|
1 | 1 | # <p align="center">The Update Framework Specification |
2 | 2 |
|
3 | | -Last modified: **10 May 2018** |
| 3 | +Last modified: **19 June 2018** |
4 | 4 |
|
5 | 5 | Version: **1.0 (Draft)** |
6 | 6 |
|
@@ -994,193 +994,190 @@ repo](https://github.com/theupdateframework/specification/issues). |
994 | 994 |
|
995 | 995 | ## **5. Detailed Workflows** |
996 | 996 |
|
997 | | -* **5.1. The client application** |
998 | | - |
999 | | - 0. **Load the trusted root metadata file.** We assume that a good, trusted |
1000 | | - copy of this file was shipped with the package manager / software updater |
1001 | | - using an out-of-band process. |
1002 | | - |
1003 | | - 0.1. Note that the expiration of the trusted root metadata file does not |
1004 | | - matter, because we will attempt to update it in the next step. |
1005 | | - |
1006 | | - 1. **Update the root metadata file.** Since it may now be signed using |
1007 | | - entirely different keys, the client must somehow be able to establish a |
1008 | | - trusted line of continuity to the latest set of keys (see Section 6.1). To |
1009 | | - do so, the client MUST download intermediate root metadata files, until the |
1010 | | - latest available one is reached. |
1011 | | - |
1012 | | - 1.1. Let N denote the version number of the trusted root metadata file. |
1013 | | - |
1014 | | - 1.2. **Try downloading version N+1 of the root metadata file**, up to some |
1015 | | - X number of bytes (because the size is unknown). The value for X is set by |
1016 | | - the authors of the application using TUF. For example, X may be tens of |
1017 | | - kilobytes. The filename used to download the root metadata file is of the |
1018 | | - fixed form VERSION_NUMBER.FILENAME.EXT (e.g., 42.root.json). If this file |
1019 | | - is not available, then go to step 1.8. |
1020 | | - |
1021 | | - 1.3. **Check signatures.** Version N+1 of the root metadata file MUST have |
1022 | | - been signed by: (1) a threshold of keys specified in the trusted root |
1023 | | - metadata file (version N), and (2) a threshold of keys specified in the |
1024 | | - new root metadata file being validated (version N+1). |
1025 | | - |
1026 | | - 1.4. **Check for a rollback attack.** The version number of the trusted |
1027 | | - root metadata file (version N) must be less than or equal to the version |
1028 | | - number of the new root metadata file (version N+1). Effectively, this means |
1029 | | - checking that the version number signed in the new root metadata file is |
1030 | | - indeed N+1. |
1031 | | - |
1032 | | - 1.5. Note that the expiration of the new (intermediate) root metadata |
1033 | | - file does not matter yet, because we will check for it in step 1.8. |
1034 | | - |
1035 | | - 1.6. Set the trusted root metadata file to the new root metadata file. |
1036 | | - |
1037 | | - 1.7. Repeat steps 1.1 to 1.7. |
1038 | | - |
1039 | | - 1.8. **Check for a freeze attack.** The latest known time should be lower |
1040 | | - than the expiration timestamp in the trusted root metadata file. |
1041 | | - |
1042 | | - 1.9. **If the timestamp and / or snapshot keys have been rotated, then |
1043 | | - delete the trusted timestamp and snapshot metadata files.** This is done |
1044 | | - in order to recover from fast-forward attacks after the repository has been |
1045 | | - compromised and recovered. A _fast-forward attack_ happens when attackers |
1046 | | - arbitrarily increase the version numbers of: (1) the timestamp metadata, |
1047 | | - (2) the snapshot metadata, and / or (3) the targets, or a delegated |
1048 | | - targets, metadata file in the snapshot metadata. Please see [the Mercury |
1049 | | - paper](https://ssl.engineering.nyu.edu/papers/kuppusamy-mercury-usenix-2017.pdf) |
1050 | | - for more details. |
1051 | | - |
1052 | | - 2. **Download the timestamp metadata file**, up to Y number of bytes |
1053 | | - (because the size is unknown.) The value for Y is set by the authors of the |
1054 | | - application using TUF. For example, Y may be tens of kilobytes. The |
1055 | | - filename used to download the timestamp metadata file is of the fixed form |
1056 | | - FILENAME.EXT (e.g., timestamp.json). |
