-
Notifications
You must be signed in to change notification settings - Fork 512
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Sign previous timestamp hash into current timestamp #458
Comments
(I haven’t done a deep or formal analysis, I may be missing something.) |
@mtrmac, a few quick notes: Our main objective is to have a non-malicious client be able to have the exact same view of the history of another non-malicious client. If we assume, for now, that the timestamp key hasn't been compromised, then this timestamp chain achieves that. In particular, if we think of the situation where TUF data is being served via a malicious mirror, or HTTP mirror, or even the HTTPS connection to notary-server being MiTMed by an attacker, the timestamp key wouldn't have been compromised, and we're thus providing guarantees around the validity of the history (guarantees which we currently do not provide). Additionally, I would also argue that we can have protections against timestamp key compromise. The definition of a secure log is in essence: "entries generated prior to the logging machine's compromise are impossible to undetectably modify or destroy". If we make the notary-clients always verify timestamps chains to the last known version on disk, this hash chain will provide that guarantee. Now, obviously an attacker can continue moving the version numbers forward, and sign arbitrary new timestamps. However, as soon as the legitimate owner of the root key rotates the timestamp key, and republishes the repository, we're back in a known-good state, and all of the histories of all non-malicious clients will eventually converge to the exact same chain. Obviously there is a pretty big change here: having clients download all the timestamps between the one on disk and the latest one being served, but if we wanted to do it, we could. |
On the rewriting history aspect, I should have been more verbose. It protects against an old (timestamp) key that has been rotated out being used to rewrite parts of history for which that key was originally used. Currently, history is not protected from old keys that have been compromised and rotated out. Audits often need to take years of data into account (6 years max for an IRS audit) which means brute force key compromise may become a viable attack if the goal is to tamper with history, particularly as the signing algorithm being used a few years ago may be vulnerable to newly discovered attacks. We considered the snapshot chain you mentioned, but determined that ultimately a snapshot does not represent a published version of a TUF repo, only a timestamp does that. As such, to list all versions, listing snapshots is insufficient because we would need back links to the timestamps to confirm a given snapshot was actually published, and adding those back links in a trusted way would require something additional to or outside of TUF. Additionally, as of docker 1.10 and notary 0.2 we will also be supporting online snapshotting so users may choose to trust notary server for that too (it can be enabled by performing a key rotation with a new flag that indicates which roles should be signed by the server, currently only the snapshot is supported). This is so that users can easily make use of the delegation features of TUF without having to share the snapshot key with an arbitrary group of collaborators, or come online to manually snapshot their repo when collaborators push updates. |
(Agreed re: protection against mirrors and the like. Again, timestamping the timestamp service seems a bit ridiculous to worry about.) (On mitigating timestamp key compromise:)
No, that allows undetectable modification and destruction of entries prior to compromise (between the previous clients' download and the moment of compromise). For a popular repo with many thousands of clients the “total sum of state of all clients” will probably be able to detect when the compromise happened, but an individual user or an auditor trying to retrospectively figure out the state wouldn’t.
(BTW it is not obvious that this is always possible. The attacker can keep publishing new timestamps with increasing version numbers to keep the legitimate authors’ timestamps pointing to |
… assuming that the key has been rotated. Certainly useful, at least as long as it doesn’t introduce user-visible UI complexity.
Can we have both easily enough? That would prevent the timestamp server from pretending an update never happened, and the author from retroactively adding a never-published version. |
Submitting this on behalf of @cyli and the rest of the notary team to get it written down.
We should sign the previous timestamp into the current timestamp as an entry in the
meta
map. This provides 2 properties:cc @mtrmac - we would greatly appreciate your input and thoughts on this, particularly item 2.
The text was updated successfully, but these errors were encountered: