Preview only show first 10 pages with watermark. For full document please download

Experiences Running Sks-keyservers.net Norwegian Unix User`s Group

   EMBED

Share

Transcript

A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Experiences running sks-keyservers.net Norwegian Unix User’s Group Kristian Fiskerstrand 0x0B7F8B60E3EDFAE3 9 September 2014 1/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Table of Contents 1 A brief introduction to OpenPGP 2 sks-keyservers.net 3 Code base 4 Keyserver network and community 2/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Introduction I B PGP is an abbreviation for “Pretty Good Privacy” and was originally created by Phil Zimmermann in 1991. B OpenPGP is a framework for cryptographic operations defined as a standard by IETF and described in RFC4880 and RFC6637 (Elliptic Curves) B The most popular implementation of OpenPGP for GNU/Linux environments is the GNU Privacy Guard (GnuPG), but alternatives exists both as free software and commercially (e.g. PGP). 3/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Introduction II B OpenPGP is a hybrid scheme using – Asymmetric keys for integrity, authentication and encryption of a random session key per message. – Symmetric encryption is used to ensure confidentiality of the data itself. B A default key generated by GnuPG today contains: – A primary key capable of Certification and Signing – An encryption capable subkey. – At least one User ID (e.g. “Kristian Fiskerstrand ”) 4/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Table of Contents 1 A brief introduction to OpenPGP 2 sks-keyservers.net 3 Code base 4 Keyserver network and community 5/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Introduction I B http://sks-keyservers.net provide a convenient way for end users of OpenPGP to retrieve and update keys from synchronised and responsive HKP keyservers B The project was started in 2006 B The servers are mainly based on SKS (p. 9). B Several pools of keyservers are available pool. Main pool (on port 11371) hkps.pool. TLS enabled pool (HKPS) (more on p. 14) {NA,EU,OC}.pool. Geographical pools (more on p. 13) p80.pool. Firewall friendly, servers responding on port 80. 6/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Introduction II subset.pool. ha.pool. Supports latest functionalities. Currently SKS 1.1.5 only; ensuring support for e.g. Elliptic Curve keys c.f. RFC6637. High availability. Historically included only instances that were running behind reverse proxies, but since making that a hard requirement for the main pool it is currently not different - however keeping it and intend to re-use for clustered setups. 7/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Introduction III B These pools are functioning as a DNS Round Robin B Currently ∼ 110 servers included in the main pool and another ∼ 60 detected but rejected (inclusion criteria on p. 12) B The pools are accessible using both IPv4 and IPv6 (with some special pools limited to a single stack, e.g. ipv{4,6}.pool.sks-keyservers.net) B GnuPG defaults to keys.gnupg.net which is a DNS CNAME to pool.sks-keyservers.net 8/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Quick intro to keyservers, protocols etc I B Synchronizing Key Server (SKS) is the most used keyserver today. B One notable feature of SKS is the implementation of the fast reconciliation algorithms that were part of Yaron Minksy’s PhD thesis. B SKS replaced PKS that synchronized using email and did not include the updated features of OpenPGP presented in RFC4880. B SKS is written in objective caml, and the main development team is Yaron, John Clizbe and myself. Contributions are welcome. 9/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Quick intro to keyservers, protocols etc II B The keyservers in the pool is accessed based on the Horowitz Key Protocol (HKP). Although alternative implementations exists (e.g. PGP Corp’s keyserver is using LDAP) B HKP is a layer on top of HTTP defining how to access the keyserver. It was never formally accepted as a standard but the basis is found in http: //tools.ietf.org/html/draft-shaw-openpgp-hkp-00. B Developments since the initial draft is based on community consensus, mainly between GnuPG and SKS as reference implementations. B Alternative keyservers still exists, including Hockeypuck that is written in Go and that has preliminary support for SKS synchronization. 10/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Quick intro to keyservers, protocols etc III B Some HKP examples http://pool.sks-keyservers.net:11371 Stats request: /pks/lookup?op=stats − operation Verbose index: /pks/lookup?op=vindex [email protected] − search parameters Get: /pks/lookup?op=get &options=mr − Machine readable output &search=0x0b7f8b60e3edfae3 11/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Inclusion criteria B Server responds to HKP queries B Number of keys can’t contain less than median number of keys – ∆ where ∆ is calculated during a two-stage process. First excluding outliers (diff exceeding ±0.5σ) then ∆ = Max (0.5σ, 300) of the recalculated σ B Upgraded to a compatibility level of SKS 1.1.3 or higher. B Server name reported is a fully qualified domain name B HTTP/1.1 POST does not result in HTTP status 417 B Reverse Proxy (providing via header or based on server header) B Server is not in the global exclude list B Responds to port 80 as well as 11371 (for p80 pool) B Not vulnerable to CVE-2014-3207 (for HKPS pool) 12/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Geographical pools SRV weights are defined as: (1) During an update run, determine the response time from multiple client measuring stations (grouped by pool) as the mean of N attempts and the bandwidth capacity for each individual server. weight = α  1 (R − (µR − 2σR ))y   ,φ    B  + βB  P  m (2) Calculate the mean (µ) and standard deviation (σ) of the aforementioned parameters across the servers in the pool. (3) Exclude outliers to the results based on N (σ) rejection criteria.  + Min βR Bj     j=1 + βP · DP · ρ (1) where: α is a constant to provide a basis weight (4) Calculate new µ and σ for the remainder of the servers. βi is the loading (weight) of the respective factor in determining the SRV weight (5) Calculate the SRV weights for the individual servers. ρ is the additional weight given for a reverse proxy enabled server (6) Sort the servers by weights and pick top 10 for each individual pool DP is a dummy variable that is 1 if a reverse proxy exists and 0 otherwise y is a constant (even number) that define penalization for deviation φ is the ceiling of weight to be added for R Further information is available at http://kfwebs.com/sks-keyservers-SRV.pdf 13/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community HKPS Pool I B HKPS is regular HKP over TLS (port 443) B In order to achieve such a setup across multiple independent servers, all participants in the pool needs a certificate signed by the sks-keyservers.net CA (SCA) B The certificates contains the CN of the individual servers and include the pool hostnames as subjectAltNames. B The SCA issued certificate needs to be issued whenever the hkps SNI is presented, but several operators also maintain their own certificates from the global PKIX system for their individual hostname. 14/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community HKPS Pool II B The public SCA cert is available at https: //sks-keyservers.net/sks-keyservers.netCA.pem and is signed by my OpenPGP key in a detached signature with .pem.asc suffix. B The Cetificate Revocation List (CRL) is published at https://sks-keyservers.net/ca/crl.pem B the SCA cert is also included in GnuPG: http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg. git;a=blob_plain;f=dirmngr/sks-keyservers.netCA. pem;hb=refs/heads/master 15/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community HKPS Pool III B More info on https://sks-keyservers.net/verify_tls.php B To use the HKPS pool require the following configuration: ∼/.gnupg/gpg.conf for GnuPG 1.4 and 2.0 branches keyserver hkps://hkps.pool.sks-keyservers.net keyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem 16/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Global reach Despite not having any data on actual usage, as this is handled by the slave DNS servers, visitors on the website indicate a global reach (based on last months visitors, the number of users of the service is expected to be higher than the number of visitors of the website) 17/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community SRV compatibility issues B However, some issues still remain in GnuPG: – Issue 1446: hkps SRV lookup discards port from SRV – Issue 1447: TLS hostname selection uses insecure SRV data B Until these are fixed and been present in standard versions for a while, a large-scale use of SRV records will not be used in the pool (it is currently disabled for everything except for the geographical pools) B This restricts e.g. the possibility of using HKPS pool on non-standard port (restricted to 443) B Note: Even when clients are expected to handle it, it might make sense to keep the restriction, e.g. due to firewalls. 18/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Table of Contents 1 A brief introduction to OpenPGP 2 sks-keyservers.net 3 Code base 4 Keyserver network and community 19/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community The code base B The code base consists of PHP (∼ 14k LOC (excluding embedded libraries)) and bash B Open Source: https://code.google.com/p/sks-keyservers-pool/ B A crawler is executed once an hour to update the data and is performing a recursive walk across servers detected in the peering mesh from the other servers. B The primary DNS server is updated every 15 minutes B Slave DNS servers are provided by a voluntary community, several of which are AnyCasted clusters. 20/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Scalability I B When I started in 2006 the number of servers was about 15–20 B As the number of tests performed as well as the number of servers increased, so did crawler execution time B The linear increase in time resulted in a need to rewrite core components to parallel execution. B The rewrite reduced the execution time for a full crawl from 14.5 minutes to 3.5 minutes (most of which is network delay and intended sleep() procedures to avoid DoS conditions) 21/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Scalability II B The crawler is now executed using libevent – a stand-alone PHP script is executed for each server lookup that returns data in json format. – peering servers not already checked are added to a pool of servers to check – iterates until the pool is empty B This approach also allows for direct testing against specific servers for debugging purposes. 22/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Customizations I B In particular setting up the HKPS pool required tweaks outside of PHP. B At the time of initial writing, PHP did not support CURL RESOLVE, as such execution would not accurately detect the presence of a X.509 Certificate of the pool due to connecting to IP address with Host: header of the pool. B This issue was solved by patching curl directly to use the value of the HTTP Host header as value for Server Name Indication. http://curl.haxx.se/mail/lib-2012-11/0104.html B CURL RESOLVE was added in PHP5.5. This permitted a code rewrite to remove the need for a custom patch of curl. 23/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Customizations II B But PHP did not yet allow for specifying a Certificate Revocation List (CRL). As such PHP itself had to be patched: https://bugs.php.net/bug.php?id=65575 B Support for CRL files were added in the mainline PHP source in 5.5.4. B The crawler now operate without need for custom patches in any external component. 24/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Table of Contents 1 A brief introduction to OpenPGP 2 sks-keyservers.net 3 Code base 4 Keyserver network and community 25/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Number of keys B I started recording statistics on the number of keys in 2011. B Since then there are about 800,000 new keys available B There has been a sustained increase in the growth rate since the Snowden revelations. B A more detailed breakdown of the keys (key length, algorithms etc) is available at http://blog.sumptuouscapital.com/ 2014/01/openpgp-key-statistics/ 26/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community Network analysis B With a growing number of servers, keys and other updates the time to replicate the data across the network increase B In order to optimize this, bottlenecks in the network have to be detected and fixed. B This is mostly a manual operation aided by tools for network analysis. 27/28 A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community B The keyserver community is generally friendly and is active in providing support and responding to new requests B Wiki at https://bitbucket.org/skskeyserver/ sks-keyserver/wiki/Home B Mailing list at [email protected], both for SKS questions and general keyserver operational procedures 28/28