Document the Trust model #5

Open
kelseyhightower opened this issue Nov 2, 2016 · 2 comments

@kelseyhightower
Owner

It's not clear from the docs that we are trusting the network on step 4 of the token request flow. We are subject to MitM attacks on the response from the vault-controller back to the init-container. The wrapped token can be unwrapped by an untrusted 3rd party so we must set a timeout or raise an alarm so it can be tracked in the vault audit logs.

@Albibek

Albibek commented Jan 11, 2017

Regarding the timeout issue: Vault has the NumUses setting in the TokenCreateRequest structure. Setting this to 1 makes it possible to be more alert to wrapped token theft.

I also see an easy solution to avoid this problem altogether: public-key cryptography, be it RSA or whatever.
Vault-init could generate a keypair and provide the public key to vault-controller, so the controller would be able to answer with an encrypted message.
Also, the Vault transit backend can be used for the same purpose, but it seems harder to implement, since correct policies need to be set up first.
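
The public-key exchange proposed in the comment above, sketched with Go's standard library as an added example (not code from vault-controller or from any commenter). The function names, the OAEP label and sending the key as DER bytes are assumptions, and the scheme only protects the response if the controller receives the init-container's genuine public key.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// label binds the ciphertext to this exchange (hypothetical value).
var label = []byte("vault-controller/wrapped-token")

// NewInitKey runs in the init-container: a fresh keypair per pod start.
func NewInitKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// PublicDER is what the init-container sends along with its token request.
func PublicDER(k *rsa.PrivateKey) ([]byte, error) { return x509.MarshalPKIXPublicKey(&k.PublicKey) }

// SealToken runs in the controller: encrypt the wrapped token to the requester's key.
func SealToken(pubDER []byte, token string) ([]byte, error) {
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return nil, err
	}
	pub, ok := parsed.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return nil, errors.New("need an RSA key of at least 2048 bits")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(token), label)
}

// OpenToken runs in the init-container on the controller's response.
func OpenToken(k *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k, ct, label)
	return string(pt), err
}

func main() {
	k, err := NewInitKey()
	if err != nil {
		panic(err)
	}
	der, _ := PublicDER(k) // cannot fail for a valid RSA key
	ct, _ := SealToken(der, "constructed-wrapped-token") // constructed sample value
	tok, err := OpenToken(k, ct)
	fmt.Println(tok, err)
}
```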

@anshumanbh

@kelseyhightower do you think the cubbyhole approach from Vault could be used to avoid the MiTM attack? - https://www.vaultproject.io/docs/concepts/response-wrapping.html
