Bacula-users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Bacula-users] PKI Signatures working?

2015-09-24 21:55:35
Subject: Re: [Bacula-users] PKI Signatures working?
From: Ana Emília M. Arruda <emiliaarruda AT gmail DOT com>
To: Kern Sibbald <kern AT sibbald DOT com>
Date: Thu, 24 Sep 2015 22:48:56 -0300
Hello Kern,

Thank you. I did not remember to mention about the TLS Authentication. And this is a possibility of verifying the client (peer/FD) before data exchange between daemons.

I thought that Markus was talking about data authenticity and not FD authentication. In the first case, the goal is to assure the source of the data. This can be achieved using a MAC (Message Authentication Code) or pki digital signatures. The TLS Authentication (TLS Verify Peer = yes) used by bacula daemons are intended for entity authentication, which means that they (daemons) are sure that the other entity (the other daemon) they are talking to is who they believe to be.

In the case of a message authentication, in this case a backup data authentication or an entire volume authentication, the only way I see that is treated by the bacula cryptography implementation is when the data sent by the client is also encrypted (a crypto session is created for sending the data encrypted). That means that your data is firstly encrypted and then signed by FD. This assures data confidentiality, integrity and authenticity through the use of pki digital signatures.

I undesrtood that Markus was talking about generating a MAC or a hash+pki signature of the data sent by FD. And I was not able to see this in the bacula crypto open code. Also, in this case, the restore FD that was receiving the data from the first FD must have the public key of the FD that originated the data (in the case of a pki signature) or the symmetric key used in the case of a MAC.

Hope this helps a little more to clarify this thread.

Best regards,
Ana




 

On Thu, Sep 24, 2015 at 7:16 PM, Kern Sibbald <kern AT sibbald DOT com> wrote:
Hello Ana,

I have not followed this thread in detail, but if the user wants more security in verifying the FD, it is possible to enable TLSAuthentication without enabling TLS on transmitted data, and in that case, in addition to the regular MD5 authentication Bacula will do TLSAuthentication but then not use TLS for the rest of the data transmission.

Best regards,
Kern


On 15-09-23 04:27 PM, Ana Emília M. Arruda wrote:
Complementing my previous post, MD5 and SHA1 do not make use of pki signatures from bacula crypto lib. They are hashes used for integrity verification and not for authenticity verification.

Best regards,
Ana

On Wed, Sep 23, 2015 at 3:45 PM, Ana Emília M. Arruda <emiliaarruda AT gmail DOT com> wrote:
Hello Markus,

I´m quite sure that it is not possible to have pki signature without pki encryption. You can have computation of MD5 and SHA1 signature of the file if configured in your FileSet. When dealing with pki signatures, this works only when you use pki encryption. I mean, the encrypted data at file daemon is signed before sent to storage daemon.

Best regards,
Ana

On Wed, Sep 23, 2015 at 5:30 AM, Markus Falb <markus.falb AT fasel DOT at> wrote:
Hello Bacula Users,

I am trying pki signatures without pki encryption off.
In my fd config I have

FileDaemon {
        Name = x-fd
        ...
        pki signatures = yes
        pki encryption = no
        pki keypair = /etc/pki/tls/private/x-fd.pem # with CN=x-fd
}

I have a second machine y-fd with equivalent config.

I make a Backup of x-fd.

I do a restore of this backup but I change the restore host to y-fd, and
it works, and that surprises me because y-fd should not be able to
verify the signature made with the private key from x-fd, it does not
know the public key of x-fd, right?

I wonder how this is supposed to work.
+
I don't even know if a signature was made in the first place and how to
verify that.

--
Kind Regards, Markus Falb


------------------------------------------------------------------------------
Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
Get real-time metrics from all of your servers, apps and tools
in one place.
SourceForge users - Click here to start your Free Trial of Datadog now!
http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users




------------------------------------------------------------------------------
Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
Get real-time metrics from all of your servers, apps and tools
in one place.
SourceForge users - Click here to start your Free Trial of Datadog now!
http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140


_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users



------------------------------------------------------------------------------

_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users
[More with this subject...]
<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Bacula-users] PKI Signatures working?, Kern Sibbald
Next by Date:  Re: [Bacula-users] is 7.2 ready for prime time?, Uwe Schuerkamp
Previous by Thread:  Re: [Bacula-users] PKI Signatures working?, Kern Sibbald
Next by Thread:  [Bacula-users] bacula-fd.service systemd file?, Stephen Thompson
Indexes:  [Date] [Thread] [Top] [All Lists]