-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revoked Subkeys: Attacks and Mitigations? #544
Comments
I had a quick chat with @oconnor663 Friday evening, and we’re trying to figure out why we shouldn't store the PGP keys themselves in the sigchain. The main argument against was to keep the sigchain small, but clients are going to need the full keys anyway to validate chain links. Any thoughts? |
Just to clarify what Sidney said, I think @maxtaco was concerned about users uploading kajillion megabyte PGP keys and getting those stuck in the sigchain. But even without embedding the keys, users are still going to have to pay the performance penalty of fetching those keys. I think we might want a limit on the size of PGP keys either way, in which case there might not be downsides to just embedding PGP keys directly in the sigchain. (In fact right now, users have to fetch large key bundles every time they hit |
Is there a disadvantage to storing just the hash? It seems like good On Monday, July 27, 2015, oconnor663 notifications@github.com wrote:
|
I can concoct some cases in which I don't want to download the pgp keys but On Monday, July 27, 2015, Maxwell Krohn themax@gmail.com wrote:
|
Think about mobile etc. we will regret forcing 2Mb downloads. I also Offline for a few hours On Monday, July 27, 2015, Maxwell Krohn themax@gmail.com wrote:
|
I assumed that clients need all of the keys to verify the chain. Is that wrong? Either way, I'll proceed with embedding hashes. |
I can concoct a few scenarios in which not. One for sure is the case of On Monday, July 27, 2015, Sidney San Martín notifications@github.com
|
That makes a lot of sense to me. Hadn't thought about e.g. third party mirrors. |
I think keybase/keybase-issues#1770 just exposed the current plan as inadequate.
I'm thinking that, when verifying a
I haven't come up with a solution for issue two that doesn't give the server dangerous power. Example: let's say that the version of my key specified by my sigchain expires in a week. One night, in a drunken stupor, I re-sign it to never expire and upload it to a keyserver. The next morning, refreshed, I re-re-sign it to expire in a week once again. (If the Keybase server is allowed to append to the key, it could maliciously serve the never-expiring version and suppress the second update.) Thoughts? Did I miss any more problems with the current strategy? |
As for (1), we can chose to ignore the expiration for this case. That feels like the right answer. Maybe Jack is right, maybe we should just be ignoring expiration times. I'm really coming around. For (2), I'd say we ignore revocations too. We're designing our own system to handle both, maybe it's time to start abandoning the PGP system. I think on upload, we should leave the key unmolested but just start ignoring things we don't like, as above. |
Agreed with Max on (1). Ignoring expiration times entirely for this type of link would be the easiest thing. (Well, the easiest easiest thing would be ignoring expiration times for every link.) We could also specify that PGPUpdate links should be verified with the post-update key, if the signing KID is the same as the KID being updated. If we really cared about key expiration I would suggest the latter, but it sounds like we don't. For (2), I think we have to tell people that their expectations are wrong, and that Keybase does not interact with public key servers. I'm not sure what you guys mean by ignoring revocations. Do you mean getting rid of the |
For (1), I agree if ignoring expiration times is simple. Otherwise, we already have code to merge versions of a PGP key so it would be easy to merge the existing and new version of a key when validating a @oconnor663, to clarify on (2): I think we're on the same page. From the point of view of someone who's used to PGP, we should pick up updates from keyservers. But, since that would let a malicious Keybase pick up updates selectively, we shouldn't do it. By "ignoring revocations", I think Max just means stripping revocations from the new PGP key when using it to check the signature. |
(2nd time typing this up, the last time I unplugged my computer with my foot just before hitting submit)
@oconnor663 and @Sidnicious spent a few fun-packed hours talking about PGP subkey attacks and our sloppy-merge strategy in #531.
It turns out there is an attack here:
There's really no combination of server/client hacks to ameliorate this problem. It's why we built the keybase sigchain the way we did. For now, let's go with the approach in #531, but in the future, we need to implement a better solution, which is:
When pushing new and updated PGP keys, the client should sign a sigchain statement with both the KID of the PGP key and also a SHA256 hash computed over the whole PGP key body, including all of the framing and header comments (no reason not to!). This hash should land in the sigchain, and the server is obligated to store and display the full PGP key that is the preimage. Clients should use this exact full PGP key for all links after this link that use this KID. For all (legacy) links that come previously, clients fallback to the sloppy-merge PGP key that they're currently using.
Here are the components needed for this fix:
full_pgp_hash
to applicableeldest
,dualkey
andsibkey
chainlinks (Support for full-body PGP key signing proofs#23)pgp_update
, for just updating a PGP key (New chain link type for PGP key updates proofs#24)pgp_update
links to the server on key upload (keybase/keybase#264)full_pgp_hash
hash link foreldest
,dualkey
andsibkey
signatures (Sign full PGP body hashes into PGP-related sigchain links #546).pgp_update
chain link on pgp update (Upload a pgp_update chain link on PGP update. #547)full_pgp_hash
as necessary, on delegation or update (Sign full PGP body hashes into PGP-related sigchain links node-client#205)The text was updated successfully, but these errors were encountered: