Comments (5)
I think there is potential but for now I would say that is outside the scope of NervesHub. One of the biggest benefits of certificate auth is when it is combined with a TPM, like NervesKey, which may required physical changes to previously deployed devices. The path to migrate could be very specific depending on the situation and I would generally recommend doing so without your own firmwares and code first.
from nerves_hub_web.
I tend to agree with @jjcarstens here. Right now there is nothing stopping you from using both Certs and Shared Secrets in the same Product, but in the medium term I would expect us to limit a Product from using one auth strategy, which is selected upon creation of the Product.
I think the preferred way of achieving what you have asked is creating a new Product which is set to use Cert auth, and then moving/migrating the devices to the new Product.
These are just thoughts and ideas right now, and your question is great indirect feedback of some of the use cases we should take into account. Thank you!
from nerves_hub_web.
Documenting some offline discussion:
Idea 1 - Access ID + Secret
Sometimes referred to as Pre-shared Identity (PSI) & Pre-shared Key (PSK)
Core idea is that a PSI and PSK are generated for each device which is supposed to be saved to device "securely" (This is up to the user, but typically just manually including in the firmware).
- PSK is not to be transmitted
- PSI is included with the request. NervesHub will use the PSI to lookup the corresponding PSK
- NervesHub calculates the expected salt based on specific headers and then verifies it with the found PSK
- The verified signature will result in the device identifier being decoded
Example signature calculation
##
# Generated from NervesHub
access_id = "nhd_123456789abcdefghijklmnop"
secret = "I-am-super-secret!-don't-share!!"
key_digest = :sha256
key_iterations = 1000
key_length = 32
signed_at = System.system_time(:second)
headers =
[
{"x-nh-key-digest", "NH1-HMAC-#{String.upcase(to_string(key_digest))}"},
{"x-nh-key-iterations", to_string(key_iterations)},
{"x-nh-key-length", to_string(key_length)},
{"x-nh-access-id", access_id},
{"x-nh-time", to_string(signed_at)}
]
headers_salt =
headers
# Ensure headers are always sorted
|> Enum.sort_by(fn {k, _} -> k end)
|> Enum.map_join("\n", fn {k, v} -> "#{k}=#{v}" end)
salt = """
NH1:device:token:connect
#{headers_salt}
"""
opts = [
key_digest: key_digest,
key_length: key_length,
key_iterations: key_iterations,
signed_at: signed_at,
cache: nil # Only when run on device - no need to cache single key and prevents start failures
]
identifier = "poser"
signature = Plug.Crypto.sign(secret, salt, identifier, opts)
[{"x-nh-signature", signature} | headers]
JITP
To allow for convenience, JITP can be supported by using a project access ID and secret. If authenticated with this,
a device access ID and secret would be generated and transmitted to the device. Device would store this and use for all subsequent connections. Transmitting of these values should be signed by the product secret
Note
This is highly debatable as "securely" using the same connection to transmit to device, but provides the most ease. Many warnings should be displayed in the web UI to advocate against this use outside of general experimentation.
- Device access ID/secret generated with this will be linked to the product access ID used
- If product secret compromised
- Disable product ID
- all linked device credentials should be marked (potentially in penalty box?)
- On device connect, a new product ID can be transmitted, signed by device credentials
- If device secret compromised
- Place device in penalty box
- Issue command to remove current access ID/secret
- Use product credentials to sign new credentials and send to device
- Optionally wait for device next connect attempt which would JIT
- If product and device secret compromised
- Penalty box device
- Probably need a human to manually fix the device
- Wish you would've used device certificates with TPMs
from nerves_hub_web.
Perhaps it's outside the scope of this initial version but is there a viable path to switching from PKS to certs?
I can imagine myself having a PoC rollout with 10-50 devices out there using PKS and then, if things work out as intended, to want to migrate these to a proper certificate infrastructure.
from nerves_hub_web.
🎉 This has been merged in 🎉
from nerves_hub_web.
Related Issues (20)
- Device metadata
- Remove `username` from User
- Invites to join an Org require the user to accept the invite
- Flexible role permission system HOT 1
- Error when rescinding already accepted invites HOT 1
- Managed Deployments HOT 1
- Add 404 tests for all pages
- Add tests for our mounts
- Add a fallback UI for the error `IP_ADDRESS_INVALID` in the device location box
- Add some tests for our Oban workers
- Add specs for our context modules
- Device List and Show pages need more tests
- Move Signing Keys from the Org to the Product
- turn off the cachex during testing
- test the UI aspects of the Device Index and Show pages requesting the Device status
- Review DB indexes, including ones needed for Device filtering
- Move the AuditLog UI bits to a component
- Remove Chat from the Console page
- Device 'quick actions`
- Support signing in with Google and GitHub
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nerves_hub_web.