Enigform and mod_openpgp

The idea is to create a set of OpenPGP extensions to HTTP, using a client component in the form of a Firefox Add-On (Enigform) and a server component (Apache module).

 

Enigform is a Mozilla Firefox Add-On that works on any platform where gpg and Firefox work. It implements OpenPGP-based Session Initiation, HTTP Request Signing, HTTP Response Verification and Encryption/Decryption when required. In the future it will also support HTTP Request/Response encryption; server-side code is already available for this, see mod_transform inside mod_openpgp's SVN server.

On the other hand, mod_openpgp is an Apache module to support Response Signing, Request Verification and Session management (initiate/end). It works on any platform where Apache and the GPGME library are available.

I consider the project a Framework, as it allows a web developer to easily implement secure logins to an existing platform. For instance, I'm working on an Enigform for Wordpress plugin, and an Enigform for PHPBB Modification.

This is not an OpenSSL replacement, but an alternative... or even an add-on to SSL. As Enigform works on the application layer (not at socket level) we have no specific networking requirements, and can even work behind non-CONNECT-enabled proxies, etc.

Enigform is a Firefox extension that, basically, adds headers to an outgoing HTTP request. This outgoing request becomes an "OpenPGP Signed Request". A request is signed by Enigform when:

    * A Secure Session request (Initiation/Finalization) is sent.
    * The current request belongs to a site for which a session exists.
    * The current request has ##ENIGFORM_Sign## appended at the end of the URL.

When such a signed request is received by mod_openpgp, it gets processed accordingly. This means the headers and body of the request are analyzed and verified and/or acted upon. The results of these verifications (status of signature, session, etc.) are appended to another set of headers. This second set of headers is checked for spoofing. That means no client can append them arbitrarily to a request.

Let's analyze those two sets of headers. First, the headers added by Enigform. Second, the headers added by mod_openpgp.

Enigform-added headers

    * X-OpenPGP-Type = S

This means the request is Signed. In the future, "E" for Encrypted and "SE" for both Signed and Encrypted will be supported.

    * X-OpenPGP-Sig-Fields = body,session

This states which elements are signed, and in what order they were submitted to the OpenPGP application. As you can see, only the "body" of the request was signed. In the example, the body is the POST payload, or "variable=value". In a GET request, the "body" would be the QUERY STRING; session means the value of the X-OpenPGP-Session header is also included in the signature.

    * X-OpenPGP-Sig = iD8DBQFIfUWyAlpOsGhXcE0RAqbgAJwNhALERSL9Cx6BHG3obfRttPcxwgCdFibnsqhgIDzgtFGPJ1ZoqUYCumM==YPAq

This is the OpenPGP signature itself, converted from its standard three-line form to a simple string.

    * X-OpenPGP-Digest-Algo = SHA1

This is the hash algorithm used, in this case SHA1. This depends on what choices the OpenPGP application provides and what the user chooses to use.

    * X-OpenPGP-Version = GnuPG v1.4.6 (GNU/Linux)

This is the OpenPGP application's name, version, and platform. This is extracted from the "Version:" field of standard, signed, ASCII armored OpenPGP output.

    * X-OpenPGP-Agent = Enigform 0.8.2 for Mozilla Firefox

Name and version of the Enigform plugin, including platform. So far, only Mozilla Firefox is supported (1.5 through 3.0).

    * X-OpenPGP-Session = c118ccd21fe4a24bee4ed2c5bd915a69668343c9

A classic HTTP session hash, obtained through a method known as "Secure Session Initiation".

mod_openpgp-added headers

    * X-Auth-OpenPGP-Knownkey = true

Indicates the request is signed by a key which is known to the virtualhost's keyring (See ModOpenpgp.Configuration)

    * X-Auth-OpenPGP-Fingerprint = 7350B06E7AEA78FDE739F3AD025A4EB06857704D

Fingerprint of the public key. 40 bytes for a known key, 16 otherwise.

    * X-Auth-OpenPGP = true

Indicates the request has a good signature. You should not trust this value alone. It ONLY indicates that the request's signature itself has been correctly verified, not that the request has actually been sent by the user. See HTTP.ReplayAttacks? for more details.

    * X-Auth-OpenPGP-KeyID = 025A4EB06857704D

ID of the Public Key used to sign the request. Basically, the last 16 bytes of X-Auth-OpenPGP-Fingerprint.

    * X-OpenPGP-Session-Status = Valid

Can be one of three values: Valid, Invalid, Timeout. (TODO: Add more details. In the meantime, they are explained in mod_openpgp's source code).

For a known public key, these fields get added, which are self-explanatory:

    * X-Auth-OpenPGP-Email = [address hidden by the site's e-mail protection; JavaScript is required to view it]
    * X-Auth-OpenPGP-Name = Arturo Alberto Busleiman
    * X-Auth-OpenPGP-Comment = aka Buanzo
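
An added example (not mod_openpgp's or Enigform's code) of how a backend application might consume the result headers listed above: it requires a good signature, a known key and a Valid session together, checks that the KeyID matches the fingerprint, and then applies an allow-list. The function names, the allow-list and the header-stripping step are assumptions made for illustration; the page does not say how mod_openpgp implements its spoofing check.

```python
import re

# Result headers that only the verifying server may set (names from the page).
SERVER_SET = re.compile(r"^x-(auth-openpgp|openpgp-session-status)", re.I)

def strip_client_supplied(headers):
    """Drop client-sent copies of the result headers before verification
    results are attached (assumed mechanism, not mod_openpgp's own)."""
    return {k: v for k, v in headers.items() if not SERVER_SET.match(k)}

def authenticate(headers, allowed_fingerprints):
    """Return the signer's fingerprint, or None to treat the request as
    anonymous. `headers` is what the application sees after verification."""
    h = {k.lower(): v for k, v in headers.items()}
    # A good signature alone is not enough (it may be a replay): also
    # require a key from the keyring and a session the server calls Valid.
    if h.get("x-auth-openpgp") != "true":
        return None
    if h.get("x-auth-openpgp-knownkey") != "true":
        return None
    if h.get("x-openpgp-session-status") != "Valid":
        return None
    fpr = h.get("x-auth-openpgp-fingerprint", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr):   # known keys: 40 hex chars
        return None
    if h.get("x-auth-openpgp-keyid", "").upper() != fpr[-16:]:
        return None                               # inconsistent header set
    return fpr if fpr in allowed_fingerprints else None

# Constructed sample built from the header values shown on this page.
FPR = "7350B06E7AEA78FDE739F3AD025A4EB06857704D"
SAMPLE = {
    "X-Auth-OpenPGP": "true",
    "X-Auth-OpenPGP-Knownkey": "true",
    "X-Auth-OpenPGP-Fingerprint": FPR,
    "X-Auth-OpenPGP-KeyID": "025A4EB06857704D",
    "X-OpenPGP-Session-Status": "Valid",
}

if __name__ == "__main__":
    print(authenticate(SAMPLE, {FPR}))
    print(authenticate({**SAMPLE, "X-OpenPGP-Session-Status": "Timeout"}, {FPR}))
```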

More details on session-management:

mod_openpgp still needs some of this code polished/implemented, but the idea is that we have a mod_openpgp option to define whether we want the client's IP address to be used as a countermeasure against replay attacks.

If it IS taken into account, then I think there's a very interesting approach for "Automatic IP Change Revalidation", that is, if the LEGIT user has his IP changed during a session, how can mod_openpgp tell the difference between a valid, but with a different IP, request, and an illegal (replayed by an attacker) one?

I think it could be something like this:

 1) User begins session. Uses IP 1.2.3.4
 2) User browses website. IP is still 1.2.3.4.
 3) Suddenly, IP changes to 9.8.7.6. Next request to website is legal, but IP is different.
 4) Server takes into account changes in IP. As the request looks valid (digital signature verifies),
    it answers with a 302 HTTP Redirect to the SAME url, but with a special ##REVALIDATE_SESSION## anchor appended.
 5) Enigform (in User machine) detects this session revalidation request, and requests a new session.
    The new session code is obtained and replaces old one.
 6) Request continues to same url, but is now auto-revalidated!
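
The six steps above as a small simulation of both sides, added here as an example and not taken from mod_openpgp or Enigform. Assumptions: signature verification is reduced to a boolean, Secure Session Initiation is a stand-in that only the key holder can invoke, and the old session is retired only when its replacement is issued, so a replayed request from another address gets the redirect but never content.

```python
import secrets

REVALIDATE = "##REVALIDATE_SESSION##"   # anchor named in step 4

class SessionTable:
    """Toy server-side state: session id -> client IP it was issued to."""
    def __init__(self):
        self.ip_for = {}

    def initiate(self, client_ip, replaces=None):
        # Stand-in for Secure Session Initiation. In the real protocol this
        # is a freshly signed request, so a replaying attacker cannot do it.
        self.ip_for.pop(replaces, None)     # new code replaces the old one
        sid = secrets.token_hex(20)         # 40 hex chars, like the sample
        self.ip_for[sid] = client_ip
        return sid

    def handle(self, sid, client_ip, url, signature_ok):
        """Return (status, location_or_None) for one signed request."""
        if not signature_ok or sid not in self.ip_for:
            return 403, None
        if self.ip_for[sid] != client_ip:
            # Steps 3-4: signature verifies but the IP differs. Serve
            # nothing; redirect to the same URL with the anchor appended.
            return 302, url + REVALIDATE
        return 200, None

def client_fetch(server, state, url, client_ip):
    """Steps 5-6 as the client runs them; `state` holds the session id."""
    status, location = server.handle(state["sid"], client_ip, url, True)
    if status == 302 and location.endswith(REVALIDATE):
        state["sid"] = server.initiate(client_ip, replaces=state["sid"])
        target = location[: -len(REVALIDATE)]
        status, _ = server.handle(state["sid"], client_ip, target, True)
    return status

if __name__ == "__main__":
    srv = SessionTable()
    st = {"sid": srv.initiate("1.2.3.4")}
    print(client_fetch(srv, st, "/page", "1.2.3.4"))   # same IP
    print(client_fetch(srv, st, "/page", "9.8.7.6"))   # IP changed
```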

I'd love to provide more information, feel free to contact me. Thanks for this wonderful opportunity! It's difficult in here, but working for the greater good of the worldwide community is wonderful.

 

Website: http://enigform.mozdev.org

Country: Argentina

License: GPL and MPL

Project leader: Arturo Busleiman

Target audience: End Users, WEBAPP Programmers, security specialists, platform experts, financial institutions, etc.

Specific features: Currently it supports Secure Session Management (login to mod_openpgp enabled Apache webservers without using a username/password combination, in a very secure way) and Client/Server identification/authentication, using OpenPGP's Web-of-Trust mechanism and RFC 2538 ("Storing Certificates in the Domain Name System (DNS)") support (OpenPGP in DNS).

Number of developers: 1

Number of contributors: 1

Public CVS: http://enigform.mozdev.org/source.html

Would you like to contribute?

No specific contributions, only general support and minimal brainstorming with Simon Josefsson, Kyle Huff and some members of the OpenPGP Working Group at the IETF.