MISP
/
MISP
mirror of https://github.com/MISP/MISP
2
2
Fork 0
Code Issues Releases Wiki Activity
Page: AuthenticationProject
Pages
3rd party modules AddNewAttributes AuthenticationProject Categories & Types changes CheckList CommitMessageBestPractices Contributing to MISP Project CortexIntegration Critical aspects or features DeploymentTools EnhancedSighting Frequently Asked Questions Hackathon Hardening Home Max and min value for first_seen last_seen NewAttributes Notes: MISP STIX2 Planned features and functionalities Presentations about MISP or mentioning MISP Project dependencies Proxy RedisAllocation ReleaseCheckList Rename default branches master to main STIX2.0 to STIX2.1 changes Sharing guidelines TaxonomiesResearch Use cases UserInterface
10 AuthenticationProject
Alexandre Dulaunoy edited this page 2016-11-21 22:33:39 +01:00
Table of Contents

Authentication Project in MISP

Adversaries can abuse the current distribution model in MISP, especially if a connected MISP instance is operated carelessly, or compromised and abused by malicious instances. Usually, MISP communities rely on trusted partners to provide, distribute and update events among the community.

The project objective is to provide a mechanism to authenticate organisations, ensuring the integrity of MISP events (partial or complete) from authenticated organizations.

The authentication of MISP organizations can also support other services like scoring and trust evaluation.

Challenges

  • MISP events can be filtered and updated by other MISP instances (e.g. regexp filtering).
  • MISP events evolve based on the feedback from other MISP organizations (e.g. proposals).
  • MISP organization are created autonomously and independently relying on a simple UUID assignment.
  • MISP communities often rely on their own infrastructure or/and processes for assigning trust.

(1) Validation and authentication services to ensure trust of organizations

A validation and authentication service should be provided by default in the standard MISP configuration to support new users a way to trust the information they received from other MISP instances or feeds.

The services should also be open source and allowing any private communities to build their own validation infrastructure. A MISP instance can connect to one or more services to validate and authenticate a MISP organization.

The existing PGP key infrastructure used by MISP users should be used. The MISP.host_org_id will be expanded to support an associated PGP key. The PGP key can be generated on request from MISP. The PGP uid will be the MISP.host_org_id UUID.

(2) Signature and authentication of MISP events

A method should be included to support the signing of MISP events and especially the attributes to ensure a minimal integrity published by validated and authenticated MISP organizations as performed in (1).

The signature can be enabled at MISP instance level and is limited, as a first step, to the MISP.host_org_id.

Signature of attributes

Each attribute is PGP signed by the orgc. The signature (PGP detached signature format) is encoded next to each attributes with a specific key. The signature is based on the concatenation of "type", "category","to_ids", "uuid", "timestamp","comment","deleted" and "value".

The key used is "sig".

Signature of event-level attribute

The event-level attribute is PGP signed by the orgc. The signature (PGP detached signature format) is encoded next to the event-level attribute. The signature is based on the concatenation of the "date", "threat_level_id","info","uuid","analysis" and "timestamp".

The key used is "sig".

Signature of the event

The global signature of the event is the sorted concatenation of all sig at attributes levels with the event-level attribute signature. The signature (PGP detached signature format) is at event-level attribute.

The key used is "global_sig".

Notes

  • The distribution is not signed as this is updated following the distribution rule. Maybe signing the organisation only or the distribution all would make sense.

MISP-core implementation

  1. MISP gets user request to validate
  2. MISP sends event to python simple-zmq service
  3. Python service gets event and fetches creator org key from external service
  4. Python service validates full package, event metadata, attributes
  5. Python service (a.) pushes results back via API / (b.) puts the results in ZMQ
  6. (if b.) polls ZMQ for results 6.ii updates events from ZMQ when they are found in the queue