Re: [Arx-users] Adding crypto to ArX

arx-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Arx-users] Adding crypto to ArX

From:	Walter Landry
Subject:	Re: [Arx-users] Adding crypto to ArX
Date:	Thu, 02 Dec 2004 22:17:16 -0500 (EST)

Kevin Smith <address@hidden> wrote:
> Walter,
> 
> You have mentioned that crypto is at the top of your todo list. I have 
> some experience with a high-security crypto product, so I would like to 
> help--especially with the design.
> 
> Do you already have a plan for the user experience? It would be great if 
> you could post a summary as early as possible to get feedback. Same for 
> any internal technical implementation details, but fewer people would be 
> able to provide valuable feedback so that's probably not quite as important.

There are two kinds of entities in ArX: patches and revisions.  A
revision is just a complete source tree, and a patch is what gets you
from one revision to another.  ArX signs both of them [1], invoking gpg to
do the actual signing.  Patches are signed directly.  Revisions are
signed indirectly by signing a SHA-256 hash of the manifest.  The
manifest is mostly a listing of the files, their properties, and
SHA-256 hashes of their contents.  It also has a manifest version
(currently ArX-2.0) and the full revision name
(e.g. foo/bar.baz.1.0,22).  For details,

  src/arx/utility_functions/write_manifest.cpp

writes a manifest, and

  src/arx/utility_functions/file_attributes.cpp

shows how individual entries for the paths are written.  Whenever you
get a revision, ArX checks all of the hashes of all of the files.
This was all done for the initial ArX-2 release.

For signing, normally you would specify that an archive will be signed
when you create it.  This puts your public gpg key in the archive in
,meta-info/public_keys.  When someone else registers your archive in
the most ordinary way, then the public keys will be downloaded and
stored in ~/.arx/archives/(archive name)/public_keys.  Then, when they
download a patch or revision, the signature is checked to make sure
that it is in that public keyring.

Running "arx archives" will list the archive names, locations, and
public keys associated with it.

It is possible to add and remove keys from the public_keys file in the
archive.  This is useful as developers join and leave a project.  You
can then delete signatures on patches and revisions and resign with a
currently trusted key.  However, ArX will not update the public_keys
file on your machine unless you unregister and reregister.  So if
someone breaks in, they can only fool new users, not old.

The trickiest part as I see it is getting the manifest right so that
you can't modify the files without changing the manifest.

ArX uses gpg, but it does not use the web of trust (as opposed to
tla's implementation).  I see that as a feature.  If I want to
download a revision from a random place on the web, I don't want to
have to extend my trust for other things to this particular public
key.  Moreover, if someone manages to compromise one person's key, they
may be able to subvert a larger number of projects.

It turns out that making gpg do what you want is rather difficult.  I
considered using X.509 certificates like monotone does.  But a number
of people already have a gpg key, so an X.509 certificate would just
be another secret to protect, another password to remember, etc.  In
addition, your gpg public key may be already be known to the
recipient.

Finally, there will be some user-specified parameters (with "arx
param").  The first one is so that you can define your own gpg
program.  Normally, the command for gpg will be defined when you
compile ArX.  You could run

  arx param gpg (gpg prog)

if, for example, you want to use quintuple-agent so that you don't
have to type your password all of the time.

The second param will be "sign" which, if true, will be make your
archives signed by default.

I have also thought about another param called "key" which would
override whatever gpg thinks your default key is.

I have implemented some of this already (arx.2.1,116).  The only thing
missing is the "param" stuff.  I am appending the help for "sign" and
"make-archive".  It is still rough.  I think the syntax for "sign"
could still use a little improvement.  Also, it currently asks for
passwords twice when committing: once for the patch and once for the
revision.  I haven't been able to get gpg to make multiple detached
signatures in one go.

Cheers,
Walter

[1] Note that tla only signs patches, not revisions.  This suffers
from a weakness that if you branch from an unsigned archive, the
results of getting something from your signed archive can still be
trojaned.

--------------------------------------------------------------------

address@hidden:~$ arx/ArX-bin_new/bin/arx sign -H
Manage cryptographic signatures
usage: sign [options] [REVISION]

 --revision        Work on the revision, not the patch
 --patch           Work on the patch, not the revision
 -a --add          Add your own signature
 -d --delete       Remove signatures
 --archive         Add your signature to the authorized list of signatures
                   for an archive
 --key KEY         Use KEY to add, delete, or list
 --dir DIR         change to DIR first

Manage the signatures in an archive.  Both patches (which get you from
one revision to the next) and revisions (a snapshot of the tree at a
particular point) can be signed.  By default, ArX works on both patches
and revisions, but you can specify one or both with the --revision
and --patch options.

Without any options, ArX will list and verify who signed REVISION.  With
the --add option, it will sign REVISION with your private gpg key.
It will prompt for a passphrase if needed and overwrite any existing
signature.  With the --delete option, the signature for REVISION is deleted.

With the --archive option, ArX will list, add, or delete a key from the
archive.  When archive keys are changed, everyone must reregister the
archive to update their keys.

-------------------------------------------------------------------

address@hidden:~$ arx/ArX-bin_new/bin/arx make-archive -H
Create and register an archive
usage: make-archive [options] name directory

 --mirror master         Make the archive a mirror of MASTER
 --signed KEY            Put KEY in the archive

NAME is the global name for the archive.  For now, it is best
to make it be an email address with a fully qualified domain name,
optionally followed by "--" and a string of letters, digits, periods
and dashes (but not two dashes in a row).  This restriction will be lifted
in future releases.

The archive must not already exist.  It will create the directory if it
does not already exist.

With the --mirror option, the new archive will be made a mirror of the
master archive.  To actually populate it, see "arx mirror --help".

With the --signed option, the new archive will have a copy of the public
gpg key for KEY.  See "arx sign --help" for details on how signed
archives work.

[Prev in Thread]

Current Thread

[Next in Thread]

[Arx-users] Adding crypto to ArX, Kevin Smith, 2004/12/02
- Re: [Arx-users] Adding crypto to ArX, Walter Landry <=
  - Re: [Arx-users] Adding crypto to ArX, Kevin Smith, 2004/12/07
    - Re: [Arx-users] Adding crypto to ArX, Walter Landry, 2004/12/08
    - Re: [Arx-users] Adding crypto to ArX, Kevin Smith, 2004/12/08
    - Re: [Arx-users] Adding crypto to ArX, Walter Landry, 2004/12/09

Prev by Date: [Arx-users] Adding crypto to ArX
Next by Date: Re: [Arx-users] Ease of use
Previous by thread: [Arx-users] Adding crypto to ArX
Next by thread: Re: [Arx-users] Adding crypto to ArX
Index(es):
- Date
- Thread