Desktop Summit: Crypto consolidation [LWN.net]

By Jake Edge
August 10, 2011

While it is "boring stuff" at some level, consolidating the various desktop cryptography solutions has the potential to "pleasantly surprise our users and impress them", according to Stef Walter in his presentation at this year's Desktop Summit in Berlin. His talk, "Gluing Together Desktop Crypto" outlined his plan to use PKCS#11 as the "plumbing" that will serve as the foundation for desktop-wide and cross-desktop sharing of keys and certificates. Once the boring parts are taken care of, "we can do more interesting things", he said.

The basic problem that Walter is trying to solve is that many of our applications have their own ideas of where to store keys and certificates, which leads to duplication and, sometimes, user confusion. If two (or more) separate applications are accessing the same site and service (e.g. https), it would be much simpler if they were both using the same cryptographic information. Centralizing the storage of keys and certificates will make it easier for users to migrate that data to new systems as well.

The current crop of desktop encryption tools is good, and many of the tools are very stable, he said, but they need to be glued together to make them more usable. He is involved in both gnome-keyring and Seahorse development and noted that those applications already do some consolidation. For example, gnome-keyring stores both ssh and GPG keys, but it needs to be done "one level lower", he said. There needs to be a single store for keys and certificates, "so the user doesn't have to care about where they live". There is lots of diversity on the desktop, which "should be celebrated" but not pushed out to users, he said.

Fedora is currently porting applications to use Mozilla's Network Security Services (NSS), which has a certificate store, but he has an alternate proposal that will still work with Fedora's solution. He is proposing to use PKCS#11 (p11) as the standard for keys and certificates, because it has a number of different useful characteristics including integrating with hardware crypto devices and smart cards.

There are three steps that need to be taken to hide the complexity of crypto on the desktop from the user, he said. First you need to be able to store keys and certificates in such a way that all applications and crypto libraries can access the same ones. Second is that the framework needs to make consistent trust decisions. Today it is too often the case that one desktop application can connect to a particular service or system, but that others on the same box cannot—or they each may need to be configured separately. Lastly, there needs to be a way for applications to refer to keys and certificates in a consistent way, so that they (and users) can refer to them in standard ways.

Key storage is special, Walter said, so that a simple file or database cannot be used for that purpose. The idea is that some keys never leave the key store, instead the store signs those keys and returns that blob for use elsewhere. According to Walter, p11 makes for a good key store that can be used to glue together the different libraries that are used in various applications.

The p11 standard has "modules" that are something like drivers for different kinds of devices or storage facilities. It has a C API that is "old and baroque", but it does what is needed, he said. It is "not perfectly awesome, but what it has going for it is that it is supported in everything". Gnome-keyring and NSS already support it, while support in GLib, OpenSSL, and others is a work in progress.

When using p11 on the desktop, there are some coordination issues that need to be resolved for a single application that is using multiple libraries which all use the same p11 module. That's where p11-kit comes into play. It will coordinate the access to p11 modules as well as providing a consistent way for applications to determine which modules are installed and enabled on the system. It also handles some configuration duties, for example by telling applications and crypto libraries what key store they should be using.

Any application that is using p11 can use p11-kit because it can be used as a p11 proxy module. Due to the module mode, it can be used in various places without actually integrating it into the code. Walter specifically mentioned Java and Solaris as two possibilities there. It's BSD licensed and has no dependencies other than libc.

Trust decisions are another area that Walter would like to see addressed and he thinks that can be done using p11 as well. A trust decision is a positive or negative assertion about a particular object (e.g. key or certificate). It can also associate a level of trust in the object. The p11-glue freedesktop.org umbrella project, which is where this work is being done, has a proposed specification for storing these assertions.

Since the keys and other objects don't leave the key store, there needs to be a way to consistently refer to them so that they can be reused. There is an IETF RFC draft for p11 universal resource identifiers (URIs) that could be used. Those objects could then be referred to using the pkcs11: URI scheme.

None of the p11 support is "written in stone", Walter said. It is all still being designed and developed so he invited interested parties to get involved and help shape it. Once the code is written and gets into the distributions, users will have a much easier time dealing with crypto objects for multiple applications and desktops.

Several audience questions further explored the possibilities that this work would enable, including Mac OS X and Windows support and how to handle PIN queries for accessing smart cards. One area that is still needing a lot of attention is certificate revocation lists (CRLs). Revocations are essentially negative trust assertions that could be stored. Another possibility is to make a p11 module that exposes a directory of CRLs that can be used by applications. There is "no actual progress there", he said, but there are "solid plans". It is a topic that is under active IETF discussion as well, he said.

Making desktop crypto work reliably, and largely invisibly, across all of the applications on the free desktop would be an enormous boon for users. Having Firefox and Chromium (as well as other browsers) share certificates (and the level of trust the user has in them) would be quite nice, but it reaches out even further than that. Lots of other applications are rendering web content these days, so those could share the same information too. Multiple email clients could hook into the same keys, regardless of whether they were GPG keys or X.509 keys from some other email encryption scheme. Switching to a different desktop environment would no longer necessitate a repopulation of keys and certificates for various services. And so on. As Walter said, it certainly has the possibility of surprising and even impressing users who have likely been bitten by some of these problems in the past.

