "default" refers to the cookie that is auto-generated if you
don't provide one - I'm not sure why you would want to make use of that
if you are attempting to set up a "secure" network of Erlang nodes.
Besides the fact that you need to additionally figure out the value
space of that generation, and analyze the actual mechanism used (maybe
it's even bad old random(3):-), it seems pretty impractical compared to
pre-generating the cookies yourself.

--Per

Re: Erlang cookies are secure

Fred Hebert-2
On 06/11, Per Hedeland wrote:
>As for actual analysis of the mechanism as such, the only thing I can
>find is the statement "cookie key space by default is 26^20" - given as
>a good property, but it certainly makes me wonder about the depth of
>such an analysis, if it has indeed been undertaken (I see no claim that
>it has). The cookie is an arbitrary atom, and thus the value space is
>larger than 256^255 ((1 - 256^256)/(1 - 256) to be precise, or just a
>few bits short of 2048) - period.

The space is likely smaller since you're going for an MD5 challenge and
only have to generate a conflicting MD5, not the actual cookie I
believe?

The challenge itself uses the cookie and then 'salts' it with the result
of this function:
https://github.com/erlang/otp/blob/e1489c448b7486cdcfec6a89fea238d88e6ce2f3/lib/kernel/src/dist_util.erl#L376-L388
which has no great source of randomness, especially on mostly idle nodes
I'd guess.

Re: Erlang cookies are secure

Per Hedeland
Fred Hebert <[hidden email]> wrote:

>
>On 06/11, Per Hedeland wrote:
>>As for actual analysis of the mechanism as such, the only thing I can
>>find is the statement "cookie key space by default is 26^20" - given as
>>a good property, but it certainly makes me wonder about the depth of
>>such an analysis, if it has indeed been undertaken (I see no claim that
>>it has). The cookie is an arbitrary atom, and thus the value space is
>>larger than 256^255 ((1 - 256^256)/(1 - 256) to be precise, or just a
>>few bits short of 2048) - period.
>
>The space is likely smaller since you're going for an MD5 challenge and
>only have to generate a conflicting MD5, not the actual cookie I
>believe?

Hm, so now you're doing a security analysis, and asking me to comment on
it? Probably a case of the blind leading the blind, but OK... The value
space of the cookie is what it is, independent of how it is used - I was
merely pointing out that the only statement that seemed indicative of a
security analysis being done was inaccurate.

How the value space of the cleartext and its relation to the value space
(and quality?) of the digest translates into "security" in this context
isn't something I feel qualified to comment on, but I think I know
enough to say that it isn't just a matter of counting the respective
number of bits.

>The challenge itself uses the cookie and then 'salts' it with the result
>of this function:
>https://github.com/erlang/otp/blob/e1489c448b7486cdcfec6a89fea238d88e6ce2f3/lib/kernel/src/dist_util.erl#L376-L388
>which has no great source of randomness, especially on mostly idle nodes
>I'd guess.

AFAIK the "salt", or as it's more commonly called in this context, the
"nonce", has no actual requirement of randomness, only of variation -
i.e. it should not be repeated. It could quite possibly be done better,
but it's certainly not obvious to me that there is any actual problem
with the current implementation.

--Per

Re: Erlang cookies are secure

Per Hedeland
In reply to this post by Lyn Headley
Ulf Wiger <[hidden email]> wrote:
>
>We should be able to agree that:
>
>- the cookie strategy and challenge aren’t necessarily broken in principle
>- the MD5 hash is a weakness which could be addressed
>- using TCP opens up for eavesdropping and MITM attacks
>- the biggest weakness is the (human) practice of using hard-coded simple cookies for convenience
>- little (albeit some) support exists for applying a more sophisticated cookie management strategy
>- The simplest advice to heed is “don’t expose your dist ports to strangers"

I can agree to all of that, except that I'm not sure that the "weakness"
of MD5, which pertains to its ability to produce a digest of a cleartext
that can't be reproduced by applying it to a different cleartext, even
when the original cleartext is known (i.e. the case of using a digest +
signature to ensure integrity), is significant in this particular
context. And unfortunately that's the only one of your points that
addresses the security of the cookie authentication mechanism as such...

--Per

Re: Erlang cookies are secure

Mike Oxford
I've not looked into the Erlang use of the key, I'm only commenting on the use of MD5 sums ...

MD5 effectively "normalizes" the input to a discrete output space, by design, as the output length/set is finite.

If MD5 is weak to hash-collisions (which it is, relatively) then I don't need to spray the cluster with a single discrete value to get the command accepted - the range of possibilities goes from "1" to "N" where "N" is the discrete (but yet unknown) set of values which produce the collision.

You may have used a super high-tech and secure 2048-bit key but if it just happens to collide with "password" then it'll be found relatively quickly.

Again, haven't looked at Erlang code to see how it's actually used in the context of this discussion.

-mox


On Sat, Jun 11, 2016 at 2:54 PM, Per Hedeland <[hidden email]> wrote:

Re: Erlang cookies are secure

Per Hedeland
Mike Oxford <[hidden email]> wrote:
>I've not looked into the Erlang use of the key, I'm only commenting on
>the use of MD5 sums ...
>
>MD5 effectively "normalizes" the input to a discrete output space, by
>design, as the output length/set is finite.

Yes, this is obviously true of all digest algorithms.

>If MD5 is weak to hash-collisions (which it is, relatively) then I don't
>need to spray the cluster with a single discrete value to get the command
>accepted - the range of possibilities goes from "1" to "N" where "N" is the
>discrete (but yet unknown) set of values which produce the collision.
>
>You may have used a super high-tech and secure 2048-bit key but if it just
>happens to collide with "password" then it'll be found relatively quickly.
>
>Again, haven't looked at Erlang code to see how it's actually used in the
>context of this discussion.

OK, but even from just following the discussion, it should be clear that
the authentication isn't done by sending the MD5 of only the cookie,
which your reasoning seems to assume - this would be completely
pointless, as it would be basically equivalent to sending the cookie
itself from a security perspective.

Google "digest authentication" to find examples of the general
principle.

--Per
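An added model of the exchange discussed in the thread (this is illustrative Python written for this page, not OTP's dist_util code): it covers Fred's description of the MD5 challenge, Per's point that the challenge only has to vary rather than be random, and Per's last point that a digest of the cookie alone would be pointless. Assumptions: the digest is MD5 over the cookie atom's text followed by the challenge as a decimal string, mirroring what dist_util:gen_digest/2 is understood to do, and the 32-bit challenge is modelled with random bits instead of the statistics-based generator linked above.

```python
"""Model of the Erlang distribution cookie handshake (challenge/response)."""
import hashlib
import secrets


def gen_digest(cookie: str, challenge: int) -> bytes:
    """Digest a peer must present for a given challenge.

    Assumption: MD5 over the cookie atom's characters followed by the
    challenge rendered as a decimal string (as dist_util:gen_digest/2 does).
    """
    return hashlib.md5(cookie.encode() + str(challenge).encode()).digest()


def gen_challenge() -> int:
    """32-bit challenge. Stand-in for OTP's statistics-based generator:
    what the protocol needs is a value that is not reused, and random
    bits are the simplest way to get that in this model."""
    return secrets.randbits(32)


def handshake(cookie_a, cookie_b, challenge_b=None, challenge_a=None):
    """Both sides of the handshake, A connecting to B.

    Returns (b_accepts_a, a_accepts_b). Explicit challenges make a run
    reproducible; a real node generates a fresh one per handshake."""
    # B -> A: send_challenge carries B's 32-bit challenge
    if challenge_b is None:
        challenge_b = gen_challenge()
    # A -> B: send_challenge_reply carries A's own challenge together with
    # MD5(cookie_a ++ challenge_b); the cookie itself never leaves A
    if challenge_a is None:
        challenge_a = gen_challenge()
    reply_digest = gen_digest(cookie_a, challenge_b)
    # B recomputes with its own cookie; a mismatch means "not allowed"
    b_accepts_a = reply_digest == gen_digest(cookie_b, challenge_b)
    if not b_accepts_a:
        return False, False
    # B -> A: send_challenge_ack carries MD5(cookie_b ++ challenge_a),
    # so A also learns that B holds the same cookie
    ack_digest = gen_digest(cookie_b, challenge_a)
    a_accepts_b = ack_digest == gen_digest(cookie_a, challenge_a)
    return b_accepts_a, a_accepts_b


def replay_accepted(cookie_b: str, captured_digest: bytes, fresh_challenge: int) -> bool:
    """Would B accept a reply digest recorded during an earlier handshake?
    Only when B issues the same challenge again, which is exactly why the
    challenge must not repeat even if it is not unpredictable."""
    return captured_digest == gen_digest(cookie_b, fresh_challenge)
```

The digest is bound to the challenge, so two handshakes with the same cookie present different 16-byte values on the wire, which is what separates this from simply sending MD5(cookie).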