RFC/proposal for Thandy changes

Justin Samuel js at justinsamuel.com
Mon Oct 18 02:46:22 UTC 2010

Hi all,

Here's my first pass at proposed Thandy changes as discussed on irc a couple
of weeks ago.


0. Proposed Thandy Changes

This is a set of proposals that includes a section of simple changes that can
be considered on their own (Section 1) as well as a more fundamental Thandy
restructuring proposal (Section 2).

This isn't meant to be at the level of detail needed for a spec and subsequent
implementation. This is to get feedback and promote discussion. It's not an
official proposal at this point but more of a request for comment.

A few relevant documents for reference:

 * Thandy spec:
 * TUF spec: https://www.updateframework.com/browser/specs/tuf-spec.txt
 * High-level differences between Thandy and TUF:
 * Paper on TUF: http://www.freehaven.net/~arma/tuf-ccs2010.pdf

1. Individual Thandy Changes

These are changes that could be made to Thandy without major overhaul and can
be considered separately of the restructuring proposal (Section 2).

1.1. Multiple File Hashes

Make all file hashes be a set of (algorithm, digest) pairs rather than a
single digest of a predefined algorithm. Thus, instead of describing a file's
hash in metadata with:

  "hash" : 349dceb3de2db82e363c3d73063f031c56c5aac5

It would be described as:

  "hash" : ["sha1" : 349dceb3de2db82e363c3d73063f031c56c5aac5,
            "sha256" : 95eaa1682a99fba24b26c94499b545...747d7759ba845c8b5c]

Note that it could still be allowed to list only one digest. This just allows
the ability to use multiple hashes. It's up to the client implementation to
determine which are checked.

1.2. Refer to Keys by Their ID when Delegating

In the Thandy key list file (the "root metadata"), the full keys are listed
each time they are referenced. This may decrease the human readability of the
key list.

An alternative approach is to use a separate section in the file that defines
the keys that will be used in the rest of this metadata file, list them with
their ID (a hash of the canonical format of the key), and then refer to them
later by this ID. This is similar to how signatures are already done in
Thandy: the ID of the key is listed along with the signature.

An implementation of this needs to check for ID collisions when reading keys
from metadata. It's fine to see the same key specified with the same ID, but a
different key with the same ID as one that has been seen indicates something
wrong. (Note that the implementation would always check that the specified IDs
are correct for the corresponding key, even without collisions.)

1.3. Indicate Signature Thresholds

The current Thandy spec isn't clear about how multiple keys are specified for
a role. There also doesn't appear to be a way to specify a threshold that is
less than the total number of keys. The method of specifying multiple keys
should be made clear and the ability to indicate the number of signatures of
those keys that are required should be added. (There's an example of how this
can be specified in metadata in Section 2.2.)

1.4. Add a 'Release' Role

Thandy currently lists the hashes of all other metadata in the timestamp file.
There are certain attacks that could be mitigated if the Timestamp role signed
a separate Release role's metadata that listed the hashes of all other
metadata files. The idea here is that an attacker who compromises only the
Timestamp role cannot present clients with a mix-and-match of signed metadata
files that were available from the repository at different times. The
separation helps because the Timestamp role has a higher likelihood of key
compromise because the keys are used in an automated fashion, whereas the
Release role would not be used in an automated fashion.

Though the idea of a metadata mix-and-match attack is in general something
worth keeping in mind, it may be the case that Thandy isn't at much risk
because bundles serve a similar role of grouping together package versions in
a way that attackers can't cause the clients to use an unintended combination
of package versions. The risk to Thandy depends on whether packagers ever
replace a package version rather than increment it (they aren't supposed to
ever replace a version) and whether Thandy bundles always specify exact
package versions rather than minimum/maximum package versions or package
version ranges.

2. Thandy Restructuring Proposal

Primary goal: Keep Thandy's concepts of bundles and packages but overlay them
on top of the generic 'targets' approach of TUF.

Note: This proposal is not advocating using/maintaining/relying on TUF as a
separate project. That depends on factors such as the future of TUF according
to the current TUF maintainers, whether Python is an appropriate choice for
Windows clients, etc.

2.1 Approach

Two separate layers:

  1. An authentication layer that downloads and authenticates opaque 'target'
     files according to metadata it understands that lists hashes and sizes of
     the target files. This layer doesn't understand what bundles and packages

  2. A decision/installation layer that uses the authentication layer to
     download bundle/package info and associated files. This layer doesn't
     know the details of the authentication mechanisms or roles; it gets
     files from the authentication layer that the authentication layer has
     already authenticated.

     * Note that the update decision and installation code are probably
       separate, but for the sake of this proposal all that matters is that
       the Thandy authentication layer is logically separate from the rest of

For the authentication layer, we start with the following roles (the same as
TUF uses):

  * Root
    o Root of trust for the entire PKI. Indicates through signed
      metadata which keys are trusted for the Release, Targets, Timestamp, and
      Mirror roles.

  * Timestamp
    o Signs a frequently regenerated timestamp file with a short
      expiration indicating the most recent release metadata.

  * Release
    o Signs the release metadata which lists the hashes and sizes of all
      other metadata files (other than the timestamp file). Note that
      bundleinfo and pkginfo are not considered metadata at the authentication

  * Targets
    o Signs a metadata file that lists the hashes and sizes of target
      files: the files that the decision layer ultimately wants to obtain.
    o Can delegate to sub-roles the responsibility for providing target
      files from specific paths on the repository (e.g. Role A is trusted to
      provide files from the /targets/role_a/ directory).

  * Mirror
    o Signs a metadata file that lists the locations and details of
      repository mirrors.

More information about the tor-dev mailing list