[ I would like to thank KDE e.V. and the GNOME Foundation for assistance with my travel to the Desktop Summit. ]

(Log in to post comments)

PKCS#11 and GnuPG

Posted Aug 11, 2011 8:38 UTC (Thu) by dd9jn (subscriber, #4459) [Link]

PKCS#11 allows the use of proprietary tokens. In fact that is the sole reason why this API has been established a long time ago. It is designed as glue code between between different proprietary applications. Instead of supporting PKCS#11 tokens, the FS community should demand the release of the token's specs to the public. For almost all tokens this is not the case; for some you can get the specs with a bit of trouble but most vendors try to lock users in to their products. This is the reason why GnuPG does not support PKCS#11 tokens but requires that the host side of the token is being implemented in GnuPG.

PKCS#11 is not a well defined standard. Granted, since a few years it has changed to the better but nevertheless it is, as stated in the article, a baroque thing and very low-level. Part of the reason that it is nowdays a bit better might be that one large OS vendor has turned away from PCKS#11 as primary method to access tokens.

NSS is very closely controlled by one vendor and worse it is a library which has been hacked together by the words of some standards without much thinking on whether it could be done better than stated in the standards. I was once involved in a project were we tried to renew Mozilla's S/MIME infrastructure to a modern profile so that it would have been useful for European administrations. The Mozilla Foundation refused our offer to do that and sticked for many more years to their barely unusable S/MIME stuff. Without the option to get our code into Mozilla we implemented it from scratch for GnuPG/Kmail/Mutt.

Gnome-keyring has been mentioned: It is less known that it hijacks the GnuPG interprocess communication (between gpgsm/gpg and gpg-agent) which has been the cause for many false bug reports and trouble. This badly reflects on the repudiation of GnuPG-2 because users notice only that gpg2/gpgsm do not work properly but can't see the real cause for it.

Now for some shameless self-advertising: For many years GnuPG provides nearly all the features the desktop crypto consolidation demands: X.509 key store and generation, OpenPGP stuff of course, ssh-agent with and without smartcards, re-use of keys for different protocols (in particular important for smartcards), clean separation of private and public keys (with 2.1-beta also for OpenPGP), a well tested and easily available smartcard with an open specification, passphrase cache (persistance is missing but easy to add), even an PKCS#11 interface to use GnuPG as a token, etc. This code is available for all kinds of platforms: Unix, Windows, WindowsCE, VMS. We have no marketing department, though.

PKCS#11 and GnuPG

Posted Aug 11, 2011 10:42 UTC (Thu) by HelloWorld (guest, #56129) [Link]

GnuPG may well be the solution to the problems described in the article, but why do you tell us instead of the article's author?

PKCS#11 and GnuPG

Posted Aug 11, 2011 15:34 UTC (Thu) by shpedoikal (subscriber, #33369) [Link]

Free or proprietary PKCS#11 implementations can be used without modifying an the application. I'd consider that supporting evidence that PKCS#11 is in fact well defined and I'd consider that a strength (WRT proprietary tokens) as opposed to a weakness.

PKCS#11 and GnuPG

Posted Aug 11, 2011 16:35 UTC (Thu) by dd9jn (subscriber, #4459) [Link]

Indeed some very basic operations are now working more or less flawless. But again, very basic standard operations only. If you want to do something more complicated which might even be asking for a special PIN or presenting more information it turns out to be a problem. Vendors then stretch the interpretation of PKCS#11 or fall back to the proprietary pkcs#11 extensions those who have been the cause for all the problems in the past.

PKCS#11 and GnuPG

Posted Aug 11, 2011 16:51 UTC (Thu) by stefw (subscriber, #75025) [Link]

I can understand your concerns.

As far as using the gnupg architecture instead of libraries like NSS... That's interesting to imagine, but that would be a massive undertaking (think army of developers, years of work).

There's really limited developer interest in the usability aspect of crypto, so we're working on gluing together libraries and stuff that already exists like NSS and GnuTLS. This means apps can work together with pretty minimal code and integration changes.

Part of the reason that I'm working on this is to make crypto more accessible and usable on the Desktop. I hope this will make it more interesting to get involved with. With the resulting interest and developer manpower, it's possible that a move to an architecture that's 'better' than PKCS#11 could take place.

As an aside, I think it'd be really cool to see someone work on a backend for Glib GIO TLS based around gnupg.

PKCS#11 and GnuPG

Posted Aug 11, 2011 17:13 UTC (Thu) by dd9jn (subscriber, #4459) [Link]

AFAIR, RedHat pushed for NSS because it has a FIPS certification and thus would make it easy to get RHEL FIPS certified. I don't know whether this is still the plan; I heard that they now plan to move all crypto into the Linux kernel to satisfy newer FIPS requirements.

Crypto usability is more important than discussions on whether SHA-1 or SHA-256 is appropriate. Actually everything should work without any user interactions. We are far away from such a goal.

For what do you really need PKCS#11? Shall we discuss this on a ML and see whether we can do something about it?

PKCS#11 and GnuPG

Posted Aug 11, 2011 19:06 UTC (Thu) by stefw (subscriber, #75025) [Link]

Yes, a great place to discuss it would be p11-glue@lists.freedesktop.org

http://lists.freedesktop.org/mailman/listinfo/p11-glue