- Sigsum-general - Tillitis mailing lists

Origin line issues
by Niels Möller 11 Oct '24

11 Oct '24

Hi, I said during the witnessing breakout at tdev that I'm afraid that the origin line as id is coming back to bite us. Let me expand a little on the problem I see. For a start, when adding keys for logs or witnesses to the trust policy for log users, it's clear that care and due diligence is required. That's natural, and I don't think origin line or other non-cryptographic ids in the picture is much of a problem. However, I think it's desirable that logs and witnesses are decoupled. When an operator of a log or witness gets an email "please add my new shiny witness/log to your config", I think it's rather important that no subtle or complicated due diligence is required, and that there are no severe or surprising consequences for temporarily adding a malicious entry. Main problem is for witness operators, and in particular if trying to run a witness on a device like the tkey with minimal configuration. For a sigsum log, with origin line based on keyhash, the only irreversible consequence when a witness operator adds a new log to the witness config is a commitment to storing a record (on the order of 100 bytes) for that log for the entire lifetime of the witness. If the log causes other operational problems, it could be rate limited or completely removed from the config, and that's it. The tkey app could happily accept any add-checkpoint request + log pubkey from the host, verify everything, and store the (pubkey, treehead) on success. A compromised host could fill up the tkey storage, preventing the witness from adding new logs later on, but that's about the worst it could do. On the other hand, if the host provides a pubkey and a checkpoint with an arbitrary origin line, that mapping needs to be authenticated. If not, an attacker could make it's own keypair for anyone else origin line, push a tree head with new leaves to the witness, and the witness would then refuse cosiging genuine tree heads for that origin. If we envision that people will start lots of application specific logs, and want them cosigned by public witnesses (e.g., consider a thousand github projects doing "serverless logs" in their github actions (if that makes sense, I'm not that familiar with github)), it's clear that adding logs to a witness config must be easy. The witness needs an authority mapping origin lines to keys. In the tkey case, the simple solution would be to have that authority sign some kind of certs defining this binding, and embed the ca pubkey in the tkey app binary. (For key rotation, one could consider accepting certs signed by previous key rather than the ca, but the ca is still needed for new logs). And then origin line owners should demand transparency for those certs, and we're down the rabbit whole. Finally, on the log side, for a non-sigsum log that publishes cosignatures as checkpoints, we have a related issue with the witness key names. I think that's less severe: if a bad witness is added, the log might publish cosignatures where the pubkey doens't belong to the "proper" owner of a key name, which will look invalid to users that have the right keys for that name, but that is a recoverable problem; once the problem is pointed out, the log can just drop that witness, and it will not appear on later checkpoints. So what would be my take aways, accepting that the "ship has sailed" on radical changes, and this isn't the right time for cosignature/v2? 1. We should define a origin line scheme similar to sigsum.org/v1/tree for use by non-sigsum logs that don't need key rotation. And strongly recommend that logs that don't have an urgent need for key rotation use that scheme. The advantage for logs that follow this scheme is that it's very cheap for witnesses to add their logs, since no due diligence on who's the proper "owner" of that origin line is needed. We will in effect get two classes of logs: Those with self-authenticating origin lines, and those that need require additional data or context to establish an authentic mapping between name and keys. (Again, this is an issue in the context of making witness operation easy; defining a proper trust policy will always require more information about a log than just what its key is). 2. Witness operators need to document what procedures they use to validate origin lines of logs they are asked to witness, and how they validate new public keys to be added for that origin line. 3. It would be nice if those operating logs identified by arbitrary origin lines, like "go.sum database tree", outline what procedures they'd like a witness to take before accepting a new public key for that log. For example, say Debian wants to run a witness for the go checksum database and patch go tooling to require that as an additional witness in the trust policy, how will they get authentic information about key rotation events? (Making a replica of the log and witness that, instead of witnessing the upstream log, as was suggested at the breakout, doesn't seem like an attractive alternative to me. With a new origin line, witness cosignatures on the upstream log won't verify, so they are effectively lost. And one would still need that authentic key for the upstream log, when building the replica. But maybe that alternative could be fleshed out). 4. How should we act when we find that a witness used a "wrong" or unexpected public key to verify a checkpoint for some origin? The witness clearly can't cosign any later tree heads for the proper view of that log, and it should be removed from policies involving that log. But perhaps we should make it very clear that this is possible result of an honest mistake, and not hold that against the witness operator's reputation? 5. We could think of alternative ways to do key rotation, e.g., starting a new log under a fresh key, and adding a special leaf at index 0 including the signed tree head of the old log + needed metadata. And possibly with a corresponding forward link in the tombstone message of the old log. /nisse

1 0

Primary and secondary
by Niels Möller 07 Oct '24

07 Oct '24

I've been thinking a bit about roles and responsibilities for the primary and secondary nodes of a log. Here I'm sketching a model that is mostly compatible with the current replication protocol, and which makes the nodes a bit more independent (e.g., could be run by different organizations). A log instance consists of a primary node and (ideally) several secondary nodes. A log is identified by its key, i.e., the key that is used to sign the log's advertised tree heads (the same tree heads that are cosigned by witnesses, and for which the log operator's states intended reliability etc). Each node is identified by a separate node key. * Local trees Each node (including the primary) keeps its own local tree. That tree is possibly larger (but not smaller, except when a new node is starting up) than the log's advertised tree. Each node is identified by its node key. The node key is used to sign the tree heads of its local tree. These signatures must not be confused with the log's signed tree heads; if it's not enough that separate keys are used, they could use a separate signature namespace. The semantics of the signatures on local trees is that the node promises that it's local tree is append-only, and that all data covered by the signed tree head is committed to local storage. I.e., the tree should survive events like a local power outage. However, reliability is best effort. If the node suffers a disk failure, or is decommissioned for any other reason, the contents of the tree may be lost (except for parts of it replicated elsewhere, as described below). * Primary node The primary node's responsibility is to accept new leaves from users, commit into its local tree, and sign resulting local tree using its node key. Periodically, it queries the signed tree heads of the secondary nodes' trees, checks consistency, and publishes new versions of the *log*'s signed tree head once data is replicated to all secondaries. (If we have a larger number of secondaries, we could consider allowing the primary to proceed even in the case that a single secondary is behind or unreachable). * Secondary nodes Secondaries only accept new leaves from the primary. A secondary that is new or for some reason is behind, will first get the log's signed tree head, and retrieve all leaves it is missing. It must check inclusion and consistency before committing the leaves to its local tree and underlying storage. Next, it will periodically get the primary node's local tree head (verifying the signature using the node key of the node that is the current primary), and similarly incorporate after inclusion and consistency checks pass. Periodically, or when asked by the primary, it will sign the head of its local tree using its own node key. So at all time we have this relation between tree sizes: log's tree <= each secondary node tree <= primary node tree Extensions: It may be useful to enable secondaries to also act as mirrors, republishing the latest tree head it has received from the primary node, together with available cosignatures. It may be possible to distribute new leaves in more of a peer-to-peer fashion, instead of each secondary retrieving them directly from the primary. * Migration on primary failure What needs to happen when a primary fails or is to be replaced? We need the following steps: 0. If possible, the primary node's access to the log signing key should be removed. 1. Each secondary must be configured that the primary is down. This must likely be a manual procedure, with a human determining that the primary should no longer be used. On each secondary, this means that the node key of the old primary is removed from the configuration. 2. Once all the secondaries agree that there is no longer any primary node, one of the secondaries can become new primary. If the local trees of the secondaries are of different sizes, the one with the largest tree should be selected as the new (interrim) primary, but not yet with access to the log's signing key. (If, for some reason, a different node is chosen, the nodes that are ahead of the chosen node must be reset: Discard the extra leaves, destroy previous node key and create a new one). 3. The secondaries that were not chosen as primary are now reconfigured to use the chosen node (identified by node key, as usual) as primary, and retrieve all leaves and commit them to their local trees. 4. After some time, nodes should all be in sync. If desired, the chosen node can now be demoted back to secondary (after which all the other secondaries will again be reconfigured that there is no primary), and a new primary node can be selected. 5. Finally, the new primary should be given access to the log's signing key and start normal operation (accept leaves from users, advertise new tree heads, request cosignatures, etc). If we are willing to have secondaries coordinate with eachother, part of this process could potentially be automated. If all nodes are connected to each other (with the exception of the failing primary, which is explicitly and manually removed from the set of nodes in step (1) above), we could maybe have a protocol that lets nodes first agree that there is no primary, and then elect a new primary based on tree size, and which nodes are configured as candidates for getting access to the log's signing key. Regards, /Niels

