Re: [gentoo-dev] 2004.1 will not include a secure portage. - gentoo-dev

From:	Paul de Vrieze <pauldv@g.o>
To:	gentoo-dev@l.g.o
Subject:	Re: [gentoo-dev] 2004.1 will not include a secure portage.
Date:	Thu, 25 Mar 2004 22:23:09
Message-Id:	`200403252323.00947.pauldv@gentoo.org`
In Reply to:	Re: [gentoo-dev] 2004.1 will not include a secure portage. by Chris Bainbridge

1

On Thursday 25 March 2004 15:27, Chris Bainbridge wrote:

2

> On Thursday 25 March 2004 12:14, Paul de Vrieze wrote:

3

> > What if the old ACL on the system is so old that the people signing the

4

> > new ACL were not in the old ACL. I don't think forward signing is a good

5

> > (or secure idea). The parent dir system would require all devs to be in

6

> > the /usr/portage ACL anyway so still complicating things.

7

>

8

> Yes, this system requires regular updates, as does any security system.

9

> Does every dev to be able to create/modify any package?

10

11

Currently yes (at least all dev's that have portage tree access, as some 

12

(mainly documentation developers) do not). If there were reasons we could 

13

discuss a system that would limit this ability, but this would need to be 

14

discussed first by the developers and then by the managers.

15

16

> > We want to be able to implement ebuild signing fast (mainly to combat

17

> > rsync mirror compromise). Changing procedures beyond what is absolutely

18

> > necessary (entering your passphrase) would be a big impediment to doing

19

> > so.

20

>

21

> There is no difference from a normal developers viewpoint between this and

22

> your signing proposal. For the vast majority of packages it is not

23

> necessary to have more than one trusted developer!

24

25

How do you think this affects continuity. Also keep in mind that their are 

26

only two relevant differences between gcc/glibc and <obscure package that has 

27

been deprecated because of lack of upstream movement>

28

- glibc is likely to be present on most if not all systems, while the obscure

29

  package is not

30

- Any tampering in glibc is probably noticed within minutes of it being added

31

  to the cvs (not even rsync) tree, while tampering to the obscure package

32

  might go unnoticed for an extremely long time (think months)

33

34

>

35

> > The problem is that a manifest changes for any change in ebuilds or

36

> > patches. That means that for adding a keyword to a package one needs to

37

> > resign the manifest.

38

>

39

> Yes, a new release requires resigning. How does this differ from your

40

> proposal?

41

42

In that I only require one signature.

43

44

>

45

> > > > ps. Based on one public key on a single trusted source (A CD), how

46

> > > > do you ensure that the whole tree is uncompromised.

47

> > >

48

> > > You can't. Its an old tree which has already been signed. Trust it, or

49

> > > update to a new tree.

50

> >

51

> > As it is possible to have an approach that does offer such security, this

52

> > solution is inferior.

53

>

54

> You have an old copy of a signed tree. Without updating it is impossible to

55

> ensure that a compromise has not been discovered since then. Your solution

56

> is the same in this respect.

57

58

My approach however will block when the list on the rsync mirror is not 

59

updated. In your idea however it is possible for an attacker to block the 

60

update of an ACL file when he/she has access to an rsync mirror.

61

62

> > Ok, how do you ensure that the ACL is updated? From what I understand it

63

> > would be easy to prevent the ACL from being updated just by generating

64

> > an invalid ACL.

65

>

66

> Thats the whole point. If the new ACL is invalid it won't be updated. If

67

> the new key is valid it will be updated.

68

69

No the case is as follows:

70

- The old ACL is invalid

71

- The invalidness of the old ACL has been discovered after it has been send to

72

  the user

73

- There is a new ACL on the master rsync server that removes the invalid keys

74

  from the ACL

75

- The attacker also has access to an rsync mirror

76

- Now the attacker can prevent the new ACL to be put in place by his access to

77

  the rsync mirror

78

79

Alternatively if the ACL has only one key it is actually imposible to create a 

80

new valid ACL as your system uses forward signing.

