Gentoo Archives: gentoo-dev

From: Patrick Lauer <patrick@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Signing everything, for fun and for profit
Date: Fri, 19 May 2006 15:38:01
Message-Id: 1148052386.23382.40.camel@localhost
In Reply to: Re: [gentoo-dev] Signing everything, for fun and for profit by Chris Bainbridge
1 On Fri, 2006-05-19 at 15:13 +0100, Chris Bainbridge wrote:
2 > There are now several hundred gentoo developers. It is more likely
3 > that one of them has a security lapse than cvs.gentoo.org.
4 One is a "local" bug, the other one "global".
5 I'd prefer a system that is resilient against two devs going crazy -
6 right now the "right" persons could stage a manipulation that would be
7 hard to detect and where your (single central) signature fails quite
8 nicely.
9
10 > It is a single signature across the entire portage tree. It means that
11 > after rsync emerge can check the signature against the retrieved tree
12 > to validate the whole tree (or overlay).
13 It's very coarse - Yes / No
14 Doesn't tell you what failed how ... so I DoS it by inserting one bit on
15 any rsync mirror and it will "fail". You don't know what fails where ...
16
17 > Instead of guessing performance, test it. We can assume that disk
18 > activity is negligible - we have a dedicated server, and the portage
19 > tree is ~115MB, so most of it will be cached in main memory. In
20 > particular there is no disk seek latency. To simulate that we can
21 > gather everything into a single file (which also has the side effect
22 > of pulling into the cache) and then gpg sign that file:
23 >
24 > find /usr/portage -path '/usr/portage/metadata' -prune -o -path
25 > '/usr/portage/distfiles' -prune -o -path '/usr/portage/packages'
26 > -prune -o -type f -exec cat {} > /tmp/blah \;
27 > time gpg --detach-sign -a /tmp/blah
28 >
29 > I get 1.5 seconds on a desktop and 6.5 seconds on a laptop.
30 ok
31
32 > > > The benefits of this would be that changes are minimised - developers
33 > > > and users act the same, the impact on the tree is a 191 byte
34 > > > signature, and yet it will protect against the most likely and most
35 > > > practical form of attack.
36 > > So ... DoS scenario
37 > > I just add one byte to the tree and the signature fails ... what then?
38 >
39 > Emerge informs the user that the rsync server has been corrupted and
40 > terminates. How would this be any different with distributed file
41 > signing?
42 You can't upgrade and you don't know what fails where ...
43
44 > You have to rsync the entire tree, and then verify it - at
45 > that point the tree is already corrupt. Ideally overlayfs (or just
46 > plain old keeping a backup) could be used to restore the pre-sync
47 > tree.
48 Right, but ... what caused the error?
49
50 > It could be done in stages. Start with the (easier) central key, then
51 > later add distributed keys. I think a hybrid system would be the ideal
52 > system, but realistically, bug #5902 has been around since March 2003
53 > and no real progress has been made.
54 That bug appears quite unrelated to me ... how does FEATURES="userpriv"
55 relate to signing?
56
57 > The main sticking point seems to
58 > be disagreements over key management and policies. I would hope that
59 > most people could agree that a single key with a post-commit signing
60 > is better than what we have now,
61 debatable
62 > and could be easily implemented,
63 yes
64 > whilst leaving open the option of a hybrid system implementation at a
65 > later date.
66 yes
67
68 but that's not a cure. You'd have to sign _each file_ to get a
69 reasonable tampering detection, or at least per-directory. You add a
70 single point of failure and give attackers a high-profile target.
71
72 It's like security checks at the airport: It gives you the illusion of
73 security, it inconveniences everybody ... and it's easier for me to
74 smuggle a bomb aboard because noone thinks it's possible. (It's easy,
75 use a sidechannel attack on the baggage transports, they have bad
76 security ...)
77
78 Patrick
79 --
80 Stand still, and let the rest of the universe move

Attachments

File name MIME type
signature.asc application/pgp-signature

Replies

Subject Author
Re: [gentoo-dev] Signing everything, for fun and for profit Chris Bainbridge <chris.bainbridge@×××××.com>