1 0

What verification info should a sigsum submitter publish?
by Niels Möller 20 Aug '24

20 Aug '24

It's not entirely obvious what info should be provided to users that want to enforce an application's sigsum logging. This was discussed previously in the context of age releases, see https://github.com/FiloSottile/age?tab=readme-ov-file#verifying-the-release…. Here, I'm trying to lay out which information should be there, and why. My angle is to ensure consistency between users (sigsum verifiers) and monitors: if any item accepted by a verifier doesn't live up to expectations, monitors should be able to alert. 1. Submitter pubkey(s), i.e., the keys used for the sigsum leaf signatures. 2. The pubkeys of logs used. It's essential that users and monitors agree on these keys; or more precisely, monitors must be aware of all submitter keys and all log keys that verifiers are willing to accept. Previously, I think I've asked if there's a good reason for a sigsum verifier to check the log's signature on a tree head; if we say trust is in the witnesses, why isn't it enough to only verify the cosignatures? I think assurance of monitoring is a good reason. That the item appears logged and properly cosigned by well known and perfectly honest witnesses in some *arbitrary* log is not enough. The verifier really needs a proof of logging in a log with relevant *monitoring* for this application. 3. Suggested witnesses and policy. I think this should be a pretty strong recommendation, because for effective monitoring, the monitor must be aware of the witness policy. E.g., if a single witness disappears from the monitor's view, that witness could potentially be cosigning a different version of the tree. And whether or not that is a reason for alert depends on the verifier's policy. (See https://git.glasklar.is/sigsum/project/documentation/-/blob/main/archive/20… for details). A user or organization can of course tweak the policy they use any way they like, but if they do, they ought to also think about operating their own monitoring. 4. The claims implied by a logged item. It aids monitoring if claims can be represented in machine friendly form. E.g., provide a way to download relevant data and metadata for each logged checksum, for archival as well as immediate or future analysis. And specify the expected properties of that data and metadata. E.g., when doing a binary releases by logging the checksums of executables, the data would be the executable file itself, and metadata could include everything needed to be able to reproducibly recreate that executable from sources. An extended claim could also say that corresponding sources must be properly signed, or even sigsum-logged in turn. At some point, we should document this properly. Any feedback on this analysis highly appreciated. /Niels

