
I have a bit of an 'initial trust' issue. We are using CoreOS to run Kubernetes, and secure both the etcd API and the Kubernetes API servers using client certificates. We are using iPXE to boot everything except the etcd servers.

The issue I am trying to overcome is how to distribute the client keys in a secure AND automated way? Are there effective ways of uniquely and securely validating a machine without storing anything to the disk?

Our requirements dictate that the solution can be used on both physical and virtual nodes, and allow for dynamic, on-demand scaling, which means that physical devices are not an option.

My colleagues have suggested using firewalls to secure a node that hosts the keys (i.e. a web server), but I am convinced there must be a more secure option. I suspect it may have something to do with the TPM, but my current research hasn't provided any practical examples as of yet.

Thanks in advance for any answers/comments/edits!

1 Answer

Fundamentally, to trust a computer, you need to verify that it knows something that only the computer you're expecting knows. This is how all certificates work: you assume that because they signed something with a key that only they could possibly know then it's actually the person you wanted to talk to.

The same applies for computers: the computer has to have something only it knows, which you know that it knows, to authenticate it. Using people as an example, there are three factors of authentication (two of which are used for "two-factor authentication"): something you know, something you have, and something you are.

  • Something you know: This would be a [private] key stored on the disk. You've stated you don't want this, so this is a no-go. (For humans, this is a username/password authentication challenge).

  • Something you have: A USB PKI token/key could be used for authentication, with the idea that you have physically plugged this key into the computer you want to trust. The key itself cannot be copied, but this is vulnerable to malware running iPXE in a virtual machine, giving it access to the token, but then intercepting all its memory accesses and the like (but, then again, this is always a threat?).

  • Something you are: e.g. a MAC address or other unique ID. This, however, is easy to fake, because if you know it then it can be copied. In humans, this is like DNA, a retina, or a fingerprint - something you are and cannot [reasonably] copy. Computers have this too, but it's much harder to prove this over a network without it quickly degrading to something you know.

To make this work, you really need to put a key on the computer (something you know) or put a PKI token into the computer (something you have).

iAdjunct
  • Thank you for your prompt and descriptive answer! I have updated the question based on the information you have provided, and some more of my research – Jason Murray May 01 '16 at 15:16