1 |
On Thursday 25 March 2004 15:27, Chris Bainbridge wrote: |
2 |
> On Thursday 25 March 2004 12:14, Paul de Vrieze wrote: |
3 |
> > What if the old ACL on the system is so old that the people signing the |
4 |
> > new ACL were not in the old ACL. I don't think forward signing is a good |
5 |
> > (or secure idea). The parent dir system would require all devs to be in |
6 |
> > the /usr/portage ACL anyway so still complicating things. |
7 |
> |
8 |
> Yes, this system requires regular updates, as does any security system. |
9 |
> Does every dev to be able to create/modify any package? |
10 |
|
11 |
Currently yes (at least all dev's that have portage tree access, as some |
12 |
(mainly documentation developers) do not). If there were reasons we could |
13 |
discuss a system that would limit this ability, but this would need to be |
14 |
discussed first by the developers and then by the managers. |
15 |
|
16 |
> > We want to be able to implement ebuild signing fast (mainly to combat |
17 |
> > rsync mirror compromise). Changing procedures beyond what is absolutely |
18 |
> > necessary (entering your passphrase) would be a big impediment to doing |
19 |
> > so. |
20 |
> |
21 |
> There is no difference from a normal developers viewpoint between this and |
22 |
> your signing proposal. For the vast majority of packages it is not |
23 |
> necessary to have more than one trusted developer! |
24 |
|
25 |
How do you think this affects continuity. Also keep in mind that their are |
26 |
only two relevant differences between gcc/glibc and <obscure package that has |
27 |
been deprecated because of lack of upstream movement> |
28 |
- glibc is likely to be present on most if not all systems, while the obscure |
29 |
package is not |
30 |
- Any tampering in glibc is probably noticed within minutes of it being added |
31 |
to the cvs (not even rsync) tree, while tampering to the obscure package |
32 |
might go unnoticed for an extremely long time (think months) |
33 |
|
34 |
> |
35 |
> > The problem is that a manifest changes for any change in ebuilds or |
36 |
> > patches. That means that for adding a keyword to a package one needs to |
37 |
> > resign the manifest. |
38 |
> |
39 |
> Yes, a new release requires resigning. How does this differ from your |
40 |
> proposal? |
41 |
|
42 |
In that I only require one signature. |
43 |
|
44 |
> |
45 |
> > > > ps. Based on one public key on a single trusted source (A CD), how |
46 |
> > > > do you ensure that the whole tree is uncompromised. |
47 |
> > > |
48 |
> > > You can't. Its an old tree which has already been signed. Trust it, or |
49 |
> > > update to a new tree. |
50 |
> > |
51 |
> > As it is possible to have an approach that does offer such security, this |
52 |
> > solution is inferior. |
53 |
> |
54 |
> You have an old copy of a signed tree. Without updating it is impossible to |
55 |
> ensure that a compromise has not been discovered since then. Your solution |
56 |
> is the same in this respect. |
57 |
|
58 |
My approach however will block when the list on the rsync mirror is not |
59 |
updated. In your idea however it is possible for an attacker to block the |
60 |
update of an ACL file when he/she has access to an rsync mirror. |
61 |
|
62 |
> > Ok, how do you ensure that the ACL is updated? From what I understand it |
63 |
> > would be easy to prevent the ACL from being updated just by generating |
64 |
> > an invalid ACL. |
65 |
> |
66 |
> Thats the whole point. If the new ACL is invalid it won't be updated. If |
67 |
> the new key is valid it will be updated. |
68 |
|
69 |
No the case is as follows: |
70 |
- The old ACL is invalid |
71 |
- The invalidness of the old ACL has been discovered after it has been send to |
72 |
the user |
73 |
- There is a new ACL on the master rsync server that removes the invalid keys |
74 |
from the ACL |
75 |
- The attacker also has access to an rsync mirror |
76 |
- Now the attacker can prevent the new ACL to be put in place by his access to |
77 |
the rsync mirror |
78 |
|
79 |
Alternatively if the ACL has only one key it is actually imposible to create a |
80 |
new valid ACL as your system uses forward signing. |
81 |
|
82 |
> Some criticisms of your proposal: |
83 |
> |
84 |
> You are making the assumption that rsync servers are unsecure, whilst the |
85 |
> computers of all gentoo developers are implicitly trusted. This is a basic |
86 |
> security flaw, and probably an invalid assumption. There are more gentoo |
87 |
> developers than rsync servers. Rsync servers are less vulnerable - they |
88 |
> perform only one function, they don't read email, they don't browse the |
89 |
> web. Why do you assume that rsync servers are more vulnerable, and that |
90 |
> this problem needs to be addressed more urgently than the compromised |
91 |
> developer problem? |
92 |
|
93 |
Rsync mirrors do perform more functions. Also the rsync mirrors are public |
94 |
while developer computers are not necessarilly. Further developer keys should |
95 |
be passphrase protected. I do not disagree though that developers are a weak |
96 |
spot. I think however that it is very hard to protect against developer |
97 |
compromises while it is a lot easier to protect against rsync compromises. |
98 |
Say that the chances to a compromise of a developer key are equal to the |
99 |
compromise to an rsync mirror I would prefer to protect against explictly |
100 |
untrusted rsync mirrors (They are third-party provided, we have very little |
101 |
control) |
102 |
|
103 |
> What do you do if the master key is compromised? |
104 |
|
105 |
Whine, revoke it and post it to all kinds of security lists. That's why I try |
106 |
to keep it very secured with a scheme where it would be accessible only |
107 |
fractions of the year (5 * 12 = 1 hour per year max). |
108 |
|
109 |
> |
110 |
> Signing of daily keys by the master key will be automated. Once an attacker |
111 |
> has compromised the gentoo server he can submit a rogue daily key to be |
112 |
> signed. An attacker compromising this system could generate daily keys for |
113 |
> every day in the next 100 years, thus totally compromising the system. |
114 |
|
115 |
No, signing uses an intermediate key and signing this intermediate key (by the |
116 |
master on a usb key) will not be automated. This intermediate key has a |
117 |
lifespan of a month. This means that a compromised intermediate key would |
118 |
only allow a compromise of 1 month (half a month on average) |
119 |
|
120 |
That's why I enhanced the system to N servers and N keys. This would mean that |
121 |
the attacker would need to compromise N computers. |
122 |
|
123 |
To enhance my proposal we could also sign the developer list with the keys of |
124 |
various devrel people, and have any invalid key invalidate the list. (One |
125 |
must still check that there are N machine keys though) |
126 |
|
127 |
> Points of weakness in my proposal: |
128 |
> |
129 |
> You have to trust that an initial fetch of the tree hasn't been |
130 |
> compromised. Single packages can be altered by >n devs compromised |
131 |
> New packages can be created by >n devs compromised |
132 |
> n==1 is possible, a single point of compromise |
133 |
> If you don't update the tree regularly you may find that the new ACL hasn't |
134 |
> been signed by enough people on the old ACL, if the ACL has changed enough. |
135 |
> Compromised keys are only removed when user updates |
136 |
|
137 |
The biggest problem with your system is that it breaks when keys are |
138 |
compromised while they are still in ACL's. An unknown compromised key could |
139 |
be used to change the ACLs of packages. Once these bogus ACL's are in place |
140 |
on the user computers, there is no way to use forward signing to get new keys |
141 |
to the user in a secure way (They don't have valid ACL's anymore as they |
142 |
thought the bogus ones were valid). |
143 |
|
144 |
> |
145 |
> Points of weakness in your proposal: |
146 |
> |
147 |
> You have to trust that an initial fetch of the tree hasn't been |
148 |
> compromised. You have to trust that every developer hasn't been compromised |
149 |
> Single point of global failure - if gentoo server is compromised, master |
150 |
> key is compromised, and attacker can do anything to any gentoo system. If |
151 |
> signing server goes down it affects everybody |
152 |
> Compromised keys are only removed when user updates |
153 |
|
154 |
I have to trust that the fetch or retrieval of the public master key has not |
155 |
been compromised. Further for integrity my system has to trust that no |
156 |
developer keys have unknowingly been compromised. However once they have been |
157 |
compromised I have a clear path to purge them from the system in a way that I |
158 |
can say: "these, these and these packages have been compromised, if you |
159 |
didn't touch those within day x and day y you are safe and you will be safe |
160 |
from now on as the key is now invalid" It also ensures that one can trust the |
161 |
new list as it will be again derivable from the master key (which is indeed |
162 |
the single point of failure) |
163 |
|
164 |
> Points of resilience in my proposal: |
165 |
> |
166 |
> Compromise of n devs is unlikely |
167 |
> Distributed failure - compromise only effects small bits of the portage |
168 |
> tree Distributed system - failure of one server doesn't affect operation of |
169 |
> the rest of the system |
170 |
|
171 |
Unfortunately a small bit equals a total failure for anyone who happens to |
172 |
touch that package. As I showed earlier packages that will affect lesser |
173 |
people are also likely to be detected later, so that would balance out. My |
174 |
system completely stops rsync server insecurity and allows for fast and |
175 |
reliable revocation of developer keys. Your system does not allow reliable |
176 |
revocation but instead could lead to a puzz of unverifiable ACL's |
177 |
|
178 |
> Points of resilience in your proposal: |
179 |
> |
180 |
> Master key can be held offline in a safe. But any signing key used day to |
181 |
> day is vulnerable. |
182 |
|
183 |
Indeed my signing keys are more vulnerable as the intermediate key security is |
184 |
based on host security. An easy solution is to have multiple servers. One |
185 |
could also go so far to have a time switch which would only connect those |
186 |
servers to the net at the time that the keys have been generated and |
187 |
transfered. I can indeed not protect against rogue developers or compromised |
188 |
developer keys (only multiple signatures can), but however I can quickly and |
189 |
reliably invalidate them at the moment their compromise has been detected. |
190 |
|
191 |
> Implementation details of my proposal: |
192 |
> |
193 |
> Requires simple post-check of emerge sync changes |
194 |
> Developers must sign manifests |
195 |
> Requires one file to be created in each directory saying which devs have |
196 |
> access to that dir, and how many are required to agree on changes |
197 |
|
198 |
This ACL file is insecure and also forces a policy we don't necesarilly want. |
199 |
It mixes two issues, however even if there would only be a master ACL (which |
200 |
is very comparable) forward signing is a bad idea and my scheme is superior. |
201 |
|
202 |
> Implementation details of your proposal: |
203 |
> |
204 |
> Requires simple post-check of emerge sync changes |
205 |
> Developers must sign manifests |
206 |
> Requires establishment of secure infrastructure for global key, daily key |
207 |
> signing, and submission of updates to developer list to this infrastructure |
208 |
|
209 |
Correct |
210 |
|
211 |
> My proposal does try to fix two problems at once. If the basic assumption |
212 |
> that rsync servers are less secure than developers can't be trusted, then |
213 |
> there is no point in fixing the former and not the latter. When the two |
214 |
> subjects are so closely linked what is wrong with trying to create a |
215 |
> combined solution? |
216 |
|
217 |
Your ACL update system is compromisable which shows how hard it is to design |
218 |
really secure protocols. The reason why I don't want to solve the double |
219 |
signing issue is that it requires many (security unrelated) procedure changes |
220 |
within gentoo and will take a long long time to implement. |
221 |
|
222 |
> Regards, |
223 |
> Chris |
224 |
|
225 |
Regards, |
226 |
Paul |
227 |
|
228 |
ps. I do appreciate your feedback although I don't agree on your proposal |
229 |
|
230 |
-- |
231 |
Paul de Vrieze |
232 |
Gentoo Developer |
233 |
Mail: pauldv@g.o |
234 |
Homepage: http://www.devrieze.net |