1 0

Re: Witnessing for high-traffic log
by Hayden Blauzvern 06 Feb '24

06 Feb '24

Thanks Rasmus! I've cc'd the list and added Bob who's interested in this topic too. What submit latency are you willing to accept? I'm asking because > depending on if you need ~1s or ~10s will influence the options. > I'd like to keep this latency as low as possible. It would be a breaking change across the ecosystem if we upped latency to ~10s, as I'm assuming clients have not configured their timeouts to expect this high of a latency. That's not to say we couldn't make this change, as we could provide a different API, I'd just like to explore a low latency initially. I.e., the log can keep track of a witness' latest state X, then provide > to the witness a new checkpoint Y and a consistency proof that is valid > from X -> Y. If all goes well, the witness returns its cosignature. If > they are out of sync, the log needs to try again with the right state. Assuming that all witnesses are responsive and maintain the same state, this could work. Keeping track of N different witnesses is doable, but I think it's likely they would get out of sync, e.g. a request to cosign a checkpoint times out but the witness still verifies and persists the checkpoint. This isn't a blocker though, it's just an extra call if needed. The current plan for Sigsum is to accept up to T seconds of logging > latency, where T is in the order of 5-10s. Every T seconds the log > selects the current checkpoint, then it collects as many cosignatures as > possible before making the result available and starting all over again. This seems like the most sensible approach assuming that latency can be accepted by the ecosystem. Batching entries is something we've discussed before, there's other performance benefits besides witnessing. > An alternative implementation of the same witness protocol would be as > follows: always be in the process of creating the next witnessed > checkpoint. I.e., as soon as one finalized a witnessed checkpoint, > start all over again because the log's tree already moved forward. To > keep the latency down, only collect the minimum number of cosignatures needed to satisfy all trust policies that the log's users depend on. This makes sense, though I think adding some latency as suggested above makes this more straightforward. One detail, which may not be relevant depending on your order of operations, is that we just need to confirm that the inclusion proof returned will be based on the cosigned checkpoint. Currently our workflow is first requesting an inclusion proof for the latest tree head, then signing the tree head. On Fri, Feb 2, 2024 at 3:37 AM Rasmus Dahlberg <rgdd(a)glasklarteknik.se> wrote: > Hi Hayden, > > Exciting that you're exploring this are, answers inline! > > On Thu, Feb 01, 2024 at 01:05:48PM -0800, Hayden Blauzvern wrote: > > Hey y'all! I was reading up on Sigsum docs and witnessing and had a > > question about if or how you're handling logs with significant traffic. > > > > Context is I've been looking at improving our witnessing story with > > Sigstore and exploring the viability of the bastion-based witnessing > > approach. Currently, the Sigstore log does no batching of entry uploads, > > and so the tree head/checkpoint is frequently updated. Consequently this > > means that two witnesses are very unlikely to witness the same > checkpoint. > > To solve this, we added a 'stable' checkpoint, one that is published > every > > X minutes (5 currently). Witnesses are expected to compute consistency > > proofs off that checkpoint so that multiple witnesses verify the same > > checkpoint. > > Sounds similar the initial witness protocol we used: the log makes > available a checkpoint for some time, and witnesses poll to cosign it. > > We moved away from this communication pattern to solve two problems: > > 1. High submit latency, which is the issue you're experiencing. > 2. Ensure logs without publicly reachable endpoints are not excluded. > > While reworking this, we also tried to keep as many of the properties we > liked with the old protocol. For example, the bastion host stems from > the nice property that witnesses can be pretty locked down behind a NAT. > > > > > I've been exploring the bastion-based approach where for each entry or > tree > > head update, the log requests cosignatures from a set of witnesses. What > > I'm pondering now is how to deal with a log that frequently updates its > > tree head due to frequent new entries. > > One solution is to batch entries for a long enough period, let's say 1 > > minute, so that the log can fetch cosignatures from a quorum of witnesses > > while accounting for some latency. But this is not our preferred user > > experience, to have signers wait that long. > > Lowering the batch to 1 second would solve the UX issue. > > What submit latency are you willing to accept? I'm asking because > depending on if you need ~1s or ~10s will influence the options. > > > However now > > there's an issue for updating a witness's checkpoint. Using the API > Filippo > > has documented for the witness, the log makes two requests to the > witness: > > One for the latest witness checkpoint, one to provide the log's new > > checkpoint. > > The current witness protocol allows the log to collect a cosignature > from a witness in a single API call, see the add-tree-head endpoint: > > > https://git.glasklar.is/sigsum/project/documentation/-/blob/d8de0eeebbb5bb0… > > (Warning: the above API document is being reworked and moved to C2SP. > The new revision will revolve around checkpoint names and encodings. > You'll find links to all the decided proposals on www.sigsum.org/docs.) > > I.e., the log can keep track of a witness' latest state X, then provide > to the witness a new checkpoint Y and a consistency proof that is valid > from X -> Y. If all goes well, the witness returns its cosignature. If > they are out of sync, the log needs to try again with the right state. > > > This seemingly would not work with a high-volume log since the > > witness's latest checkpoint would update too frequently. > > > > Did you have any thoughts on how to handle this? > > The current plan for Sigsum is to accept up to T seconds of logging > latency, where T is in the order of 5-10s. Every T seconds the log > selects the current checkpoint, then it collects as many cosignatures as > possible before making the result available and starting all over again. > > The rationale is: a witness that is online will be able to respond in > 5-10s, so waiting longer than that will not really do much. I.e., the > witness is either online and responding or it isn't. So: under normal > circumstances one would expect cosignatures from all reliable witnesses. > > An alternative implementation of the same witness protocol would be as > follows: always be in the process of creating the next witnessed > checkpoint. I.e., as soon as one finalized a witnessed checkpoint, > start all over again because the log's tree already moved forward. To > keep the latency down, only collect the minimum number of cosignatures > needed to satisfy all trust policies that the log's users depend on. > > For example, if you're opinionated and say users should rely on 10 > selected witnesses with a 3-of-10 policy; the log server can publish the > next checkpoint as soon as it received cosignatures from 3 witnesses. > > Both approaches work, but depending on which one you choose the > properties and complexity will be slightly different. Avoiding to hash > out that analysis here in order to keep this initial answer brief, but > if you need the ~1s latency the second option should get you close. > > By the way, would it be OK to @CC the sigsum-general list? Pretty sure > this is a conversation other folks would be interested in as well! > > -Rasmus >