81

82

> Some criticisms of your proposal:

83

>

84

> You are making the assumption that rsync servers are unsecure, whilst the

85

> computers of all gentoo developers are implicitly trusted. This is a basic

86

> security flaw, and probably an invalid assumption. There are more gentoo

87

> developers than rsync servers. Rsync servers are less vulnerable  - they

88

> perform only one function, they don't read email, they don't browse the

89

> web. Why do you assume that rsync servers are more vulnerable, and that

90

> this problem needs to be addressed more urgently than the compromised

91

> developer problem?

92

93

Rsync mirrors do perform more functions. Also the rsync mirrors are public 

94

while developer computers are not necessarilly. Further developer keys should 

95

be passphrase protected. I do not disagree though that developers are a weak 

96

spot. I think however that it is very hard to protect against developer 

97

compromises while it is a lot easier to protect against rsync compromises. 

98

Say that the chances to a compromise of a developer key are equal to the 

99

compromise to an rsync mirror I would prefer to protect against explictly 

100

untrusted rsync mirrors (They are third-party provided, we have very little 

101

control)

102

103

> What do you do if the master key is compromised?

104

105

Whine, revoke it and post it to all kinds of security lists. That's why I try 

106

to keep it very secured with a scheme where it would be accessible only 

107

fractions of the year (5 * 12 = 1 hour per year max).

108

109

>

110

> Signing of daily keys by the master key will be automated. Once an attacker

111

> has compromised the gentoo server he can submit a rogue daily key to be

112

> signed. An attacker compromising this system could generate daily keys for

113

> every day in the next 100 years, thus totally compromising the system.

114

115

No, signing uses an intermediate key and signing this intermediate key (by the 

116

master on a usb key) will not be automated. This intermediate key has a 

117

lifespan of a month. This means that a compromised intermediate key would 

118

only allow a compromise of 1 month (half a month on average)

119

120

That's why I enhanced the system to N servers and N keys. This would mean that 

121

the attacker would need to compromise N computers.

122

123

To enhance my proposal we could also sign the developer list with the keys of 

124

various devrel people, and have any invalid key invalidate the list. (One 

125

must still check that there are N machine keys though)

126

127

> Points of weakness in my proposal:

128

>

129

> You have to trust that an initial fetch of the tree hasn't been

130

> compromised. Single packages can be altered by >n devs compromised

131

> New packages can be created by >n devs compromised

132

> n==1 is possible, a single point of compromise

133

> If you don't update the tree regularly you may find that the new ACL hasn't

134

> been signed by enough people on the old ACL, if the ACL has changed enough.

135

> Compromised keys are only removed when user updates

136

137

The biggest problem with your system is that it breaks when keys are 

138

compromised while they are still in ACL's. An unknown compromised key could 

139

be used to change the ACLs of packages. Once these bogus ACL's are in place 

140

on the user computers, there is no way to use forward signing to get new keys 

141

to the user in a secure way (They don't have valid ACL's anymore as they 

142

thought the bogus ones were valid). 

143

144

>

145

> Points of weakness in your proposal:

146

>

147

> You have to trust that an initial fetch of the tree hasn't been

148

> compromised. You have to trust that every developer hasn't been compromised

149

> Single point of global failure - if gentoo server is compromised, master

150

> key is compromised, and attacker can do anything to any gentoo system. If

151

> signing server goes down it affects everybody

152

> Compromised keys are only removed when user updates

153

154

I have to trust that the fetch or retrieval of the public master key has not 

155

been compromised. Further for integrity my system has to trust that no 

156

developer keys have unknowingly been compromised. However once they have been 

157

compromised I have a clear path to purge them from the system in a way that I 

158

can say: "these, these and these packages have been compromised, if you 

159

didn't touch those within day x and day y you are safe and you will be safe 

160

from now on as the key is now invalid" It also ensures that one can trust the 

161

new list as it will be again derivable from the master key (which is indeed 

162

the single point of failure)

163

164

> Points of resilience in my proposal:

165

>

166

> Compromise of n devs is unlikely

167

> Distributed failure - compromise only effects small bits of the portage

168

> tree Distributed system - failure of one server doesn't affect operation of

169

> the rest of the system

170

171

Unfortunately a small bit equals a total failure for anyone who happens to 

172

touch that package. As I showed earlier packages that will affect lesser 

173

people are also likely to be detected later, so that would balance out. My 

174

system completely stops rsync server insecurity and allows for fast and 

175

reliable revocation of developer keys. Your system does not allow reliable 

176

revocation but instead could lead to a puzz of unverifiable ACL's

177

178

> Points of resilience in your proposal:

179

>

180

> Master key can be held offline in a safe. But any signing key used day to

181

> day is vulnerable.

