Now, imagine you have personal files, group of files, secret contracts, explicit pictures, even HTTP headers and many more to which you can give a perfect secrecy or files that you can securely share, all of this with only one keyword: an identity.
For instance, there is an exclusive movie coming out next week and you are the only one within the torrent social network KickAssTorrent who was able to have it. However you want to share it with your peers but at the same time, don't want to be caught by the media authorities. [ Yeah, I know ; as a security guy I'm suppose to give delightful examples, but let's be a bit silly for this week, shall we? ]. So you have to protect yourself by protecting the access to the torrent and your identity (keep it private). This is done by giving access to the torrent to only trusted peers.
Such achievement resides in the innovative cradle that we'll call the "Private Trusted Identity (ID for short)" and is brought to you by Codijuana, trademark of Landry Kouajiep.
(1) How does it works?
While publishing the torrent of the brand-new movie, your identity (username or id in the database ...) is encrypted using the alphapad permutation cipher. Then, the torrent T is saved and a list of trusted users for this specific file T is created. Next, both the ciphered id and hash of T are pushed in an array that is serialized in a string which is also hashed.The resulting hash is used to request a RFC3161 timestamp from a TSA via openssl and curl. The TSA's response is collected and the timestamp is extracted. At the end, we have: the torrent file T, the list of trusted users (i.e people who can access T without validation), the timestamp and the TSA response.
Now if a peer wants to access that torrent (the torrent itself and the identity of its owner), he must provide his identity, the encrypted id of the torrent's owner and the hash of that torrent. Unfortunately for the media authorities or the attackers, the last 2 cited credentials are only accessible to peers that are trusted by the torrent's owner :P .
The theory behind this reasoning is the following: If you can prove you knew a file's hash and the encrypted id of its owner at a certain point in time, that guarantees you knew the file content and its owner.
(2) How is it different from the others?
I guess some of you will call it a "deja vu". Well, let me give 3 reasons that'll wipe that impression from your mind:
Better than the usual digital signature: Apart from verification as is the main purpose of digital signature, this method is an authentication-authorization system. For instance, instead of only signing a Git commit on GitHub, we would also be able to control and monitor the access to that commit using only openssl and curl; no more exhaustful tracking codes; only certificates and the lightweight alphapad permutation cipher. Total empowerment of commits' security.
Deeper than passwords: It not only allows you to protect data layers (files, accounts,..) but can also be used to keep the communication layers safe (http header compression for instance)
More powerful than SSL: It has recently been shown that TLS can be broken in less than a minute using the BREACH attack which abuses the difference of size in the response bodies to infer the original response. The embedded alpha-padding permutation cipher takes advantage of its OTP's characteristics to provide the perfect secrecy and the control on the variation of the response bodies' sizes (inherited from the control on the padding parameter) which seriously gives more control on the variation of the BREACH's chances / probabilities of breaking the cipher.
(3) Enough talking. Can you show us the code and explain it?
Sure. I have to precise that the illustrated code is divided into two main sections respecting the above introduction to the concept. The first section covers "WHAT HAPPENS WHEN THE OWNER SAVES HIS DATA/FILE" while the subsequent takes in charge "WHAT HAPPENS WHEN ANOTHER USER TRIES TO ACCESS THE DATA/FILE". Also the data in the first lines of codes of each section are only examples and can be changed at your own taste. However, for less trouble in your experiments, I recommend you the following:
- For an identity (the variables $my_id in section 3.1 and $provided_id in section 3.2) you should use characters from the alphabet you defined in the alphapadding permutation cipher. More details about this alphabet here.
- For the hash in section 3.2, please make sure it's 40 characters (letters and digits) long since I'm using sha1 here.You can change the hash algorithm too. But make sure to adjust the request to the TSA to match this change.