3 2

Any value in storing tree head signatures locally?
by Niels Möller 21 Nov '23

21 Nov '23

Hi, I'm looking at my draft MR for persisting monitor state (https://git.glasklar.is/sigsum/core/sigsum-go/-/merge_requests/152). There's a bit of extra complexity there because the monitor stores treeheads *including* signature. Those signatures are verified when it is restarted and state is read back from disk. It's not clear to me that provides any real value, though. Do we lose anything if we verify signatures when tree heads are received from the network, and then discard the signatures and just trust local system integrity? One attack I'm thinking of: Say leaf 17 records some malicious act that the monitor would flag. If the monitor can be taken down when it has processed the log up to leaf 15, and then have it's state fast-forwarded so that when it is restarted, it thinks it already have looked at everything up to leaf 20, that's a problem. However, (i) verifying the tree head signature doesn't help; since attacker can get a properly signed later tree head by just asking the log, and (ii) if the attacker is control of the local storage, monitoring is broken anyway. Almost the same question applies to witnesses, which also needs to persist latest observed and cosigned tree head. My witness implementation stores the log's signature and its own cosignature, and verifies both when state is loaded at restart. The relevant attack here is forcing the state backwards, rather than forwards, but the signatures appear to not provide any protection against that attack either. And in either scenarios, in case the treehead is modified in any other way than to a different valid treehead in the past or in the future, that should result in a consistency error when the monitor/witness received the next treehead from the log. Am I missing something, or can we just drop local storage of tree head signatures? Regards, /Niels

2 3

On k-of-n witnessing
by Niels Möller 17 Nov '23

17 Nov '23

Not sure if this is already well known and documented somewhere, but I'd like to sort out the implication of dishonest witnesses. Say there are a total of n witnesses, m of which are honest. The other n-m are willing to participate in either denial of service (refuse to cosign anything) or split-view attacks (cosign multiple inconsistent tree heads). Assume client policy requires at least k valid cosignatures. To thwart denial of service attacks, we must have k <= m. For a split-view attack, the attacker wants two clients (with the same policy) to accept two distincts views of the log. It seems the best the attacker can do is to have each view the tree cosigned by half of the honest witnesses and all of the dishonest witnesses, so that the number of valid cosignatures on each view is n - floor(m/2), n - ceil(m/2) The attack succeeds if both are accepted, and it is thwarted if k > n - ceil(m/2) We would like to have at least one value of k that is secure, and that would have to be k = m, and then we need k > n - ceil(k/2) which should be equivalent (if I get the details of ceil and floor logic right) to k > 2n/3 and k >= 1 + floor(2*n/3) So a little table, n 1 2 3 4 5 6 7 8 9 10 min k 1 2 3 3 4 5 5 6 7 7 The important point here, is that if one uses a k-of-n policy with smaller k than in this table, say, 5-of-8 witnesses, then it is *not* sufficient with 5 honest witnesses to reject a split view, since we could have a split view with 5 and 6 cosignatures on each view. And 6 honest witnesses isn't enough either, we need at least 7, i.e., we can tolerate at most a single dishonest witness. It also seems worth noting that we need at least 4 witness before we can have any redundancy. Regards, /Niels

