Experiences running sks-keyservers.net Norwegian Unix User ...1/28 A brief introduction to OpenPGPsks-keyservers.netCode baseKeyserver network and community Experiences running sks-keyservers.net

1/28

A brief introduction to OpenPGP sks-keyservers.net Code base Keyserver network and community

Experiences running sks-keyservers.netNorwegian Unix User’s Group

Kristian Fiskerstrand0x0B7F8B60E3EDFAE3

9 September 2014

2/28


Table of Contents

1 A brief introduction to OpenPGP

2 sks-keyservers.net

3 Code base

4 Keyserver network and community

3/28


Introduction I

B PGP is an abbreviation for “Pretty Good Privacy” and wasoriginally created by Phil Zimmermann in 1991.

B OpenPGP is a framework for cryptographic operationsdefined as a standard by IETF and described in RFC4880and RFC6637 (Elliptic Curves)

B The most popular implementation of OpenPGP forGNU/Linux environments is the GNU Privacy Guard(GnuPG), but alternatives exists both as free softwareand commercially (e.g. PGP).

4/28


Introduction II

B OpenPGP is a hybrid scheme using– Asymmetric keys for integrity, authentication and

encryption of a random session key per message.– Symmetric encryption is used to ensure confidentiality

of the data itself.B A default key generated by GnuPG today contains:

– A primary key capable of Certification and Signing– An encryption capable subkey.– At least one User ID (e.g. “Kristian Fiskerstrand<[email protected]>”)

5/28


Table of Contents



3 Code base


6/28


Introduction I

B http://sks-keyservers.net provide a convenient way forend users of OpenPGP to retrieve and update keys fromsynchronised and responsive HKP keyservers

B The project was started in 2006B The servers are mainly based on SKS (p. 9).B Several pools of keyservers are available

pool. Main pool (on port 11371)hkps.pool. TLS enabled pool (HKPS) (more

on p. 14){NA,EU,OC}.pool. Geographical pools (more on p. 13)p80.pool. Firewall friendly, servers

responding on port 80.

http://sks-keyservers.net

7/28


Introduction II

subset.pool. Supports latest functionalities.Currently SKS 1.1.5 only; ensuringsupport for e.g. Elliptic Curve keysc.f. RFC6637.

ha.pool. High availability. Historicallyincluded only instances that wererunning behind reverse proxies, butsince making that a hardrequirement for the main pool it iscurrently not different - howeverkeeping it and intend to re-use forclustered setups.

8/28


Introduction III

B These pools are functioning as a DNS Round RobinB Currently ∼ 110 servers included in the main pool and

another ∼ 60 detected but rejected (inclusion criteria onp. 12)

B The pools are accessible using both IPv4 and IPv6 (withsome special pools limited to a single stack, e.g.ipv{4,6}.pool.sks-keyservers.net)

B GnuPG defaults to keys.gnupg.net which is a DNSCNAME to pool.sks-keyservers.net

9/28


Quick intro to keyservers, protocols etc I

B Synchronizing Key Server (SKS) is the most usedkeyserver today.

B One notable feature of SKS is the implementation of thefast reconciliation algorithms that were part of YaronMinksy’s PhD thesis.

B SKS replaced PKS that synchronized using email and didnot include the updated features of OpenPGP presented inRFC4880.

B SKS is written in objective caml, and the maindevelopment team is Yaron, John Clizbe and myself.Contributions are welcome.

10/28


Quick intro to keyservers, protocols etc II

B The keyservers in the pool is accessed based on theHorowitz Key Protocol (HKP). Although alternativeimplementations exists (e.g. PGP Corp’s keyserver is usingLDAP)

B HKP is a layer on top of HTTP defining how to access thekeyserver. It was never formally accepted as a standardbut the basis is found in http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00.

B Developments since the initial draft is based on communityconsensus, mainly between GnuPG and SKS as referenceimplementations.

B Alternative keyservers still exists, including Hockeypuckthat is written in Go and that has preliminary support forSKS synchronization.

http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00

http://tools.ietf.org/html/draft-shaw-openpgp-hkp-00

11/28


Quick intro to keyservers, protocols etc III

B Some HKP examples http://pool.sks-keyservers.net:11371Stats request:/pks/lookup?op=stats − operationVerbose index:/pks/lookup?op=vindex&[email protected] − searchparametersGet:/pks/lookup?op=get&options=mr − Machine readable output&search=0x0b7f8b60e3edfae3

12/28


Inclusion criteria

B Server responds to HKP queriesB Number of keys can’t contain less than median number of

keys – ∆ where ∆ is calculated during a two-stage process.First excluding outliers (diff exceeding ±0.5σ) then∆ = Max (0.5σ, 300) of the recalculated σ

B Upgraded to a compatibility level of SKS 1.1.3 or higher.B Server name reported is a fully qualified domain nameB HTTP/1.1 POST does not result in HTTP status 417B Reverse Proxy (providing via header or based on server

header)B Server is not in the global exclude listB Responds to port 80 as well as 11371 (for p80 pool)B Not vulnerable to CVE-2014-3207 (for HKPS pool)

13/28


Geographical pools

(1) During an update run, determinethe response time from multipleclient measuring stations (groupedby pool) as the mean of N attemptsand the bandwidth capacity foreach individual server.

(2) Calculate the mean (µ) andstandard deviation (σ) of theaforementioned parameters acrossthe servers in the pool.

(3) Exclude outliers to the results basedon N (σ) rejection criteria.

(4) Calculate new µ and σ for theremainder of the servers.

(5) Calculate the SRV weights for theindividual servers.

(6) Sort the servers by weights and picktop 10 for each individual pool

SRV weights are defined as:

weight = α

+ Min(βR

( 1(R − (µR − 2σR))y

), φ

)

+ βB

Bm∑

j=1Bj

+ βP ·DP · ρ

(1)

where:α is a constant to provide a basis weightβi is the loading (weight) of the respective factor indetermining the SRV weightDP is a dummy variable that is 1 if a reverse proxy existsand 0 otherwiseρ is the additional weight given for a reverse proxy enabledservery is a constant (even number) that define penalization fordeviationφ is the ceiling of weight to be added for R

Further information is available at http://kfwebs.com/sks-keyservers-SRV.pdf

http://kfwebs.com/sks-keyservers-SRV.pdf

14/28


HKPS Pool I

B HKPS is regular HKP over TLS (port 443)B In order to achieve such a setup across multiple

independent servers, all participants in the pool needs acertificate signed by the sks-keyservers.net CA (SCA)

B The certificates contains the CN of the individual serversand include the pool hostnames as subjectAltNames.

B The SCA issued certificate needs to be issued whenever thehkps SNI is presented, but several operators also maintaintheir own certificates from the global PKIX system fortheir individual hostname.

15/28


HKPS Pool II

B The public SCA cert is available at https://sks-keyservers.net/sks-keyservers.netCA.pem andis signed by my OpenPGP key in a detached signature with.pem.asc suffix.

B The Cetificate Revocation List (CRL) is published athttps://sks-keyservers.net/ca/crl.pem

B the SCA cert is also included in GnuPG:http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=dirmngr/sks-keyservers.netCA.pem;hb=refs/heads/master

https://sks-keyservers.net/sks-keyservers.netCA.pem

https://sks-keyservers.net/sks-keyservers.netCA.pem

https://sks-keyservers.net/ca/crl.pem

http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=blob_plain;f=dirmngr/sks-keyservers.netCA.pem;hb=refs/heads/master



16/28


HKPS Pool III

B More info onhttps://sks-keyservers.net/verify_tls.php

B To use the HKPS pool require the following configuration:

∼/.gnupg/gpg.conf for GnuPG 1.4 and 2.0 brancheskeyserver hkps://hkps.pool.sks-keyservers.netkeyserver-optionsca-cert-file=/path/to/CA/sks-keyservers.netCA.pem

https://sks-keyservers.net/verify_tls.php

17/28


Global reachDespite not having any data on actual usage, as this is handledby the slave DNS servers, visitors on the website indicate aglobal reach (based on last months visitors, the number of usersof the service is expected to be higher than the number ofvisitors of the website)

18/28


SRV compatibility issues

B However, some issues still remain in GnuPG:– Issue 1446: hkps SRV lookup discards port from SRV– Issue 1447: TLS hostname selection uses insecure SRV

dataB Until these are fixed and been present in standard versions

for a while, a large-scale use of SRV records will not beused in the pool (it is currently disabled for everythingexcept for the geographical pools)

B This restricts e.g. the possibility of using HKPS pool onnon-standard port (restricted to 443)

B Note: Even when clients are expected to handle it, it mightmake sense to keep the restriction, e.g. due to firewalls.

