Report information
The Basics
Id:
37410
Status:
resolved
Priority:
Medium/Medium
Queue:
bind9-public
People
Owner:
Nobody in particular
Requestors:
Cc:
AdminCc:
BugTracker
Version Fixed:
(no value)
Version Found:
(no value)
Versions Affected:
(no value)
Versions Planned:
(no value)
Priority:
P3 Low
Severity:
S3 Low
CVSS Score:
(no value)
CVE ID:
(no value)
Component:
(no value)
Area:
(no value)
Attachments
0001-detect-PKCS-11-PIN-length-overflow.patch 0002-increase-maximum-PKCS-11-PIN-size-to-1023-bytes.patch
Dates
Created:Wed, 08 Oct 2014 12:06:09 -0400
Updated:Fri, 07 Jul 2017 20:08:27 -0400
Closed:Wed, 22 Oct 2014 13:06:06 -0400

This bug tracker is no longer active.

Please go to our Gitlab to submit issues (both feature requests and bug reports) for active projects maintained by Internet Systems Consortium (ISC).

Due to security and confidentiality requirements, full access is limited to the primary maintainers.

History
  Wed, 08 Oct 2014 12:06:09 -0400 Petr Spacek <pspacek@redhat.com> - Ticket created
CC: Tomas Hozza <thozza@redhat.com>
Subject: PKCS#11 PIN length is silently limited to 32 characters [patch]
Date: Wed, 08 Oct 2014 18:06:00 +0200
To: bind9-bugs@isc.org
From: Petr Spacek <pspacek@redhat.com>

Hello, It seems that all versions of BIND with native PKCS#11 support are limited to 32 bytes of PIN length and didn't actually check the PIN length which can later cause login failures. First patch adds check for PIN length to prevent too long PINs from causing login failures later. Second patch extends maximal PIN length to 1023 bytes so it should be enough for everyone including me :-) Patches are also in Git branch 'pinlen' on my Github: https://github.com/spacekpe/bind/tree/pinlen Have a nice day! -- Petr Spacek @ Red Hat
0001-detect-PKCS-11-PIN-length-overflow.patch

Message body is not shown because sender requested not to inline it.

0002-increase-maximum-PKCS-11-PIN-size-to-1023-bytes.patch

Message body is not shown because sender requested not to inline it.

  Wed, 08 Oct 2014 12:25:22 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Wed Oct 08 16:06:09 2014, pspacek@redhat.com wrote: > It seems that all versions of BIND with native PKCS#11 support are > limited to > 32 bytes of PIN length and didn't actually check the PIN length which > can later cause login failures. => yes, the PIN length should be limited to something reasonable and 32 octets seemed the right value. In fact the PIN maximum length is a property of the HSM so I'll dig in the new PKCS#11 v2.40 specs I copied from OASIS some hours ago to see if there is useful about it in them... > First patch adds check for PIN length to prevent too long PINs from > causing login failures later. => IMHO it is a good idea. > Second patch extends maximal PIN length to 1023 bytes so it should be > enough for everyone including me :-) => 1023 octets are a very large value for a PIN. BTW with an enforced low limit of retries a short (4 digits) value is common, i.e.: - a PIN is not a password - no limit at all on retries is a *bad* idea (explain this to Apple with its cloud :-).
Wed, 08 Oct 2014 12:25:23 -0400 The RT System itself - Status changed from 'new' to 'open'
  Wed, 08 Oct 2014 12:29:21 -0400 Evan Hunt <each@isc.org> - Correspondence added
CC: undisclosed-recipients: ;
Subject: Re: [ISC-Bugs #37410] PKCS#11 PIN length is silently limited to 32 characters [patch]
Date: Wed, 8 Oct 2014 16:29:21 +0000
To: Francis Dupont via RT <bind9-bugs@isc.org>
From: Evan Hunt <each@isc.org>

> => 1023 octets are a very large value for a PIN. BTW > with an enforced low limit of retries a short (4 digits) value > is common, i.e.: Seems reasonable, since HSM PINs are always 1234 anyway. :)
  Wed, 08 Oct 2014 12:38:15 -0400 Petr Spacek <pspacek@redhat.com> - Correspondence added
Subject: Re: [ISC-Bugs #37410] PKCS#11 PIN length is silently limited to 32 characters [patch]
Date: Wed, 08 Oct 2014 18:38:10 +0200
To: bind9-bugs@isc.org
From: Petr Spacek <pspacek@redhat.com>