1 0

ANNOUNCE: Sigsum Log Server Protocol version v1.0.0
by Niels Möller 08 Nov '23

08 Nov '23

The Sigsum team is happy to make the first official release, version v1.0.0, of the Sigsum Log Server Protocol. This is the protocol used to submit new entries to a Sigsum log, and to query the log for cosigned tree heads, stored entries, and for inclusion and consistency proofs. See https://www.sigsum.org/ for more information about the Sigsum project. NEWS file entry for this release is appended below. This release of the specification can be read at https://git.glasklar.is/sigsum/project/documentation/-/blob/log.md-release-…. The specification will also be published on https://www.sigsum.org/. /The Sigsum team NEWS for log.md, version v1.0.0 This is the first official release of the Sigsum Log Server Protocol, i.e., the file log.md. This release is identified by the git tag log.md-release-v1.0.0. It is intended to be stable, and there are no planned breaking changes. See README.md for information on development and release processes for Sigsum specifications. The protocol is implemented by the log-go server v0.14.1 announced recently, see https://git.glasklar.is/sigsum/core/log-go/-/blob/v0.14.1/NEWS, and by the command line tools at https://git.glasklar.is/sigsum/core/sigsum-go, current version being v0.6.1.

2 1

ANNOUNCE: log-go v0.14.1
by Niels Möller 01 Nov '23

01 Nov '23

The Sigsum team is happy to release a new version of the log-go log server software, version tag v0.14.1, succeeding the previous release v0.9.0. The source code for the release can be checked out from the git repository as git clone -b v0.14.1 https://git.glasklar.is/sigsum/core/log-go.git or installed using go install sigsum.org/log-go/cmd/sigsum-log-primary@v0.14.1 This release updates the log to the version 1 Sigsum protocol. It also adds back support for witness cosigning, following an interim witness protocol. See NEWS file for details on changes and how to upgrade, excerpt below. If you find any bugs, please report them here on the sigsum-general mailing list or open an issue on GitLab in the log-go repository: https://git.glasklar.is/sigsum/core/log-go/ The expectations and intended use of the log server software is documented in the log-go RELEASES file. You will also find more information about the overall release process there, see https://git.glasklar.is/sigsum/core/log-go/-/blob/main/RELEASES.md. / The Sigsum team NEWS for log-go v0.14.1 This release updates the log server to implement the v1 sigsum protocols [1]. The log protocol, i.e., the protocol for querying a log and submitting new entries, is now considered stable: there are no plans for incompatible changes, and future updates will consider transitions carefully. However, the witness protocol, used by logs to interact with witnesses, is under development, and will likely be replaced in later versions. Upgrading existing log services from the previous release, v0.9.0, is automatic, see below for the implications of upgrading. However, downgrading is *NOT* tested nor supported. Downgrading would require manual replacement of the signed-tree-head file by restoring it from a backup or recreating it using sigsum-mktree. This release has been tested to work together with: * Command line tools (most importantly sigsum-submit and sigsum-verify) https://git.glasklar.is/sigsum/core/sigsum-go, tag v0.6.1. * The prototype witness, https://git.glasklar.is/sigsum/core/sigsum-py, tag v0.1.1. * The litetlog witness, https://github.com/FiloSottile/litetlog, tag v0.1.1. New features: * Implemented a new interim witness protocol [2], where a log queries witnesses for cosignatures. Witnesses to use are configured using a sigsum policy file. Further changes to the log <-> witness protocol are planned. Incompatible changes: * Tree head serialization used for signatures and cosignatures changed to use a checkpoint-compatible [3] text serialization. * Leaf signatures as well as submit token signatures changed to no longer use SSH signature format. Notes on upgrading: * Existing logs can be upgraded. When loading a log server's signed-tree-head file, the server accepts either a sigsum v0 tree head signature, as created by log-go v0.9.0, or a v1 signature, as created by the current version. * An upgraded log will publish tree heads signed according to the v1 protocol, and accept new leaves signed according to the v1 protocol. * Old leaves submitted according to the v0 protocol obviously stay in the tree, but they will appear invalid to anyone who has the submitter's public key and attempts to verify the leaf signature according to the v1 specification. * Old sigsum proofs can still be verified using old tools (since verification is purely offline, the log server is not involved at all). However, attempting to create a new proof for an old leaf will fail. Miscellaneous: * An intermediate version, tagged v0.13.0, included an explicit "v1" signature version on the cosignature lines. This protocol change was reverted for v0.14.x. Version v0.13.0 was never announced or properly released, but in case anyone is nevertheless running v0.13.0, upgrading to v0.14.1 is expected to work. The only user-visible change is the removal of cosignature version, which means that any client software and witnesses written to interop with log servers running v0.13.0 will need upgrading as well. [1] https://git.glasklar.is/sigsum/project/documentation/-/blob/main/log.md [2] https://git.glasklar.is/sigsum/project/documentation/-/blob/4ee138f1294f9c1… [3] https://github.com/transparency-dev/formats/blob/main/log/README.md#checkpo…

