Revision as of 17:50, 15 December 2013 editNameless23 (talk | contribs)Extended confirmed users2,136 editsmNo edit summary← Previous edit | Latest revision as of 13:29, 20 December 2024 edit undoJoshZ (talk | contribs)39 edits Undid revision 1264086888 by 2001:44C8:6425:EA7D:1812:D2A2:3257:AF4 (talk)Tag: Undo | ||
(61 intermediate revisions by 46 users not shown) | |||
Line 1: | Line 1: | ||
{{Short description|Security model}} | |||
{{distinguish|tofu}} | |||
{{Other uses|Tofu (disambiguation)}} | |||
'''Trust on first use''' ('''TOFU'''), or '''trust upon first use''' ('''TUFU'''), is an ] scheme<ref>, Walfield, Koch (EUROSEC’16, April 18–21, 2016)</ref> used by client software which needs to establish a trust relationship with an unknown or not-yet-trusted endpoint. In a TOFU model, the client will try to look up the endpoint's identifier, usually either the ] of the endpoint, or the ] of said identity key, in its local trust database. If no identifier exists yet for the endpoint, the client software will either prompt the user to confirm they have verified the purported identifier is authentic, or if manual verification is not assumed to be possible in the protocol, the client will simply trust the identifier which was given and record the trust relationship into its trust database. If in a subsequent connection a different identifier is received from the opposing endpoint, the client software will consider it to be untrusted. | |||
{{Refimprove|date=August 2010}} | |||
==TOFU implementations== | |||
⚫ | {{Wiktionary|TOFU}} | ||
In the ] protocol, most client software (though not all<ref> Retrieved November 19, 2020</ref>) will, upon connecting to a not-yet-trusted server, display the server's public key fingerprint, and prompt the user to verify they have indeed authenticated it using an ]. The client will then record the trust relationship into its trust database. New identifier will cause a blocking warning that requires manual removal of the currently stored identifier. | |||
'''TOFU''' or '''TUFU''' are ] slang ]s which mean '''Trust On First Use''' or '''Trust Upon First Use'''. | |||
The XMPP client ] uses Blind Trust Before Verification,<ref>{{cite web|url=https://gultsch.de/trust.html|author=Daniel Gultsch|title=Blind Trust Before Verification|date=November 20, 2016|access-date=January 19, 2017}}</ref> where all identifiers are blindly trusted until the user demonstrates will and ability to authenticate endpoints by scanning the ] representation of the identifier. After the first identifier has been scanned, the client will display a shield symbol for messages from authenticated endpoints, and red background for others. | |||
==Examples of this Model in Practice== | |||
This model refers to the network software security model whereby a client software, upon connecting to a new server, is prompted to accept and record some form of token to identify the remote server. For Example, ] protocol implementations are designed to issue a warning when the IP or domain name of a server has changed: ''WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!''. Perhaps more commonly, the secure HTTPS protocol for web browsers is widely accepted, but has one fatal flaw: users ignore certificate error warnings. | |||
In ] the endpoints initially blindly trust the identifier and display non-blocking warnings when it changes. The identifier can be verified either by scanning a QR-code, or by exchanging the decimal representation of the identifier (called Safety Number) over an authenticated channel. The identifier can then be marked as verified. This changes the nature of identifier change warnings from non-blocking to blocking.<ref>{{Cite web|url=https://signal.org/blog/safety-number-updates/|title=Safety number updates}}</ref> | |||
==Model Strengths== | |||
⚫ | The single largest strength of any TOFU |
||
In e.g. ] and ] the identifier is the user's call-sign itself. The ID can be exchanged over any channel, but until the identifier is verified over an authenticated channel, it is effectively blindly trusted. The identifier change also requires an account change, thus a MITM attack for same account requires access to endpoint's private key. | |||
==Model Weaknesses== | |||
The largest weakness of any TOFU style model is that a human being must initially validate every interaction, which does not scale infinitely, and can quickly scale beyond the capabilities of any group of people using and managing computers with a need for trusted and secure protocols. People tend to approve without verification, not to mention the increased surface area for human error. | |||
In ] the endpoint initially blindly trusts the identifier, and by default no warning is displayed when the identifier changes. If the user demonstrates will and ability to authenticate endpoints by accessing the key fingerprint (called Security Code), the client will prompt the user to enable non-blocking warnings when the identifier changes. The WhatsApp client does not allow the user to mark the identifier as verified. | |||
⚫ | ==First |
||
⚫ | The first known formal use of the term TOFU or TUFU was by CMU researchers Dan Wendlandt, David Andersen, and Adrian Perrig in their research paper "Perspectives: Improving SSH-Style Host Authentication With Multi-Path Probing" published in 2008 at the Usenix Annual Technical Conference |
||
In ]'s optional secret chats the endpoints blindly trust the identifier. Changed identifier spawns a new secret chat window instead of displaying any warning. The identifiers can be verified by comparing the visual or hexadecimal representation of the identifier. The Telegram client does not allow the user to mark the identifier as verified. | |||
