New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Blind Key Rotation not properly supported #9658
Comments
Based on whenever this gets fixed in Mastodon we intend to roll it out in Pleroma after a few development cycles. Right now this issue is blocking our efforts to improve future deniability by rotating keys. |
A couple things:
|
Signed updates are good for regular rotations but blind updates are better for deniability, one of the key things to remember in a deniability situation is that you don't want a cryptographic relationship between the keys. As for refreshing keys I guess an improvement would be to tighten the TTL. |
We should definitely reduce the TTL (or remove it altogether, we may not need to do the expensive round-trip related to full account update if it's only to fetch the key). I wouldn't advocate changing keys after each On a related note, we only use LDS to forward replies and Delete activities, other implementations may use them for other things, but I can't see any convincing use case. We do sign way more stuff than needed for that purpose (we basically sign everything). I think we should only LDS-sign EDIT: There is another thing that may need changing. Indeed, Mastodon currently assumes that if an account's key change, it's because it's lost its data, and it proceeds to re-follow them. |
Nevermind, there is a use for LDS for pretty much all public activities: relays. |
@kaniini I fail to see how signing the Sending such an EDIT: Sending an |
@ThibG actually it is a serious problem because it creates a cryptographic relationship between the two keys. a forensic analyst will have a lot of fun with that. Also relays do NOT need LDS, if you relay metadata about the posts instead, as the Pleroma implementation does (edit: which works just fine with Mastodon). |
This would be a significant improvement but rotating keys at some point after a |
Regarding determining if an instance lost data or not, we could probably signal somehow in the actor object that it isn't brand new. I'm not sure what the semantics would be, but it seems possible to me. |
Relays don't need LDS, but not using LDS means every participant will have to fetch each relayed object to validate it, doesn't it? That would be highly inefficient.
Le 30 décembre 2018 15:31:02 GMT+01:00, William Pitcock <notifications@github.com> a écrit :
…
@ThibG actually it is a serious problem because it creates a
cryptographic relationship between the two keys. a forensic analyst
will have a lot of fun with that.
Also relays do NOT need LDS, if you relay metadata about the posts
instead, as the Pleroma implementation does.
--
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub:
#9658 (comment)
|
I am sorry, but I still can't understand how signing the
I improved the situation a bit (#9659), but yup, I agree we should rotate keys (I'm still trying to figure out how to avoid race conditions though). |
The Update contains the new key material, which means the old key is signing the new key material. This creates a cryptographic relationship between both keys which negatively impacts deniability. You are looking at this from simply invalidating signatures on objects, that's an important part of it, but a forensic analyst can say in court something like: "well, |
But your defense relies on claiming that |
|
I'm still not convinced by the benefits of blind key rotation over a standard rollout (if we assume that anybody listening to #9667 is an attempt to drop the potential 1 day delay before accepting a blind key rotation, it doesn't address the refollow stuff nor possible race conditions, though. As for avoiding race conditions, @kaniini proposed an interesting strategy: postponing the key change to when the account has been idle for one hour. I'm not too sure how we could do that with sidekiq, but that's a very sensible way to avoid those issues. The account refollow stuff is still an open question. Should we drop that behavior altogether? Issue re-follows anyway? Something else entirely? |
Keys are comparatively large pieces of text and constantly updating every user's row in the accounts table sounds like a very, very bad idea to me. |
I'm not sure what part of the scheme you're opposing to exactly. If everyone would implement it as hinted there, this would be at most one change per account per hour, and much less in practice (only if the account deleted a toot, and only after 1h of subsequent inactivity). If you're worried about the fetching part, it's already possible to flood an instance with proper |
Background
Blind Key Rotation is a proposed mitigation for the inability to revoke JSON-LD Linked Data Signatures. It is based on the fact that AP implementations are supposed to refetch an actor's keys in the event that a signature fails to validate and recheck the signature.
Mastodon should implement Blind Key Rotation on
Delete
activities by sending theDelete
activity signed by the original key and then generating a new keypair afterward, but that should be split into a different bug.Expected behaviour
Mastodon should accept a blind key rotation from a remote user. This is necessary for situations where an instance is reinstalled anyway.
Actual behaviour
Mastodon does not accept blind key rotations. In order to get Mastodon to accept the new keys, the instance or user must be entirely suspended and unsuspended in order to delete the old key data.
Steps to reproduce the problem
Specifications
Mastodon 2.6.5 on testodon.dereferenced.org.
The text was updated successfully, but these errors were encountered: