Security Model

Devin Lundberg edited this page Apr 21, 2016 · 1 revision

Knox is a solution for storing and rotating secrets, so it is important to consider its security implications. This security model is intended to be comprehensive and cover all threat scenarios. We assume the attacker has access to the Knox client code and a full understanding of the system. We discuss attacker privileges against the confidentiality, integrity, and availability of secrets.

Attacker has network access to Knox server

Confidentiality

If the attacker has no authentication data for a user or machine, the attacker can retrieve no information on keys from Knox. If the attacker has authentication data for a user or machine, the attacker can breach the confidentiality of keys that list that principal for access.

Availability

The attacker can perform denial of service attacks against the Knox server and potentially prevent reads and writes while they have active network access. This should cause only temporary outages, which should be resolved once the attacker is removed from the network. These temporary outages will not impact machines that have previously registered keys, beyond preventing rotation.

Integrity

If the attacker has no authentication data for a user or machine, the attacker cannot affect the integrity of Knox data. If an attacker is able to compromise the authentication data of a machine, the attacker will be unable to compromise the integrity of key data unless that machine was explicitly granted write or admin privileges for a key. If an attacker is able to compromise the authentication data of a user, the attacker can perform actions as that user: adding versions to a key (with write permission), changing the status of key versions (with write permission), changing the access control list (with admin permission), or deleting the key (with admin permission).
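The permission model described above (read, write and admin access per key, with machine and user principals treated alike and a principal absent from the ACL getting nothing) can be checked with a small authorization routine. The following is an added example written for this page, not Knox's own code; the type names, the operation names and the mapping of operations to permission levels are assumptions that mirror the prose rather than Knox's real API.

```go
package main

import (
	"errors"
	"fmt"
)

// PrincipalKind separates human users from machines. The page states that a
// compromised machine identity gains no write capability unless the key's ACL
// explicitly grants it, so the check below treats both kinds identically and
// relies purely on what the ACL says.
type PrincipalKind string

const (
	KindUser    PrincipalKind = "user"
	KindMachine PrincipalKind = "machine"
)

type Principal struct {
	Kind PrincipalKind
	ID   string
}

// AccessType is ordered: Admin implies Write, which implies Read.
type AccessType int

const (
	None AccessType = iota
	Read
	Write
	Admin
)

type ACLEntry struct {
	Principal Principal
	Access    AccessType
}

// Operation names the actions the page ties to each permission level
// (assumed names; Knox's actual operation identifiers are not on the page).
type Operation string

const (
	OpGetKey     Operation = "get_key"     // read
	OpAddVersion Operation = "add_version" // write
	OpSetStatus  Operation = "set_status"  // write
	OpModifyACL  Operation = "modify_acl"  // admin
	OpDeleteKey  Operation = "delete_key"  // admin
)

var required = map[Operation]AccessType{
	OpGetKey: Read, OpAddVersion: Write, OpSetStatus: Write,
	OpModifyACL: Admin, OpDeleteKey: Admin,
}

var ErrUnauthorized = errors.New("unauthorized")

// accessFor returns the highest access the ACL grants to p, or None when the
// principal is absent (an attacker holding no credentials, or credentials for
// a principal the key never listed).
func accessFor(acl []ACLEntry, p Principal) AccessType {
	best := None
	for _, e := range acl {
		if e.Principal == p && e.Access > best {
			best = e.Access
		}
	}
	return best
}

// Authorize decides whether p may perform op on a key protected by acl.
func Authorize(acl []ACLEntry, p Principal, op Operation) error {
	need, ok := required[op]
	if !ok {
		return fmt.Errorf("unknown operation %q", op)
	}
	if accessFor(acl, p) < need {
		return fmt.Errorf("%w: %s %s lacks level %d needed for %s", ErrUnauthorized, p.Kind, p.ID, need, op)
	}
	return nil
}

func main() {
	// Constructed ACL: a compromised machine credential (web-01) can read the key
	// but cannot add a version; a user with write access still cannot edit the ACL.
	acl := []ACLEntry{
		{Principal{KindUser, "alice"}, Admin},
		{Principal{KindUser, "bob"}, Write},
		{Principal{KindMachine, "web-01"}, Read},
	}
	fmt.Println("web-01 get_key:    ", Authorize(acl, Principal{KindMachine, "web-01"}, OpGetKey))
	fmt.Println("web-01 add_version:", Authorize(acl, Principal{KindMachine, "web-01"}, OpAddVersion))
	fmt.Println("bob modify_acl:    ", Authorize(acl, Principal{KindUser, "bob"}, OpModifyACL))
	fmt.Println("alice delete_key:  ", Authorize(acl, Principal{KindUser, "alice"}, OpDeleteKey))
}
```

The point a defender should take from the routine is that the blast radius of a stolen credential is set entirely by the ACL entries naming that principal: keeping machine principals at read level, as the page recommends implicitly, means a compromised host can only disclose the keys it already holds.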

Attacker has access to Knox server machine

Confidentiality

An attacker on the Knox server machine has full access to all keys.

Availability

With control of the Knox server, an attacker could disable access to all keys. It should be noted that keys that have been registered in the past will still be available on any machine that has them registered, unless the attacker crafts replies that cause the clients to update.

Integrity

An attacker on the Knox server machine has full access to all keys and can perform any operation on the key database.

Attacker has access to Key database

Confidentiality

Without access to the cryptor's authenticated encryption key(s), an attacker will be unable to read key data. The attacker will be able to read version IDs, creation dates, access control lists, and version status associated with key IDs.

Availability

An attacker with write permissions can delete all Knox data permanently, so it is recommended that the Knox DB is backed up in a way that is difficult to delete, to prevent loss of key data. It should be noted that key data in use remains available on any machine that has it registered.

Integrity

An attacker with write permissions can modify the access control lists and version status on any key. With access to the cryptor's authenticated encryption key(s), an attacker can change any data.
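The two database scenarios above (a reader who sees metadata but not key data, and a writer who can alter ACLs and status but not forge key data without the cryptor key) follow from one storage design: only the secret bytes are sealed with authenticated encryption, while the row's metadata is stored in the clear. The following is an added example written for this page, not Knox's cryptor implementation; the record layout, the use of AES-GCM, and binding the ciphertext to the key and version IDs as additional authenticated data are assumptions chosen to illustrate the model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// StoredKey is a constructed stand-in for one row of the Knox key database.
// Only Data is encrypted; the remaining fields are stored in the clear, which
// is why a database reader sees version IDs, creation dates, ACLs and status
// but not key material.
type StoredKey struct {
	ID        string
	VersionID string
	CreatedAt int64
	ACL       []string // principals with access; plaintext and not authenticated
	Status    string   // e.g. "Primary", "Active", "Inactive"
	Data      []byte   // nonce || AES-GCM ciphertext of the secret
}

func newAEAD(cryptorKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(cryptorKey) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aad binds a ciphertext to the row it belongs to, so a sealed blob copied
// onto another key or version will fail to open.
func aad(rec *StoredKey) []byte {
	return []byte(rec.ID + "/" + rec.VersionID)
}

// Seal encrypts secret under cryptorKey and stores it in rec.Data.
func Seal(cryptorKey []byte, rec *StoredKey, secret []byte) error {
	aead, err := newAEAD(cryptorKey)
	if err != nil {
		return err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	rec.Data = aead.Seal(nonce, nonce, secret, aad(rec))
	return nil
}

// Open recovers the secret; it fails on a wrong key, a modified ciphertext,
// or a record whose ID or VersionID no longer matches what was sealed.
func Open(cryptorKey []byte, rec *StoredKey) ([]byte, error) {
	aead, err := newAEAD(cryptorKey)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(rec.Data) < n {
		return nil, errors.New("stored data too short to contain a nonce")
	}
	return aead.Open(nil, rec.Data[:n], rec.Data[n:], aad(rec))
}

func main() {
	// Constructed cryptor key; a real deployment keeps it outside the database.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	rec := &StoredKey{ID: "db_password", VersionID: "1", CreatedAt: 1461196800,
		ACL: []string{"user:alice"}, Status: "Primary"}
	if err := Seal(key, rec, []byte("constructed-secret")); err != nil {
		panic(err)
	}
	fmt.Printf("visible to a DB reader: id=%s version=%s acl=%v status=%s\n",
		rec.ID, rec.VersionID, rec.ACL, rec.Status)
	_, err := Open(make([]byte, 32), rec) // wrong key: ciphertext stays opaque
	fmt.Println("read without cryptor key:", err)
	rec.ACL = append(rec.ACL, "user:mallory") // DB writer edits the ACL
	_, err = Open(key, rec)                   // ...and decryption does not notice
	fmt.Println("read after ACL edit by DB writer:", err)
}
```

The last two lines of main show the integrity gap the page calls out: because the ACL and status live outside the authenticated envelope, a database writer can change who may read a key without touching the cryptor key. Extending the additional authenticated data to cover those fields would make such edits detectable, but that is a design change beyond what the page describes, and it would not stop a writer who also holds the cryptor key.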