⚫ | ] mentioned Perspectives and the term TOFU the ] 18 proceedings, with reference to comments made by ], during the panel |
||
In ] the clients can cross-sign each other's keys, which means trusting a single identifier allows verification of multiple identifiers. Keybase acts as a trusted third party that verifies a link between a Keybase account and the account's signature chain that contains the identifier history. The identifier used in Keybase is either the hash of the root of the user's signature chain, or the Keybase account name tied to it. Until the user verifies the authenticity of the signature chain's root hash (or the keybase account) over an authenticated channel, the account and its associated identifiers are essentially blindly trusted, and the user is susceptible to a MITM attack.{{Citation needed|date=May 2020}} | |||
An audience suggestion was raised implying the superiority of the ] ] model, over the ] ] model- whereby Moxie replied: | |||
==Model strengths and weaknesses== | |||
⚫ | |||
⚫ | The single largest strength of any TOFU-style model is that a human being must initially validate every interaction. A common application of this model is the use of ssh-rpc 'bot' users between computers, whereby public keys are distributed to a set of computers for automated access from centralized hosts. The TOFU aspect of this application forces a sysadmin (or other trusted user) to validate the remote server's identity upon first connection. | ||
For end-to-end encrypted communication the TOFU model allows authenticated encryption without the complex procedure of obtaining a personal certificate which are vulnerable to ]. Compared to ], TOFU has less maintenance overhead. | |||
⚫ | |||
The largest weakness of TOFU that requires manual verification is its inability to scale for large groups or computer networks. The maintenance overhead of keeping track of identifiers for every endpoint can quickly scale beyond the capabilities of the users. | |||
⚫ | |||
In environments where the authenticity of the identifier cannot be verified easily enough (for example, the IT staff of workplace or educational facility might be hard to reach), the users tend to blindly trust the identifier of the opposing endpoint. Accidentally approved identifiers of attackers may also be hard to detect if the ] persists. | |||
⚫ | ==Related |
||
⚫ | * Work toward creating |
||
⚫ | * The originator of the 'TUFU' acronym was describing the inspiration for the ' |
||
As a new endpoint always involves a new identifier, no warning about potential attack is displayed. This has caused misconception among users that it's safe to proceed without verifying the authenticity of the initial identifier, regardless of whether the identifier is presented to the user or not. | |||
⚫ | ==Prior |
||
] has pushed many messaging applications to remove blocking warnings to prevent users from reverting to less secure applications that do not feature ] in the first place. | |||
Out-of-sight identifier verification mechanisms reduce the likelihood that secure authentication practices are discovered and adopted by the users. | |||
⚫ | ==First known use of the term== | ||
⚫ | The first known formal use of the term TOFU or TUFU was by CMU researchers Dan Wendlandt, David Andersen, and Adrian Perrig in their research paper "Perspectives: Improving SSH-Style Host Authentication With Multi-Path Probing" published in 2008 at the Usenix Annual Technical Conference.<ref>{{Cite web|url=http://www.usenix.org/events/usenix08/tech/full_papers/wendlandt/wendlandt_html/index.html|title=Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing}}</ref> | ||
⚫ | ] mentioned Perspectives and the term TOFU the ] 18 proceedings, with reference to comments made by ], during the panel discussion "An Open Letter, A Call to Action". An audience suggestion was raised implying the superiority of the ] ] (PKI) model, over the ] PKI model - whereby Moxie replied: | ||
⚫ | {{quote|'''Anonymous''': "...so, if we dislike the certificate model in the (tls) PKI, but we like, say, the SSH PKI, which seems to work fairly well, basically the fundamental thing is: if I give my data to someone, I trust them with the data. So I should be remembering their certificate. If someone else comes in with a different certificate, signed by a different authority, I still don't trust them. And if we did it that way, then that would solve a lot of the problems- it would solve the problems of rogue CAs, to some extent, it wouldn't help you with the initial bootstrapping but the initial bootstrapping would use the initial model, and then for continued interaction with the site you would use the ssh model which would allow you continued strength beyond what we have now. So the model we have now can be continued to be re-used, for only the initial acceptance. So why don't we do this?" | ||
⚫ | '''Dan''': "So, I'm a former SSH developer, and let me walk very quickly, every time there's an error in the ssh key generation, the user is asked, 'please type yes to trusting this new key', or, 'please go into your known hosts file and delete that value', and every last time they do it, because it's ''always'' the fault of a server misconfiguration. The SSH model is cool, ''it don't scale". | ||
