Weekly Edition
Return to the Front page
| |||||||||||||
On keys, trust, and websAs kernel.org recovers from its compromise, there are a number of changes being made to improve security of this critical piece of kernel development infrastructure. One of the biggest changes is to remove shell access for the 450 or so developers and only allow Git pushes using SSH keys. But there is something of a chicken-and-egg problem: how do the kernel.org administrators reliably get the SSH credentials to each authorized kernel hacker, while ensuring that only that authorized user can get them? Enter GPG ... GNU Privacy Guard (GPG) is an implementation of the OpenPGP standard (RFC4880) that provides secure encrypted communication using public key cryptography. The standard is a descendant of Phil Zimmerman's original Pretty Good Privacy (PGP) program from the early 1990s—something that put him directly at odds with the US government for a time. GPG is typically used to protect email, by encrypting it so that only the recipient can decrypt it, or by signing it in such a way that recipients can verify the message sender. Public key cryptography (PKC) is used for most network encryption tasks, including SSH and SSL/TLS for secure web browsing (i.e. HTTPS). It requires that each user have two keys, one public and one private. The public key can (and generally should) be published widely and can be used to encrypt a message that only the holder of the corresponding private key can decrypt. The private key can be used by its owner to digitally "sign" messages (or other data) such that anyone can verify the signature by using the public key. These two modes can be combined so that an email can be sent that is only readable by its recipient who can also verify who wrote the message. One of the main differences between OpenPGP, SSH, and SSL/TLS is in how the public keys are managed—and authenticated. SSL/TLS relies on central certificate authorities to vouch for public keys (i.e. making the connection between a public key and a domain name)—a mechanism that has suffered from serious problems of late. SSH keys are typically handled directly by the user (or administrator), by placing the public key into the authorized_keys file on the host that is to be accessed. GPG key authentication is, instead, handled in a completely decentralized fashion using a "web of trust". The kernel.org administrators would like to be able to email credentials to and from kernel hackers securely using GPG keys. But a connection needs to be made between a given public key and a particular kernel hacker. Anyone can create a key pair claiming to belong to, say, Linus Torvalds that uses his email address; they could then present a public key that appears to be his. One could also use that key to sign Git tags, for example. How can someone distinguish Torvalds's legitimate key from any impostors? That's where the web of trust comes into play. The web is built by people signing each other's public keys. Signing a public key serves as an assertion that the signer believes that the mapping from key to user is valid (i.e. that the name and email specified in the key is correct). So, Torvalds and Andrew Morton could get together (at the upcoming Kernel Summit for example), sign each other's key, and add those keys to their key rings (essentially a list of known keys). At that point, Morton could easily detect that the impostor's key is bogus, but other kernel hackers would not necessarily be sure, especially if the impostor also crafted a bogus key for Morton and signed both fake keys with the other. The web of trust is what solves that particular problem. If Torvalds and Morton also sign a bunch (or even a handful) of other peoples' keys, those people can distinguish which of the keys are legitimate. If those people go on to sign additional keys, the web will grow. Anyone who can trace a path from one of their trusted keys (i.e. one that they signed), through one or more intermediates—each signed by the previous link in the chain—to the key in question, they can be reasonably assured that the key is owned by the name/email specified in it. A chain like that described above only provides reasonable assurance because it relies on each individual being diligent about verifying the identity of people (and their keys) before signing. It also relies on people ensuring that their private keys are not compromised. Finding multiple independent paths through the web of trust, all of which agree, would greatly increase the level of trust one can place in a key as well. Shorter paths and/or more trusted signatures can also increase the trust level. There are several levels of "trust" that one can have in a particular key. A key that you have signed is, presumably, one that you fully trust corresponds to the person that it purports to. That doesn't necessarily mean that you trust that person to be diligent about signing other keys. GPG allows trust levels to be associated with keys and has various configuration options to determine whether a given key is to be trusted for encryption purposes. By default, it requires that a key be signed by at least one person that is fully trusted or three people that are partially trusted before it will use that key. Some projects, notably distributions like Debian, Gentoo, Fedora, and others, already have well-established webs of trust. The keys are used for package signing and other purposes, so it is important for those projects to ensure that the keys are trusted. In fact, Henrique de Moraes Holschuh suggested that geographically isolated kernel developers might find it easier to track down a nearby Debian developer to get their key signed. Most Debian developers' keys are in the "strong set" of interconnected keys in the web of trust and keys signed by strong set members automatically join that set. In order to sign a particular public key, a user must access their private key, but, for verifying a signature, only the signer's public key is required. Basically, a cryptographic hash of the item to be signed is calculated and the hash value is what actually gets encrypted using the private key. Because of the way PKC works, the public key can be used to decrypt the hash value, which can then be compared to the hash value of the signed item. If the two match, then only the holder of the private key (which should correspond to the identity associated with the public key) could have generated the signature. Because protecting private keys is so important, many GPG users only store those keys in a single secure location (encrypted on a secure machine or USB stick, not on their laptop). That means that the private key may not be available when someone requests a key signature. The key can still be signed, however, by collecting the key "fingerprint" (a shorter hash value that represents the key) and verifying the person's identity, then doing the actual signing later. The key to be signed can be retrieved from a keyserver and the fingerprint verified. If they match, the key can be signed and sent back to the keyserver with the new signature applied. As part of the process for bringing kernel.org back, the administrators have put out some guidelines for generating keys and getting them signed. Several key signing parties are planned as well so that kernel hackers' keys can more quickly gather enough signatures to establish a reasonably sized web of trust. That way, the administrators can have confidence that they can send sensitive credential information to the right parties. That, in turn, will allow various kernel trees to return to the kernel.org infrastructure. While the compromise of kernel.org is embarrassing—and worrisome—there is something of a silver lining to the incident. It will result in much tighter security, not only for kernel.org, but likely for various other pieces of critical free software infrastructure as well. With luck, it will serve as a wakeup call to many different projects and organizations who may have gotten a bit lax with their security. GPG and its web of trust will be useful tools in those efforts. (Log in to post comments)
On keys, trust, and webs Posted Oct 6, 2011 1:04 UTC (Thu) by neilbrown (subscriber, #359) [Link]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I must say that I never really liked the "Web of trust" concept. Trust isn't transitive, and there is no uniform standard for trust. So when I see that there is some number of chains of "trust" between two keys I don't really know what that means. It might sound impressive but unless I understand it (and I don't - sorry) it is just security theater.
Linus recently observed that not very many people had signed his GPG key, but that wasn't really important. The important thing was that his key had signed all the recent linux releases. So that key must belong to the person who is leading kernel development. That the name of his driver's license happens to be Linus Torvalds is largely irrelevant.
Rather that key-signing-parties to establish as "web of trust" it make more sense to me for all kernel developers to start signing all emails (at least) with their GPG key. Not to prove that they wrote the email, but to increase confidence that they own that key. It is a history of behaviour rather than collection of key-signing parties that builds trust for me.
[I wonder if the message and the following signature will survive any transformations that lwn and your browser do...]
iD8DBQFOjP5fG5fc6gV+Wb0RAnqzAKCrJa8a7Co00fnJlwXReCpxKEiFygCgzvOe
On keys, trust, and webs Posted Oct 6, 2011 1:21 UTC (Thu) by jake (editor, #205) [Link]
> [I wonder if the message and the following signature will survive any
> transformations that lwn and your browser do...]
FWIW, Neil, I could verify the signature based on a key that I retrieved from pgp.mit.edu with the following fingerprint:
A539 96E0 95AE 2027 C2DB A965 1B97 DCEA 057E 59BD
but i don't trust that key (yet, anyway) :)
jake
On keys, trust, and webs Posted Oct 7, 2011 8:18 UTC (Fri) by neilbrown (subscriber, #359) [Link]
Are you really saying that you don't trust it, or that your gpg tool tells you that you don't trust it?
Because I suspect that in reality you do trust it, at least a little bit. And if I had had the forethought to sign my previous correspondence with you, you would probably trust it a lot more, despite what gpg tells you.
I've been trying to think of non-digital analogies and the idea of "Public Notices" comes fairly close. There are cases were placing a public notice and not getting a response in some reasonable time period means that you can proceed on the assumption that no-one else has an interest in the issue (handling deceased estate is one example I think).
So my original post is like a public notice. If it was faked, you can be pretty sure that the real neilbrown would have found a way to complain. He hasn't yet. Give it time, but if you don't hear anything in a couple of weeks, you can probably increase your trust level substantially.
[alright, I admit it - I just don't like parties and want to find a way to get my access to kernel.org back without having to go to a key-signing party :-) ]
On keys, trust, and webs Posted Oct 7, 2011 13:38 UTC (Fri) by jake (editor, #205) [Link]
> Are you really saying that you don't trust it, or that your gpg tool
> tells you that you don't trust it?
well, it was meant flippantly (thus the smiley), but, yes, what I meant was that GPG did not trust the key ...
I don't think keysigning parties are the only way to get signatures ... Jon and I verified fingerprints over the phone recently, for example. Sending me a signed email with info that only the entity I know as "Neil Brown" (who ever you are in real life :) would know would go a long way toward establishing the connection between that key and that entity ... enough that I might be willing to sign the key for example ...
jake
On keys, trust, and webs Posted Oct 10, 2011 0:33 UTC (Mon) by vonbrand (subscriber, #4458) [Link] <paranoid>Perhaps you have the real one kidnapped somewhere...</paranoid>
On keys, trust, and webs Posted Oct 6, 2011 1:22 UTC (Thu) by mjg59 (subscriber, #23239) [Link]
gpg: Good signature from "NeilBrown <neilb@suse.de>"
gpg: aka "NeilBrown <nfbrown@novell.com>" gpg: aka "Neil Brown <neilb@cse.unsw.edu.au>"
On keys, trust, and webs Posted Oct 6, 2011 14:39 UTC (Thu) by jcm (subscriber, #18262) [Link]
So of course keysigning parties are one of those excitingly nerdy "I like to stare at scrolling green text in dark rooms" things. You're right that the main thing that actually matters is that "Linus" is still "Linus". Whether or not it's actually Linus Torvalds with passport number X doesn't really matter if we've all been trusting that signed identity for years.
FWIW, I have always independently signed anything I put on kernel.org, even in the face of a number of hostile emails (not from kernel.org - we always have the best relations) over the years from folks suggesting I was doing it wrong. Now the egg is on their face. If you want to release something, sign it yourself. Don't let some resigning service do it for you :)
Jon.
On keys, trust, and webs Posted Oct 7, 2011 14:37 UTC (Fri) by Baylink (subscriber, #755) [Link]
Palm Pilot Sync Day in the employee cafeteria? :-)
On keys, trust, and webs Posted Oct 6, 2011 15:20 UTC (Thu) by jackb (subscriber, #41909) [Link]
FireGPG recognizes your comment as a signed message.
Too bad the plugin is unmaintained and broken so I can't actually use it any more.
On keys, trust, and webs Posted Oct 10, 2011 1:13 UTC (Mon) by ras (subscriber, #33059) [Link]
I stopped going to key signing parties years ago after coming to the same conclusion. We have two examples of PKI: X509 and the web of trust. Both are deeply flawed. The Web of Trust adds no security whatsoever, but seems to be harmless in that it doesn't undermine the security of the systems it is bolted onto. X509 in contrast does give us something we didn't have before - when it works it prevents man in the middle attacks. But it is brittle. A single weak link can and has broken the entire thing. And when it breaks, it compromises the security of every system on the planet using it.
Unfortunately we seem to be trapped by commercial incentives. X509 is brittle because CA's make money from selling trust. It is in their interest to keep you dependent on them. We would all be better off if we just used their cert to download a self-signed cert from the vendor, giving ourselves forward secrecy. If that had been in place before the Iran thing Google would have downloaded their own certs to most browsers, so the hacked cert would have only effected new connections. As it is, they got all of connections.
I think you are right is saying when it comes to establishing trust, creating an audit trail of signed postings is the best way to go. A couple of years worth of signed postings to LKML or debian devel creates a history far more reliable than someone on the other side of the planet claiming they had sighted drivers licence. It is also easily transferred to other projects.
Sadly that is undermined by Google and other email merchants who don't provide a way to send signed messages with their software. The cynic in me says Google would far prefer you to depend on their login and password management, their server security, and their "True Names" policy for establishing trust. It's far better from Google's perspective if we all put our faith in "I saw it in Linus's g+ posting" rather than "I saw it in a message signed by Linus".
We probably have only ourselves to blame. The current PKI are not only broken, they are unbelievably difficult to use. Who here has managed to produce a self signed cert with openssl, or has truly mastered gpg options? The mere thought of gpg's 76 line output for gpg --help makes me shudder. In the light of that mess it is not surprising commercial solutions are stepping in to fill the gap.
I don't think it is technically difficult to design a system that would work well. The problem seems to be one of social engineering; of agreeing on a standard and getting the code out there; not of designing it. A such it seems like a problem open source could solve.
On keys, trust, and webs Posted Oct 11, 2011 21:15 UTC (Tue) by jcm (subscriber, #18262) [Link]
In fairness, Google wasn't vulnerable (in Chrome) to the root cert. issues because they had added a cert hashing check and whitelists to their browser specifically to work around this kind of attack (something I love about them as the modern Xerox PARC, Sun, or Bell Labs of our time). It only worked if you were using Chrome, but they did think about it.
Subkeys Posted Oct 6, 2011 8:01 UTC (Thu) by liw (subscriber, #6379) [Link]
It may be useful to set up a subkey as well. http://wiki.debian.org/subkeys may be helpful.
Subkeys Posted Oct 6, 2011 17:15 UTC (Thu) by dd9jn (subscriber, #4459) [Link]
I second this suggestion. The primary key is only required to sign other keys, create new subkeys and to revoke a subkey or the entire key. It makes me a bit nervous when I notice that my key was signed within minutes after a signing party. Usually that means that the primary key is on some laptop and not too hard to spy out later at the social event. The funny thing is that those folks often use ridiculous long key seizes. Guess what ownertrust I will assign to such keys? Having an offline primary key is more work but after all it pays off if the working key gets compromised.
I use an old unconnected laptop for more than 10 years to keep my primary key reasonable safe.
On keys, trust, and webs Posted Oct 6, 2011 16:22 UTC (Thu) by iabervon (subscriber, #722) [Link]
For what it's worth, I actually know someone with a passport that says "Andrew Morton" who isn't a trusted kernel developer. He just happens to have the same, not too uncommon, name. The problem with checking government-issued ID is that the government doesn't identify any unique aspects suitable for recognizing them for development purposes.
On keys, trust, and webs Posted Oct 6, 2011 20:19 UTC (Thu) by droundy (subscriber, #4559) [Link]
The combination of name with email address, however, is usually unique. In cases of doubt, it's usually not hard to check that a person can receive an email sent to the address they claim. Of course, if this isn't actually done, then it does add a factor of doubt to key-signing parties. In many cases (where people already know each other online) it isn't hard to establish that the email address corresponds to the person.
On keys, trust, and webs Posted Oct 6, 2011 20:39 UTC (Thu) by liw (subscriber, #6379) [Link]
For verifying that a key and it's e-mail address belong together, the caff tool is useful: http://pgp-tools.alioth.debian.org/
On keys, trust, and webs Posted Oct 7, 2011 6:16 UTC (Fri) by ringerc (subscriber, #3071) [Link]
I've been a stickler for proper identity verification and secure repository access since I spent several years managing the Scribus CVS (later svn) repository.
Unfortunately, then and now most people view my insistence on using crypto and on proper key management as kind of weird, paranoid, and an unnecessary hassle. That's despite REPEATED high-profile breaches over the years, and plenty of evidence that smaller operators are hardly safe either.
I'll be pleased if the kernel.org folks can overcome this sort of attitude, but I don't rate their chances. People will be creating infinite-expiry GnuPG keys without revocation certs then failing to back them up. Others will forget to push updated keys at expiry time. Most people won't bother signing mail and won't bother to deal with signed mail they receive once they break their key - which they'll do sooner rather than later. One or more people will have to spend a LOT of time hand-holding with basic GnuPG key management, etc. Yes, even with kernel developers; if running a repo taught me one thing it was that programming skills do NOT necessarily translate to even basic abilities/interest when it comes to mail client config, crypto setup, backups, etc.
Too many people see all this stuff as annoying bureaucratic crap they want to go away so they can get back to coding. With that attitude, security will always be sloppy and a hassle.
Best-practice GUI Posted Oct 7, 2011 7:01 UTC (Fri) by Cato (subscriber, #7643) [Link]
Maybe someone could write a simple GUI that encodes best practices for key management with a number of wizards - the idea being that even expert developers are lacking in time and could do with some automated step by step help to do things properly. It could be as simple as a Python application using the Wx framework, wrapped around GPG, and would work on various platforms quite easily.
On keys, trust, and webs Posted Oct 7, 2011 11:52 UTC (Fri) by fuhchee (subscriber, #40059) [Link]
"That's despite REPEATED high-profile breaches over the years,"
Can you explain the beneficial linkage between having properly signed pgp keys, and the vulnerabilities resulting from someone rooting a developer/admin's laptop?
|
|||||||||||||