On Wed, Apr 26, 2017 at 2:42 PM, Adam Roach <[email protected]> wrote: > On 4/26/17 11:34 AM, Kathleen Moriarty wrote: >> >> Since the following text int he Security Considerations section is a >> recommendation, IMO it would be better to drop "or otherwise obfuscated" >> from the sentence as encrypting the keys really should be the >> recommendation. Can we make this update? >> >> It is RECOMMENDED that keys be encrypted or otherwise obfuscated >> when >> stored internally on a network device supporting this specification. >> >> If obfuscation is what happens more often in practice, maybe mention this >> as a fallback from the recommendation, but not make them sound >> equivalent? > > > > To be clear -- the current guidance from the security area is to perform > this kind of encryption, where you have encrypted material living > side-by-side with the key necessary to decrypt it?
We are talking about using a key encrypting key (KEK) and storing that, not storing the raw key next to the encrypted data as far as I can tell. Additionally, I haven't seen a discussion on the hardware this is expected to run on. Some implementations of KEK solutions use dedicated hardware for the KEK and require authentication for access to the key, hence preventing generic access and side-by-side storage of the KEK's protected key, and encrypted data. I'd rather see a KEK used than just a key stored in any case. Are you arguing for not using any encryption at all? For YANG modules, couldn't the application via NETCONF/RESTCONF accessing the module provide the credentials to access the key protected by the KEK? Some implementations could store the KEK in dedicated hardware as well. In this way, storing the KEK and data together is not the same as storing a key right next to the data it is protecting. Use of a KEK is better then not encrypting and can be done well. Am I missing something? Was there something implementation specific that has the raw key stored with the encrypted data? Thanks, Kathleen > > /a > -- Best regards, Kathleen _______________________________________________ rtgwg mailing list [email protected] https://www.ietf.org/mailman/listinfo/rtgwg