1057 | | - |
1058 | | - 2.1. **Check signatures.** The new timestamp metadata file must have been |
1059 | | - signed by a threshold of keys specified in the trusted root metadata file. |
1060 | | - |
1061 | | - 2.2. **Check for a rollback attack.** The version number of the trusted |
1062 | | - timestamp metadata file, if any, must be less than or equal to the version |
1063 | | - number of the new timestamp metadata file. |
1064 | | - |
1065 | | - 2.3. **Check for a freeze attack.** The latest known time should be lower |
1066 | | - than the expiration timestamp in the new timestamp metadata file. If so, |
1067 | | - the new timestamp metadata file becomes the trusted timestamp |
1068 | | - metadata file. |
1069 | | - |
1070 | | - 3. **Download and check the snapshot metadata file**, up to the number of |
1071 | | - bytes specified in the timestamp metadata file. If consistent snapshots |
1072 | | - are not used (see Section 7), then the filename used to download the |
1073 | | - snapshot metadata file is of the fixed form FILENAME.EXT (e.g., |
1074 | | - snapshot.json). Otherwise, the filename is of the form |
1075 | | - VERSION_NUMBER.FILENAME.EXT (e.g., 42.snapshot.json), where VERSION_NUMBER |
1076 | | - is the version number of the snapshot metadata file listed in the timestamp |
1077 | | - metadata file. In either case, the client MUST write the file to |
1078 | | - non-volatile storage as FILENAME.EXT. |
1079 | | - |
1080 | | - 3.1. **Check against timestamp metadata.** The hashes and version number |
1081 | | - of the new snapshot metadata file MUST match the hashes and version number |
1082 | | - listed in timestamp metadata. |
1083 | | - |
1084 | | - 3.2. **Check signatures.** The snapshot metadata file MUST have been signed |
1085 | | - by a threshold of keys specified in the trusted root metadata file. |
1086 | | - |
1087 | | - 3.3. **Check for a rollback attack.** |
1088 | | - |
1089 | | - 3.3.1. Note that the trusted snapshot metadata file may be checked for |
1090 | | - authenticity, but its expiration does not matter for the following |
| 997 | +### **The client application** |
| 998 | + |
| 999 | + **0**. **Load the trusted root metadata file.** We assume that a good, trusted |
| 1000 | + copy of this file was shipped with the package manager or software updater |
| 1001 | + using an out-of-band process. Note that the expiration of the trusted root |
| 1002 | + metadata file does not matter, because we will attempt to update it in the |
| 1003 | + next step. |
| 1004 | + |
| 1005 | + **1**. **Update the root metadata file.** |
| 1006 | + Since it may now be signed using entirely different keys, the client must |
| 1007 | + somehow be able to establish a trusted line of continuity to the latest set |
| 1008 | + of keys (see Section 6.1). To do so, the client MUST download intermediate |
| 1009 | + root metadata files, until the latest available one is reached. |
| 1010 | + |
| 1011 | + * **1.1**. Let N denote the version number of the trusted root metadata file. |
| 1012 | + |
| 1013 | + * **1.2**. **Try downloading version N+1 of the root metadata file**, up to |
| 1014 | + some X number of bytes (because the size is unknown). The value for X is set |
| 1015 | + by the authors of the application using TUF. For example, X may be tens of |
| 1016 | + kilobytes. The filename used to download the root metadata file is of the |
| 1017 | + fixed form VERSION_NUMBER.FILENAME.EXT (e.g., 42.root.json). If this file is |
| 1018 | + not available, then go to step 1.8. |
| 1019 | + |
| 1020 | + * **1.3. Check signatures.** Version N+1 of the root metadata file MUST have |
| 1021 | + been signed by: (1) a threshold of keys specified in the trusted root |
| 1022 | + metadata file (version N), and (2) a threshold of keys specified in the new |
| 1023 | + root metadata file being validated (version N+1). |
| 1024 | + |
| 1025 | + * **1.4. Check for a rollback attack.** The version number of the trusted |
| 1026 | + root metadata file (version N) must be less than or equal to the version |
| 1027 | + number of the new root metadata file (version N+1). Effectively, this means |
