Add timeserver key rotation #173

awwad · 2019-03-07T18:03:29Z

Motivation

In implementations of Uptane employing a timeserver, the ability to update the timeserver key is required. Since the reference implementation uses a timeserver, timeserver key rotation is required.

For discussion of timeserver key rotation as a fast-forward attack mitigation, and to see the portions of the Uptane standard dealing with this process, see uptane-standard PR 41.

Changes Required

PRs in Progress

The PRs in progress addressing this requirement are (check off when merged):

upTUF PR 22: allow custom override of system clock
Uptane PR 170: timeserver times override use of system clock
an upTUF PR implementing metadata support in Root and Targets for timeserver key listing
Uptane PR 171: implement timeserver key rotation

Direct requirements

Root metadata on the Director repository must include the additional 'timeserver' role, specifying its keys.
Targets metadata on the Director repository must include an additional entry to specify timeserver keys (if partial verification secondaries are supported).
primary.py and secondary.py must employ the above, using Root for full verification and using Targets for partial verification.

Indirect requirements

Uptane's current TUF implementation (upTUF) requires several changes in formats.py, repository_lib.py, conf.py, repository_tool.py, and updater.py in order to (1) support overriding use of the system clock and (2) support timeserver key listing.
After the Uptane reference implementation's migration from using a custom TUF implementation (upTUF) to using the TUF reference implementation, after the fix to TUF Issue 660 is deployed, there should be no code changes in TUF itself required to handle timeserver key rotation support: the Uptane code should be able to achieve this transparently through use of the new roledb interface.

The latter point is because the 660 rewrite involves a lot of generalization of repository_lib and repository_tool, and a removal of the intermediate metadata format currently in roledb. That makes it much easier to construct custom metadata (since generating/writing metadata will basically just be dumping the contents of roledb, instead of the current weird reconstruction with implicit rules about what roles exist).

So for now, upTUF will use Uptane-specific timeserver key code... but post-merge, I don't think a fork persists: the Uptane repository-side interface will just add some info to roledb and then write the metadata in the usual TUF way.

Resolution uses rotation of the Timeserver key. See: - #173 - uptane/uptane-standard#41 This requires a bit more editing. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

test_secondary.test_95_timeserver_fastforward_attack We add an additional test client (bringing us to 4 test Secondary clients). Resolution uses rotation of the Timeserver key. See: - #173 - uptane/uptane-standard#41 This commit also improves the prior test added in this PR, test_90_timeserver_key_rotation, adding a few checks and improving readability and comments. This requires a bit more editing. Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>

awwad added the enhancement label Mar 7, 2019

awwad self-assigned this Mar 7, 2019

This was referenced Mar 7, 2019

WIP: Timeserver key rotation #171

Open

support setting the clock manually via timeserver attestations #170

Merged

awwad mentioned this issue Mar 25, 2019

Fix repo update order (Director first) #179

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add timeserver key rotation #173

Add timeserver key rotation #173

awwad commented Mar 7, 2019 •

edited

Loading

Add timeserver key rotation #173

Add timeserver key rotation #173

Comments

awwad commented Mar 7, 2019 • edited Loading

Motivation

Changes Required

PRs in Progress

Direct requirements

Indirect requirements

awwad commented Mar 7, 2019 •

edited

Loading