ta: pkcs11: Build time option for controlling pin locking #7040
Conversation
Adding a build time option for disabling or enabling pin locking after failed authentication attempts. Option controls both, User and SO, pins. Default is 'y'. Option is called: CFG_PKCS11_TA_LOCK_PIN_AFTER_FAILED_LOGIN_ATTEMPTS Signed-off-by: Tanel Dettenborn <[email protected]>
|
Thanks @TanelDettenborn for the proposal. |
|
PIN in embedded devices is a bit of problem as by PKCS#11 standard it can cause the locked out scenario that you describe. We have one existing solution around this is to use "TEE Identity based authentication for tokens". This method disables the lockdown counter completely when method is activated for the token. There is access protection feature in Linux kernel that makes sure that group membership is checked for calling process. This authentication happens when connection is made from user space to PKCS#11 TA: There is also support library in here in case you want to handle this: When active for the token you just make sure that your calling process has needed credentials and just supply dummy PIN. I have a bit old instructions on how to use this in here: And here is also Linaro conference recording with demonstration: And the asciinema script for that demonstration: Would this work for you? |
I suppose the "TEE Identity based authentication for tokens" gives a bit prettier approach but may not be usable in all scenarios. Today many systems seem to utilize cool down period on login failures -- this could be volatile implementation eg. does not go into token itself but stays in memory. I suppose the problem here is that it would require concept of monotonic time. Now we come to problem what does different users want from the feature. Problem with the code proposed here allows one to quite easily bruteforce the PINs. |
Today if you get access to OP-TEE PKCS#11 API you can cause PIN lockout much faster: There is room for extra entropy for the PIN: I would prefer a solution that can be active for all users and they can just select it during runtime -- this would make it practical for someone else to use. Eg. if OP-TEE is part of some standard distribution then end-user does not need to guess whether the feature is available. Compile time enablements are always very firmware specific options. |
|
@vesajaaskelainen and @etienne-lms I appreciate your time and attention in reviewing my pull request. Hopefully I am able to address all of your feedback. "TEE Identity based authentication for tokens" is a practical and a neat feature, but unfortunately in our scenario it does not truly work. It would work partially, because we have a proxy setup and therefore only proxy daemon would interact with TEE/PKCS11 token. In matter of fact we are taking an extra step for enforcing pin usage by compiling our PKCS11 TA with Perhaps it would be a good idea to put some meat into discussion? I have at my dissposal NVIDIA's Orin NX board with our configuration. I would not put too much focus on board's configuration due following test is anyway highly hardware and configuration specific: Banging 60 second incorrect pin. Following script uses OpenSC's pkcs11-tool for banging incrroct login from host (no proxies involved)
Results (average of three execution) If above results are analyzed from DDOS and brute force attack perspective
In overall I would judge both attacks impact as severe, but exploitability low.
True! Unlimited logins exposes PKCS11 token to brute force attacks, but it can be mitigated with long pin(s). OP-TEE's PKCS11 TA supports pins sizes up to 128 characters and it should be sufficient pin space for rendering brute force attacks impractical.
I agree, but in our case timeout-solution would be another avenue for DDOS.
I have proposed it as build time option, because I have rationalized that this should be option, which should be used with extra care. Token/solution should design from the beginning in this feature in mind rather later toggle it on/off. For example designer could enforce minimum pin size at the compile time.
I was too attached to not to use exlamation mark. Your suggestion is a lot better than my! In conclusion I would raise a question if this is a feature that you would like to add into PKCS11 TA? If you feel it is a feature for a specific niche and would not like to bloat PKCS11 TA code then we could close this pull request. But if it usable for others also then I can put some effort in and rework it. I think that I would propose e.g. "1ms sleep" into check pin functions (mitigate brute force). I can also separate SO and USER into different compile flags. |
Could you describe your use case in more practical level?. Eg. what kind of setup you are trying to do? Any added details would help with pondering what is the best course of action. So far the main use cases (as far as I know) has been protecting private keys/secrets within embedded device and there are no pkcs11 proxies. In embedded device the PIN is problematic as it is a bit hard to protect so the user/group/application based authentication takes that problem away and works in closed embedded device quite OK. With pkcs11 proxy you need to also think how persistent the connection to the token would be. Eg. how often the PIN would need to be asked as pkcs11 proxy may keep the connection to the token open for long periods of time. With some HSM solutions there are "security world / PIN preload" applications that let you enter the PIN in controlled manner and then allow other automation to utilize pkcs11 tokens thru the pkcs11 proxy without having the access for real PIN. This of course requires then additional protection for the pkcs11 proxy access. Now I don't know what kind of use case/solution you are targeting. |
Hmm.. In short it is about security. Increasing maximum login attempts to its maximum possible value would not be same as unlimited login attempts even if both would lead to almost identical result (obviously the end result is case depended). In more practical terms our setup involves Virtual Machines. The setup has VMs and they require access to hardware PKCS11 token. Actually our setup is open source and available at the Github.
If I would wonder a bit off topic then a neat solution would be a direct access from VM to OPTEE. It would not change the fact about unlimited login issue, but it would remove pkcs11 proxy!
The threat is more about DDOS than protecting the PIN. It is about compartmentalizing the damage into VM rather spilling it over to other VMs. For example a rogue actor (inside VM) could start DDOS towards other user (if it has gained enough capabilities/privileges). I am not familiar with "security world / PIN preload"-applications. Would there be any examples/documentation/applications online? |
|
This pull request has been marked as a stale pull request because it has been open (more than) 30 days with no activity. Remove the stale label or add a comment, otherwise this pull request will automatically be closed in 5 days. Note, that you can always re-open a closed issue at any time. |
|
YouTube unlimited comment |
Proposing a new build time option for pkcs11 TA. Proposed option would enable or disable pin locking after failed authentication attempts. Option would control both pins (User and SO). Default value is 'y'/enabled.
In other worlds option would allow unlimited authentication attempts, but in certain specific scenarios it is desirable. As an example scenario would be pkcs11 token proxy access. A malicious actor could execute DDOS attack and could lock pin after 2³32 attempts (pin count stored uint32_t). A mitigation could be unlimited login attempts and using a long pin (mitigate against brute force attack).