182

183

Indeed my signing keys are more vulnerable as the intermediate key security is 

184

based on host security. An easy solution is to have multiple servers. One 

185

could also go so far to have a time switch which would only connect those 

186

servers to the net at the time that the keys have been generated and 

187

transfered. I can indeed not protect against rogue developers or compromised 

188

developer keys (only multiple signatures can), but however I can quickly and 

189

reliably invalidate them at the moment their compromise has been detected.

190

191

> Implementation details of my proposal:

192

>

193

> Requires simple post-check of emerge sync changes

194

> Developers must sign manifests

195

> Requires one file to be created in each directory saying which devs have

196

> access to that dir, and how many are required to agree on changes

197

198

This ACL file is insecure and also forces a policy we don't necesarilly want. 

199

It mixes two issues, however even if there would only be a master ACL (which 

200

is very comparable) forward signing is a bad idea and my scheme is superior.

201

202

> Implementation details of your proposal:

203

>

204

> Requires simple post-check of emerge sync changes

205

> Developers must sign manifests

206

> Requires establishment of secure infrastructure for global key, daily key

207

> signing, and submission of updates to developer list to this infrastructure

208

209

Correct

210

211

> My proposal does try to fix two problems at once. If the basic assumption

212

> that rsync servers are less secure than developers can't be trusted, then

213

> there is no point in fixing the former and not the latter. When the two

214

> subjects are so closely linked what is wrong with trying to create a

215

> combined solution?

216

217

Your ACL update system is compromisable which shows how hard it is to design 

218

really secure protocols. The reason why I don't want to solve the double 

219

signing issue is that it requires many (security unrelated) procedure changes 

220

within gentoo and will take a long long time to implement.

