openpgp.conf: an update on the sks-keyservers.net services · b synchronizing key server (sks) is...
TRANSCRIPT
1/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
OpenPGP.conf:An update on the sks-keyservers.net services
Kristian Fiskerstrand94CB AFDD 3034 5109 5618
35AA 0B7F 8B60 E3ED FAE3
9 September 2016
2/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Table of Contents
1 Quick intro to keyservers and related protocols
2 sks-keyservers.net
3 Keyserver network and OpenPGP community
3/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Quick intro to keyservers, protocols etc I
B Synchronizing Key Server (SKS) is the most usedkeyserver today.
B One notable feature of SKS is the implementation of thefast reconciliation algorithms that were part of YaronMinksy’s PhD thesis.
B SKS replaced PKS that synchronized using email and didnot include the updated features of OpenPGP presented inRFC4880.
B SKS is written in objective caml, and the maindevelopment team is Yaron, John Clizbe and myself.Contributions are welcome.
4/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Quick intro to keyservers, protocols etc II
B SKS supports elliptic curves defined in RFC6637 (“EllipticCurve Cryptography (ECC) in OpenPGP”) since version1.1.5 (released 5th May 2014)• ECDH, ECDSA• Curves: nistp521, nistp384, nistp256, brainpoolP256r1,
brainpoolP384r1, brainpoolP512r1, secp256k1B Support for EdDSA / Ed25519 and Curve25519 is included
in version 1.1.6 (released 7th August 2016)• EdDSA• Curves/Schemes: Ed25519 (EdDSA), Curve25519
(ECDH)
5/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Quick intro to keyservers, protocols etc III
B SKS is single-threadedB Recommendations for setting up SKS is listed on
https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Peering
B These recommendations includes instructions on setting upa reverse proxy
B In particular this avoids DoS due to slow connectionsB Additionally some server administers that experience high
loads use a load-balanced setup (10)
6/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Quick intro to keyservers, protocols etc IV
B The keyservers in the pool is accessed based on theHorowitz Key Protocol (HKP).
B HKP is a layer on top of HTTP defining how to access thekeyserver. It was never formally accepted as a standard butthe basis is found in http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00.
B Development since the initial draft is based on communityconsensus, mainly between GnuPG and SKS as referenceimplementations.
7/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Quick intro to keyservers, protocols etc V
B Some HKP examples http://pool.sks-keyservers.net:11371Stats request:/pks/lookup?op=statsVerbose index:/pks/lookup?op=vindex&[email protected]:/pks/lookup?op=get&search=0x0b7f8b60e3edfae3&options=mr − Machine readable output
8/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Quick intro to keyservers, protocols etc VI
B Alternative keyservers still exist, including Hockeypuck(written in Go) and that has preliminary support for SKSsynchronization.
B Other keyservers also exist that use different interfaces, e.g.PGP Corp’s/Symantec’s keyservers are using LDAP whichincludes the Symantec Encryption Server (former PGPUniversal) used in some corporate settings.
9/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Table of Contents
1 Quick intro to keyservers and related protocols
2 sks-keyservers.net
3 Keyserver network and OpenPGP community
10/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Introduction I
B https://sks-keyservers.net provides a convenient wayfor end users of OpenPGP to retrieve and update keysfrom synchronised and responsive HKP keyservers
B The project was started in 2006[1]B The servers are mainly based on SKS (p. 3).B Several pools of keyservers are available
pool. Main pool (on port 11371)hkps.pool. TLS enabled pool (HKPS) (more
on p. 15){NA,EU,OC}.pool. Geographical pools (more on p. 14)p80.pool. Firewall friendly, servers
responding on port 80.
11/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Introduction II
subset.pool. Supports latest functionalities.Currently SKS 1.1.6 only; ensuringsupport for e.g. Elliptic Curve keysc.f. RFC6637 as well asEd25519/Curve25519.
ha.pool. High availability. Only includingservers reported as operating asclustered setups.
Tor/Onion Pool to allow access as a Torhidden service (more on p. 18)
12/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Introduction III
B These pools are functioning as a DNS Round RobinB Currently ∼ 100 servers included in the main pool and
another ∼ 30 detected but rejected (inclusion criteria onp. 13)
B The pools are accessible using both IPv4 and IPv6 (withsome special pools limited to a single stack, e.g.ipv{4,6}.pool.sks-keyservers.net)
B GnuPG defaults to keys.gnupg.net which is a DNSCNAME to pool.sks-keyservers.net
13/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Inclusion criteria
B Servers responds to HKP queries on port 11371B The server’s number of available keys can’t be less than
than median number of keys – ∆ where ∆ is calculated in atwo-stage process. First excluding outliers (diff exceeding±0.5σ) then ∆ = Max (0.5σ, 300) of the recalculated σ
B Upgraded to a compatibility level of SKS 1.1.5 or higher.B Server name reported is a fully qualified domain nameB HTTP/1.1 POST does not result in HTTP status 417B Reverse Proxy (providing via header or based on server
header)B Server is not in the global exclude list
14/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Geographical pools
(1) During an update run, determinethe response time from multipleclient measuring stations (groupedby pool) as the mean of N attemptsand the bandwidth capacity foreach individual server.