On 8.10.2014 18:25, Francis Dupont via RT wrote: > On Wed Oct 08 16:06:09 2014, pspacek@redhat.com wrote: >> It seems that all versions of BIND with native PKCS#11 support are >> limited to >> 32 bytes of PIN length and didn't actually check the PIN length which >> can later cause login failures. > > => yes, the PIN length should be limited to something > reasonable and 32 octets seemed the right value. > In fact the PIN maximum length is a property of the HSM > so I'll dig in the new PKCS#11 v2.40 specs I copied from OASIS > some hours ago to see if there is useful about it in them... > >> First patch adds check for PIN length to prevent too long PINs from >> causing login failures later. > > => IMHO it is a good idea. > >> Second patch extends maximal PIN length to 1023 bytes so it should be >> enough for everyone including me :-) > > => 1023 octets are a very large value for a PIN. BTW > with an enforced low limit of retries a short (4 digits) value > is common, i.e.: > - a PIN is not a password I'm not opposing to that however I do not see a reason to artificially limit PIN length on *client* side. HSM will deal with it if the PIN value is too long for that particular implementation of PKCS#11. IMHO maximum PIN length advertised by HSM for purposes of PIN initialization to let user know what PIN he can enter for that particular HSM. > - no limit at all on retries is a *bad* idea > (explain this to Apple with its cloud :-). In this particular case I'm using SoftHSM so there is no secure way how to enforce limit on retries. That is the reason why I wanted to use very long PIN. I hope it explains my motivation. (And yes, I know that SoftHSM is really cheap HSM :-)) Have a nice day! -- Petr Spacek @ Red Hat
  Wed, 08 Oct 2014 12:41:05 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

> In fact the PIN maximum length is a property of the HSM > so I'll dig in the new PKCS#11 v2.40 specs I copied from OASIS > some hours ago to see if there is useful about it in them... => ulMinPinLen and ulMaxPinLen are members of the CK_TOKEN_INFO structure, so one can check for the range used by its HSM(s). Of course, the PKCS#11 specs give nothing about the reasonable values... SoftHSMv2 uses the 4..255 range (so 32 could be too small). BTW, what is the HSM where you need long PINs?
  Wed, 08 Oct 2014 12:45:05 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Wed Oct 08 16:29:21 2014, each@isc.org wrote: > > => 1023 octets are a very large value for a PIN. BTW > > with an enforced low limit of retries a short (4 digits) value > > is common, i.e.: > > Seems reasonable, since HSM PINs are always 1234 anyway. :) => the reason is the PIN must be available somewhere in clear (usually in a file) to make the HSM operable by applications as bind9 (this doesn't mean PINs are useless, only they are for other things, and security is from a set of means...).
  Wed, 08 Oct 2014 12:56:17 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

> I'm not opposing to that however I do not see a reason to artificially > limit PIN length on *client* side. => laziness... (i.e., it is more complex to manage a dynamically sized piece of memory :-). > In this particular case I'm using SoftHSM so there is no secure way > how to > enforce limit on retries. That is the reason why I wanted to use very > long PIN. => a long PIN won't save you, in particular with SoftHSM which doesn't really protect it (BTW mainly because it can't in an easy way. I know how to reset the PIN in the case I used something which is not 1234 and I'd like to keep objects, and I did it more than once :-). > (And yes, I know that SoftHSM is really cheap HSM :-)) => I added a large amount of code in SoftHSMv2 so now I am in its developer list! But if SoftHSM is a very good tool to debug/practice/etc PKCS#11 code it was *not* designed for strong security at all.
  Wed, 08 Oct 2014 13:28:04 -0400 Petr Spacek <pspacek@redhat.com> - Correspondence added
Subject: Re: [ISC-Bugs #37410] PKCS#11 PIN length is silently limited to 32 characters [patch]
Date: Wed, 08 Oct 2014 19:27:56 +0200
To: bind9-bugs@isc.org
From: Petr Spacek <pspacek@redhat.com>

On 8.10.2014 18:56, Francis Dupont via RT wrote: >> I'm not opposing to that however I do not see a reason to artificially >> limit PIN length on *client* side. > > => laziness... (i.e., it is more complex to manage > a dynamically sized piece of memory :-). That is why I used 1024 byte buffer :-) I don't want to be bold but... aren't we spending too much time on such a minor thing? Feel free to amend the buffer size or refuse the second patch completely if you feel that 31 byte PIN is good enough for everyone :-) >> In this particular case I'm using SoftHSM so there is no secure way >> how to >> enforce limit on retries. That is the reason why I wanted to use very >> long PIN. > > => a long PIN won't save you, in particular with SoftHSM > which doesn't really protect it (BTW mainly because it can't > in an easy way. I know how to reset the PIN in the case I used > something which is not 1234 and I'd like to keep objects, and > I did it more than once :-). I'm not an SoftHSM expert but I have to ask: Are you talking about SoftHSM v2? Looking at src/lib/data_mgr/SecureDataManager.cpp it seems that all values with CKA_PRIVATE = TRUE are encrypted with key which is derived from PIN. Sure, it can't help against on-line attack where the key is in memory but it should help against off-line attacks. Also, we want to run SoftHSM in separate process so bugs which allow attacker to read server's memory will not expose keys. >> (And yes, I know that SoftHSM is really cheap HSM :-)) > > => I added a large amount of code in SoftHSMv2 so now > I am in its developer list! But if SoftHSM is a very good tool > to debug/practice/etc PKCS#11 code it was *not* designed > for strong security at all. I'm aware of that. Customers who want real security are encouraged to buy real HSM but SoftHSM is good enough for those who do not care. SoftHSM should not be worse than keys stored in plaintext on disk, right? Thank you for the discussion and your time! -- Petr Spacek @ Red Hat
  Wed, 08 Oct 2014 14:33:36 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