221

222

> Regards,

223

> Chris

224

225

Regards,

226

Paul

227

228

ps. I do appreciate your feedback although I don't agree on your proposal

229

230

--

231

Paul de Vrieze

232

Gentoo Developer

233

Mail: pauldv@g.o

234

Homepage: http://www.devrieze.net

1	On Thursday 25 March 2004 15:27, Chris Bainbridge wrote:
2	> On Thursday 25 March 2004 12:14, Paul de Vrieze wrote:
3	> > What if the old ACL on the system is so old that the people signing the
4	> > new ACL were not in the old ACL. I don't think forward signing is a good
5	> > (or secure idea). The parent dir system would require all devs to be in
6	> > the /usr/portage ACL anyway so still complicating things.
7	>
8	> Yes, this system requires regular updates, as does any security system.
9	> Does every dev to be able to create/modify any package?
10
11	Currently yes (at least all dev's that have portage tree access, as some
12	(mainly documentation developers) do not). If there were reasons we could
13	discuss a system that would limit this ability, but this would need to be
14	discussed first by the developers and then by the managers.
15
16	> > We want to be able to implement ebuild signing fast (mainly to combat
17	> > rsync mirror compromise). Changing procedures beyond what is absolutely
18	> > necessary (entering your passphrase) would be a big impediment to doing
19	> > so.
20	>
21	> There is no difference from a normal developers viewpoint between this and
22	> your signing proposal. For the vast majority of packages it is not
23	> necessary to have more than one trusted developer!
24
25	How do you think this affects continuity. Also keep in mind that their are
26	only two relevant differences between gcc/glibc and <obscure package that has
27	been deprecated because of lack of upstream movement>
28	- glibc is likely to be present on most if not all systems, while the obscure
29	package is not
30	- Any tampering in glibc is probably noticed within minutes of it being added
31	to the cvs (not even rsync) tree, while tampering to the obscure package
32	might go unnoticed for an extremely long time (think months)
33
34	>
35	> > The problem is that a manifest changes for any change in ebuilds or
36	> > patches. That means that for adding a keyword to a package one needs to
37	> > resign the manifest.
38	>
39	> Yes, a new release requires resigning. How does this differ from your
40	> proposal?
41
42	In that I only require one signature.
43
44	>
45	> > > > ps. Based on one public key on a single trusted source (A CD), how
46	> > > > do you ensure that the whole tree is uncompromised.
47	> > >
48	> > > You can't. Its an old tree which has already been signed. Trust it, or
49	> > > update to a new tree.
50	> >
51	> > As it is possible to have an approach that does offer such security, this
52	> > solution is inferior.
53	>
54	> You have an old copy of a signed tree. Without updating it is impossible to
55	> ensure that a compromise has not been discovered since then. Your solution
56	> is the same in this respect.
57
58	My approach however will block when the list on the rsync mirror is not
59	updated. In your idea however it is possible for an attacker to block the
60	update of an ACL file when he/she has access to an rsync mirror.
61
62	> > Ok, how do you ensure that the ACL is updated? From what I understand it
63	> > would be easy to prevent the ACL from being updated just by generating
64	> > an invalid ACL.
65	>
66	> Thats the whole point. If the new ACL is invalid it won't be updated. If
67	> the new key is valid it will be updated.
68
69	No the case is as follows:
70	- The old ACL is invalid
71	- The invalidness of the old ACL has been discovered after it has been send to
72	the user
73	- There is a new ACL on the master rsync server that removes the invalid keys
74	from the ACL
75	- The attacker also has access to an rsync mirror
76	- Now the attacker can prevent the new ACL to be put in place by his access to
77	the rsync mirror
78
79	Alternatively if the ACL has only one key it is actually imposible to create a
80	new valid ACL as your system uses forward signing.
81
82	> Some criticisms of your proposal:
83	>
84	> You are making the assumption that rsync servers are unsecure, whilst the
85	> computers of all gentoo developers are implicitly trusted. This is a basic
86	> security flaw, and probably an invalid assumption. There are more gentoo
87	> developers than rsync servers. Rsync servers are less vulnerable - they
88	> perform only one function, they don't read email, they don't browse the
89	> web. Why do you assume that rsync servers are more vulnerable, and that
90	> this problem needs to be addressed more urgently than the compromised
91	> developer problem?
92
93	Rsync mirrors do perform more functions. Also the rsync mirrors are public
94	while developer computers are not necessarilly. Further developer keys should
95	be passphrase protected. I do not disagree though that developers are a weak
96	spot. I think however that it is very hard to protect against developer
97	compromises while it is a lot easier to protect against rsync compromises.
98	Say that the chances to a compromise of a developer key are equal to the
99	compromise to an rsync mirror I would prefer to protect against explictly
100	untrusted rsync mirrors (They are third-party provided, we have very little
101	control)
102
103	> What do you do if the master key is compromised?
104
105	Whine, revoke it and post it to all kinds of security lists. That's why I try
106	to keep it very secured with a scheme where it would be accessible only
107	fractions of the year (5 * 12 = 1 hour per year max).
108
109	>
110	> Signing of daily keys by the master key will be automated. Once an attacker
111	> has compromised the gentoo server he can submit a rogue daily key to be
112	> signed. An attacker compromising this system could generate daily keys for
113	> every day in the next 100 years, thus totally compromising the system.
114
