[mirror_corosync.git] / SECURITY

Security Design of corosync

The corosync project intends to mitigate the following threats:

1. forged group messaging messages which are intended to fault the corosync
   executive
2. forged group messaging messages which are intended to fault applications
   using corosync apis
3. monitoring of network data to capture sensitive information

The corosync project does not intend to mitigate the following threats:

1. physical access to the hardware which could expose the private key
2. privledged access to the operating system which could expose the private key
   or be used to inject errors into the corosync executive.
3. library user creates requests which are intended to fault the corosync
   executive

The corosync project mitigates the threats using two mechanisms:

1. Authentication
2. Secrecy

Library Interface
-----------------
The corosync executive authenticates every library user.  The library is only
allowed to access services if it's GID is corosync or 0.  Unauthorized library
users are rejected.

The corosync group is a trusted group.  If the administrator doesn't trust the
application, it should not be added to the group!  Any member of the corosync group
could potentially send a malformed request to the executive and cause it to
fault.

Group Messaging Interface
-------------------------
Group messaging uses UDP/IP to communicate with other corosync executives using
messages.  It is possible without authentication of every packet that an
attacker could forge messages.  These forged messages could fault the corosync
executive distributed state machines.  It would also be possible to corrupt
end applications by forging changes.

Since messages are sent using UDP/IP it would be possible to snoop those
messages and rebuild sensitive data.

To solve these problems, the group messaging interface uses two new interfaces
interal to it's implementation:
1. encrypt_and_sign - encrypts and signs a message securely
2. authenticate_and_decrypt - authenticates and decrypts a message securely

When the executive wants to send a message over the network, it uses
encrypt_and_sign to prepare the message to be sent.  When the executive
wants to receive a message from the network, it uses
authenticate_and_decrypt to verify the message is valid and decrypt it.

Corosync uses AES256/SHA-1 which from the Mozilla Network Security
Services (libnss) library.

The internal functions utilize the following algorithms:
sha1 - hash algorithm secure for using with hmac
hmac - produces a 16 byte digest from any length input

Every message starts with a
struct security {
	unsigned char digest[20]; A one way hash digest
	unsigned char salt[16]; A securely generated random number
}

USING LIBNSS
------------
When corosync is started up libnss is initialised,
the private key is read into memory and stored for later use by the code.

When a message is sent (encrypt_and_sign):
------------------------------------------
- The message is encrypted using AES.
- A digest of that message is then created using SHA256 and based on the
  private key.
- the message is then transmitted.

When a message is received (decrypt_and_authenticate):
- A Digest of the encrypted message is created using the private key
- That digest is compared to the one in the message security_header
- If they do not match the packet is rejected
- If they do match then the message is decrypted using the private key.
- The message is processed.

Comments welcome mailto:discuss@corosync.org
Commit	Line	Data
dd3991c0	1	Security Design of corosync
32ff7abe	2
dd3991c0	3	The corosync project intends to mitigate the following threats:
32ff7abe	4
dd3991c0	5	1. forged group messaging messages which are intended to fault the corosync
32ff7abe SD	6	executive
32ff7abe SD	7	2. forged group messaging messages which are intended to fault applications
dd3991c0	8	using corosync apis
32ff7abe SD	9	3. monitoring of network data to capture sensitive information
32ff7abe SD	10
dd3991c0	11	The corosync project does not intend to mitigate the following threats:
32ff7abe SD	12
	13	1. physical access to the hardware which could expose the private key
	14	2. privledged access to the operating system which could expose the private key
7c8e83ac	15	or be used to inject errors into the corosync executive.
dd3991c0	16	3. library user creates requests which are intended to fault the corosync
32ff7abe SD	17	executive
32ff7abe SD	18
dd3991c0	19	The corosync project mitigates the threats using two mechanisms:
32ff7abe SD	20
	21	1. Authentication
	22	2. Secrecy
	23
	24	Library Interface
	25	-----------------
dd3991c0	26	The corosync executive authenticates every library user. The library is only
7c8e83ac	27	allowed to access services if it's GID is corosync or 0. Unauthorized library
32ff7abe SD	28	users are rejected.
32ff7abe SD	29
7c8e83ac SD	30	The corosync group is a trusted group. If the administrator doesn't trust the
7c8e83ac SD	31	application, it should not be added to the group! Any member of the corosync group
32ff7abe SD	32	could potentially send a malformed request to the executive and cause it to
	33	fault.
	34
	35	Group Messaging Interface
	36	-------------------------
dd3991c0	37	Group messaging uses UDP/IP to communicate with other corosync executives using
32ff7abe	38	messages. It is possible without authentication of every packet that an
dd3991c0	39	attacker could forge messages. These forged messages could fault the corosync
904a10ed	40	executive distributed state machines. It would also be possible to corrupt
6089c11f	41	end applications by forging changes.
32ff7abe SD	42
	43	Since messages are sent using UDP/IP it would be possible to snoop those
	44	messages and rebuild sensitive data.
	45
	46	To solve these problems, the group messaging interface uses two new interfaces
	47	interal to it's implementation:
6089c11f SD	48	1. encrypt_and_sign - encrypts and signs a message securely
6089c11f SD	49	2. authenticate_and_decrypt - authenticates and decrypts a message securely
32ff7abe SD	50
32ff7abe SD	51	When the executive wants to send a message over the network, it uses
6089c11f	52	encrypt_and_sign to prepare the message to be sent. When the executive
32ff7abe	53	wants to receive a message from the network, it uses
6089c11f	54	authenticate_and_decrypt to verify the message is valid and decrypt it.
32ff7abe	55
8cdd2fc4 JF	56	Corosync uses AES256/SHA-1 which from the Mozilla Network Security
8cdd2fc4 JF	57	Services (libnss) library.
e9660ee6 CC	58
e9660ee6 CC	59	The internal functions utilize the following algorithms:
904a10ed	60	sha1 - hash algorithm secure for using with hmac
6089c11f	61	hmac - produces a 16 byte digest from any length input
32ff7abe	62
e9660ee6 CC	63	Every message starts with a
	64	struct security {
	65	unsigned char digest[20]; A one way hash digest
	66	unsigned char salt[16]; A securely generated random number
	67	}
	68
e9660ee6 CC	69	USING LIBNSS
e9660ee6 CC	70	------------
8cdd2fc4	71	When corosync is started up libnss is initialised,
e9660ee6 CC	72	the private key is read into memory and stored for later use by the code.
	73
	74	When a message is sent (encrypt_and_sign):
	75	------------------------------------------
	76	- The message is encrypted using AES.
	77	- A digest of that message is then created using SHA256 and based on the
	78	private key.
	79	- the message is then transmitted.
	80
	81	When a message is received (decrypt_and_authenticate):
	82	- A Digest of the encrypted message is created using the private key
	83	- That digest is compared to the one in the message security_header
	84	- If they do not match the packet is rejected
	85	- If they do match then the message is decrypted using the private key.
	86	- The message is processed.
	87
7c8e83ac	88	Comments welcome mailto:discuss@corosync.org