Wikka Security


Note: The examples in this page were created using the 1.1.6.3 release. Please substitute whatever version you are currently working with, and be aware that actual checksums and signatures reproduced here may not match the release you're working with.
 


Authentication of Wikka distributions


Why?

History is rife with examples of F/OSS software distros being hacked and released, often from the same "authoritative" website. Digital signatures and checksums offer integrity checking by verifying that the contents of a distro or tarball are what the original developers intended to release. Digital signatures add authentication verification by providing some information as to what parties are associated with a specific distro or tarball. They can also be used to authenticate the checksums to add an extra level of security (checksum files can be updated with the "real" checksum of a hacked version, and therefore offer only limited integrity checking on their own).

Checksums

Checksums can only test for integrity. The idea behind checksums is that variations in the file being checksummed (down to a single byte) will produce distinctly different checksums, so that hacked or defective versions of a file will produce checksums that no longer match the checksum as originally generated. While checksums do not determine authenticity (i.e., who created the file), verifying checksums is better than doing nothing at all.

We provide two checksums for each Wikka release: An MD5 ([md5]) and an SHA1 ([sha1]) checksum. (SHA1 checksums are considered more secure than MD5 checksums; the latter will eventually be phased out.)

Verifying checksums
Binary and source versions of both md5sum and sha1sum are usually shipped with most Unix installations as part of the GNU textutils package. (OSX users will probably need to install the textutils package manually using Fink or Darwin ports to access md5sum and/or sha1sum.)

Binary and source versions of the md5sum program for Windows/Unix/OSX can be found here.

Binary and source versions of the sha1sum program for Windows can be found here.

Verifying checksums using md5sum, sha1sum, or both is trivial. First, make sure both the checksum file(s) and the release file are in the same directory. Then, use one or both of the following commands to verify the checksums:
$ md5sum -c Wikka-1.1.6.3.tar.gz.md5
Wikka-1.1.6.3.tar.gz: OK

Note: some versions of md5sum do not display any message if the checksum is correct.

$ sha1sum -c Wikka-1.1.6.3.tar.gz.sha1
Wikka-1.1.6.3.tar.gz: OK


Both of these results indicate a reasonable likelihood that the release file you downloaded hasn't been tampered with. However, please keep in mind that you have no way of determining who generated this checksum or release file (for this, you would have to try to determine authenticity as well). Again, you will need to determine where your "comfort level" lies with regard to verifying the WikkaWiki release files (or any other files you might download from the Internet).
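Scripting the checks above, as an added example that is not part of the original page: the function relies on the exit status of md5sum/sha1sum rather than on the "OK" message (which some versions do not print), and the demo builds a constructed tarball and checksum files in a temporary directory, not a real Wikka release.

```shell
#!/bin/sh
# Added example (not from the Wikka page): verify a release tarball against the
# .md5 and .sha1 files shipped beside it, trusting only the exit status of
# md5sum/sha1sum, since some versions print nothing on success.
# Usage: verify_release_checksums Wikka-1.1.6.3.tar.gz
verify_release_checksums() {
    release=$1
    dir=$(dirname "$release")
    base=$(basename "$release")
    found=0
    # The checksum file names the tarball relative to its own location, so the
    # check must run from that directory (both files must sit together).
    for algo in md5 sha1; do
        sumfile="$dir/$base.$algo"
        [ -f "$sumfile" ] || continue
        found=1
        # Output is discarded: a non-zero status means a mismatch or a missing file.
        if ! (cd "$dir" && "${algo}sum" -c "$base.$algo" >/dev/null 2>&1); then
            echo "FAIL: $base does not match $sumfile" >&2
            return 1
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL: no .md5/.sha1 file found for $base" >&2; return 1; }
    echo "OK: $base matches every checksum file present (integrity only, not authenticity)"
    return 0
}

# Self-contained demonstration on a constructed tarball (not a real Wikka release):
# returns 0 when the intact file passes and a tampered copy fails.
demo_checksums() {
    work=$(mktemp -d)
    printf 'constructed release contents\n' > "$work/Wikka-1.1.6.3.tar.gz"
    (cd "$work" && md5sum Wikka-1.1.6.3.tar.gz > Wikka-1.1.6.3.tar.gz.md5 \
                && sha1sum Wikka-1.1.6.3.tar.gz > Wikka-1.1.6.3.tar.gz.sha1)
    verify_release_checksums "$work/Wikka-1.1.6.3.tar.gz" && good=1 || good=0
    printf 'x' >> "$work/Wikka-1.1.6.3.tar.gz"      # simulate a tampered download
    verify_release_checksums "$work/Wikka-1.1.6.3.tar.gz" 2>/dev/null && bad=1 || bad=0
    rm -rf "$work"
    [ "$good" -eq 1 ] && [ "$bad" -eq 0 ]
}
```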

Digital signatures

Digital signatures can be used to test for both authenticity and integrity. Each Wikka release is signed by a WikkaWiki Release Verification Key. For each Wikka release we post, clicking on the [sig] link will download an ASCII signature file that can be used to verify both the authenticity and integrity of the downloaded file. (Some users may find it necessary to right click and/or CTRL-click the link to ensure the signature is downloaded to the computer rather than displayed in the browser as a text file.)

Verifying signatures using GnuPG
Most Unix/Linux and Mac OSX distributions ship with GnuPG installed. From the command line, typing gpg -h will quickly tell you whether or not GnuPG is installed on your machine. If not, click on the link above to download (OSX users can alternatively use Fink to install the application).

Windows users can obtain GPG command-line binaries here. All of the gpg commands shown below should also work on the Windows client.

Windows users might also be interested in GPG4Win, a set of integrated GPG utilities (both command-line and GUI-based).

The following examples assume you have a working GnuPG installation, and have downloaded a Wikka distribution as well as the associated signature file. We will use Wikka-1.1.6.3.tar.gz and Wikka-1.1.6.3.tar.gz.asc (both located in the same directory) for this example.

The first step is to verify the signature against the release file:
$ gpg --verify Wikka-1.1.6.3.tar.gz.asc
gpg: Signature made Sun 01 Apr 2007 04:42:19 PM CDT using DSA key ID 952F79C5
gpg: Can't check signature: public key not found


We don't have the WikkaWiki Release Verification Key (key ID 952F79C5) in our "keyring," and will need to import it. You can either use a keyserver to do this:
$ gpg --keyserver pgp.mit.edu --recv-keys 952F79C5
gpg: key 952F79C5: public key "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1


or download the signing key from our server and import it directly into your "keyring":
$ gpg --import wikkawiki_release_key.pub
gpg: key 952F79C5: public key "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>" imported
gpg: Total number processed: 1
gpg:               imported: 1


At this point, you really don't have any way of checking the authenticity of this key (after all, anyone could have created a signing key with this name), but we'll address this in a moment. Re-verify the signature against the release file:
$ gpg --verify Wikka-1.1.6.3.tar.gz.asc
gpg: Signature made Sun 01 Apr 2007 04:42:19 PM CDT using DSA key ID 952F79C5
gpg: Good signature from "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB84 9552 7671 E97C 9585  2DF4 3529 DC1B 952F 79C5


This tells you the signature is good (meaning this is the same key that was used to generate the signature you just verified, and that there is a strong likelihood the file has not been tampered with in any way), but you really don't know whose key this is. The next step would be to authenticate the public key to such a degree that you are personally comfortable that this key does, in fact, belong to the WikkaWiki development team. To do this, you generate the key's fingerprint:
$ gpg --fingerprint 952F79C5
pub  1024D/952F79C5 2007-04-01 WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>
	 Key fingerprint = EB84 9552 7671 E97C 9585  2DF4 3529 DC1B 952F 79C5


A cursory attempt at verifying the authenticity of this key might be to compare the fingerprint with a publicly posted fingerprint (for instance, on a WikkaWiki developer's wiki page or home page). A higher degree of verification would be achieved by actually meeting with this key's owner in a face-to-face environment, complete with an exchange of IDs to positively verify that the owner of this key is who you expect this person to be, and that they can confirm the fingerprint as being authentic.

It should be obvious that there is a continuum of verification that exists which will satisfy an individual's "comfort level" with regard to authenticity. It's highly unlikely WikkaWiki's developers would have the time to meet with each WikkaWiki end-user individually to verify digital fingerprints. Instead, one can achieve a fairly high level of authenticity by taking advantage of the "web of trust" that results from a key being digitally signed by one or more individuals. For instance, it might be acceptable to you to verify the published fingerprints for three of the WikkaWiki developers who signed this key, realizing that a hacker would have to go to great lengths (and be highly motivated by something more than just juvenile impulses) to hack into every WikkaWiki developer's servers or wiki pages and change fingerprints to match a forged signing key.

Determining who else has signed a key is easy:
$ gpg --list-sigs 952F79C5
pub  1024D/952F79C5 2007-04-01 WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>
sig 3       952F79C5 2007-04-01   WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>
sig 3       60AFDF6F 2007-04-01   Brian Koontz (Personal key) <brian@pongonova.net>


This indicates that not only is the key "self-signed," but that an additional person (me, in this case) has also signed the key. Using the steps outlined above, you can then determine if my signature is authentic (to some degree), maybe by looking up my digital fingerprint on my wiki page. Other developers may have also signed the key; by verifying multiple signatures, you can increase your "comfort level" as to the authenticity of the signing key.

(If this discussion has piqued your interest in PKI and digital signatures, the GnuPG site is a great place to start your research.)


