Wiki source for WikkaSecurity



======Wikka Security======

<<**Note** The examples in this page were created using the 1.1.6.3 release. Please substitute whatever version you are currently working with, and be aware that actual checksums and signatures reproduced here may not match the release you're working with.<<::c::

====Authentication of Wikka distributions====

===Why?===
History is rife with examples of F/OSS software distros being hacked and re-released, often from the same "authoritative" website. Digital signatures and checksums offer //integrity checking// by verifying that the contents of a distro or tarball are what the original developers intended to release. Digital signatures add //authentication// by providing some information as to which parties are associated with a specific distro or tarball. They can also be used to authenticate the checksums themselves, which adds an extra level of security (a checksum file can be replaced with the "real" checksum of a hacked version, so checksums on their own offer only limited integrity checking).

===Checksums===
Checksums can only test for //integrity//. The idea behind checksums is that variations in the file being checksummed (down to a single byte) will produce distinctly different checksums, so that hacked or defective versions of a file will produce checksums that no longer match the checksum as originally generated. While checksums do not determine //authenticity// (//i.e.,// who created the file), **verifying checksums is better than doing nothing at all**.

We provide two checksums for each Wikka release: an MD5 (""[md5]"") and an SHA1 (""[sha1]"") checksum. (SHA1 checksums are considered more secure than MD5 checksums; the latter will eventually be phased out.)

==Verifying checksums==
Binary and source versions of both ##md5sum## and ##sha1sum## are usually shipped with most Unix installations as part of the [[http://www.gnu.org/software/textutils/textutils.html GNU textutils]] package. (OSX users will probably need to install the textutils package manually using Fink or Darwin ports to access md5sum and/or sha1sum.)

Binary and source versions of the md5sum program for Windows/Unix/OSX can be found [[http://www.fourmilab.ch/md5/ | here]].

Binary and source versions of the sha1sum program for Windows can be found [[ftp://ftp.gnupg.org/gcrypt/binary/sha1sum.exe | here]].

Verifying checksums using ##md5sum## and/or ##sha1sum## is trivial. First, make sure both the checksum file(s) and the release file are in the same directory. Then, use one or both of the following commands to verify the checksums:
%%
$ md5sum -c Wikka-1.1.6.3.tar.gz.md5
Wikka-1.1.6.3.tar.gz: OK
%%
//Note: some versions of md5sum do not display any message if the checksum is correct.//

%%
$ sha1sum -c Wikka-1.1.6.3.tar.gz.sha1
Wikka-1.1.6.3.tar.gz: OK
%%

Both of these results indicate a reasonable likelihood that the release file you downloaded hasn't been tampered with. However, please keep in mind that you have no way of determining who generated this checksum or release file (for this, you would have to try to determine //authenticity// as well). Again, you will need to determine where your "comfort level" lies with regards to verifying the ""WikkaWiki"" release files (or any other files you might download from the Internet).

===Digital signatures===
Digital signatures can be used to test for both //authenticity// and //integrity//. Each Wikka release is signed by a ""WikkaWiki"" Release Verification Key. For each Wikka release we post, clicking on the ""[sig]"" link will download an ASCII signature file that can be used to verify both the authenticity and integrity of the downloaded file. (Some users may find it necessary to right click and/or CTRL-click the link to ensure the signature is downloaded to the computer rather than displayed in the browser as a text file.)

==Verifying signatures using [[http://www.gnupg.org | GnuPG]]==
Most Unix/Linux and Mac ""OSX"" distributions ship with ""GnuPG"" installed. From the command line, typing ##gpg -h## will quickly tell you whether or not ""GnuPG"" is installed on your machine. If not, click on the link above to download (""OSX"" users can alternatively use Fink to install the application).

Windows users can obtain GPG command-line binaries [[http://www.gnupg.org/(en)/download/index.html | here]]. All of the commands shown below should also work on the Windows client.

Windows users might also be interested in [[http://www.gpg4win.org | GPG4Win]], a set of integrated GPG utilities (both command-line and GUI-based).

The following examples assume you have a working ""GnuPG"" installation, and have downloaded a Wikka distribution as well as the associated signature file. We will use ##Wikka-1.1.6.3.tar.gz## and ##Wikka-1.1.6.3.tar.gz.asc## (both located in the same directory) for this example.

The first step is to verify the signature against the release file:
%%
$ gpg --verify Wikka-1.1.6.3.tar.gz.asc
gpg: Signature made Sun 01 Apr 2007 04:42:19 PM CDT using DSA key ID 952F79C5
gpg: Can't check signature: public key not found
%%

We don't have the ""WikkaWiki"" Release Verification Key (key ID 952F79C5) in our "keyring," and will need to import it. You can either use a keyserver to do this:
%%
$ gpg --keyserver pgp.mit.edu --recv-keys 952F79C5
gpg: key 952F79C5: public key "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
%%

or [[http://www.wikkawiki.org/downloads/wikkawiki_release_key.pub | download the signing key]] from our server and import it directly into your "keyring":
%%
$ gpg --import wikkawiki_release_key.pub
gpg: key 952F79C5: public key "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>" imported
gpg: Total number processed: 1
gpg: imported: 1
%%

At this point, you really don't have any way of checking the authenticity of this key (after all, anyone could have created a signing key with this name), but we'll address this in a moment. Re-verify the signature against the release file:
%%
$ gpg --verify Wikka-1.1.6.3.tar.gz.asc
gpg: Signature made Sun 01 Apr 2007 04:42:19 PM CDT using DSA key ID 952F79C5
gpg: Good signature from "WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>"
gpg: checking the trustdb
gpg: no ultimately trusted keys found
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: EB84 9552 7671 E97C 9585 2DF4 3529 DC1B 952F 79C5
%%

This tells you the signature is good (meaning the signature was made by the key you just imported, and that there is a strong likelihood the file has not been tampered with in any way), but you really don't know whose key this is. The next step would be to //authenticate// the public key to such a degree that you are personally comfortable that this key does, in fact, belong to the WikkaWiki development team. To do this, you generate the key's //fingerprint//:
%%
$ gpg --fingerprint 952F79C5
pub 1024D/952F79C5 2007-04-01 WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>
Key fingerprint = EB84 9552 7671 E97C 9585 2DF4 3529 DC1B 952F 79C5
%%

A cursory attempt at verifying the authenticity of this key might be to compare the fingerprint with a publicly-posted fingerprint (for instance, on a ""WikkaWiki"" developer's wiki page or home page). A higher degree of verification would be achieved by actually meeting with this key's owner in a face-to-face environment, complete with an exchange of IDs to positively verify that the owner of this key is who you expect this person to be, and that they can confirm the fingerprint as being authentic.
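The two checks this page walks through (the ##sha1sum -c## step and the "Good signature" plus fingerprint comparison) can be scripted so that a "Good signature" from a key that merely carries the right name is never accepted. The following is an added example, not part of ""WikkaWiki"" or its tooling: the tarball bytes and the ##gpg --status-fd## output are constructed stand-ins, and the only real value is the fingerprint shown by ##gpg --fingerprint 952F79C5## above, which the code pins.

```python
import hashlib

# Constructed sample input (not the real tarball): stand-in bytes plus a matching
# .sha1 file in the `<hex>  <filename>` format that sha1sum/md5sum -c consume.
RELEASE_NAME = "Wikka-1.1.6.3.tar.gz"
RELEASE_BYTES = b"constructed stand-in for the release tarball contents\n"
SHA1_FILE = hashlib.sha1(RELEASE_BYTES).hexdigest() + "  " + RELEASE_NAME + "\n"

# Full primary-key fingerprint printed by `gpg --fingerprint 952F79C5` on this page.
PINNED_FPR = "EB84 9552 7671 E97C 9585 2DF4 3529 DC1B 952F 79C5".replace(" ", "")

# Constructed `gpg --status-fd 1 --verify` output for the "Good signature" case above:
# GOODSIG and VALIDSIG are present, but TRUST_UNDEFINED because the key is not
# certified in the local web of trust. The last VALIDSIG field is the primary fingerprint.
STATUS_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 3529DC1B952F79C5 WikkaWiki Release Verification Key <admin@wikkawiki.org>
[GNUPG:] VALIDSIG EB8495527671E97C95852DF43529DC1B952F79C5 2007-04-01 1175463739 0 4 0 17 2 00 EB8495527671E97C95852DF43529DC1B952F79C5
[GNUPG:] TRUST_UNDEFINED
"""
# Same user ID text, different (constructed) key: gpg would still say "Good signature".
STATUS_FORGED = STATUS_GOOD.replace(PINNED_FPR, "00112233445566778899AABBCCDDEEFF00112233")


def checksum_ok(sum_file, name, data, algo="sha1"):
    """Verify `data` against the entry for `name` in an md5sum/sha1sum-style file."""
    for line in sum_file.splitlines():
        parts = line.split(None, 1)
        # A leading `*` on the filename marks binary mode in md5sum/sha1sum output.
        if len(parts) == 2 and parts[1].strip().lstrip("*") == name:
            return hashlib.new(algo, data).hexdigest() == parts[0].lower()
    return False  # no entry for this file: fail closed instead of passing silently


def signature_ok(status, pinned_fpr):
    """Require GOODSIG plus a VALIDSIG whose primary fingerprint equals the pin.
    TRUST_UNDEFINED is tolerated because the pin, not the trustdb, authenticates the key."""
    good = valid = False
    for line in status.splitlines():
        f = line.split()
        if len(f) < 2 or f[0] != "[GNUPG:]":
            continue
        if f[1] in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False  # tampered file, missing key, or expired/revoked signing key
        if f[1] == "GOODSIG":
            good = True
        if f[1] == "VALIDSIG" and len(f) >= 12:
            valid = f[11].upper() == pinned_fpr.upper()
    return good and valid
```

On a real download, feed the two functions the actual ##.sha1## file contents and the output of ##gpg --status-fd 1 --verify Wikka-1.1.6.3.tar.gz.asc##; anything other than both returning ##True## means stop and investigate.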

It should be obvious that there is a continuum of verification that exists which will satisfy an individual's "comfort level" with regards to authenticity. It's highly unlikely ""WikkaWiki's"" developers would have the time to meet with each ""WikkaWiki"" end-user individually to verify digital fingerprints. Instead, one can achieve a fairly high level of authenticity by taking advantage of the "web of trust" that results from a key being digitally signed by one or more individuals. For instance, it might be acceptable to you to verify the published fingerprints for three of the ""WikkaWiki"" developers who signed this key, realizing that a hacker would have to go to great lengths (and be highly motivated by something more than just juvenile impulses) to hack into every ""WikkaWiki"" developer's servers or wiki pages and change fingerprints to match a forged signing key.

Determining who else has signed a key is easy:
%%
$ gpg --list-sigs 952F79C5
pub 1024D/952F79C5 2007-04-01 WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>
sig 3 952F79C5 2007-04-01 WikkaWiki Release Verification Key (WikkaWiki Release Signing Key) <admin@wikkawiki.org>
sig 3 60AFDF6F 2007-04-01 Brian Koontz (Personal key) <brian@pongonova.net>
%%

This indicates that not only is the key "self-signed," but that an additional person (me, in this case) has also signed the key. Using the steps outlined above, you can then determine if //my// signature is authentic (to some degree), maybe by looking up my digital fingerprint on my [[BrianKoontz | wiki page]]. Other developers may have also signed the key; by verifying multiple signatures, you can increase your "comfort level" as to the authenticity of the signing key.

(If this discussion has piqued your interest in PKI and digital signatures, the [[http://www.gnupg.org | GnuPG]] site is a great place to start your research.)



CategoryEN