HTTPS client certificate authentication

Tell us your most wanted features from QNAP products.
pakoistinen
Know my way around
Posts: 149
Joined: Sat May 24, 2008 12:38 pm

HTTPS client certificate authentication

Post by pakoistinen »

Hiyall,

I've noticed that Qnap boxes use UPnP to open several ports to the Internet (443, 8080, 8081, etc.). This is a huge security risk.

The risk could be mitigated if you supported SSL/TLS "Client certificate authentication". Note, there is an option to import a certificate already, but most users can't create their own certificates. Autogenerating a cert is not that difficult.

This means that the NAS box would create a client certificate for the workstations that need to access the services (HTTPS for example). The client certificate would be installed to the certificate store of the workstation. Then, when the client tried to connect, apache on the NAS would request a valid client certificate. If the client did not have a valid certificate signed by the NAS, the connection would be refused.

This would present a pretty good level of security and protect the services that you open to the internet for your customers by using UPnP.
TS-421 with QTS 4: 4 hdds: 2 x 1,5TB raid1 and 2 x 2TB raid1 arrays.
TS-209: 2 hdds: 2 x 750GB raid1 array.
Mail pasi at turvallisuus dot org
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: HTTPS client certificate authentication

Post by schumaku »

pakoistinen wrote: I've noticed that Qnap boxes use UPnP to open several ports to the Internet (443, 8080, 8081, etc.). This is a huge security risk.
Nope. Automatic port forwarding is a feature within myQNAPcloud.com - it can be disabled, and the ports/services can be selected and controlled.
pakoistinen wrote: The risk could be mitigated if you supported SSL/TLS "Client certificate authentication".
"mitigation" means using a longer key essentially. Implementing certificate-based auth properly is not that easy. This requires a carefully designed and manageable authentication layer -
pakoistinen wrote: Note, there is an option to import a certificate already, but most users can't create their own certificates.
Transport layer SSL certificates - pretty much unrelated to cert auth. And limited to the primary access only, not covering virtual hosts et al.
pakoistinen wrote: Autogenerating a cert is not that difficult.
Yes, but pretty much not manageable beyond very few users.
pakoistinen wrote: This means that the NAS box would create a client certificate for the workstations that need to access the services (HTTPS for example). The client certificate would be installed to the certificate store of the workstation. Then, when the client tried to connect, apache on the NAS would request a valid client certificate. If the client did not have a valid certificate signed by the NAS, the connection would be refused.
How would you do the mapping to local users, Active Directory users, LDAP users?
And how is the certificate checked - think about a generic solution? The Web servers taking cert auth need to be able to talk to directory based CRLs, to OCSP servers - as simple self-signed certificates are pretty much useless. And of course, we need a distribution point helping the users to install and manage the certificates on Windows, OS X, Android, iOS, ...
pakoistinen wrote: This would present a pretty good level of security and protect the services that you open to the internet for your customers by using UPnP.
Not limited to UPnP port forwarding of course. And yes, of course - having a tiny PKI on the NAS (to deal with certificates for other deployments like more NAS), to issue SSL certs, to issue authentication certs, ... would make a great add-on for security.

Well - I've been challenging QNAP for a certificate management system for years.
pakoistinen
Know my way around
Posts: 149
Joined: Sat May 24, 2008 12:38 pm

Re: HTTPS client certificate authentication

Post by pakoistinen »

Certificate based authentication (on apache for instance) works nicely even in large production environments. I've designed and implemented several such systems with automated local Certificate enrollment for multi-user mobile environments, etc. You are right in that this should be designed carefully. The most important thing first would be to have a person onboard who really understands crypto and can make the design correctly right from the start. This way it would not be an overly large task for the developers to implement the design. Btw. I think Qnap has the right technology choices in use already because Apache has the best documentation on the subject and OpenSSL works nicely for creating any PKI certificates. You seem to even have stunnel on the boxes which makes a nice addition to the toolset that can be used :)

In my experience automatic generation of certificates per user requires that a few scripts are written that trigger OpenSSL functions, generate the certificates and allow the users to install those certs on their machines. For secure HTTP interfaces the installation would probably happen manually via the browser. In my earlier projects we have created environments that are designed for several thousands of users. Also Microsoft does this with their AD with millions of users on the AD side.

First, I would implement client authentication with certificates only towards the internet because the services open to Internet are the ones that are attacked first. This would work nicely with all services that utilize HTTP but not for other protocols like Telnet, SSH etc.

As for mapping the certs to user accounts, I would perhaps create a script that first enumerates all local, AD & LDAP accounts to create a list of authorized users. Then it would run with cron to refresh that list of allowed accounts periodically. Next an OpenSSL certificate autogeneration script would be run after that cron job that creates a unique cert for each user and stores it in a secure location. Perhaps it could also auto send an email to each user with a unique link to their certificate for installment.

As for the packing and delivery of the certificates we do have several options. Personally I think that in this instance it could be easiest just to put the certificate chain (CA, server cert & user cert) into a single PKCS#12 file that is delivered to the user via a unique email link per user. I think the delivery is the only real difficulty because you could invent so many ways to implement that mechanism.

But if we would want to achieve pretty good security with minimal effort... we could simply create a single shared user certificate for all the HTTP client users on the Domain / local system / LDAP. They could not be distinguished from each other on the level of TLS/SSL authentication. But they do have individual user accounts that go into logs. I think this would not be a bad option either. In this scenario only one certificate chain would need to be generated. Perhaps this could be the first step on the road towards implementing something more?
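The flow proposed in the post above (a private CA on the NAS, one certificate per user, delivery as a PKCS#12 bundle, and a server-side check that maps the certificate to an account) can be sketched as follows. This is an added example, not code from the thread or from QNAP; the directory layout, the CA name, the user name and the password are constructed for illustration.

```shell
#!/bin/sh
# Added example: private CA -> per-user client certificate -> PKCS#12 bundle.
# All names, paths and passwords are constructed for illustration.

# make_ca DIR: create the CA key, the CA certificate and a shared config.
make_ca() {
    mkdir -p "$1" && chmod 700 "$1" || return 1
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example NAS Client CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[usr]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -config "$1/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -days 3650 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_user DIR USER P12_PASSWORD: key, CSR, signed cert and PKCS#12 bundle.
issue_user() {
    d=$1; u=$2
    # Account names end up in file names and in the subject: allow-list them.
    case $u in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    openssl req -new -config "$d/pki.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$u" -keyout "$d/$u.key" -out "$d/$u.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/$u.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$d/pki.cnf" \
        -extensions usr -out "$d/$u.crt" 2>/dev/null || return 1
    # The password travels in the environment, not argv, so ps does not show it.
    P12_PASS=$3 openssl pkcs12 -export -inkey "$d/$u.key" -in "$d/$u.crt" \
        -certfile "$d/ca.crt" -name "$u" -passout env:P12_PASS -out "$d/$u.p12"
}

# verify_client DIR CERT: what the server's check amounts to. Only the NAS CA
# is trusted (-no-CApath keeps the system CA directory out), and the
# certificate must be usable for TLS client authentication.
verify_client() {
    openssl verify -no-CApath -CAfile "$1/ca.crt" -purpose sslclient "$2" \
        >/dev/null 2>&1
}

# cert_user CERT: print the subject CN, the value a server would map to a
# local, AD or LDAP account.
cert_user() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# On the Apache side the matching mod_ssl directives are:
#   SSLCACertificateFile <DIR>/ca.crt
#   SSLVerifyClient require
#   SSLVerifyDepth 1
```

A certificate signed by any other key, including a self-signed one carrying the same CN, fails `verify_client`. Revocation (the CRL/OCSP point raised earlier in the thread) is not covered by this sketch.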
larsahlstrom
Getting the hang of things
Posts: 63
Joined: Wed May 16, 2012 5:52 pm
Location: Stockholm, Sweden

Re: HTTPS client certificate authentication

Post by larsahlstrom »

Yes!
All that sounds terrific...

But hey... I need a solution like:

"Go here, do this, and do that and enter your created key combination, and share the key to your private network..."

Is there a solution on this obvious nonworking https-server?

If I get a solution, I promise to get back and post it here..
Last edited by larsahlstrom on Mon Dec 30, 2013 10:39 pm, edited 2 times in total.
QNAP TS-459ProII, 4xWD 3TB RED's in RAID5, 1Gbit LAN, ZyXEL 16 channel switch, cable-modm 250Mbit, Win10 Pro 64, PC:4x3Tbyte WD Red's in RAID5, Seagate 8TB USB3, WD 4TB USB3, 2xWD3TBUSB3, Seagate Desktop Expansion, Trial screens 16:4, 24", 28", Tascam DM24 mix. to MOTU 2408II 24 channels to/from PC, Mackie Cntl Univ. motor-faders for soft-control, Wacom Intous2 A4 pad w. mouse-pen-airbrush, Epson PX800 print/scan, Plustec 7500 diascan, Samsung CLP650 ColorLaser, AVID MboxPro & ProTools 11, EMU 1820m ASIO audio intfc, 2xNE Maschine, Kurzweil PC88+ mastrkeyboard, Neon keyb, a bunch of synthesizers/controllers. Using BestSync 2015 Ultimate for network backups, and Antenna from Stormdance Website editor (like Paintshop, objectoriented).
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: HTTPS client certificate authentication

Post by schumaku »

Nothing terrific here at all.
larsahlstrom wrote: Is there a solution on this obvious nonworking https-server?
Sorry, this is nonsense - the absence of a click and pray certificate management for authentication - which is part of a typical huge project with large corporate customers for making it properly, manageable, expandable, .... - does not make the https server nonworking.

I had the tech responsibility of designing and deploying large scale PKI, personal user certificate deployment, integrating service systems since the mid-90s on corporate level with up to 250'000 users. Biggest nightmare for integration were always such ad-hoc hacked systems...
larsahlstrom
Getting the hang of things
Posts: 63
Joined: Wed May 16, 2012 5:52 pm
Location: Stockholm, Sweden

Re: HTTPS client certificate authentication

Post by larsahlstrom »

Well the server seems to work... I mean the normal http-mode.
The "https"-mode, which is adequate for doing this file handling online, over internet, and against mobile equipment - is NOT working.
So that means I should unregister my server on the cloud and give up... Because there is no safety...according to some QNAP documents.
A HUGE, BIG red screen shows up when I try to go cryptic, but "proceed anyway" gives me a crossed-over https-address.
I think this is a bit amateurish, not to give a solution for it, but at the same time tell me that I SHOULD have "https"...

I have searched for a solution, but it is too difficult for me to fix it. Although I have worked with computers since Intel 8080 and later Zilog Z80 CP/M business machines. If we should brag about it... :lol:

Another thing is that when I edit my users, their accounts, and inform them by sending them a mail, they get something that not even the neighbour's cat stops laughing at... (well I know there is a lot to do cleaning up the system, so no offense!)
"Just follow this and you will be up and running..." Noo way. The myQNAPCloud demands FLASH to work, when they finally get in.
I did have the Qmultimedia active, but... Androids and Flash...?
So I had to email the bunch and tell them how to do. Go get Qmobile, and Qphoto, and Qmusic... servername, enter my IP, and your name & password.
Then it says
<whitefont>MyCloudNAS <bluefont>servername.myqnapcloud.com
and under that a little note, like: "You are NOT going to get a secure SSL server, because you've got an Android prior to 3..1" 8)

Otherwise I am really happy with the new 4.0.2. Really cool work, QNAP staff. Keep it up!
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: HTTPS client certificate authentication

Post by schumaku »

Gee, this is RED because QNAP can not provide a valid, signed certificate for your own hostname used - as simple as that. Regardless, the https server is working correctly.

It's the NAS owner's responsibility to acquire a valid certificate, signed by an authority trusted by your browser and/or by your OS, and install it on the NAS accordingly. When serving
larsahlstrom wrote: Because there is no safety...according to some QNAP documents.
In today's world of references, such a note is useless. Always provide references, links.

I guess you talk about this: All QNAP NAS default certificates are identical, and share the same private key. True, with this key decrypting is possible as the default private key can be considered well known. And exactly this is the reason you should invest in a certificate issued to your FQDN. This certificate will be valid exactly only if the NAS is accessed using this FQDN - otherwise modern browsers will issue warnings again.

The proposal of creating an own certificate authority from before has very limited value, can be deployed and used for a limited number of users only - for anybody else there is no trust to your private CA.

Again: This does not imply a non-working https server - complete nonsense.

Happy New Year anyway.

-Kurt.
larsahlstrom
Getting the hang of things
Posts: 63
Joined: Wed May 16, 2012 5:52 pm
Location: Stockholm, Sweden

Re: HTTPS client certificate authentication

Post by larsahlstrom »

Well, perhaps it is my swenglish, or you, that wants to make a "war of honor" out of this. I don't know. I can read your cynicisms...

But let me try to make a reflection for you, so you better can understand what I talk about: WiFi keys....

Any type... AES, TKIP, anyone... what do you enter? Your own key, right? And what does that for open networks?
LOCK THEM FOR MY NEIGHBOURS.....

Well I can produce my own certificate!

"I, Lars Ahlstrom, the superadmin of this network, hereby grant YOU my dear trustee, to enter.
To anyone else I'd like to say: http://www.youtube.com/watch?v=ikssfUhAlgg

and then...? ;)

Happy Newyear to you too! :P
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: HTTPS client certificate authentication

Post by schumaku »

Yes, you can create your own certificate - but it will never be fully trusted (= all green) by any browser.

What we're talking here does barely compare to a PSK of a WLAN - much more of what could be done in good enterprise design. And there we have no browser maker in between qualifying the certificate based on the CA (read: CA makers having paid a lot of money so their root certificates are considered "trusted" in an OS and/or a browser).

Without much cynicism ... when adding your own or a third party trusted CA in current Android ... Android keeps nagging "A third party is capable of monitoring your network activity, including emails, apps and secure websites. A trusted credential installed on your device is making this possible." Granted - my private keys generated along with the CSR (certificate signature request) have never left my own systems - so how likely this information is correct is questionable, too. If it would be true - the same would apply to the "trusted" signature issuers.
pakoistinen
Know my way around
Posts: 149
Joined: Sat May 24, 2008 12:38 pm

Re: HTTPS client certificate authentication

Post by pakoistinen »

One could make the QNAP CA certificate trusted on his own clients. It takes a bit of fiddling though. Steps:
1.) copy the ca.crt from the qnap box via sftp (or other means) to the client devices. It should be located under /etc/openvpn/easy-rsa/keys/
2.) import that ca.crt into all of your own client devices. Place the certificate into the "trusted root authorities" or similar class. Sometimes you need to do a manual step where you set this certificate to be trusted. Each browser may need its own importing to be done because their certificate bundles may be individually managed.
3.) now the SSL/TLS on QNAP box should not yell at you anymore.

Except for the hostname - you should still get a nag about DNS hostname not matching with the DN in the SSL server certificate. I bet the hostname doesn't match with anyone currently. There is a fix for that one too. You can use the easy-rsa scripts on the QNAP box to create your own server certificate if you like to fiddle around a bit.
larsahlstrom
Getting the hang of things
Posts: 63
Joined: Wed May 16, 2012 5:52 pm
Location: Stockholm, Sweden

Re: HTTPS client certificate authentication

Post by larsahlstrom »

Thanks guys. I will try to fiddle a little.
But I wonder... even if I do not have a certificate, does the SSL work?
And is this communication then encrypted approximately as the banks or paypals are?
No way to easily put a tap on the TCP flow and see what's going on?
schumaku
Guru
Posts: 43579
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku

Re: HTTPS client certificate authentication

Post by schumaku »

larsahlstrom wrote: But I wonder... even if I do not have a certificate, does the SSL work?
Yes - within limitations (hostname not match, never trusted, and definitively no "green" bar in the browser).
larsahlstrom wrote: And is this communication then encrypted approximately as the banks or paypals are?
Hm, kind of - but not really ... all default certificates share the same private key, so technically it's possible to decrypt your SSL stream.
larsahlstrom wrote: No way to easily put a tap on the TCP flow and see what's going on?
See above. Define "easily".

Again - you can always install your own certificate preferably signed by a trusted authority (by the browser and/or operating system makers as the operators of certificate authorities paid money to be trusted :geek:) - and then you have the same SSL security like Paypal, finance institutions, ...

But before you consider this, you need to figure out on how you want to access your NAS, i.e. under which name. AFAIK it's not possible to get these certificates for domains you don't own (i.e. [name].myqnapcloud.com, [name].dyndns.org, ...) - so you need a domain, a DNS service provider (permitting static or dynamic updates - depends on the Internet connection and ISP deal).
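The three limitations named in this thread (hostname mismatch, a key pair shared with every other factory-default certificate, and a self-signed certificate no browser trusts) can each be checked with OpenSSL. The following is an added example, not code from the thread or from QNAP; the file names and host names are constructed, and the "factory default" certificate is a locally generated stand-in.

```shell
#!/bin/sh
# Added example: audit a NAS server certificate for the three problems raised
# in the thread. File names and host names are constructed for illustration.
# To audit a live box, first save what it serves, e.g.:
#   openssl s_client -connect HOST:443 -servername HOST </dev/null \
#       | openssl x509 -out served.crt

# spki_hash CERT: SHA-256 over the DER public key. Two certificates with the
# same hash share one private key, whatever their subject or serial says.
spki_hash() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

same_key() { [ "$(spki_hash "$1")" = "$(spki_hash "$2")" ]; }

# host_ok CERT FQDN: does the certificate name the host the client typed?
host_ok() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# is_self_signed CERT: issuer equals subject, so no outside CA vouches for it.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# audit_cert CERT FQDN DEFAULT_CERT: print one keyword per finding and
# return non-zero if there is at least one.
audit_cert() {
    rc=0
    host_ok "$1" "$2" || { echo HOSTNAME_MISMATCH; rc=1; }
    if same_key "$1" "$3"; then echo DEFAULT_KEY; rc=1; fi
    if is_self_signed "$1"; then echo SELF_SIGNED; rc=1; fi
    return "$rc"
}

# make_samples DIR: constructed certificates standing in for a factory default
# certificate, a renamed certificate reusing its key, and a fresh key pair.
make_samples() {
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' \
        > "$1/req.cnf"
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=factory-default.invalid" \
        -keyout "$1/default.key" -out "$1/default.crt" 2>/dev/null &&
    openssl req -x509 -config "$1/req.cnf" -key "$1/default.key" -days 30 \
        -subj "/CN=nas.example.org" -out "$1/reused.crt" 2>/dev/null &&
    openssl req -x509 -config "$1/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=nas.example.org" \
        -keyout "$1/own.key" -out "$1/own.crt" 2>/dev/null
}
```

Comparing public-key hashes rather than whole files catches a certificate that was re-issued under a new name while keeping the shared key. A certificate from a publicly trusted CA for the right FQDN produces no findings.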
larsahlstrom
Getting the hang of things
Posts: 63
Joined: Wed May 16, 2012 5:52 pm
Location: Stockholm, Sweden

Re: HTTPS client certificate authentication

Post by larsahlstrom »

Thanks for the reply! Hm... I think I understand this better now.
Easily tapping a LAN wire? Well I use a sniffer... ;) Silly, eh? :D
larsahlstrom
Getting the hang of things
Posts: 63
Joined: Wed May 16, 2012 5:52 pm
Location: Stockholm, Sweden

Re: HTTPS client certificate authentication

Post by larsahlstrom »

Good writing, Pakoistinen! I like that simple sort of vision. My aim was to degrade the mysticism around this matter of HTTPS.
There's just a matter of me having 1000 subscribers, each with a long key. Written on some simple Notepad text file. A file crypted already and with an extension name of *.urrk.

Then the server only lets that person in, who has the right key (password) installed in his server login script. If he transfers readable text like:
"Hey you lousy SOB, how are you?" That is 29 characters, each with a 7 bit code (ASCII). So his encryptor/serverlet checks his key, key is correct, and then encrypts the line. Like this maybe, as an example:
His key, a VERY short key, would have done the following. Key = he8Wp47t3lkd = 12 ASCII's... only numbers, capitals and letters, as the third char from the end = 3...
And then use the 4 last chars to soften the line up a little:

Y=LEN(KEY)-3 ; 12-3=9, Y = constant = 9, pointing to "3" in KEY, 4 from end
FOR X = 1 TO LEN(KEY)-8 ; 12-8=4, in this case = 4 laps
  IF (line(X)+key(Y))<=7FH THEN sum(X)=line(X)+key(Y) ELSE sum(X)=7FH
  IF (key(Y)-line(X))>=0 THEN sum(X)=sum(X)+(key(Y)-line(X)) ELSE sum(X)=sum(X)+0
NEXT X

When encryptor is ready with those four last chars working on the line we get....yes we do!!!. :roll: ;)

Then make the final encryption on the whole line. And now the number cruncher gets the third char from the end of the key = 3, and that is the amount of different numbers, caps, letters or specials. In this case 3 = number, capital and letter to use in the key.
Nobody knew that, and nobody could even imagine a 4 char pre-crunching.... This creates the simplest encryption, and yes I know it must be altered, corrected etc. etc. But to crack it? How?

But the point is that this is for a small number of people, that each one gets a file, also encrypted, and contains key and encryptor/decryptor that makes a waterproof crypto for communication. Once you debugged it, it will suit billions of people, who then are NOT in the hands of BIG Corps. and NOT dependent on HTTPS or HTTP. It works with HTTP. Does it not?