HTTPS client certificate authentication

Postby pakoistinen » Sun Oct 27, 2013 6:45 pm

Hiyall,

I've noticed that Qnap boxes use UPnP to open several ports to the Internet (443, 8080, 8081, etc.). This is a huge security risk.

The risk could be mitigated if you supported SSL/TLS "Client certificate authentication". Note, there is an option to import a certificate already but most users can't create their own certificates. Autogenerating a cert is not that difficult.

This means that the NAS box would create a client certificate for the workstations that need to access the services (HTTPS for example). The client certificate would be installed to the certificate store of the workstation. Then, when the client tried to connect, apache on the NAS would request a valid client certificate. If the client did not have a valid certificate signed by the NAS, the connection would be refused.

This would present a pretty good level of security and protect the services that you open to the internet for your customers by using UPnP.
TS-421 with QTS 4: 4 hdds: 2 x 1,5TB raid1 and 2 x 2TB raid1 arrays.
TS-209: 2 hdds: 2 x 750GB raid1 array.
Mail pasi at turvallisuus dot org
pakoistinen
Know my way around
 
Posts: 149
Joined: Sat May 24, 2008 12:38 pm
Model: TS-412

Re: HTTPS client certificate authentication

Postby schumaku » Sun Oct 27, 2013 9:18 pm

pakoistinen wrote: I've noticed that Qnap boxes use UPnP to open several ports to the Internet (443, 8080, 8081, etc.). This is a huge security risk.
Nope. Automatic port forwarding is a feature within myQNAPcloud.com - it can be disabled, and the ports/services can be selected and controlled.
pakoistinen wrote: The risk could be mitigated if you supported SSL/TLS "Client certificate authentication".
"mitigation" means using a longer key essentially. Implementing certificate-based auth properly is not that easy. This requires a carefully designed and manageable authentication layer -
pakoistinen wrote: Note, there is an option to import a certificate already but most users can't create their own certificates.
Transport layer SSL certificates - pretty much unrelated to cert auth. And limited to the primary access only, not covering virtual hosts et al.
pakoistinen wrote: Autogenerating a cert is not that difficult.
Yes, but pretty much not manageable beyond very few users.

pakoistinen wrote: This means that the NAS box would create a client certificate for the workstations that need to access the services (HTTPS for example). The client certificate would be installed to the certificate store of the workstation. Then, when the client tried to connect, apache on the NAS would request a valid client certificate. If the client did not have a valid certificate signed by the NAS, the connection would be refused.
How would you do the mapping to local users, Active Directory users, LDAP users?
And how is the certificate checked - think about a generic solution? The Web servers taking cert auth need to be able to talk to directory based CRLs, to OCSP servers - as simple self-signed certificates are pretty much useless. And of course, we need a distribution point helping the users to install and manage the certificates on Windows, OS X, Android, iOS, ...

pakoistinen wrote: This would present a pretty good level of security and protect the services that you open to the internet for your customers by using UPnP.
Not limited to UPnP port forwarding of course. And yes, of course - having a tiny PKI on the NAS (to deal with certificates for other deployments like more NAS), to issue SSL certs, to issue authentication certs, ... would make a great add-on for security.

Well - I've been challenging QNAP for a certificate management system for years.
schumaku
Guru
 
Posts: 31262
Joined: Mon Jan 21, 2008 4:41 pm
Location: Kloten (Zurich), Switzerland -- Skype: schumaku
Model: TS-x79 Pro

Re: HTTPS client certificate authentication

Postby pakoistinen » Tue Oct 29, 2013 4:10 pm

Certificate based authentication (on apache for instance) works nicely even in large production environments. I've designed and implemented several such systems with automated local Certificate enrollment for multi-user mobile environments, etc. You are right in that this should be designed carefully. The most important thing first would be to have a person onboard who really understands crypto and can make the design correctly right from the start. This way it would not be an overly large task for the developers to implement the design. Btw. I think Qnap has the right technology choices in use already because Apache has the best documentation on the subject and OpenSSL works nicely for creating any PKI certificates. You seem to even have stunnel on the boxes which makes a nice addition to the toolset that can be used :)

In my experience automatic generation of certificates per user requires that a few scripts are written that trigger OpenSSL functions, generate the certificates and allow the users to install those certs on their machines. For secure HTTP interfaces the installation would probably happen manually via the browser. In my earlier projects we have created environments that are designed for several thousands of users. Also Microsoft does this with their AD with millions of users on the AD side.

First, I would implement client authentication with certificates only towards the internet because the services open to Internet are the ones that are attacked first. This would work nicely with all services that utilize HTTP but not for other protocols like Telnet, SSH etc.

As for mapping the certs to user accounts, I would perhaps create a script that first enumerates all local, AD & LDAP accounts to create a list of authorized users. Then it would run with cron to refresh that list of allowed accounts periodically. Next an OpenSSL certificate autogeneration script would be run after that cron job that creates a unique cert for each user and stores it in a secure location. Perhaps it could also auto send an email to each user with a unique link to their certificate for installment.

As for the packing and delivery of the certificates we do have several options. Personally I think that in this instance it could be easiest just to put the certificate chain (CA, server cert & user cert) into a single PKCS#12 file that is delivered to the user via a unique email link per user. I think the delivery is the only real difficulty because you could invent so many ways to implement that mechanism.

But if we would want to achieve pretty good security with minimal effort... we could simply create a single shared user certificate for all the HTTP client users on the Domain / local system / LDAP. They could not be distinguished from each other on the level of TLS/SSL authentication. But they do have individual user accounts that go into logs. I think this would not be a bad option either. In this scenario only one certificate chain would need to be generated. Perhaps this could be the first step on the road towards implementing something more?
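
The per-user issuance flow described in the post above (private CA, one certificate per account, PKCS#12 bundle), as an added example that is not part of the original thread or of QNAP's software. It assumes the `openssl` command line tool; the function names, the users alice and mallory, the paths and the passphrase are constructed for illustration.

```sh
#!/bin/sh
# Added illustration, not from the thread: private CA -> per-user client
# certificate -> PKCS#12 bundle. All names, paths and passwords are constructed.
set -eu
umask 077   # private keys must not be world-readable

# new_ca DIR: self-signed CA key/cert plus the extension profiles used below.
new_ca() {
    mkdir -p "$1"
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example NAS private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_cert]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$1/pki.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client DIR USER: key and CSR for USER, signed by the CA in DIR, then
# bundled with the CA certificate into DIR/USER.p12 (password from $P12_PASS).
issue_client() {
    # Account names come from a directory; refuse anything that could alter
    # the subject string or the file path.
    case "$2" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$1/pki.cnf" \
        -extensions client_cert -out "$1/$2.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.crt" \
        -certfile "$1/ca.crt" -name "$2" -passout env:P12_PASS -out "$1/$2.p12"
}

# accepts_client CA_CERT CLIENT_CERT: the chain check a server performs when it
# requires client certificates (Apache: "SSLVerifyClient require").
accepts_client() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
export P12_PASS='constructed-sample-passphrase'
new_ca "$WORK/nas";   issue_client "$WORK/nas" alice
new_ca "$WORK/other"; issue_client "$WORK/other" mallory   # unrelated CA, same CN
accepts_client "$WORK/nas/ca.crt" "$WORK/nas/alice.crt"     && echo "alice: accepted"
accepts_client "$WORK/nas/ca.crt" "$WORK/other/mallory.crt" || echo "mallory: refused"
```

The CA key is left unencrypted here only to keep the run non-interactive. The second CA deliberately reuses the same subject name to show that acceptance depends on the signature, not on the issuer's name.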

Re: HTTPS client certificate authentication

Postby larsahlstrom » Mon Dec 30, 2013 9:12 pm

Yes!
All that sounds terrific...

But hey... I need a solution like:

"Go here, do this, and do that and enter your created key combination, and share the key to your private network..."

Is there a solution on this obvious nonworking https-server?

If I get a solution, I promise to get back and post it here..
Last edited by larsahlstrom on Mon Dec 30, 2013 10:39 pm, edited 2 times in total.
BestSync backup software from Risefly, 459Pro II, 4xSeagate 2Tbyte in RAID5, 1gigabit LAN, DLINK 8 channel switch, cable 50mbit, Windows7 32, 2x1Tbyte WDC, a 2Tb Samsung, 2+2 screens, 2 graphics, Tascam DM24, Tascam US428, Wacom A3 mouse and airbrush, HP 3970 scanner, Plustec 7500 negative scanner, Samsung CLP650N Colorlaserprinter, EMU 1820m audio interface, NE Maschine controller, Kurzweil PC88+ masterkeyboard, Neon mini midi keyboard, and a whole bunch of midisynthesizers/controllers. Using BestSync for backups, and Antenna for webwork.
larsahlstrom
Starting out
 
Posts: 23
Joined: Wed May 16, 2012 5:52 pm
Location: Stockholm, Sweden
Model: TS-459 Pro II

Re: HTTPS client certificate authentication

Postby schumaku » Mon Dec 30, 2013 10:32 pm

Nothing terrific here at all.
larsahlstrom wrote: Is there a solution on this obvious nonworking https-server?
Sorry, this is nonsense - the absence of a click and pray certificate management for authentication - what is part of a typical huge project with large corporate customers for making it properly, manageable, expandable, .... - does not make the https server nonworking.

I had the tech responsibility of designing and deploying large scale PKI, personal user certificate deployment, integrating service systems since the mid-90s on corporate level with up to 250'000 users. Biggest nightmare for integration were always such ad-hoc hacked systems...

Re: HTTPS client certificate authentication

Postby larsahlstrom » Mon Dec 30, 2013 11:07 pm

Well the server seems to work... I mean the normal http-mode.
The "https"-mode, which is adequate for doing this file handling online, over internet, and against mobile equipment - is NOT working.
So that means I should unregister my server on the cloud and give up... Because there is no safety...according to some QNAP documents.
A HUGE, BIG red screen shows up when I try to go cryptic, but "proceed anyway" gives me a crossed-over https-address.
I think this is a bit amateurish, not to give a solution for it, but at the same time tell me that I SHOULD have "https"...

I have searched for a solution, but it is too difficult for me to fix it. Although I have worked with computers since Intel 8080 and later Zilog Z80 CP/M business machines. If we should brag about it... :lol:


Another thing is that when I edit my users, their accounts, and inform them by sending them a mail, they get something that not even the neighbour's cat stops laughing at... (well I know there is a lot to do cleaning up the system, so no offense!)
"Just follow this and you will be up and running..." Noo way. The myQNAPCloud demands FLASH to work, when they finally get in.
I did have the Qmultimedia active, but... Androids and Flash...?
So I had to email the bunch and tell them how to do. Go get Qmobile, and Qphoto, and Qmusic... servername, enter my IP, and your name & password.
Then it says
<whitefont>MyCloudNAS <bluefont>servername.myqnapcloud.com
and under that a little note, like: "You are NOT going to get a secure SSL server, because you've got an Android prior to 3..1" 8)

Otherwise I am really happy with the new 4.0.2. Really cool work, QNAP staff. Keep it up!

Re: HTTPS client certificate authentication

Postby schumaku » Tue Dec 31, 2013 12:36 am

Gee, this is RED because QNAP can not provide a valid, signed certificate for your own hostname used - as simple as that. Regardless, the https server is working correctly.

It's the NAS owner's responsibility to acquire a valid certificate, signed by an authority trusted by your browser and/or by your OS, and install it on the NAS accordingly. When serving

larsahlstrom wrote: Because there is no safety...according to some QNAP documents.
In today's world of references, such a note is useless. Always provide references, links.

I guess you talk about this: All QNAP NAS default certificates are identical, and share the same private key. True, with this key decrypting is possible as the default private key can be considered well known. And exactly this is the reason you should invest in a certificate issued to your FQDN. This certificate will be valid exactly only if the NAS is accessed using this FQDN - otherwise modern browsers will issue warnings again.

The proposal of creating an own certificate authority from before has very limited value, can be deployed for a limited number of users only - for anybody else there is no trust to your private CA.

Again: This does not imply a non-working https server - complete nonsense.

Happy New Year anyway.

-Kurt.

Re: HTTPS client certificate authentication

Postby larsahlstrom » Tue Dec 31, 2013 9:55 pm

Well, perhaps it is my swenglish, or you, that wants to make a "war of honor" out of this. I don't know. I can read your cynicisms...

But let me try to make a reflection for you, so you better can understand what I talk about: WiFi keys....

Any type... AES, TKIP, anyone... what do you enter? Your own key, right? And what does that for open networks?
LOCK THEM FOR MY NEIGHBOURS.....

Well I can produce my own certificate!

"I, Lars Ahlstrom, the superadmin of this network, hereby grant YOU my dear trustee, to enter.
To anyone else I'd like to say: http://www.youtube.com/watch?v=ikssfUhAlgg

and then...? ;)

Happy Newyear to you too! :P

Re: HTTPS client certificate authentication

Postby schumaku » Tue Dec 31, 2013 10:26 pm

Yes, you can create your own certificate - but it will never be fully trusted (= all green) by any browser.

What we're talking here does barely compare to a PSK of a WLAN - much more of what could be done in good enterprise design. And there we have no browser maker in between qualifying the certificate based on the CA (read: CA makers having paid a lot of money so their root certificates are considered "trusted" in an OS and/or a browser).

Without much cynicism ... when adding your own or a third party trusted CA in current Android ... Android keeps nagging "A third party is capable of monitoring your network activity, including emails, apps and secure websites. A trusted credential installed on your device is making this possible." Granted - my private keys generated along with the CSR (certificate signature request) have never left my own systems - so how likely this information is correct is questionable, too. If it would be true - the same would apply to the "trusted" signature issuers.

Re: HTTPS client certificate authentication

Postby pakoistinen » Tue Jan 07, 2014 1:55 am

One could make the QNAP CA certificate trusted on his own clients. It takes a bit of fiddling though. Steps:
1.) copy the ca.crt from the qnap box via sftp (or other means) to the client devices. It should be located under /etc/openvpn/easy-rsa/keys/
2.) import that ca.crt into all of your own client devices. Place the certificate into the "trusted root authorities" or similar class. Sometimes you need to do a manual step where you set this certificate to be trusted. Each browser may need its own importing to be done because their certificate bundles may be individually managed.
3.) now the SSL/TLS on QNAP box should not yell at you anymore.

Except for the hostname - you should still get a nag about DNS hostname not matching with the DN in the SSL server certificate. I bet the hostname doesn't match with anyone currently. There is a fix for that one too. You can use the easy-rsa scripts on the QNAP box to create your own server certificate if you like to fiddle around a bit.
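
The hostname warning mentioned in the post above remains even once the CA is trusted, because the browser separately compares the name in the URL with the names in the server certificate. An added example, not part of the original thread, that shows which names a certificate covers; it assumes the `openssl` command line tool, and the FQDN nas.example.test, the address 192.0.2.10 and the function names are constructed.

```sh
#!/bin/sh
# Added illustration, not from the thread: which names a server certificate
# actually covers. The FQDN, the IP address and all paths are constructed.
set -eu
umask 077

# make_server_cert DIR FQDN: server certificate whose subjectAltName carries
# FQDN. It is self-signed only to keep the demo short; name matching works
# the same way for a certificate signed by a CA.
make_server_cert() {
    mkdir -p "$1"
    cat > "$1/server.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
CN = $2
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$1/server.cnf" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# cert_covers CERT NAME: true when NAME matches the certificate, i.e. when a
# browser would not raise the name-mismatch warning for https://NAME/.
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
make_server_cert "$TMP" nas.example.test
# The same NAS reached by FQDN, by short name and by IP address.
for name in nas.example.test nas 192.0.2.10; do
    if cert_covers "$TMP/server.crt" "$name"; then
        echo "$name: match"
    else
        echo "$name: MISMATCH (browser warns)"
    fi
done
```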

Re: HTTPS client certificate authentication

Postby larsahlstrom » Thu Jan 09, 2014 1:20 am

Thanks guys. I will try to fiddle a little.
But I wonder... even if I do not have a certificate, does the SSL work?
And is this communication then encrypted approximately as the banks or paypals are?
No way to easily put a tap on the TCP flow and see what's going on?

Re: HTTPS client certificate authentication

Postby schumaku » Thu Jan 09, 2014 1:31 am

larsahlstrom wrote: But I wonder... even if I do not have a certificate, does the SSL work?
Yes - within limitations (hostname does not match, never trusted, and definitively no "green" bar in the browser).

larsahlstrom wrote: And is this communication then encrypted approximately as the banks or paypals are?
Hm, kind of - but not really ... all default certificates share the same private key, so technically it's possible to decrypt your SSL stream.

larsahlstrom wrote: No way to easily put a tap on the TCP flow and see what's going on?
See above. Define "easily".

Again - you can always install your own certificate preferably signed by a trusted authority (by the browser and/or operating system makers as the operators of certificate authorities paid money to be trusted :geek:) - and then you have the same SSL security like Paypal, finance institutions, ...

But before you consider this, you need to figure out on how you want to access your NAS, i.e. under which name. AFAIK it's not possible to get these certificates for domains you don't own (i.e. [name].myqnapcloud.com, [name].dyndns.org, ...) - so you need a domain, a DNS service provider (permitting static or dynamic updates - depends on the Internet connection and ISP deal).

Re: HTTPS client certificate authentication

Postby larsahlstrom » Thu Jan 09, 2014 8:57 am

Thanks for the reply! Hm... I think I understand this better now.
Easily tapping a LAN wire? Well I use a sniffer... ;) Silly, eh? :D