Adding TLS for communication between agents and managers (alternative to the 'secure message' protocol)


Demetri

Nov 30, 2018, 1:23:32 PM
to Wazuh mailing list
Hi,


Would the community be opposed to adding TLS for the communication between agents and managers? I'm unsure if there has been any discussion regarding this. I know TLS is used during the registration process.

Thanks.

David Vidriales

Dec 14, 2018, 9:46:24 AM
to Demetri, Wazuh mailing list

Hi Demetri,

Currently, the communication between agent and manager works the following way:

- For the registration process: as you said, TLS can be used to verify the agent. Once it's verified, both manager and agent share a key (client.keys) to exchange messages with a symmetric encryption method (AES or Blowfish).

- This key is permanent (in the client.keys file) and its access is restricted to root. Every agent is identified by its IP address (unless the agent is registered with ip=any).

If we used TLS for message exchanging:

- The manager would have a certificate (instead of the keys), and in every session a handshake would happen between agent and manager.

- This, and the fact that we would have to manage expiring certificates, could cause Wazuh some performance issues.

In summary, both methods are somewhat alike. The main difference is that we're keeping a permanent AES (or Blowfish) encryption key, whereas TLS would change it every session.

Anyway, this is a very good question, and we acknowledge the possible security issues in our current message exchange process. This will definitely be discussed in our team in the near future. We will let you know our decision once it has been discussed.

Best regards,

David Vidriales
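The trade-off David describes, a permanent per-agent key versus a key negotiated in every session, is easiest to see by recording the traffic and then asking what a later leak of the long-term key buys. The following is an added example, not Wazuh's code: it uses AES-256-GCM as a stand-in for the AES/Blowfish modes the protocol offers, an X25519 exchange as a stand-in for the TLS-style handshake, and stdlib-only HMAC-SHA256 in place of a real HKDF. The key name, salt, labels and sample event are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewPreSharedKey returns 32 random bytes standing in for the permanent
// per-agent secret kept in client.keys (constructed; Wazuh's real key format
// and cipher mode are not reproduced here).
func NewPreSharedKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := rand.Read(k)
	return k, err
}

// seal encrypts one message with AES-256-GCM and prefixes the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; ok is false when the key is wrong or the data was altered.
func open(key, msg []byte) ([]byte, bool) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, false
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, false
	}
	n := gcm.NonceSize()
	if len(msg) < n {
		return nil, false
	}
	pt, err := gcm.Open(nil, msg[:n], msg[n:], nil)
	if err != nil {
		return nil, false
	}
	return pt, true
}

// sessionKey turns an X25519 shared secret into a 32-byte AES key with an
// HKDF-style extract-and-expand built from HMAC-SHA256 (constructed labels).
func sessionKey(shared []byte) []byte {
	extract := hmac.New(sha256.New, []byte("constructed-salt"))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte("agent-manager session\x01"))
	return expand.Sum(nil)
}

// StaticKeySession models today's protocol: the event is encrypted directly
// under the permanent key, so a recording stays readable for as long as that
// key can ever be recovered from either host.
func StaticKeySession(psk, event []byte) ([]byte, error) {
	return seal(psk, event)
}

// EphemeralSession models the TLS-style alternative: agent and manager each
// generate a fresh X25519 key pair, exchange only the public halves, derive a
// session key and drop the private keys when the session ends. It returns what
// a passive recorder captures and whether both sides derived the same key.
// Authenticating the manager (the certificate David mentions) is left out, so
// on its own this exchange only resists a passive recorder, not an active one.
func EphemeralSession(event []byte) (captured []byte, keysMatch bool, err error) {
	curve := ecdh.X25519()
	agentPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	managerPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	// On the wire: only agentPriv.PublicKey().Bytes() and managerPriv.PublicKey().Bytes().
	agentShared, err := agentPriv.ECDH(managerPriv.PublicKey())
	if err != nil {
		return nil, false, err
	}
	managerShared, err := managerPriv.ECDH(agentPriv.PublicKey())
	if err != nil {
		return nil, false, err
	}
	agentKey, managerKey := sessionKey(agentShared), sessionKey(managerShared)
	keysMatch = hmac.Equal(agentKey, managerKey)
	captured, err = seal(agentKey, event)
	// Both private keys and both derived keys go out of scope here; nothing
	// stored on either host can reopen the capture later.
	return captured, keysMatch, err
}

// ReplayWithLeakedKey is the question an analyst asks after a client.keys
// compromise: can the recorded traffic be opened with the long-term key?
func ReplayWithLeakedKey(leakedKey, captured []byte) ([]byte, bool) {
	return open(leakedKey, captured)
}

func main() {
	event := []byte("constructed agent event: ossec: Agent started")
	psk, _ := NewPreSharedKey()
	static, _ := StaticKeySession(psk, event)
	eph, match, _ := EphemeralSession(event)
	_, okStatic := ReplayWithLeakedKey(psk, static)
	_, okEph := ReplayWithLeakedKey(psk, eph)
	fmt.Printf("session keys agree: %v\n", match)
	fmt.Printf("static-key recording opens with leaked key: %v\n", okStatic)
	fmt.Printf("ephemeral recording opens with leaked key: %v\n", okEph)
}
```

The point of the comparison is the one David makes in passing: with the permanent key, confidentiality of every past session rests on client.keys never leaking from the agent or the manager; with a per-session exchange, a later leak of the long-term secret does not open recordings. The cost he also names (a handshake per session and certificate lifecycle) is what buys that property.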



Barry Kaplan

Dec 14, 2018, 11:44:42 AM
to Wazuh mailing list
We are going to be setting up Consul Connect for our inter-service comms soon. It would be nice if we had the option to use that for manager-agent comms. Then Wazuh wouldn't have to do any work.

David Vidriales

Dec 17, 2018, 11:19:27 AM
to Barry Kaplan, Wazuh mailing list
Hi Barry,

We've been checking Consul Connect and we've found it really interesting. It's a positive point to be aware of when considering whether to develop TLS for communication between manager and agent. It could free Wazuh from substantial work, as you said.

Since implementing a TLS layer natively in the agent-manager communication would be a major change in the Wazuh code, I'm not sure whether this would be achievable in the near future, but it's definitely a tool to keep in mind for upcoming releases. As I said in the previous mail, we will be considering all of this soon (keeping this tool in mind) and I will keep you updated. Please feel free to ask any questions or give any suggestions.

Kind regards,

David


nOBEL jUNG

Jan 30, 2019, 2:29:00 AM
to Wazuh mailing list
Hi David,

Can we choose the message protocol among AES(256), Blowfish and TLS?
And in which cases would you select each of them?
I am confused about it because your manual says:
"The Wazuh message protocol uses a 192-bit Blowfish encryption with a full 16-round implementation, or AES encryption with 128 bits per block and 256-bit keys."

Many thanks,

N.J


Juan Carlos

Jan 30, 2019, 2:40:38 AM
to Wazuh mailing list
Hello N.J.,

Wazuh can use either Blowfish or AES encryption for communication between the agent and the manager.

AES is the default encryption; Blowfish is maintained for backward compatibility, as prior to version 3.5 it was the only option.

This can be selected in the agent's ossec.conf file; for more information you can see this page of the documentation:

AES is the default and is recommended. The Blowfish encryption method works perfectly well, but some people might not prefer it because, when used with a small block size or few rounds of encryption, it may be vulnerable; this is not the case in Wazuh.

Best Regards,
Juan Carlos Tello