| 1028 | + checking that the version number signed in the new root metadata file is |
| 1029 | + indeed N+1. |
| 1030 | + |
| 1031 | + * **1.5**. Note that the expiration of the new (intermediate) root metadata |
| 1032 | + file does not matter yet, because we will check for it in step 1.8. |
| 1033 | + |
| 1034 | + * **1.6**. **Set the trusted root metadata file** to the new root metadata |
| 1035 | + file. |
| 1036 | + |
| 1037 | + * **1.7**. **Repeat steps 1.1 to 1.7**. |
| 1038 | + |
| 1039 | + * **1.8**. **Check for a freeze attack.** The latest known time should be |
| 1040 | + lower than the expiration timestamp in the trusted root metadata file. |
| 1041 | + |
| 1042 | + * **1.9**. **If the timestamp and / or snapshot keys have been rotated, then |
| 1043 | + delete the trusted timestamp and snapshot metadata files.** This is done in |
| 1044 | + order to recover from fast-forward attacks after the repository has been |
| 1045 | + compromised and recovered. A _fast-forward attack_ happens when attackers |
| 1046 | + arbitrarily increase the version numbers of: (1) the timestamp metadata, (2) |
| 1047 | + the snapshot metadata, and / or (3) the targets, or a delegated targets, |
| 1048 | + metadata file in the snapshot metadata. Please see [the Mercury |
| 1049 | + paper](https://ssl.engineering.nyu.edu/papers/kuppusamy-mercury-usenix-2017.pdf) |
| 1050 | + for more details. |
| 1051 | + |
| 1052 | +**2**. **Download the timestamp metadata file**, up to Y number of bytes |
| 1053 | +(because the size is unknown.) The value for Y is set by the authors of the |
| 1054 | +application using TUF. For example, Y may be tens of kilobytes. The filename |
| 1055 | +used to download the timestamp metadata file is of the fixed form FILENAME.EXT |
| 1056 | +(e.g., timestamp.json). |
| 1057 | + |
| 1058 | + * **2.1**. **Check signatures.** The new timestamp metadata file must have |
| 1059 | + been signed by a threshold of keys specified in the trusted root metadata |
| 1060 | + file. |
| 1061 | + |
| 1062 | + * **2.2**. **Check for a rollback attack.** The version number of the trusted |
| 1063 | + timestamp metadata file, if any, must be less than or equal to the version |
| 1064 | + number of the new timestamp metadata file. |
| 1065 | + |
| 1066 | + * **2.3**. **Check for a freeze attack.** The latest known time should be |
| 1067 | + lower than the expiration timestamp in the new timestamp metadata file. If |
| 1068 | + so, the new timestamp metadata file becomes the trusted timestamp metadata |
| 1069 | + file. |
| 1070 | + |
| 1071 | +**3**. **Download snapshot metadata file**, up to the number of bytes specified |
| 1072 | +in the timestamp metadata file. If consistent snapshots are not used (see |
| 1073 | +Section 7), then the filename used to download the snapshot metadata file is of |
| 1074 | +the fixed form FILENAME.EXT (e.g., snapshot.json). Otherwise, the filename is |
| 1075 | +of the form VERSION_NUMBER.FILENAME.EXT (e.g., 42.snapshot.json), where |
| 1076 | +VERSION_NUMBER is the version number of the snapshot metadata file listed in |
| 1077 | +the timestamp metadata file. In either case, the client MUST write the file to |
| 1078 | +non-volatile storage as FILENAME.EXT. |
| 1079 | + |
| 1080 | + * **3.1**. **Check against timestamp metadata.** The hashes and version number |
| 1081 | + of the new snapshot metadata file MUST match the hashes and version number |
| 1082 | + listed in timestamp metadata. |
| 1083 | + |
| 1084 | + * **3.2**. **Check signatures.** The snapshot metadata file MUST have been |
| 1085 | + signed by a threshold of keys specified in the trusted root metadata file. |
| 1086 | + |
| 1087 | + * **3.3**. **Check for a rollback attack.** |
| 1088 | + |
| 1089 | + * **3.3.1**. Note that the trusted snapshot metadata file may be checked |
| 1090 | + for authenticity, but its expiration does not matter for the following |
1091 | 1091 | purposes. |
1092 | 1092 |
|
1093 | | - 3.3.2. The version number of the trusted snapshot metadata file, if any, |
1094 | | - MUST be less than or equal to the version number of the new snapshot |
1095 | | - metadata file. |
1096 | | - |
1097 | | - 3.3.3. The version number of the targets metadata file, and all delegated |
1098 | | - targets metadata files (if any), in the trusted snapshot metadata file, if |
1099 | | - any, MUST be less than or equal to its version number in the new snapshot |
1100 | | - metadata file. Furthermore, any targets metadata filename that was listed |
1101 | | - in the trusted snapshot metadata file, if any, MUST continue to be listed |
1102 | | - in the new snapshot metadata file. |
1103 | | - |
1104 | | - 3.4. **Check for a freeze attack.** The latest known time should be lower |
1105 | | - than the expiration timestamp in the new snapshot metadata file. If so, |
1106 | | - the new snapshot metadata file becomes the trusted snapshot metadata |
1107 | | - file. |
1108 | | - |
1109 | | - 4. **Download and check the top-level targets metadata file**, up to either |
1110 | | - the number of bytes specified in the snapshot metadata file, or some Z |
1111 | | - number of bytes. The value for Z is set by the authors of the application |
1112 | | - using TUF. For example, Z may be tens of kilobytes. If consistent |
1113 | | - snapshots are not used (see Section 7), then the filename used to download |
1114 | | - the targets metadata file is of the fixed form FILENAME.EXT (e.g., |
1115 | | - targets.json). Otherwise, the filename is of the form |
1116 | | - VERSION_NUMBER.FILENAME.EXT (e.g., 42.targets.json), where VERSION_NUMBER |
1117 | | - is the version number of the targets metadata file listed in the snapshot |
1118 | | - metadata file. In either case, the client MUST write the file to |
1119 | | - non-volatile storage as FILENAME.EXT. |
1120 | | - |
1121 | | - 4.1. **Check against snapshot metadata.** The hashes (if any), and version |
1122 | | - number of the new targets metadata file MUST match the trusted snapshot metadata. |
1123 | | - This is done, in part, to prevent a mix-and-match attack by man-in-the-middle |
1124 | | - attackers. |
1125 | | - |
1126 | | - 4.2. **Check for an arbitrary software attack.** The new targets metadata file |
1127 | | - MUST have been signed by a threshold of keys specified in the trusted root |
| 1093 | + * **3.3.2**. The version number of the trusted snapshot metadata file, if |
| 1094 | + any, MUST be less than or equal to the version number of the new snapshot |
1128 | 1095 | metadata file. |
1129 | 1096 |
|
1130 | | - 4.3. **Check for a rollback attack.** The version number of the trusted |
1131 | | - targets metadata file, if any, MUST be less than or equal to the version |
1132 | | - number of the new targets metadata file. |
1133 | | - |
1134 | | - 4.4. **Check for a freeze attack.** The latest known time should be lower |
1135 | | - than the expiration timestamp in the new targets metadata file. If so, |
1136 | | - the new targets metadata file becomes the trusted targets metadata file. |
1137 | | - |
1138 | | - 4.5. **Perform a preorder depth-first search for metadata about the desired |
1139 | | - target, beginning with the top-level targets role.** |
1140 | | - |
1141 | | - 4.5.1. If this role has been visited before, then skip this role (so that |
1142 | | - cycles in the delegation graph are avoided). |
1143 | | - Otherwise, if an application-specific maximum number of roles have been |
1144 | | - visited, then go to step 5 (so that attackers cannot cause the client to |
1145 | | - waste excessive bandwidth or time). |
1146 | | - Otherwise, if this role contains metadata about the desired target, then go |
1147 | | - to step 5. |
1148 | | - |
1149 | | - 4.5.2. Otherwise, recursively search the list of delegations in order of |
1150 | | - appearance. |
1151 | | - |
1152 | | - 4.5.2.1. If the current delegation is a multi-role delegation, recursively |
1153 | | - visit each role, and check that each has signed exactly the same non-custom |
1154 | | - metadata (i.e., length and hashes) about the target (or the lack of any |
1155 | | - such metadata). |
1156 | | - |
1157 | | - 4.5.2.2. If the current delegation is a terminating delegation, then jump |
1158 | | - to step 5. |
1159 | | - |
1160 | | - 4.5.2.3. Otherwise, if the current delegation is a non-terminating |