⚫ | '''Moxie''': "'''And I would just add, what you're talking about is called 'Trust on First Use', or 'tofu'''', and there's a project that I'm involved in called perspectives, that tries to leverage that to be less confusing than the pure SSH model, and I think it's a really great project and you should check it out if you're interested in alternatives to the CA system." | ||
}} | |||
⚫ | ==Related work on the subject== | ||
⚫ | * Work toward creating visual representations of server certificate 'fingerprint' hashes has been implemented into ] in the form of ]. The intention is for users to visually recognize a 'graphical' image, instead of a long string of letters and numbers. The original research paper was written by ] and ], at the ] Computer Science Department. | ||
⚫ | * The originator of the 'TUFU' acronym was describing the inspiration for the 'Perspectives Firefox Plug In', which was designed to strengthen the ] PKI model by contacting network notaries whenever your browser connects an ] website | ||
⚫ | ==Prior work== | ||
The topics of trust, validation, ] are fundamental to all work in the field of ] and ]. | The topics of trust, validation, ] are fundamental to all work in the field of ] and ]. | ||
==See also== | ==See also== | ||
* ] | * ] | ||
* ] | |||
* ] | |||
* ] | * ] | ||
⚫ | ==External links== | ||
⚫ | * | ||
⚫ | * | ||
⚫ | *]] | ||
] | |||
] | |||
==References== | ==References== | ||
{{reflist}} | |||
⚫ | ==External links== | ||
<references/> | |||
⚫ | {{Wiktionary|TOFU}} | ||
⚫ | * | ||
⚫ | * | ||
⚫ | * in ] | ||
] |
Latest revision as of 13:29, 20 December 2024
Security model For other uses, see Tofu (disambiguation).Trust on first use (TOFU), or trust upon first use (TUFU), is an authentication scheme used by client software which needs to establish a trust relationship with an unknown or not-yet-trusted endpoint. In a TOFU model, the client will try to look up the endpoint's identifier, usually either the public identity key of the endpoint, or the fingerprint of said identity key, in its local trust database. If no identifier exists yet for the endpoint, the client software will either prompt the user to confirm they have verified the purported identifier is authentic, or if manual verification is not assumed to be possible in the protocol, the client will simply trust the identifier which was given and record the trust relationship into its trust database. If in a subsequent connection a different identifier is received from the opposing endpoint, the client software will consider it to be untrusted.
TOFU implementations
In the SSH protocol, most client software (though not all) will, upon connecting to a not-yet-trusted server, display the server's public key fingerprint, and prompt the user to verify they have indeed authenticated it using an authenticated channel. The client will then record the trust relationship into its trust database. New identifier will cause a blocking warning that requires manual removal of the currently stored identifier.
The XMPP client Conversations uses Blind Trust Before Verification, where all identifiers are blindly trusted until the user demonstrates will and ability to authenticate endpoints by scanning the QR-code representation of the identifier. After the first identifier has been scanned, the client will display a shield symbol for messages from authenticated endpoints, and red background for others.
In Signal the endpoints initially blindly trust the identifier and display non-blocking warnings when it changes. The identifier can be verified either by scanning a QR-code, or by exchanging the decimal representation of the identifier (called Safety Number) over an authenticated channel. The identifier can then be marked as verified. This changes the nature of identifier change warnings from non-blocking to blocking.
In e.g. Jami and Ricochet the identifier is the user's call-sign itself. The ID can be exchanged over any channel, but until the identifier is verified over an authenticated channel, it is effectively blindly trusted. The identifier change also requires an account change, thus a MITM attack for same account requires access to endpoint's private key.
In WhatsApp the endpoint initially blindly trusts the identifier, and by default no warning is displayed when the identifier changes. If the user demonstrates will and ability to authenticate endpoints by accessing the key fingerprint (called Security Code), the client will prompt the user to enable non-blocking warnings when the identifier changes. The WhatsApp client does not allow the user to mark the identifier as verified.
In Telegram's optional secret chats the endpoints blindly trust the identifier. Changed identifier spawns a new secret chat window instead of displaying any warning. The identifiers can be verified by comparing the visual or hexadecimal representation of the identifier. The Telegram client does not allow the user to mark the identifier as verified.
In Keybase the clients can cross-sign each other's keys, which means trusting a single identifier allows verification of multiple identifiers. Keybase acts as a trusted third party that verifies a link between a Keybase account and the account's signature chain that contains the identifier history. The identifier used in Keybase is either the hash of the root of the user's signature chain, or the Keybase account name tied to it. Until the user verifies the authenticity of the signature chain's root hash (or the keybase account) over an authenticated channel, the account and its associated identifiers are essentially blindly trusted, and the user is susceptible to a MITM attack.