2 2

Sketch of tkey apps for signing keys with backup
by Niels Möller 21 Sep '23

21 Sep '23

Tkey for signing keys. Motivation: Sigsum needs long-lived signing keys, with backup in case the device holding the signing key (and maybe the rest of the site as well) is destroyed. Same may apply to other long lived keys, e.g., close to the top of a cert hierarchy/delegation chain. 1. Signer app: Recieve an encrypted signing key, encrypted to the key's unique key using some public key crypto algorithm. Decrypts the signing key, and acts as signing oracle. Also needs a way to advertise its own pubkey, as well as the pubkey corresponding to the signing key. 2. Keygen app: Takes a list of public keys. Generates a new signing key, and encrypts it to each of the public keys. 3. Export app: Takes public keys and an encrypted signing key. Decrypts using its own unique key, and reencrypts to each of the public keys. Also needs a way to advertise its own pubkey. (Similar role as a yubihsm with key export enabled, but with "keywrap" done using public keys rather than a symmetric key). Usage scenario: Get at least three tkeys, two intended as backups, the other(s) as signing oracles. Extract the public keys for each key and the respective intended app (signer or exporter). Load the key-gen app on any of the keys, and give it all those pubkeys. Store the resulting encrypted blob reliably. Lock up the two backup/export keys. Attach a signing key to the machine intended to do signing, and provide the encrypted blob and the signing app on that machine. When any one of the keys breaks, take one of the export keys out of the safe, and use it to reencrypt the signing key to a replacement key of the appropriate type. Extension 1 (technically quite easy, I think): Add a symmetric key/passphrase, required for operation of the keys, either a single one, or separate for each key. Would be particularly relevant for access to the export keys, and it would also make sense to apply k-of-n secret sharing of the secret needed to operate the export keys. Extension 2 (hand waving): Have the signer app require a proof of logging of the act of exporting the signing key to that particular key. /Niels

1 0

Private key backup
by Niels Möller 04 Apr '23

04 Apr '23

Hi, I wrote up some notes and ideas on how to do backups of private keys, which is needed for sigsum primary-secondary failover. I would hope the way I propose (if it actually works) could be implemented on a Tillitis key. I have no idea if something like that is supported by yubico hsm, but I think Linus is investigating. See https://git.glasklar.is/sigsum/project/documentation/-/blob/main/archive/20…, all comments and feedback appreciated. /Niels

2 1

2024

2023

2022

2021

Sigsum-general