Monkeysphere: Easing key management and improving HTTPS security

Update 2014-05-24

To make it easier to add the overlay it is now included in Layman (make sure layman is compiled with the mercurial use flag). It can then be added using layman -a k_f

End of Update

Lately I've been paying some more attention to Monkeysphere. Since it has been some time since my last blog post, I figured this was a good opportunity to share some new ideas.

I've already been using parts of the framework for some of my websites, including sks-keyservers.net for quite some time. The reason for this is to offer an alternative to the traditional way of validating the authenticity of HTTPS server certificates, by utilizing the more decentralized approach of OpenPGP's Web of Trust (WoT). In particular with the recent Snowden/NSA/GCHQ revelations, an alternative to the Root CA (Certificate Authority)  structure being used today is interesting to investigate further.

The Monkeysphere project's goal is to extend OpenPGP's web of trust to new areas of the Internet to help us securely identify servers we connect to, as well as each other while we work online. The suite of Monkeysphere utilities provides a framework to transparently leverage the web of trust for authentication of TLS/SSL communications through the normal use of tools you are familiar with, such as your web browser0 or secure shell.

For this part, Monkeysphere imports the cryptographic details from my usual X.509 SSL Certificate used to identify the https connection and generate an OpenPGP certificate containing the same data, after which I've signed the OpenPGP key using my personal key and uploaded the certificate to the usual keyservers. This way, anyone that has validated my own OpenPGP key (if you don't have one on your own yet, you should create one) can find a trust path and compare the key data of the OpenPGP key to the X.509 certificate provided during SSL/TLS negotiation. When a match is found, we know that this is the intended key and can continue to browse safely.

Although it is possible to validate this manually, that can obviously be cumbersome, so I'm using the components msva-perl and the Firefox extension for Monkeysphere, titled xul-ext-monkeysphere, that automates the process. For information on how to set this up for yourself, see the documentation on Identifying secure web servers through the Web of Trust.

Somewhat more hidden to the everyday user, is however one of Monkeysphere's greatest advantages; using OpenPGP to ease key management for the Secure Shell Protocol (SSH). As my key has an authentication subkey that I use to log into my servers, it helps me automate how I access my servers. It is prudent to utilize Public Key Infrastructure and deny any password-based authentication to get into the server, to make it more difficult for an adversary to brute-force their way into the server, or simply to reduce the resources needed on the server to handle such attempts by automated robots. By specifying a trusted introducer on each server I can specify the OpenPGP User IDs that are permitted access for a given user. This also enable me to easily add new users without requesting that they provide me with their SSH keys, and managing the updating of such keys whenever they change across a number of servers. More importantly, if a user detect that their key is compromised and revoke it, it is automatically handled across all my servers as well, limiting the security impact. And the best part, it is rather  easy to set up. 

Monkeysphere also works for authenticating the server itself based on the Host key for SSH so that I don't have to remember the fingerprint of the host key whenever I clear out my known_hosts file.
If you haven't already, I recommend looking into this approach. If you're using Gentoo, as I am on most of my servers, I've created a repository for a Portage Overlay available at https://bitbucket.org/kristianf/portage-overlay/

In order to use this, you'll want to pull the repository into some location using

hg clone https://bitbucket.org/kristianf/portage-overlay/

You can then create a symlink to e.g. /usr/local/portage and include this in your /etc/portage/make.conf file using

PORTDIR_OVERLAY="/usr/local/portage ${PORTDIR_OVERLAY}"

you should then be able to emerge the packages using e.g.

emerge monkeysphere

Note that for now I've masked the packages with the ~arch attribute, so you'll need to unmask them as per instructions provided by portage, or by adding the following to your /etc/portage/package.accept_keywords in order to unmask all packages in this overlay for your ~arch:

*/*::kristian_general_overlay

In order to update the repository and get updates you'll want to run

hg pull && hg up

in your local repository directory from time to time before wanting to updated your installed packages.

 

 

Source for sks-keyservers.net released as open source

Due to popular demand, and what I hope will result as good contributions to the further development of sks-keyservers.net I decided to release the sourcecode under the GNU General Public License v3 in a subversion repository available at code.google.com

For those who haven't gotten to know this project, yet, I started it in 2006 when the former random.sks.keyserver.penguin.de round-robin pool by Bjoern Buerger went offline. The SKS Keyservers provide the public key component / certificates in the Web of Trust of which OpenPGP ("Pretty Good Privacy") is based on. The whole framework is used in order to facilitate digitally signed and encrypted email messages.

In an environment where the governments implement schemes such as the Data Retention Directive (EU), and documentation shows that US used its Echelon surveillance network to promote Boeing's business (in 1994), one can't stress the importance of encryption enough. But even for those who don't feel this need, email is becoming an increasingly important method of communication - and without digital signatures, anyone can spoof an email address. Despite this, surprisingly few have decided to invest any time or effort into securing their digital communication.

That was also the reason for me starting to write my still un-published book in 2008, Sending Emails The Safe Way. I started this with the intention of convincing more people about the necessity and teaching them about the various elements related to proper security. The more I wrote, however, I noticed that my writing got more technical and in the end I concluded that the book was not suitable for the intended task, but was rather aimed at system administrators. Realizing this I never got around to finished the book. However, the parts I wrote during a couple very interesting weeks can nevertheless be downloaded in PDF format. By now all but the cryptography theory and history is outdated, including quite a few of the references found in the footnotes, so any new effort at writing something on the subject would be from scratch. Based on the adoption rate of the technology, it sure seems necessary.

sks-keyservers.net gets a well deserved update

Its been a while since I've gotten around to do any programming, so over the weekend I've finally gotten around to adding some new features to sks-keyservers.net .

Most notably SRV records have been added , and in this process I introduced performance timing of the servers in the pool. This is now reflected both in the SRV pool and in the primary pool of A records. Hopefully this makes the pool even more responsive and improve the user-experience.

In addition usage statistics of the pool has been added by analyzing the bind query log across the various DNS NameServers involved.