Model strengths and weaknesses
The single largest strength of any TOFU-style model is that a human being must initially validate every interaction. A common application of this model is the use of ssh-rpc 'bot' users between computers, whereby public keys are distributed to a set of computers for automated access from centralized hosts. The TOFU aspect of this application forces a sysadmin (or other trusted user) to validate the remote server's identity upon first connection.
For end-to-end encrypted communication the TOFU model allows authenticated encryption without the complex procedure of obtaining a personal certificate which are vulnerable to CA Compromise. Compared to Web of Trust, TOFU has less maintenance overhead.
The largest weakness of TOFU that requires manual verification is its inability to scale for large groups or computer networks. The maintenance overhead of keeping track of identifiers for every endpoint can quickly scale beyond the capabilities of the users.
In environments where the authenticity of the identifier cannot be verified easily enough (for example, the IT staff of workplace or educational facility might be hard to reach), the users tend to blindly trust the identifier of the opposing endpoint. Accidentally approved identifiers of attackers may also be hard to detect if the man-in-the-middle attack persists.
As a new endpoint always involves a new identifier, no warning about potential attack is displayed. This has caused misconception among users that it's safe to proceed without verifying the authenticity of the initial identifier, regardless of whether the identifier is presented to the user or not.
Warning fatigue has pushed many messaging applications to remove blocking warnings to prevent users from reverting to less secure applications that do not feature end-to-end encryption in the first place.
Out-of-sight identifier verification mechanisms reduce the likelihood that secure authentication practices are discovered and adopted by the users.
First known use of the term
The first known formal use of the term TOFU or TUFU was by CMU researchers Dan Wendlandt, David Andersen, and Adrian Perrig in their research paper "Perspectives: Improving SSH-Style Host Authentication With Multi-Path Probing" published in 2008 at the Usenix Annual Technical Conference.
Moxie Marlinspike mentioned Perspectives and the term TOFU the DEF CON 18 proceedings, with reference to comments made by Dan Kaminsky, during the panel discussion "An Open Letter, A Call to Action". An audience suggestion was raised implying the superiority of the SSH Public key infrastructure (PKI) model, over the SSL/TLS PKI model - whereby Moxie replied:
Anonymous: "...so, if we dislike the certificate model in the (tls) PKI, but we like, say, the SSH PKI, which seems to work fairly well, basically the fundamental thing is: if I give my data to someone, I trust them with the data. So I should be remembering their certificate. If someone else comes in with a different certificate, signed by a different authority, I still don't trust them. And if we did it that way, then that would solve a lot of the problems- it would solve the problems of rogue CAs, to some extent, it wouldn't help you with the initial bootstrapping but the initial bootstrapping would use the initial model, and then for continued interaction with the site you would use the ssh model which would allow you continued strength beyond what we have now. So the model we have now can be continued to be re-used, for only the initial acceptance. So why don't we do this?"
Dan: "So, I'm a former SSH developer, and let me walk very quickly, every time there's an error in the ssh key generation, the user is asked, 'please type yes to trusting this new key', or, 'please go into your known hosts file and delete that value', and every last time they do it, because it's always the fault of a server misconfiguration. The SSH model is cool, it don't scale".
Moxie: "And I would just add, what you're talking about is called 'Trust on First Use', or 'tofu', and there's a project that I'm involved in called perspectives, that tries to leverage that to be less confusing than the pure SSH model, and I think it's a really great project and you should check it out if you're interested in alternatives to the CA system."
Related work on the subject
- Work toward creating visual representations of server certificate 'fingerprint' hashes has been implemented into OpenSSH in the form of ASCII Art. The intention is for users to visually recognize a 'graphical' image, instead of a long string of letters and numbers. The original research paper was written by Adrian Perrig and Dawn Song, at the Carnegie Mellon University Computer Science Department.
- The originator of the 'TUFU' acronym was describing the inspiration for the 'Perspectives Firefox Plug In', which was designed to strengthen the SSL/TLS PKI model by contacting network notaries whenever your browser connects an HTTPS website
Prior work
The topics of trust, validation, non-repudiation are fundamental to all work in the field of cryptography and digital security.
See also
References
- TOFU for OpenPGP, Walfield, Koch (EUROSEC’16, April 18–21, 2016)
- What is the secure/correct way of adding github.com to the known_hosts file? Retrieved November 19, 2020
- Daniel Gultsch (November 20, 2016). "Blind Trust Before Verification". Retrieved January 19, 2017.
- "Safety number updates".
- "Perspectives: Improving SSH-style Host Authentication with Multi-Path Probing".
External links
- "DEF CON 18 Schedule, Open Letter - Call to Action"
- Firefox extension that contacts network notaries whenever your browser connects an HTTPS website
- Hash Visualization in OpenSSH