3.1 WHAT HAPPENS WHEN THE OWNER SAVES HIS DATA/FILE
<?php
include_once "class.alphapad.php";
//- (1) We 1st set user data and the system
$system_pad = 300;
$system_key = 90;
$permutation = new alphaPad($system_key,$system_pad);
$my_id = "john smith"; //- The owner id provided by the system
$my_id = $permutation->_encrypt($my_id); //- set private by encryption
$data = $my_id."_movie_name_".time();
$saved_file = $my_id."/".$data.".torrent"; //- the original document to protect
chmod($saved_file,600); //- to make sure nobody except the owner can access it
$trusted_ids = $my_id."/".$my_id."-list.txt"; //- and create a list of trusted people
$cmd = "grep '".$my_id."' ".$trusted_ids." > result-".$my_id.".out"; exec($cmd);
if (filesize("result-".$my_id.".out") == 0) file_put_contents($trusted_ids, $my_id."\n"); //- starting by the owner himself
chmod($saved_file,600);
// Another way to build a trusted list is by using suPHP to chown files from here to the appropriate user/group and add trusted ids to the owner's group, but the effect will be that the web server no longer can read/edit those files once you change ownership of them.
$my_hash = sha1($data);
$data_string = serialize(array("hash" => $my_hash,"alpha_pad_id" => $my_id)); $fhash = sha1($data_string);
//- (2) Then request a timestamp using OpenSSL and capture the response
// The request is HTTP POST binary data in the header that is passed to the server using curl. You'll need to have a bit of info for this:
// URL - An RFC3161 time-stamping service (DFN-Verein in our case)
// FHASH - The final hash (set up earlier) you want a timestamp for. Must be a full hash.
$cmd0 = '
CONTENT_TYPE="Content-Type: application/timestamp-query"
ACCEPT_TYPE="Accept: application/timestamp-reply"
URL = "http://zeitstempel.dfn.de" ';
exec($cmd0);
$cmd1 = 'openssl ts -query -cert -digest '.escapeshellarg($fhash).' -sha1 \
| curl -s -S -H "$CONTENT_TYPE" -H "$ACCEPT_TYPE" --data-binary @- "$URL" -o response.tsr ';
//- What $cmd1 does is the following: we create a time stamp request
//- The output is a time stamp request that contains the SHA1 hash value of your data; ready to be sent to the TSA (DFN-Verein in our case - see the bottom of the article for more TSA).
//- Then after the "|" in the command,i.e once the request is ready, the curl program transmits your request to the DFN-Verein servers.
//- If an error occurs then the output file will contain information to help debug (see the parameter -S in the command).
//- Otherwise the output file (.tsr file) is the RFC3161 timestamp response of your file is returned
exec($cmd1." 2>&1", $array, $status);
if ($status !== 0) throw new Exception("OpenSSL does not seem to be installed: ".implode(", ", $array));
if (stripos($array[0], "openssl:Error") !== false) throw new Exception("There was an error with OpenSSL. Is version >= 0.99 installed?: ".implode(", ", $retarray));
//- (3) We now verify the response by extracting the timestamp and if valid, we save that response string/token
$cmd2 = "openssl ts -reply -in response.tsr -text";
$timestamp_response_array = execute_reply($cmd2, $my_id."_".$my_hash);
$matches = array();
$response_time = 0;
foreach ($timestamp_response_array as $retline){
if (preg_match("~^Time\sstamp\:\s(.*)~", $retline, $matches)){
$response_time = strtotime($matches[1]);
break;
}
}
//- For a better understanding of this extraction, please take a look at the post following this section
if (!$response_time)throw new Exception("The Timestamp was not found");
echo "File and identity saved, safe and sound! \n
Here are the credentials for your trusted peers:\n
hashID:".$my_id."\n
hashTorrent: ".$my_hash;
function execute_reply($command, $storage_name) {
$retarray = array();
exec($command." 2>&1", $retarray, $retcode);
// 2>&1 appendix redirects the error-stream STDERR to STDOUT
// all the STDOUTed lines are then sequentially pushed in the returned array $retarray
// $retcode contains the return status of the executed command
if ($retcode !== 0) throw new Exception("The reply failed: ".implode(", ", $retarray));
else {
//- We gather the response token in a file for future authentications
$tmpfname = tempnam("/responses", $storage_name); //- tempnam will chmod the file to 600 i.e unalterable except by the owner of the file
$save_cmd = "echo '".$command."' > ".$tmpfname."";
unlink("request.tsq"); unlink ("response.tsr");
}
return $retarray;
}
During the request for a timestamp via the execute_reply(), the STDOUTed lines are the content chunks of the timestamp response that look like this:
Using configuration from C:\OpenSSL-Win64\bin\openssl.cfg
Status info:
Status: Granted.
Status description: unspecified
Failure info: unspecified
TST info:
Version: 1
Policy OID: 1.3.6.1.4.1.4146.2.2
Hash Algorithm: sha256
Message data:
0000 – 58 df 63 8c 5b bf ff ca-ad 13 c9 6e 93 96 cd 25 X.c.[......n...%
0010 - 66 5e f1 eb ba 8e 7f 74-6d 65 04 3c 5d ea e4 35 f^.....tme.<]..5
Serial number: 0x2487F5EA8A5A085844ED68A8A7426E07E692E1BD
Time stamp: Sep 17 05:08:38 2013 GMT
Accuracy: unspecified
Ordering: no
Nonce: unspecified
TSA: DirName:/C=SG/O=GMO GlobalSign Pte Ltd/CN=GlobalSign TSA for Standard – G1
Extensions:
In other words, the returned array $timestamp_response_array is simply the above splitted by line. The hash that response was requested for is : 58df638c5bbfffcaad13c96e9396cd 25665ef1ebba8e7f746d65043c5deae435 (see the line starting with: "Message data:..."), the used hash algorithm is sha256 and the TSA is GlobalSign.
Also for simplicity, we assume that the TSA servers that we're using have an availability of 99.9%. For a deeper consideration, you might want to consider the failover scenario and schedule a waiting list of alternate servers.
/*
* Summary:
* INPUT: data T, private identity
* OUTPUT: the timestamp for T, a trusted list and the response token from the TSA
*/
3.2 WHAT HAPPENS WHEN ANOTHER USER TRIES TO ACCESS THE DATA/FILE
Before crawling the validation procedure, let's have a brief chat about the certificate chain of an TS authority (let's called it A).
* An authority A's certificate chain is a file that is used to trace back to an offline cryptographic appliance called the root certificate authority (root CA) where all the private keys are kept in a safe and physically secured facility that meets the security, policy and operational practices that all CAs are mandated to meet. By installing such chain in your browser, your browser can tell if the certificate of A was issued by a root CA or not . The time-stamping service A should be signing your timestamp with a certificate that was issued by a root CA. If not, your timestamp doesn't have much credibility (d). Its signature, at the bottom of its response, (For instance, the line starting by "TSA: DirName:/C=SG/...." in the example bove) indicates that the root CA believes that practices of the authority A below it meets that same high bar.
To better understand the relationship between the root CAs and the intermediate authorities like A, I suggest you to take a look at the trust tree from the ICSI certificate notary.
How does a certificate chain look like?A certificate chain is a usually a certificate of extension .pem or a text file (.txt) and looks like this (courtesy of DFN-Verein): https://pki.pca.dfn.de/global-services-ca/pub/cacert/chain.txt
A certificate chain can be easily created using curl or provided to you by your TSA.
You can also download this bigger certificate chain (with more root CAs): http://curl.haxx.se/ca/cacert.pem
WHY AM I TALKING ABOUT AN AUTHORITY CERTIFICATE CHAIN? Because it's an important piece of the authentication procedure as we will se below.
<?php
include_once "class.alphapad.php";
$system_pad = 300;
$system_key = 90;
$permutation = new alphaPad($system_key,$system_pad);
$user_id = "carla joe"; //- user who is trying to access file T
$user_id = $permutation->_encrypt($user_id);
$provided_id = 12232323434439999; //- should be the same as $my_id for the authentication to work
$provided_hash = "e47b8eef9eb2bedca76dcdd4041d3e1755e2324a"; //- should be the same as $my_hash for the authentication to work
$user_string = serialize(array("hash" => $provided_hash,"alpha_pad_id" => $provided_id)); $user_hash = sha1($user_string);
$response_token = $provided_id."_".$provided_hash;
$file_timestamp = $response_time; //- we suppose it has been saved in the system after the process in the precedent section
$tsa_cert_chain_file = "chain.txt"; //- the certificate chain from the TSA of our system
$trusted_ids = $provided_id."/".$provided_id."-list.txt";
if (file_exists($trusted_ids)){
$cmd = "grep '".$user_id."' ".$trusted_ids." > result-".$provided_id."-".$user_id.".out";
exec($cmd);
if (filesize("result-".$provided_id."-".$user_id.".out") == 0) {
$validated = validate($user_hash, $response_token, $file_timestamp, $tsa_cert_chain_file, $user_id);
