Some questions about TUF

Steven Kim

Apr 7, 2020, 11:24:04 AM
to The Update Framework (TUF)
Hi~

I'm new to TUF.
I read the specification and reference code of TUF, and I have some questions about it.

1. If the root role key is compromised, the new version of root.json should be updated on the Client.
    How can the client know that there is an updated root.json in the repository?
    
    I guess the new root.json is added on the Server (repository) so that timestamp.json and snapshot.json are updated.
    The Client downloads timestamp.json and verifies the signature of timestamp.json with the timestamp role key in the trusted root.json on the Client.
    Then the Client finds that the snapshot version is updated, so it downloads snapshot.json and then finds that root.json is updated,
    because the version of root.json is updated in the snapshot.json.
    The new root.json will be validated with the trusted root key and the updated root key.

    Is that correct? If not, please let me know how root.json can be updated.


2. Expiration time is used in the json files. How is the time information synced between the Client and Server?
    Uptane shows a time server, but I cannot find how TUF manages the time information.


3. Are there any criteria for setting the threshold of keys?
    The higher the threshold value used, the better for security, but the complexity and the time spent also increase.


Regards,
Steven

Trishank Karthik Kuppusamy

Apr 7, 2020, 11:57:42 AM
to Steven Kim, The Update Framework (TUF)
Hi Steven,

Thanks for your interest!

On Tue, Apr 7, 2020 at 11:24 AM Steven Kim <mje...@gmail.com> wrote:

1. If the root role key is compromised, the new version of root.json should be updated on the Client.
    How can the client know that there is an updated root.json in the repository?

The first thing the client does is to update to the latest version of the root metadata. See Steps 0-1 in the detailed workflow: https://github.com/theupdateframework/specification/blob/69b8456614796b57c6076d3894568a83b3f7ce1a/tuf-spec.md#5-detailed-workflows

2. Expiration time is used in the json files. How is the time information synced between the Client and Server?
    Uptane shows a time server, but I cannot find how TUF manages the time information.

TUF does not update time by itself, and instead depends on the runtime to do this. You may use NTP, Roughtime, or something similar. In Uptane (a fork of TUF for ground vehicles), we propose using a time server to update time on ECUs on vehicles which typically have no real-time clocks.

3. Are there any criteria for setting the threshold of keys?
    The higher the threshold value used, the better for security, but the complexity and the time spent also increase.

Indeed, this depends on how security-critical the role is. The root and targets roles, for example, should use a threshold of keys. You may be interested to see how we manage keys across many roles in the Datadog integration: https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto/

Regards,
Trishank

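As an added example (not the TUF reference implementation, and not code from anyone in this thread), the following simulates the client side of the root-update loop Trishank points to in Steps 0-1: the client keeps fetching (N+1).root.json until the repository has no such file, so a client trusting 1.root.json asks for 2.root.json and treats its absence as the end of the loop, and every rotated root must carry a threshold of signatures from the keys listed in the previously trusted root AND from the keys it lists itself (the threshold from question 3). The key table, the ISO timestamps and the HMAC stand-in for public-key signatures are constructed assumptions for the example.

```python
# Added example, not the TUF reference implementation: the root-metadata update
# loop from spec section 5, steps 0-1. A dict stands in for the HTTP repository,
# and a missing "(N+1).root.json" plays the 404. Signatures are a stand-in: an
# HMAC over the canonical payload checked via a keyid->secret table (constructed).
import hashlib, hmac, json

KEYS = {"kA": b"secret-A", "kB": b"secret-B", "kC": b"secret-C"}  # constructed

def canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()

def sign(keyid, signed):
    mac = hmac.new(KEYS[keyid], canonical(signed), hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": mac}

def make_root(version, keyids, threshold, signers, expires):
    signed = {"_type": "root", "version": version, "expires": expires,
              "roles": {"root": {"keyids": keyids, "threshold": threshold}}}
    return {"signed": signed, "signatures": [sign(k, signed) for k in signers]}

def verified(metadata, keyids, threshold):
    """True if at least `threshold` distinct keys from `keyids` signed it."""
    good = set()
    for s in metadata["signatures"]:
        if s["keyid"] not in keyids:
            continue
        expected = sign(s["keyid"], metadata["signed"])["sig"]
        if hmac.compare_digest(s["sig"], expected):
            good.add(s["keyid"])
    return len(good) >= threshold

def root_role(root):
    role = root["signed"]["roles"]["root"]
    return role["keyids"], role["threshold"]

def update_root(trusted, repo, now):
    """Walk N+1, N+2, ... root versions; the first missing one ends the loop."""
    while True:
        name = f"{trusted['signed']['version'] + 1}.root.json"
        new = repo.get(name)
        if new is None:          # the 404 is the normal end of the loop
            break
        # a rotated root must pass a threshold of the keys the currently
        # trusted root lists AND a threshold of the keys it lists itself
        if not (verified(new, *root_role(trusted)) and verified(new, *root_role(new))):
            raise ValueError(f"{name}: insufficient valid signatures")
        if new["signed"]["version"] != trusted["signed"]["version"] + 1:
            raise ValueError(f"{name}: unexpected version (rollback?)")
        trusted = new
    # expiry is checked once, after the loop, against time the runtime supplies
    if now > trusted["signed"]["expires"]:
        raise ValueError("trusted root metadata has expired")
    return trusted
```
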
Steven Kim

Apr 8, 2020, 8:20:21 AM
to The Update Framework (TUF)
Hi Trishank~,

Thanks for the quick response~
It was really helpful for me to understand more about TUF.

Today I tried to follow this Quickstart guide:
https://github.com/theupdateframework/tuf/blob/develop/docs/QUICKSTART.md

But there was an error after "Step 4: Obtain and verify the testfile update on a client".
At first, a bunch of files were generated, such as 1.root.json, root.json, timestamp.json, targets.json, snapshot.json.
After adding testfile on the server, 2.root.json is not generated.
Is that normal?
It looks like the Client looks for 2.root.json in the Server metadata,
but there is no 2.root.json file on the Server.

$ client.py --repo http://localhost:8001 testfile

Could not download URL: 'http://localhost:8001/metadata/2.root.json'
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/download.py", line 264, in _download_file
    response.raise_for_status()
  File "/home/skim5/.local/lib/python3.6/site-packages/requests/models.py", line 941, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: File not found for url: http://localhost:8001/metadata/2.root.json
Update failed from http://localhost:8001/metadata/2.root.json.
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/client/updater.py", line 1502, in _get_metadata_file
    upperbound_filelength)
  File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/download.py", line 150, in unsafe_download
    return _download_file(url, required_length, STRICT_REQUIRED_LENGTH=False)
  File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/download.py", line 264, in _download_file
    response.raise_for_status()
  File "/home/skim5/.local/lib/python3.6/site-packages/requests/models.py", line 941, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 404 Client Error: File not found for url: http://localhost:8001/metadata/2.root.json
Failed to update '2.root.json' from all mirrors: {'http://localhost:8001/metadata/2.root.json': HTTPError('404 Client Error: File not found for url: http://localhost:8001/metadata/2.root.json',)}
ERROR:root:HTTP error for root version 2
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/client/updater.py", line 1145, in _update_root_metadata
    version=next_version)
  File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/client/updater.py", line 1781, in _update_metadata
    upperbound_filelength, version)
  File "/usr/local/lib/python3.6/dist-packages/tuf-0.12.2-py3.6.egg/tuf/client/updater.py", line 1597, in _get_metadata_file
    raise tuf.exceptions.NoWorkingMirrorError(file_mirror_errors)
tuf.exceptions.NoWorkingMirrorError: No working mirror was found:
  'localhost:8001': HTTPError('404 Client Error: File not found for url: http://localhost:8001/metadata/2.root.json',)
INFO:tuf.download:Downloading: 'http://localhost:8001/metadata/timestamp.json'
INFO:tuf.download:Downloaded 704 bytes out of an upper limit of 16384 bytes.
INFO:tuf.download:Downloading: 'http://localhost:8001/metadata/snapshot.json'
INFO:tuf.download:Downloaded 431 bytes out of an upper limit of 2000000 bytes.
INFO:tuf.download:Downloading: 'http://localhost:8001/metadata/targets.json'
INFO:tuf.download:Downloaded 735 bytes out of an upper limit of 5000000 bytes.
INFO:tuf.client.updater:'targets.json' up-to-date.
INFO:tuf.client.updater:'targets.json' up-to-date.
INFO:tuf.download:Downloading: 'http://localhost:8001/targets/testfile'
INFO:tuf.download:Downloaded 10 bytes out of the expected 10 bytes.
INFO:tuf.client.updater:The file's sha256 hash is correct: 114811b0b8998cb9853a5379598021410feddf69bb2ee7b7145d052a7e9b5d45
INFO:tuf.client.updater:The file's sha512 hash is correct: 9484ec641bd36078436a993000045bbc380f77d8897e9dcc1b784c10642abe31f5469b9b6c31afa3a286abb4d0ce618468043883bce231c99aa984ea9ff14a64


Regards,
Steven

On Wednesday, April 8, 2020 at 12:57:42 AM UTC+9, Trishank Karthik Kuppusamy wrote:

Lukas Puehringer

Apr 8, 2020, 9:15:46 AM
to theupdate...@googlegroups.com
Hi Steven,

unfortunately there are some known but not yet resolved issues [1] with the TUF
command line tools from the Quickstart Guide.

May I suggest that you take a look at the advanced tutorial [2] instead.

Thanks,
Lukas

[1] https://github.com/theupdateframework/tuf/issues/881
[2] https://github.com/theupdateframework/tuf/blob/develop/docs/TUTORIAL.md


--
lukas.pu...@nyu.edu
PGP fingerprint: 8BA6 9B87 D43B E294 F23E 8120 89A2 AD3C 07D9 62E8
