					                Verifying Digital Signatures

                  Security Bulletins, SSL, Code

                   James Leinweber, BadgIRT



Lockdown 2005             verifying digital signatures
                          warm up

• Are we all in the right room?

•   How many really know what a digital signature is?
•   How many have verified a PGP signature?
•   How many are confused by those browser lock icons?
•   How many have bought or installed a digital certificate
    for a web server?

• [Note to readers: some slides have notes, be sure to
  read those too.]


                                  Outline

• about this talk
• a little introduction to digital signatures

• verifying PGP signatures on security bulletins
     – trust model: distributed
• verifying digital certificates for SSL/TLS
     – trust model: hierarchical
• verifying code objects
     – trust model: one of the above




                about:         what is in this talk

• components of digital signatures
     – public key cryptography, secure hash, trust model
• PGP signatures
     – particularly on vendor security bulletins
• TLS
     – what SSL/TLS does
     – what digital certificates are
     – how to verify a chain of certificates
• signed code objects
     – example: redhat RPM packages
     – example: subversion
• (interwoven) what can go wrong with all of these
                about: things we are omitting

• installing the software
     – we’re all professionals here
• gory cryptographic details
     – that was a lockdown 2003 talk
• encrypting and decrypting ciphertext
     – not hard, and the same tools that do digital signatures also do
       these, but left as an exercise for the reader
• S/MIME signatures
     – conceptually like PGP, only done with digital certificates
     – mostly used with e-mail, which isn’t today’s focus
• generating digital signatures
     – most of us need to validate way more than we sign

about: where do we find digital signatures?

1. On TLS (SSL) certificates for legitimate web sites
     – Amazon, E-bay, Paypal, Banks, …
           •    100% of e-commerce
2. On code objects
     – Microsoft DLL and EXE files
     – RedHat RPM packages
     – some Java code
3. On most vendor security bulletins
     – Microsoft, Apple, RedHat, CERT, …

     (Listed here in order of ordinary importance. But we will discuss
         them in a more convenient order.)

                about: why verify signatures?

• If you are skeptical about something, you should
  investigate and validate it.
     – you don’t want to become a fraud or identity theft victim
     – you don’t want to voluntarily install malware on your PC


• The Internet is a scary place these days
     – Phishing scams, malware, and compromised web sites abound
• Good cryptography in actual use is one of our best
  defenses against some of these threats
     – this is particularly important for system administrators
• In practice, hardly anyone knows how to do this stuff
     – but we can teach you
  intro:             3 components in a digital signature

1. A public key encryption algorithm
     – Uses private secret key to encrypt, and a different public key to
       decrypt
           •    FIPS 186-2 digital signature standard identifies 3 implementations
                 •   DSA, RSA, Elliptic curve

2. A secure hash or message digest function
     – converts a variable length message into a fixed length
       pseudo-random bit string
           •    FIPS 180-2 describes SHA-1, SHA-256, SHA-384, SHA-512
           •    problem: MD5 is obsolete, attacks on SHA-1 are improving, and
                NIST isn’t working on alternatives yet
3. A key distribution and trust model
     – need to obtain & believe in the public keys

                intro: making a digital signature

1.   Take a blob
2.   Run it through your hash function
3.   Encrypt the hash using your private key
4.   Send off the <blob, hash name, signature> triple




                intro: example digital signature

“Hello, World!” PGP signed by my private key

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello, World!
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBQtbBPEGhkXlca8i5EQL8CQCePIMj1EH4Da+D5IBJZ5eDehj91S8AoK7g
rhwGVPFweYCUDpnR6+yqu/8Y
=CN5G
-----END PGP SIGNATURE-----




            intro: verifying a digital signature

1. Receive the <blob, hash name, signature> triple
2. Obtain the sender’s public key
3. Run your copy of the blob through the hash function
   again
4. Decrypt the accompanying signature using the public
   key
     •    the details vary, but you can let the software worry about that
5. If the results of steps 3 & 4 are the same, the signature
   is good. If you trust step 2, the good signature is valid,
   and you can read or run or use the blob safely.
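The making and verifying steps above, as an added example that is not part of the original slides. It uses unpadded textbook RSA over a toy key built from two publicly known Mersenne primes, so it shows the mechanics only; the function names are hypothetical and real tools add padding or use DSA.

```python
import hashlib

# Constructed toy key: both primes are publicly known, so this key is
# trivially factorable and only good for showing the mechanics.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)

PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)


def digest_as_int(blob: bytes, hash_name: str) -> int:
    """Run the blob through the named hash function."""
    return int.from_bytes(hashlib.new(hash_name, blob).digest(), "big")


def make_signature(blob: bytes, hash_name: str, private_key):
    """Signing steps 1-4: return the <blob, hash name, signature> triple."""
    n, d = private_key
    signature = pow(digest_as_int(blob, hash_name), d, n)
    return blob, hash_name, signature


def verify_signature(triple, public_key) -> bool:
    """Verifying steps 3-5: re-hash our copy, decrypt the signature, compare."""
    blob, hash_name, signature = triple
    n, e = public_key
    if not 0 <= signature < n:
        return False
    return pow(signature, e, n) == digest_as_int(blob, hash_name)


def demo():
    blob, name, sig = make_signature(b"Hello, World!\n", "sha256", PRIVATE_KEY)
    return {
        # Untouched triple, correct public key.
        "intact": verify_signature((blob, name, sig), PUBLIC_KEY),
        # A client rewrote the line ending after signing: the hash changes.
        "crlf": verify_signature((b"Hello, World!\r\n", name, sig), PUBLIC_KEY),
        # The hash name in the triple does not match the one used to sign.
        "wrong_hash": verify_signature((blob, "sha1", sig), PUBLIC_KEY),
        # Step 2 went wrong: the verifier holds a different public key.
        "wrong_key": verify_signature((blob, name, sig), (N, 3)),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:10s} {'good' if ok else 'BAD'} signature")
```

Only the intact triple checked against the right public key verifies; a single added carriage return is enough to produce a bad signature.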


            intro: example verified signature

$ gpg --verify example1.asc

gpg: Signature made Thu 14 Jul 2005 02:47:08 PM CDT using DSA key
   ID 5C6BC8B9
gpg: Good signature from "James E. Leinweber <jiml@slh.wisc.edu>"



    (assumes the text is in a file and the public key is in your
    default keyring)




                   intro: why do it this way?
• you need a public key algorithm to do digital signatures
     – Diffie & Hellman, New Directions in Cryptography, 1976
• you need a secure hash function because of limitations
  of public key algorithms
     – public key algorithms are slow
           • 1000x slower or worse than symmetric key block ciphers such as
             AES
                – e.g. RSA with a 2048 bit key (weaker than 128 bit AES) requires lots
                  and lots of 4096 bit arithmetic operations
     – public key algorithms are weak (compared to block ciphers)
           • algorithmic solutions exist which are much faster than random key
             guessing, so you have to use enormous keys
           • highly vulnerable to known plaintext attacks
     – so you only use public key algorithms on small, random things.
           • message digest: yes. whole message or file: no

                      intro: why bother?

• what you want:
     – to trust that the blob has correct contents certified by the signer


• what you are depending on
     –   only the key owner has the private key
     –   the signing computer is secure
     –   the verifying computer is secure
     –   the public key belongs to the purported owner


• what you really know:
     – the blob passed through a computer which had the private key


                intro: what can go wrong?

• bad signature because the message was modified after
  signing
     – line wrapping, character set change, client is suppressing “extra”
       carriage returns, …
• Can’t find the public key at all
     – finding multiple keys is pretty unlikely, but not quite impossible
• Can’t find a reason to trust the public key
     – finding it next to the thing you want to verify, on the same server,
       is not a good enough reason – a bad guy could replace both
• your software can’t handle all of the algorithms used by
  the signer
     – so upgrade, already 

   PGP: what the security community uses

• not quite “too hard for ordinary mortals”
• it works
• widely available
     – in both proprietary & open source implementations
• unlike S/MIME, it doesn’t require lots of expensive,
  not-quite existent Public Key Infrastructure

• Major use: signing security bulletins & code objects
• Medium use: encrypted password escrow
• Minor use: encrypted communications among incident
  response teams

                  PGP: typical algorithms

• public key:
     – DSA (1024 bit signing key, a bit short)
     – RSA (2048 bit keys are popular, adequate, and interoperable)
• secure hash / message digest
     – MD5 (obsolete)
     – SHA-1 (currently popular, NIST says retire by 2010)
• block cipher
     –   IDEA (128 bit, OK, but still patented, so not in GnuPG)
     –   3DES (an acceptable but silly choice)
     –   CAST-128 (good for interoperability)
     –   AES-128 or AES-256 (not available in older clients)


                     PGP: typical software

• PGP, from PGP, inc
     – costs about $70/PC/year
     – GUI client integrates with host OS (Windows, Mac OS-X)
           • plugins for outlook and other major e-mail clients
           • system tray gizmo to manipulate files & clipboard
           • right click extensions for windows explorer
• GnuPG, from FSF
     –   freely redistributable
     –   command line tools
     –   3rd party GUI wrappers maturing and usable but mostly still beta
     –   increasing integration with other free software
           • particularly rpm, mutt, kmail


                PGP: good example




                PGP: bad example




                PGP: distributed web of trust
• Alice generates a key
• Alice gets other PGP users to sign her public key using
  their private keys
     – many security conferences have Key Signing Parties
• Alice publishes her public key to keyservers
     – ~ 2M keys, 200K signed by someone, only 14K in strong set


• Bob downloads Alice’s public key from somewhere
     – a keyserver
     – a web server
     – directly from Alice
• Hopefully, Bob trusts one of the signers of Alice’s key
     – he can locally sign Alice’s key to signal he has validated it
                PGP: viewing a key ring




                PGP: key properties




                PGP: obtaining (fake?) keys




                   PGP: trust problems
• no trust path from signer to you
• no 3rd party signatures on key
• unreliable 3rd party signatures on key
     – you have to know the person’s signing policy to distinguish
• don’t rely on PGP v9 keyserver signature
     – It means e-mail address works and possesses the private key,
       which is a good thing.
     – But, there is no identity implication, unlike signatures from
       people
• Fake keys exist
     – e.g. Phil Zimmermann, Bill Gates, …
• too many useless keys exist
• different data on different key servers
                   PGP: when to trust a key
• Best
     – obtained fingerprint in person from a well-verified owner
           • This is the only way good enough to justify creating an exportable signature!
• OK
     – available from key servers and from parent web site, and the
       fingerprints match
     – verified out of band (e.g. by phone call to known good number)
     – signed by one person you trust a lot
     – signed by one or more short enough chains of people you trust enough
• Bare minimum
     – not revoked
     – not expired
     – in sustained good use without repudiation


                PGP: an example trust path




                 PGP: questions?

• any questions about PGP or verifying security bulletins?



• next up: TLS




                TLS: about digital certificates

• complicated nested structure full of binary vectors
• main purpose is to bind a public key to a distinguished
  name under the authority of someone’s digital
  signature
• typical distinguished name material is DNS host names,
  personal names, IP addresses, organizations
     – syntax is borrowed from X.500 directories (X.509 & LDAP)
• lots of optional fields. A really important one is Basic
  Constraints which identifies the purposes a certificate
  was validated for by the issuer.
     – but some issuers are sloppy and don’t bother with this
     – typical uses are e-mail, code signing, server identity

                  TLS: trusting a certificate

• the trust model is hierarchical
• your certificate is signed by someone else's
• two or three certificates up the chain you hit a root
  certificate
• a root certificate signed itself
• any modern OS includes tools to generate root
  certificates; which roots do you consider authorities?
     – commercial firms saw gold in them thar hills; certificates are
       overpriced
           • free is too cheap: doing worthwhile validation costs money
     – this week, your OS and/or browser trust about 150 roots


                TLS: about protocol negotiation

• establishing a TLS (SSL) connection is complicated
• the two ends need to prove identity, choose a block
  cipher, choose an HMAC, and generate a shared secret
  key
• the server always needs a certificate
• the client may or may not need a certificate
     – server’s option
     – part of the protocol involves using the private key on random
       nonce material to prove it’s available
• application decides if the cipher suite is good enough
     – <null, null> is an available choice, but not good enough
• user decides if the server identity is plausible enough
                TLS: certificate general info




                TLS: certificate details




                TLS: managing certificates




            TLS: why CRL needs tools




                TLS: the fine print




         TLS: what can you reasonably do?
1. no warning message from your browser
2. distinguished name should be plausible
3. certificate purpose (basic constraint) should exist and match your
   intended use
Also:
• browser should be patched
• use TLS or SSL v3 with 128 bit encryption
     – disable SSL v2, it has security problems
•   root certificate should be someone you’ve heard of and believe in
     – Verisign, Thawte, Visa, …
•   each certificate in the hierarchy should be in its valid period
•   no certificate in the hierarchy has been revoked


                            TLS: problems

• Certificate Revocation Lists aren’t real time
     – might not be available or responsive, and you need Internet
     – update lag can be several weeks
• Too many roots
     – and does anyone actually understand their certificate practices?
     – some omit basic constraints
           • BUG: obtain an e-mail certificate, use it to sign code, fool user & OS
• Even harder to understand than PGP
• Applications are notoriously buggy dealing with CRL’s
     – Originally, Internet Explorer didn’t even check them
• outsourced E-commerce fulfillment is hard to distinguish
  from a man-in-the-middle attack
            Aside: man in the middle attacks

• Alice thinks she is talking to Bob
• Actually, Mallory has insinuated himself in between
     – Alice is talking to Mallory
     – Mallory is talking to Bob
• Requires compromising some infrastructure
     – either network itself (routers, switches) or destination servers
• Problem: Mallory, being evil, lies.
     – he may just eavesdrop
           • e.g. to steal identity and financial account information
     – he may tell different lies to Alice than to Bob
           • Alice sends: transfer $100 to MG&E
           • Bob receives: transfer $5000 to Romania

                  TLS: questions?

• any questions about TLS or digital certificates?



• next: verifying code objects




                            Code: signing

• some vendors sign their code
     – Microsoft, RedHat do
     – more vendors should
• the patch process should validate stuff before applying it
     – Microsoft, Redhat do
           • certificate of download server
           • signature of package / bundle file
• there should be ways to check individual files




    Code: about Redhat Package Manager

• Unix executable files historically may lack extensible
  substructure
• Linux installation process includes lots of optional pieces
• Redhat Enterprise 3 Linux has about 1200 packages
• the packages carry GPG signatures
• the RPM tool now has its own keyring
     – older versions depended on the user’s keyring
• rpm can validate files against a package
     – beware of root kits
• up2date tool uses this infrastructure by default


                        Code: rpm examples

• importing the Redhat code signing keys
     rpm --import /usr/share/rhn/*GPG-KEY*
           • unless you Really Trust the install CD’s, also import these into gpg
             or PGP and validate them against the redhat web site
                – https://www.redhat.com/security/team/key/

• checking a package
     rpm --checksig perl-5.8.0-89.10.i386.rpm
     perl-5.8.0-89.10.i386.rpm: (sha1) dsa sha1 md5 gpg OK

• verifying against a package
     rpm --verify -p perl-5.8.0-89.10.i386.rpm
• verifying against your RPM DB
     rpm -Va


                          Code: Microsoft

• most Microsoft code objects (.CAB, .EXE, .DLL, …) carry
  digital signatures (from X.509 code certificates)
     – their keyword is Authenticode
           • http://msdn.microsoft.com/library/default.asp?url=/workshop/security/authcode/authenticode_ovw_entry.asp
     – validated automatically during their patch process
• they encourage 3rd party vendors to sign too
• tool: mbsa 2
     – can check your Microsoft .DLL and .EXE signatures
• tool: chktrust (from the .Net framework SDK)
     – can check individual files from anyone
           • http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cptools/html/cpgrfCertificateVerificationToolChktrustexe.asp
                Code: open source - subversion

• find a project you want to install from source, say
  subversion
     – a source code control system intended to supersede CVS
• Download the source archive and a detached signature
     – wget or curl are your friends
• Results:
     ls -l subv*
     -rw-rw-r--    1 jiml     jiml      6982288 Apr 25 13:40
       subversion-1.2.0-rc2.tar.bz2
     -rw-rw-r--    1 jiml     jiml          562 Apr 25 13:40
       subversion-1.2.0-rc2.tar.bz2.asc




           Code: open source – 1st verify try
gpg --verify subversion-1.2.0-rc2.tar.bz2.asc

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more
   information
gpg: Signature made Thu 21 Apr 2005 06:46:52 PM CDT using DSA key
   ID 641E358B
gpg: Can't check signature: public key not found
gpg: Signature made Fri 22 Apr 2005 12:30:09 AM CDT using DSA key
   ID F894BE12
gpg: Can't check signature: public key not found
gpg: Signature made Fri 22 Apr 2005 05:13:39 PM CDT using DSA key
   ID EC6B5156
gpg: Can't check signature: public key not found




       Code: open source – get missing keys
gpg --recv-keys --keyserver hkp://pgp.mit.edu 641E358B F894BE12 EC6B5156

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more
   information
gpg: key 641E358B: public key "Ben Reser <ben@reser.org>"
   imported
gpg: key F894BE12: public key "Brian W. Fitzpatrick
   <fitz@apache.org>" imported
gpg: key EC6B5156: public key "Ben Collins-Sussman
   <sussman@collab.net>" imported
gpg: Total number processed: 3
gpg:               imported: 3




           Code: open source – validate keys

• check trust paths
     – tolerable for all 3, though not outstanding
• see if the project web site has the keys
     – in this case, no
           • tsk, tsk
• see if the web site agrees with the key servers
     – can’t
     – but searching on the user names doesn’t turn up any extraneous
       keys either, which is good
     – can google the signers and see what they are involved with




            Code: open source – verify again
gpg --verify subversion-1.2.0-rc2.tar.bz2.asc

gpg: WARNING: using insecure memory!
gpg: please see http://www.gnupg.org/faq.html for more
   information
gpg: Signature made Thu 21 Apr 2005 06:46:52 PM CDT using
   DSA key ID 641E358B
gpg: Good signature from "Ben Reser <ben@reser.org>"
gpg:                  aka "Ben Reser <breser@siaer.net>"
gpg:                  aka "Ben Reser <breser@vecdev.com>"
gpg:                  aka "Ben Reser <ben@reser.org>"
gpg:                  aka "Ben Reser <breser@siaer.net>"
gpg:                  aka "Ben Reser <breser@vecdev.com>"
gpg: WARNING: This key is not certified with a trusted
   signature!
gpg:           There is no indication that the signature
   belongs to the owner.
. . .
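"Good signature" followed by the "not certified" warning only says that some key in the keyring matches. The added example below (not part of the original slides) makes the accept/reject decision from gpg's machine-readable `--status-fd` lines and a list of fingerprints validated out of band; the function name, fingerprints and key IDs are constructed placeholders, and the status line layout is assumed to follow GnuPG's doc/DETAILS.

```python
# Signature states that must always reject the download.
HARD_FAILURES = {"BADSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample data: placeholder fingerprints and key IDs, not real keys.
FPR_A = "A" * 40
FPR_B = "B" * 40
FIRST_TRY = (          # public key not in the keyring yet
    "[GNUPG:] ERRSIG AAAAAAAAAAAAAAAA 17 2 00 1114127212 9\n"
    "[GNUPG:] NO_PUBKEY AAAAAAAAAAAAAAAA\n"
)
AFTER_IMPORT = (       # key imported, signature checks out, trust unknown
    "[GNUPG:] GOODSIG AAAAAAAAAAAAAAAA Constructed Signer <signer@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR_A} 2005-04-21 1114127212 0 3 0 17 2 00 {FPR_A}\n"
    "[GNUPG:] TRUST_UNDEFINED\n"
)
EXPIRED_KEY = AFTER_IMPORT.replace("GOODSIG", "EXPKEYSIG")


def evaluate_gpg_status(status_text, pinned_fingerprints, required=1):
    """Accept only if `required` distinct pinned keys made valid signatures
    and no signature is bad, expired, or from an expired or revoked key."""
    pinned = {fp.replace(" ", "").upper() for fp in pinned_fingerprints}
    result = {"pinned_ok": set(), "unpinned_ok": set(),
              "failures": [], "unchecked": []}
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in HARD_FAILURES:
            result["failures"].append((keyword, args[0]))
        elif keyword == "ERRSIG":
            # Could not be checked at all, e.g. "public key not found".
            result["unchecked"].append(args[0])
        elif keyword == "VALIDSIG":
            # Last field is the primary key fingerprint when gpg reports it.
            primary = (args[-1] if len(args) >= 10 else args[0]).upper()
            bucket = "pinned_ok" if primary in pinned else "unpinned_ok"
            result[bucket].add(primary)
    result["accepted"] = (not result["failures"]
                          and len(result["pinned_ok"]) >= required)
    return result


if __name__ == "__main__":
    for name, text in [("first try", FIRST_TRY), ("after import", AFTER_IMPORT),
                       ("expired key", EXPIRED_KEY)]:
        verdict = evaluate_gpg_status(text, [FPR_A])
        print(name, "->", "accept" if verdict["accepted"] else "reject")
```

In practice the status text would come from `gpg --status-fd 1 --verify file.asc file`, and `required` can be raised for releases that carry several signatures.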

                Code: questions?

• any questions?

• we’re done