On Wed Oct 08 17:28:04 2014, pspacek@redhat.com wrote: > I don't want to be bold but... aren't we spending too much time on > such a minor thing? => I was doing something else at the same time... > I'm not an SoftHSM expert but I have to ask: > > Are you talking about SoftHSM v2? => SoftHSMv1 (I finished to learn to use 1234 without exception :-). > Looking at > src/lib/data_mgr/SecureDataManager.cpp it seems that all values with > CKA_PRIVATE = TRUE are encrypted with key which is derived from PIN. => yes, SoftHSMv2 is better for this. > I'm aware of that. Customers who want real security are encouraged to > buy real HSM but SoftHSM is good enough for those who do not care. => if they don't care why they don't use plain OpenSSL and put the private key on an USB key kept in a safe? It is cheaper (and IMHO more secure) than a HSM if you believe only the KSK must be really protected. Of course this needs first a security analysis but: 1- I repeat myself 2- nobody as far as I know began by a security analysis. oops! > SoftHSM should not be worse than keys stored in plaintext on disk, > right? => yes but if you have no plan to switch to a real HSM this is over (under?) killing. BTW look at the way .SE is managed: the only device is a physical RNG. Cheap, efficient, and designed before ICANN emits recommendations/rules/etc.
Wed, 08 Oct 2014 17:22:48 -0400 Francis Dupont <Francis_Dupont@isc.org> - Taken
  Wed, 08 Oct 2014 17:31:36 -0400 Francis Dupont <Francis_Dupont@isc.org> - Correspondence added

IMHO ISC_R_RANGE is a better error for PIN overflow. At this exception the patches are fine.
Wed, 08 Oct 2014 17:35:37 -0400 Francis Dupont <Francis_Dupont@isc.org> - Queue changed from #6 to #7
Wed, 08 Oct 2014 17:35:37 -0400 Francis Dupont <Francis_Dupont@isc.org> - Given to Nobody in particular
Wed, 08 Oct 2014 17:35:37 -0400 Francis Dupont <Francis_Dupont@isc.org> - Priority P3 Low added
Wed, 08 Oct 2014 17:35:37 -0400 Francis Dupont <Francis_Dupont@isc.org> - Severity S3 Low added
Mon, 13 Oct 2014 03:05:02 -0400 Mukund Sivaraman <muks@isc.org> - Taken
Mon, 13 Oct 2014 03:07:53 -0400 Mukund Sivaraman <muks@isc.org> - Given to Francis Dupont <Francis_Dupont@isc.org>
Mon, 13 Oct 2014 08:43:48 -0400 Francis Dupont <Francis_Dupont@isc.org> - Given to Nobody in particular
Tue, 14 Oct 2014 13:03:40 -0400 Mukund Sivaraman <muks@isc.org> - Taken
Tue, 14 Oct 2014 13:20:27 -0400 Mukund Sivaraman <muks@isc.org> - Given to Francis Dupont <Francis_Dupont@isc.org>
Sun, 19 Oct 2014 03:20:40 -0400 Francis Dupont <Francis_Dupont@isc.org> - Given to Mukund Sivaraman <muks@isc.org>
Sun, 19 Oct 2014 10:25:34 -0400 Mukund Sivaraman <muks@isc.org> - Given to Francis Dupont <Francis_Dupont@isc.org>
Mon, 20 Oct 2014 17:00:25 -0400 Francis Dupont <Francis_Dupont@isc.org> - Queue changed from #7 to #30
Mon, 20 Oct 2014 17:00:25 -0400 Francis Dupont <Francis_Dupont@isc.org> - Given to Nobody in particular
Wed, 22 Oct 2014 13:06:06 -0400 Evan Hunt <Evan_Hunt@isc.org> - Status changed from 'open' to 'resolved'
Wed, 21 Jun 2017 14:36:14 -0400 Brian Conry <bconry@isc.org> - Queue changed from #30 to #6
Fri, 07 Jul 2017 20:08:27 -0400 Vicky Risk <vicky@isc.org> - Queue changed from #6 to bind9-public