115	No, signing uses an intermediate key and signing this intermediate key (by the
116	master on a usb key) will not be automated. This intermediate key has a
117	lifespan of a month. This means that a compromised intermediate key would
118	only allow a compromise of 1 month (half a month on average)
119
120	That's why I enhanced the system to N servers and N keys. This would mean that
121	the attacker would need to compromise N computers.
122
123	To enhance my proposal we could also sign the developer list with the keys of
124	various devrel people, and have any invalid key invalidate the list. (One
125	must still check that there are N machine keys though)
126
127	> Points of weakness in my proposal:
128	>
129	> You have to trust that an initial fetch of the tree hasn't been
130	> compromised. Single packages can be altered by >n devs compromised
131	> New packages can be created by >n devs compromised
132	> n==1 is possible, a single point of compromise
133	> If you don't update the tree regularly you may find that the new ACL hasn't
134	> been signed by enough people on the old ACL, if the ACL has changed enough.
135	> Compromised keys are only removed when user updates
136
137	The biggest problem with your system is that it breaks when keys are
138	compromised while they are still in ACL's. An unknown compromised key could
139	be used to change the ACLs of packages. Once these bogus ACL's are in place
140	on the user computers, there is no way to use forward signing to get new keys
141	to the user in a secure way (They don't have valid ACL's anymore as they
142	thought the bogus ones were valid).
143
144	>
145	> Points of weakness in your proposal:
146	>
147	> You have to trust that an initial fetch of the tree hasn't been
148	> compromised. You have to trust that every developer hasn't been compromised
149	> Single point of global failure - if gentoo server is compromised, master
150	> key is compromised, and attacker can do anything to any gentoo system. If
151	> signing server goes down it affects everybody
152	> Compromised keys are only removed when user updates
153
154	I have to trust that the fetch or retrieval of the public master key has not
155	been compromised. Further for integrity my system has to trust that no
156	developer keys have unknowingly been compromised. However once they have been
157	compromised I have a clear path to purge them from the system in a way that I
158	can say: "these, these and these packages have been compromised, if you
159	didn't touch those within day x and day y you are safe and you will be safe
160	from now on as the key is now invalid" It also ensures that one can trust the
161	new list as it will be again derivable from the master key (which is indeed
162	the single point of failure)
163
164	> Points of resilience in my proposal:
165	>
166	> Compromise of n devs is unlikely
167	> Distributed failure - compromise only effects small bits of the portage
168	> tree Distributed system - failure of one server doesn't affect operation of
169	> the rest of the system
170
171	Unfortunately a small bit equals a total failure for anyone who happens to
172	touch that package. As I showed earlier packages that will affect lesser
173	people are also likely to be detected later, so that would balance out. My
174	system completely stops rsync server insecurity and allows for fast and
175	reliable revocation of developer keys. Your system does not allow reliable
176	revocation but instead could lead to a puzz of unverifiable ACL's
177
178	> Points of resilience in your proposal:
179	>
180	> Master key can be held offline in a safe. But any signing key used day to
181	> day is vulnerable.
182
183	Indeed my signing keys are more vulnerable as the intermediate key security is
184	based on host security. An easy solution is to have multiple servers. One
185	could also go so far to have a time switch which would only connect those
186	servers to the net at the time that the keys have been generated and
187	transfered. I can indeed not protect against rogue developers or compromised
188	developer keys (only multiple signatures can), but however I can quickly and
189	reliably invalidate them at the moment their compromise has been detected.
190
191	> Implementation details of my proposal:
192	>
193	> Requires simple post-check of emerge sync changes
194	> Developers must sign manifests
195	> Requires one file to be created in each directory saying which devs have
196	> access to that dir, and how many are required to agree on changes
197
198	This ACL file is insecure and also forces a policy we don't necesarilly want.
199	It mixes two issues, however even if there would only be a master ACL (which
200	is very comparable) forward signing is a bad idea and my scheme is superior.
201
202	> Implementation details of your proposal:
203	>
204	> Requires simple post-check of emerge sync changes
205	> Developers must sign manifests
206	> Requires establishment of secure infrastructure for global key, daily key
207	> signing, and submission of updates to developer list to this infrastructure
208
209	Correct
210
211	> My proposal does try to fix two problems at once. If the basic assumption
212	> that rsync servers are less secure than developers can't be trusted, then
213	> there is no point in fixing the former and not the latter. When the two
214	> subjects are so closely linked what is wrong with trying to create a
215	> combined solution?
216
217	Your ACL update system is compromisable which shows how hard it is to design
218	really secure protocols. The reason why I don't want to solve the double
219	signing issue is that it requires many (security unrelated) procedure changes
220	within gentoo and will take a long long time to implement.
221
222	> Regards,
223	> Chris
224
225	Regards,
226	Paul
227
228	ps. I do appreciate your feedback although I don't agree on your proposal
229
230	--
231	Paul de Vrieze
232	Gentoo Developer
233	Mail: pauldv@g.o
234	Homepage: http://www.devrieze.net

Gentoo Archives: gentoo-dev