19/28


Table of Contents



3 Code base


20/28


The code base

B The code base consists of PHP (∼ 14k LOC (excludingembedded libraries)) and bash

B Open Source:https://code.google.com/p/sks-keyservers-pool/

B A crawler is executed once an hour to update the data andis performing a recursive walk across servers detected inthe peering mesh from the other servers.

B The primary DNS server is updated every 15 minutesB Slave DNS servers are provided by a voluntary community,

several of which are AnyCasted clusters.

https://code.google.com/p/sks-keyservers-pool/

21/28


Scalability I

B When I started in 2006 the number of servers was about15–20

B As the number of tests performed as well as the number ofservers increased, so did crawler execution time

B The linear increase in time resulted in a need to rewritecore components to parallel execution.

B The rewrite reduced the execution time for a full crawlfrom 14.5 minutes to 3.5 minutes (most of which is networkdelay and intended sleep() procedures to avoid DoSconditions)

22/28


Scalability II

B The crawler is now executed using libevent– a stand-alone PHP script is executed for each server

lookup that returns data in json format.– peering servers not already checked are added to a

pool of servers to check– iterates until the pool is empty

B This approach also allows for direct testing against specificservers for debugging purposes.

23/28


Customizations I

B In particular setting up the HKPS pool required tweaksoutside of PHP.

B At the time of initial writing, PHP did not supportCURL RESOLVE, as such execution would not accuratelydetect the presence of a X.509 Certificate of the pool dueto connecting to IP address with Host: header of the pool.

B This issue was solved by patching curl directly to use thevalue of the HTTP Host header as value for Server NameIndication.http://curl.haxx.se/mail/lib-2012-11/0104.html

B CURL RESOLVE was added in PHP5.5. This permitted acode rewrite to remove the need for a custom patch of curl.

http://curl.haxx.se/mail/lib-2012-11/0104.html

24/28


Customizations II

B But PHP did not yet allow for specifying a CertificateRevocation List (CRL). As such PHP itself had to bepatched: https://bugs.php.net/bug.php?id=65575

B Support for CRL files were added in the mainline PHPsource in 5.5.4.

B The crawler now operate without need for custom patchesin any external component.

https://bugs.php.net/bug.php?id=65575

25/28


Table of Contents



3 Code base


26/28


Number of keys

B I started recordingstatistics on the number ofkeys in 2011.

B Since then there are about800,000 new keys available

B There has been a sustainedincrease in the growth ratesince the Snowdenrevelations.

B A more detailed breakdownof the keys (key length,algorithms etc) is availableat http://blog.sumptuouscapital.com/2014/01/openpgp-key-statistics/

http://blog.sumptuouscapital.com/2014/01/openpgp-key-statistics/

http://blog.sumptuouscapital.com/2014/01/openpgp-key-statistics/

27/28


Network analysis

B With a growing number ofservers, keys and otherupdates the time toreplicate the data acrossthe network increase

B In order to optimize this,bottlenecks in the networkhave to be detected andfixed.

B This is mostly a manualoperation aided by toolsfor network analysis.

28/28


B The keyserver community is generally friendly and is activein providing support and responding to new requests

B Wiki at https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home

B Mailing list at [email protected], both for SKSquestions and general keyserver operational procedures

https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home

https://bitbucket.org/skskeyserver/sks-keyserver/wiki/Home

Documents

Experiences running sks-keyservers.net Norwegian Unix User ...1/28 A brief introduction to OpenPGPsks-keyservers.netCode baseKeyserver network and community Experiences running sks-keyservers.net