[
https://issues.apache.org/jira/browse/PIRK-23?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ellison Anne Williams updated PIRK-23:
--------------------------------------
Fix Version/s: 0.1.0
> Provide integrity and verification of serialized objects
> ---------------------------------------------------------
>
> Key: PIRK-23
> URL: https://issues.apache.org/jira/browse/PIRK-23
> Project: PIRK
> Issue Type: New Feature
> Components: Querier, Responder
> Reporter: Jacob WIlder
> Assignee: Jacob WIlder
> Fix For: 0.1.0
>
>
> Provide a way to sign and verify serialized output using OpenPGP through
> BouncyCastle's OpenPGP API. BouncyCastle is licensed under the MIT license.
> Mailing list message:
> Given that [deserialization attacks are a ripe attack
> surface|https://www.owasp.org/index.php/Deserialization_of_untrusted_data]
> it's a good idea to make it possible to authenticate serialized objects
> whenever possible. In the case of Pirk—where systems which hold sensitive
> data will be deserializing objects received from other entities—offering
> users the option to sign/verify objects before loading them is valuable. If
> our users were not dealing with sensitive information of some sort, they
> wouldn't be using Pirk.
> I have written some code that uses BouncyCastle to OpenPGP clearsign base64
> encoded Java objects. I'm going to see how cleanly I can integrate it with
> Tim's new Serialization code so that it's automatically available to anything
> that uses the serialization tools.
> Where things get complicated is in how to expose it to users. Below is my
> current thinking. I'd appreciate any feedback.
> By default, all InputStreams used to read data will be checked to see if they
> start with the line "-----BEGIN PGP SIGNED MESSAGE-----". If it does, we'll
> pull the PGP public keyring from a path specified by property
> serialization.openPGPPublicKeyRing and verify the signature. Failed signature
> verifications result in an exit.
> Property serialization.requireSignedInput will reject any input that is not
> signed with a valid signature.
> Property serialization.signOutgoingObjects will sign all outgoing Serialized
> Java objects.
> Properties serialization.openPGPPrivateKey,
> serialization.openPGPPrivateKeyPassword, and
> serialization.openPGPPublicKeyRing will indicate the location of the private
> key, the password used to decrypt it, and the location of the public key ring
> respectively.
> I had considered using SignedObjects but decided to give OpenPGP a shot
> because it's easier to hand-verify signatures or integrate verification of
> signed data into automated data flow (say, between two distinct entities
> sharing data using Pirk).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
