[tor-bugs] #8887 [Website]: CERT PGP Based GPG KEY Missing In TorProject.org DNS
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu May 16 19:16:56 UTC 2013
#8887: CERT PGP Based GPG KEY Missing In TorProject.org DNS
----------------------+-----------------------------------------------------
Reporter: Bry8Star | Owner:
Type: defect | Status: new
Priority: normal | Milestone:
Component: Website | Version:
Keywords: | Parent:
Points: | Actualpoints:
----------------------+-----------------------------------------------------
I could not find/obtain any CERT PGP DNS record in torproject.org's DNS answers, which could be used to verify the authenticity of files released, shared and signed by you.
The torproject.org website (zone/domain) is already signed with DNSSEC, and a TLSA DNS record also exists, which declares to the public the exact SSL cert you (TorProject.org) use and have approved.
Now you need to add the GPG KEY which you use to sign your files and share with the public, so that users/the public can authenticate files by obtaining the GPG KEY from a DNS record, using their own local full-DNSSEC-supporting DNS resolver/server/client software.
A GPG KEY obtained via DNSSEC-AUTHENTICATED data can be trusted at a higher level than one obtained via PGP/GPG KEYSERVER(s), as all DNS data kept in DNS Resource Records (RR) can be authenticated/verified very accurately.
To query DNS records via the Tor proxy, the following can be done:
Get and install "socat". Create a script file that creates/starts a "socat"-based port-forwarding tunnel, so that a DNS query can be sent to port 54 and then routed/forwarded toward Tor's SOCKS5 proxy port 9150, by using a command like the one below:
{{{
@start "socat 127.0.0.1:54 127.0.0.1:9150 8.8.8.8" /D"%ProgramFiles%\socat\" socat.exe TCP4-LISTEN:54,fork SOCKS4A:127.0.0.1:8.8.8.8:53,socksport=9150
}}}
The above command line was copied from the "socat-54-to-tor-9150.cmd" file on a Windows computer. The binary files of the "socat" tool were kept inside the C:\Program Files\socat\ folder.
DNS queries can be done ANONYMOUSLY like this:
{{{
dig @127.0.0.1 -c in -t any -p 54 torproject.org. +dnssec +additional +vc
}}}
If the answer has the "AD" (Authenticated Data) flag and "NOERROR" status, then the answer is DNSSEC authenticated.
But it is still possible for someone in the middle to modify it.
There are other public DNS server(s) which support encrypted DNS queries and also respect users' privacy rights. The correct SSL certificate (cert)/key has to be obtained first, and then it can be used with "socat" to create encrypted tunnels toward such a DNS server via the Tor proxy; then DNS queries can be done and a very accurate answer/result can be obtained/received. See more info in the "socat" doc/manual, and the German & Swiss Privacy Foundation's public DNS server, etc.
At least 1 DNS record like those below must exist:
Since Erinn Clark (erinn at torproj...org) signs binary files, a CERT GPG DNS record would look like:
{{{
erinn._pka.torproject.org. TXT "v=pka1\;fpr=FINGERPRINT-HEX-NUMS-OF-SIGNING-GPG-KEY\;uri=https://www.torproject.org/erinn-clark-torproject.pubkey.txt"
}}}
or, it can also look like:
{{{
erinn.torproject.org. CERT PGP 0 0 LONG-BASE64-ENTIRE-PGP/GPG-KEY-CODE
}}}
"CERT" is also known as "TYPE37".
The actual "FINGERPRINT-HEX-NUMS-OF-SIGNING-GPG-KEY" portion would look like:
{{{
8738A680B84B3031A630F2DB416F061063FEE659
}}}
The actual "LONG-BASE64-ENTIRE-PGP/GPG-KEY-CODE" portion can be obtained by the TorProject.org zone/domain's actual owner/holder using the two commands below:
{{{
# export the binary (non-armored) public key for key ID 63FEE659
gpg --export 63FEE659 > 63FEE659.pub.bin

# emit a CERT PGP record for erinn.torproject.org. from that exported key
make-dns-cert -n erinn.torproject.org. -k 63FEE659.pub.bin
}}}
I, as an end user, would prefer to obtain the entire (master-signing or 2nd-level-signing) KEY code from the "CERT PGP" record, even if it is as large as 4KB.
It is More Important to deliver the correct full/ENTIRE KEY code to USERS than to send it via a file/URL, to make sure USERS are really getting the authentic entire GPG/PGP-KEY code data and then using it to authenticate files, with fewer failure points and less complexity.
End users can do DNS queries like these to view the GPG-related DNS entry:
{{{
dig +short erinn._pka.torproject.org. TXT
}}}
or, like this:
{{{
dig +short erinn.torproject.org. CERT
}}}
If ONLY the file/URL based TXT option is mentioned/used, THEN such a sensitive FILE MUST BE DELIVERED TO USERS OVER a TLS/SSL/HTTPS ENCRYPTED, secured and correct CONNECTION between the TorProject.org server and the user's computer (verified by DANE).
And to be 100% SURE that both sides (TorProject's server & the user's computer) are accurately using a CORRECT SSL/TLS cert OWNED BY TorProject.org itself, the entire TLS/SSL certificate hash/checksum and its fingerprint ALSO need to be placed in DNS. See more info in the TLSA and CERT DNS record related documents. Again, it is more important to make sure USERS are really getting authentic files, with fewer failure points, less complexity, and over a correctly secured connection with the correct server, so use BOTH PGP/GPG options mentioned above.
Adding both the "TXT" based and the "CERT PGP" based DNS entry would be better, since your DNS already has a TLSA record.
TorProject has now already added their TLSA in DNS RR. :)
Software that supports / has built-in DNSSEC and the DANE protocol, like the "Extended DNSSEC Validator" Firefox addon (www.os3sec.org), "DNS-Trigger" (an "Unbound" based full-DNSSEC-supporting DNS server/resolver, www.nlnetlabs.nl), etc. (along with the "DNSSEC Validator" Firefox addon, www.dnssec-validator.cz), allows obtaining DNSSEC-authenticated accurate data; these can then obtain or extract the correct SSL/TLS cert hash/checksum & fingerprint from TLSA and other DNSSEC-authenticated data, and then show a warning message to the user if the correct SSL/TLS cert is NOT used for the encrypted HTTPS connection, or if a fake/forged cert or fake server is used. Also use the "Cipherfox", "Cert Viewer Plus", etc. Firefox addons to view SSL cert details and chain, and configure those to show more info.
You would also need to use either a VM based DNS server (you may use "VirtualBox" and "Tails"), or another local-computer based DNS server (which are pre-configured to transparently forward all traffic, including DNS, through the Tor proxy), and specify such a DNS server inside the "Extended DNSSEC Validator" Firefox addon. Also see "DNS2SOCKS".
To import the entire PGP/GPG key code from DNS, the user can run one single command:
{{{
gpg --no-default-keyring --keyring /tmp/gpg-$$ --encrypt --armor --auto-key-locate cert -r erinn@torproject.org
}}}
On Windows, the GPG software was obtained via "Cygwin"; it can also be obtained from "gpg4win". And, to send GPG queries via the Tor SOCKS5 proxy: first the "Polipo" (an HTTP proxy) tool was obtained and configured to create an HTTP-proxy-to-SOCKS5-proxy tunnel (from HTTP proxy port 8118 to SOCKS5 proxy port 9150). See more info on "Polipo" in the TorProject wiki area.
When these options are added to a gpg command line, the gpg query will go through the Tor SOCKS5 proxy (if the Polipo based forwarding/tunnel also exists):
{{{
--keyserver-options no-auto-key-retrieve,no-try-dns-srv,http-proxy=http://127.0.0.1:8118 --keyserver hkps://zimmermann.mayfirst.org,hkp://pgp.surfnet.nl,hkp://2eghzlv2wwcq7u7y.onion,hkp://pool.sks-keyservers.net,hkp://subkeys.pgp.net
}}}
Or, end users can also do the following (preferred & recommended by me): the Base64-encoded CERT PGP DNS record can also be copied from a DNSSEC-authenticated DNS query result/answer into a text file, and then it can be decoded, or imported into gpg directly, to get the full GPG KEY. See the gpg "import" command section on importing from a file.
So, PLEASE ADD "CERT PGP" DNS RECORD IN YOUR DNS.
Thank you,
-- Bright Star (Bry8Star).
bry 8 st ar a.t ya hoo d.o.t c om
GPG_FPR=12B7 7F2C 92BF 25C8 38C6 4D9C 8836 DBA2 576C 10EC.
GPG key-ID is last 8 digit of above code.
References:
* CERT (PGP / GPG in DNS): https://tools.ietf.org/html/rfc4398 (it obsoletes http://www.faqs.org/rfcs/rfc2538.html)
* DANE: https://tools.ietf.org/html/rfc6394
* http://www.gushi.org/make-dns-cert/HOWTO.html (old article, May 2010)
* http://www.df7cb.de/blog/2007/openpgp-dns.html (old article, 2007)
* http://www.gnupg.org/documentation/manuals/gnupg/ (newer)
* TLSA: https://tools.ietf.org/html/rfc6698
* How to authenticate binaries with a GPG key: https://www.torproject.org/docs/verifying-signatures.html.en
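As an added illustration (not code from the ticket, from its reporter or from Tor), the following Python script performs the cross-check the two proposed records make possible: it parses a v=pka1 TXT value and a CERT record in the RFC 4398 presentation form shown above (type PGP, key tag 0, algorithm 0), pulls the leading OpenPGP public-key packet out of the CERT payload, computes its RFC 4880 v4 fingerprint and compares it with the fpr= field. The key, creation time and URI are constructed placeholders, not Tor's signing key.

```python
import base64
import hashlib
import struct

def make_pubkey_packet(created: int, n: int, e: int) -> bytes:
    # Constructed toy v4 RSA public-key packet (tag 6, old-format header, 2-byte length); NOT a real key
    mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body

def first_pubkey_body(blob: bytes) -> bytes:
    # Body of the leading packet, which must be an old-format tag-6 (public key) packet
    ctb = blob[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 6 or ctb & 0x03 == 3:
        raise ValueError("leading packet is not a public-key packet with a definite length")
    nlen = 1 << (ctb & 0x03)  # length type 0/1/2 -> 1/2/4 length octets
    return blob[1 + nlen:1 + nlen + int.from_bytes(blob[1:1 + nlen], "big")]

def fingerprint_v4(body: bytes) -> str:
    # RFC 4880 12.2: SHA-1 over 0x99, the 2-byte body length and the body; upper-case hex as gpg prints it
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def cert_pgp_rdata(key: bytes) -> str:
    # RFC 4398 presentation form for an OpenPGP key: type PGP (3), key tag 0, algorithm 0, base64 key
    return "CERT PGP 0 0 " + base64.b64encode(key).decode()

def parse_cert_pgp(rdata: str) -> bytes:
    # Accept only CERT records of type PGP with the zero key tag and algorithm that RFC 4398 requires
    f = rdata.split()
    if len(f) < 5 or f[:4] != ["CERT", "PGP", "0", "0"]:
        raise ValueError("not a 'CERT PGP 0 0 <base64>' record")
    return base64.b64decode("".join(f[4:]))

def parse_pka(txt: str) -> dict:
    # Split a v=pka1 TXT value (zone-file '\;' escapes allowed) into its key=value fields
    return dict(p.split("=", 1) for p in txt.strip('"').replace("\\;", ";").split(";") if "=" in p)

def verify_dns_key(pka_txt: str, cert_rdata: str) -> bool:
    # True only if the key carried in the CERT record has the fingerprint the PKA TXT record publishes
    pka = parse_pka(pka_txt)
    if pka.get("v") != "pka1" or "fpr" not in pka:
        return False
    return fingerprint_v4(first_pubkey_body(parse_cert_pgp(cert_rdata))) == pka["fpr"].replace(" ", "").upper()

# Constructed sample data: a toy key and the two records a zone would carry for it (placeholder URI)
SAMPLE_KEY = make_pubkey_packet(1368731816, 0xC0FFEE123456789ABD, 65537)
SAMPLE_CERT = cert_pgp_rdata(SAMPLE_KEY)
SAMPLE_PKA = '"v=pka1\\;fpr=%s\\;uri=https://example.invalid/key.txt"' % fingerprint_v4(first_pubkey_body(SAMPLE_KEY))
```

Feeding a real answer in requires the RDATA text of a CERT record obtained over a validating resolver (AD flag set), as the ticket describes; a key altered in transit fails the fingerprint comparison.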
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/8887>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online