if ($validated == 1) {
file_put_contents($trusted_ids, $user_id."\n");
echo "You're in!";
}
else throw new Exception( "Hash mismatch! Please try again");
}
else echo "You're in!";
}
else {
error_log_type(1, $user_id);
throw new Exception("The file you are trying to access doesn't exist");
}
function validate ($hash, $response_token, $response_time, $tsa_cert_file, $user) {
if (strlen($hash) !== 40) {
error_log_type(1, $user, "Provided file's hash");
throw new Exception("Invalid Hash");
}
$response_file = './responses/'.$response_token;
if (!file_exists($response_file)) {
error_log_type(1, $user, "Name of the response token");
throw new Exception("Invalid Hash or owner ID");
}
if (!intval($response_time)){
error_log_type(1, $user, "Provided timestamp");
throw new Exception("There is no valid response-time given");
}
if (!file_exists($tsa_cert_file)) {
error_log_type(1, $user, "Path to the certiificate chain");
throw new Exception("The TSA-Certificate could not be found");
}
$cmd = "openssl ts -verify -digest ".escapeshellarg($hash)." -in ".escapeshellarg($response_file)." -CAfile ".escapeshellarg($tsa_cert_file);
$array = array();
exec($cmd." 2>&1", $array, $status);
/*
* Just 2 valid cases:
* 1) Everything okay -> status 0 + array[0] == "Verification: OK"
* 2) Hash is wrong -> status 1 + strpos(array[somewhere], "message imprint mismatch") !== false
* Every other case (Certificate not found / invalid / openssl is not installed / ts command not known) are being handled the same way -> retcode 1 + any retarray NOT containing "message imprint mismatch"
*/
if ($status === 0 && strtolower(trim($array[0])) == "verification: ok")
return 1;
foreach ($array as $rline)
{
if (stripos($line, "message imprint mismatch") !== false)
{error_log_type(2, $user, "Provided file's hash"); return 0;}
}
error_log_type(3, $user, implode(", ", $array));
throw new Exception("System command failed: ".implode(", ", $array));
}
function error_log_type($severity, $user, $parameter){
date_default_timezone_set('UTC');
$log_file = "./error.log";
switch ($severity){
case(1): $error = "Wrong information provided";break;
case(2): $error = "Hash's print match failed";break;
case(3): $error = "Fatal error - System command failed";break;
}
$error = "[ ".date('l jS \of F Y h:i:s A')." ] - ".$error." - [ Author: ".$user.", Parameter: ".$parameter."] \n";
file_put_contents($log_file, $error);
}
/*
* Summary:
* INPUT: user's private identity, file T owner's private identity and the hash of the file T
* OUTPUT: Access to file F containing T or not (reporting the user's trials)
*/
(4) Important notes
[1] Before running the code, you MUST have the allowance from the TSA (DFN in our case) to use their service. More about it here.
Download source
[2] Due to the presence of the subpadding in the alphapadding permutation cipher, the encrypted identity is subjected to identity collision in a case of a multiple-users system. A solution is, of course, to remove the subpadding substraction from the encryption, but this will increase the inference power of an attacker as explained in the "Extended Work" section of the precedent article.
(5) What are the reference hotlines?
References:
(a) https://www.digistamp.com/technical/software-alternatives/using-openssl-to-request-timestamps/?q=1
(b) http://www.d-mueller.de/blog/dealing-with-trusted-timestamps-in-php-rfc-3161/
(c) http://stackoverflow.com/questions/11913228/how-can-i-use-rfc3161-trusted-timestamps-to-prove-the-age-of-commits-in-my-git
(d) http://unmitigatedrisk.com/?p=395 | http://unmitigatedrisk.com/?p=397
(e) http://notary.icsi.berkeley.edu/trust-tree/
(f) http://searchsecurity.techtarget.com/definition/digital-signature
(g) http://keyserver.trustedtimestamping.com:11371/(h) http://breachattack.com/
More TSAs:
* GlobalSign (https://www.globalsign.com/timestamp-service/)
* DigiStamp (https://www.digistamp.com/)
* DFN-Verein (https://www.dfn.de/en/)
* All CA roots: http://notary.icsi.berkeley.edu/trust-tree/
Thanks for your time and don't forget to comment and share this article, add me on G+ and subscribe to the blog's RSS feeds
No comments:
Post a Comment