
List:       fwknop-discuss
Subject:    Re: [Fwknop-discuss] EC2 + fwknop: Experiences? Thoughts?
From:       Michael Rash <mbr () cipherdyne ! org>
Date:       2008-11-08 7:23:16
Message-ID: 20081108072316.GA25421 () cipherdyne ! org

On Oct 30, 2008, Mark V wrote:

> Hi Group,

Hi Mark -

> I've used fwknop previously with GPG encryption.
> I was wondering if any one had contemplated using fwknop within
> Amazon's EC2 instances?
> In particular without 'baking in' any security keys/settings - apart
> from the fwknop configuration
> 
> The advantage of this is tighter control over access as well as an
> additional security layer.
> 
> AFAICT, one hurdle in using GPG is that the setup requires the private
> key to reside on the fwknop server.
> In the case of running an EC2 instance the trust relationship is reversed.
> Specifically, a ssh key pair is used to launch the instance and the
> public key is available within the running instance, via the EC2 API.
> 
> I can only think to use some of the meta-data on the EC2 AMI in the
> following way.
> The fwknop client would encrypt this data, and the fwknop server (on
> the running AMI instance) would decrypt, then parse the data received,
> compare it to the data queried from the API and grant access if
> they matched.
> In this setup the data the client sends would include the meta-data
> attribute the fwknop server should look up, as well as the data that
> should be matched with the instance's value.
> Hopefully that is clear?
> 
> In case people are not familiar with the EC2 API, meta-data can be
> queried via curl, or some perl, ruby etc library as described here:
> http://docs.amazonwebservices.com/AWSEC2/latest/DeveloperGuide/index.html?AESDG-chapter-instancedata.html
>  
> Any comments, suggestions, thoughts?

I've just written a blog post about this, and I credited you with the
idea of trying SPA with the EC2 service:

http://www.cipherdyne.org/blog/2008/11/single-packet-authorization-and-amazons-elastic-cloud-ec2-service.html


With the base communications now known to work, it should be easy to add
additional integration points - perhaps something that would allow
single shared keys on multiple EC2 instances, but include some meta data
unique to each instance within SPA packets (as you suggest).  This would
allow instance differentiation even between SPA packets encrypted with
the same key.  I'm no EC2 expert - I just signed up for an account to
see if I could get fwknop to work there.

-- 
Michael Rash
http://www.cipherdyne.org/
Key fingerprint: E2EF 0C8A 5AA9 654C 4763  B50F 37AC E946 7F51 8271

> 
> Regards
> Mark
> 

_______________________________________________
Fwknop-discuss mailing list
Fwknop-discuss@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
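The instance-binding check Mark sketches above (the client encrypts a metadata attribute and its expected value; the server decrypts, queries the instance metadata, and grants access only on a match), which is also what Michael's one-shared-key-across-instances variant needs, as an added Python example that is not part of this thread or of fwknop itself. The `attribute:expected-value` field layout, the attribute allowlist and all function names are assumptions; the 169.254.169.254 endpoint is the real EC2 instance-metadata service.

```python
"""Instance-binding check run after an SPA packet has been decrypted.
The 'attribute:expected-value' field, the allowlist and all names here are
assumptions for this example, not fwknop's own payload format."""
import hmac
import urllib.request
from typing import Callable, Optional

# Attributes a packet may name (assumed allowlist).  A closed list stops the
# client from steering the lookup to arbitrary paths under the metadata service.
ALLOWED_ATTRIBUTES = frozenset({"instance-id", "ami-id", "public-keys/0/openssh-key"})

# Real EC2 instance-metadata endpoint; used only when no fetcher is injected.
METADATA_BASE = "http://169.254.169.254/latest/meta-data/"

def fetch_metadata(attribute: str, timeout: float = 2.0) -> Optional[str]:
    """Query the local metadata service; None on any failure (deny by default)."""
    try:
        with urllib.request.urlopen(METADATA_BASE + attribute, timeout=timeout) as r:
            return r.read().decode("utf-8").strip()
    except Exception:
        return None

def parse_binding_field(field: str) -> tuple:
    """Split on the first ':' only, so the expected value may contain colons."""
    attribute, sep, expected = field.partition(":")
    if not sep or not attribute or not expected:
        raise ValueError("malformed instance-binding field")
    return attribute, expected

def instance_matches(field: str,
                     fetch: Callable[[str], Optional[str]] = fetch_metadata) -> bool:
    """True only if the attribute is permitted, the metadata service answered,
    and its live value equals what the client encrypted into the packet."""
    try:
        attribute, expected = parse_binding_field(field)
    except ValueError:
        return False
    if attribute not in ALLOWED_ATTRIBUTES:
        return False
    actual = fetch(attribute)
    if actual is None:
        return False
    return hmac.compare_digest(actual.encode("utf-8"), expected.encode("utf-8"))

# Constructed metadata so the example runs offline (not from a real instance).
SAMPLE_METADATA = {"instance-id": "i-EXAMPLE0001", "ami-id": "ami-EXAMPLE"}

def sample_fetch(attribute: str) -> Optional[str]:
    return SAMPLE_METADATA.get(attribute)
```

On a real instance, call `instance_matches(field)` without the second argument so the live metadata service is consulted; any lookup failure is treated as a mismatch rather than an open door.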


