Remove problematic targets rollback attack check #65
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In the client application workflow, remove rollback attack check for top-level targets file, which is (1) redundant and (2) prevents recovery from a fast-forward attack. (1) rollback attacks, via serving older versions of targets or top-level targets than the previously trusted versions, are already prevented by step 3.3.3 of the client workflow, where version numbers of targets and delegated targets in the new snapshot metadata are asserted to be greater than those in the prior trusted snapshot metadata. This, in combination with the 4.1 check that asserts that hashes and version of the actual targets metadata match the ones in the new trusted snapshot, makes another version number check, i.e the one removed in this commit, obsolete. (2) fast-forward attack recovery, as described in 1.9, works by having the client remove the trusted timestamp and snapshot metadata after a non-root key rotation, so that the client can overcome the version comparison check, and update from a compromised high version to a recovered lower version. However, 1.9 does not mention removing trusted targets metadata after a key rotation. As a consequence, the additional version number check, removed in this commit, would prevent updating recovered targets metadata after a fast-forward attack.
|
An alternative fix for (2) would be updating the fast-forward recovery step to also untrust targets, as sketched out in 84103fc. I do, however, prefer the fix I proposed in this PR here, because it also addresses (1) and thereby makes the spec less complicated. |
mnm678
approved these changes
Nov 25, 2019
There was a problem hiding this comment.
This looks good to me, but I'd recommend another review from @trishankatdatadog or @JustinCappos before merging
|
Ping @JustinCappos. @mnm678 requested another review. |
JustinCappos
approved these changes
Jan 21, 2020
erickt
added a commit
to erickt/tuf-specification
that referenced
this pull request
Sep 23, 2020
This shares the same justification for removal as theupdateframework#65. Step 3.3.1 was made redundant by theupdateframework#106, which modified the workflow to add 2.2.2, where updating the timestamp will also check if the new timestamp contains a snapshot version that is less than the trusted snapshot version. This, in combination with the 3.1 check that asserts hashes and version of the actual snapshot metadata match the ones in the new trusted timestamp, make another version check, i.e, the one removed in this commit, obsolete.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In the client application workflow, remove rollback attack check for top-level targets file, which is (1) redundant and (2) prevents recovery from a fast-forward attack.
(1) rollback attacks, via serving older versions of targets or top-level targets than the previously trusted versions, are already prevented by step 3.3.3 of the client workflow, where version numbers of targets and delegated targets in the new snapshot metadata are asserted to be greater than those in the prior trusted snapshot metadata. This, in combination with the 4.1 check that asserts that hashes and version of the actual targets metadata match the ones in the new trusted snapshot, makes another version number check, i.e the one removed in this PR, obsolete.
(2) fast-forward attack recovery, as described in 1.9, works by having the client remove the trusted timestamp and snapshot metadata after a non-root key rotation, so that the client can overcome the version comparison check, and update from a compromised high version to a recovered lower version. However, 1.9 does not mention removing trusted targets metadata after a key rotation. As a consequence, the additional version number check, removed in this PR, would prevent updating recovered targets metadata after a fast-forward attack.