(2) Calculate the mean (µ) andstandard deviation (σ) of theaforementioned parameters acrossthe servers in the pool.
(3) Exclude outliers to the results basedon N (σ) rejection criteria.
(4) Calculate new µ and σ for theremainder of the servers.
(5) Calculate the SRV weights for theindividual servers.
(6) Sort the servers by weights and picktop 10 for each individual pool
SRV weights are defined as:
weight = α
+ Min(βR
( 1(R − (µR − 2σR))y
), φ
)
+ βB
Bm∑
j=1Bj
+ βP ·DP · ρ
(1)
where:α is a constant to provide a base weightβi is the loading (weight) of the respective factor indetermining the SRV weightDP is a dummy variable that is 1 if a reverse proxy existsand 0 otherwiseρ is the additional weight given for a reverse proxy enabledservery is a constant (even number) that defines penalization fordeviationφ is the ceiling of weight to be added for R
Further information is available at[2]
15/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
HKPS Pool I
B HKPS is regular HKP over TLS (port 443)B In order to achieve such a setup across multiple
independent servers, all participants in the pool needs acertificate signed by the sks-keyservers.net CA (SCA)
B The certificates contain the CN of the individual serversand include the pool hostnames as subjectAltNames.
B The SCA issued certificate needs to be presented wheneverthe hkps SNI is requested, but several operators alsomaintain their own certificates from the global PKIXsystem for their individual hostname.
16/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
HKPS Pool II
B The public SCA cert is available at https://sks-keyservers.net/ca/sks-keyservers.netCA.pemand is signed by my OpenPGP key in a detached signaturewith .pem.asc suffix.
B The Certificate Revocation List (CRL) is published athttps://sks-keyservers.net/ca/crl.pem
B the SCA cert is also included in GnuPG:http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=dirmngr/sks-keyservers.netCA.pem;hb=refs/heads/master
17/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
HKPS Pool III
B More info on https://sks-keyservers.net/overview-of-pools.php#pool_hkps
B The GnuPG 2.1 branch doesn’t require any additionalconfiguration starting with 2.1.11
B Using the HKPS pool for 1.4 and 2.0 branches of GnuPGrequires the following configuration (requires a full curlimplementation, i.e. not curl-shim):
∼/.gnupg/gpg.conf for GnuPG 1.4 and 2.0 brancheskeyserver hkps://hkps.pool.sks-keyservers.netkeyserver-options ca-cert-file=/path/to/CA/sks-keyservers.netCA.pem
18/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Tor/Onion pool
B An experimental Tor hidden service is running ashkp://jirk5u4osbsr34t5.onion
B The hidden service uses OnionBalance(https://onionbalance.readthedocs.io/en/latest/)to distribute requests across multiple backend Torinstances.
B The pool currently consists of ∼ 15 serversB Tor support is included since GnuPG 2.1.10B Since it still use hkp, the tor service needs to respond to
port 11371
19/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Table of Contents
1 Quick intro to keyservers and related protocols
2 sks-keyservers.net
3 Keyserver network and OpenPGP community
20/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Number of keys
B I started recordingstatistics on the number ofkeys in 2011.
B Since then there are about1.5 million new keysavailable
B There has been anoticeable change to thegrowth rate at the time ofthe Snowden revelations.
B A more detailed breakdownof the keys (key length,algorithms etc) is availableat http://blog.sumptuouscapital.com/2014/01/openpgp-key-statistics/
21/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Network analysis
B With a growing number ofservers, keys and otherupdates the time toreplicate the data acrossthe network increases
B In order to optimizereconciliation times,bottlenecks in the networkhave to be detected andfixed.
B This is mostly a manualoperation aided by toolsfor network analysis.
22/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
B The keyserver community is generally friendly and is activein providing support and responding to new requests
B Wiki at https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home
B Mailing list at [email protected], both for SKSquestions and general keyserver operational procedures
23/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Duplicate keyids in focus
B Since the evil32 dataset was released there has been a bitof discussion on the use of short keyids in the web outputof keyservers
B The OpenPGP security model is founded on object basedsecurity where the content of the OpenPGP keyblock isself-protected
B Any OpenPGP key needs to be verified out of band beforebeing used
B Verification happens using full fingerprintB keyids provide a convenient quick identifierB Duplicate keyids (32 or 64 bit) in existence don’t affect
security when using OpenPGP or the keyservers at all (ifanything it increases security of people are sufficientlyconfused to properly verify keys)
B More on https://blog.sumptuouscapital.com/2016/08/openpgp-duplicate-keyids-short-vs-long/
24/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
Questions
Any questions?
25/25
Quick intro to keyservers and related protocols sks-keyservers.net Keyserver network and OpenPGP community References
References
[1] Kristian Fiskerstrand. [sks-devel] keyserver pool, 2006. URLhttp://lists.nongnu.org/archive/html/sks-devel/2006-12/msg00002.html.
[2] Kristian Fiskerstrand. Improving dns service record (srv)weights in sks-keyservers.net. 2012. URL https://sks-keyservers.net/files/sks-keyservers-SRV.pdf.