1161 | | - delegation, continue processing the next delegation, if any. Stop the |
1162 | | - search, and jump to step 5 as soon as a delegation returns a result. |
1163 | | - |
1164 | | - 5. Verify the desired target against its targets metadata |
1165 | | - |
1166 | | - 5.1. If there is no targets metadata about this target, then report that |
| 1097 | + * **3.3.3**. The version number of the targets metadata file, and all |
| 1098 | + delegated targets metadata files (if any), in the trusted snapshot metadata |
| 1099 | + file, if any, MUST be less than or equal to its version number in the new |
| 1100 | + snapshot metadata file. Furthermore, any targets metadata filename that was |
| 1101 | + listed in the trusted snapshot metadata file, if any, MUST continue to be |
| 1102 | + listed in the new snapshot metadata file. |
| 1103 | + |
| 1104 | + * **3.4**. **Check for a freeze attack.** The latest known time should be |
| 1105 | + lower than the expiration timestamp in the new snapshot metadata file. If |
| 1106 | + so, the new snapshot metadata file becomes the trusted snapshot metadata |
| 1107 | + file. |
| 1108 | + |
| 1109 | +**4**. **Download the top-level targets metadata file**, up to either the |
| 1110 | +number of bytes specified in the snapshot metadata file, or some Z number of |
| 1111 | +bytes. The value for Z is set by the authors of the application using TUF. For |
| 1112 | +example, Z may be tens of kilobytes. If consistent snapshots are not used (see |
| 1113 | +Section 7), then the filename used to download the targets metadata file is of |
| 1114 | +the fixed form FILENAME.EXT (e.g., targets.json). Otherwise, the filename is |
| 1115 | +of the form VERSION_NUMBER.FILENAME.EXT (e.g., 42.targets.json), where |
| 1116 | +VERSION_NUMBER is the version number of the targets metadata file listed in the |
| 1117 | +snapshot metadata file. In either case, the client MUST write the file to |
| 1118 | +non-volatile storage as FILENAME.EXT. |
| 1119 | + |
| 1120 | + * **4.1**. **Check against snapshot metadata.** The hashes (if any), and |
| 1121 | + version number of the new targets metadata file MUST match the trusted |
| 1122 | + snapshot metadata. This is done, in part, to prevent a mix-and-match attack |
| 1123 | + by man-in-the-middle attackers. |
| 1124 | + |
| 1125 | + * **4.2**. **Check for an arbitrary software attack.** The new targets |
| 1126 | + metadata file MUST have been signed by a threshold of keys specified in the |
| 1127 | + trusted root metadata file. |
| 1128 | + |
| 1129 | + * **4.3**. **Check for a rollback attack.** The version number of the trusted |
| 1130 | + targets metadata file, if any, MUST be less than or equal to the version |
| 1131 | + number of the new targets metadata file. |
| 1132 | + |
| 1133 | + * **4.4**. **Check for a freeze attack.** The latest known time should be |
| 1134 | + lower than the expiration timestamp in the new targets metadata file. If so, |
| 1135 | + the new targets metadata file becomes the trusted targets metadata file. |
| 1136 | + |
| 1137 | + * **4.5**. **Perform a preorder depth-first search for metadata about the |
| 1138 | + desired target, beginning with the top-level targets role.** |
| 1139 | + |
| 1140 | + * **4.5.1**. If this role has been visited before, then skip this role (so |
| 1141 | + that cycles in the delegation graph are avoided). Otherwise, if an |
| 1142 | + application-specific maximum number of roles have been visited, then go to |
| 1143 | + step 5 (so that attackers cannot cause the client to waste excessive |
| 1144 | + bandwidth or time). Otherwise, if this role contains metadata about the |
| 1145 | + desired target, then go to step 5. |
| 1146 | + |
| 1147 | + * **4.5.2**. Otherwise, recursively search the list of delegations in order |
| 1148 | + of appearance. |
| 1149 | + |
| 1150 | + * **4.5.2.1**. If the current delegation is a multi-role delegation, |
| 1151 | + recursively visit each role, and check that each has signed exactly the |
| 1152 | + same non-custom metadata (i.e., length and hashes) about the target (or |
| 1153 | + the lack of any such metadata). |
| 1154 | + |
| 1155 | + * **4.5.2.2**. If the current delegation is a terminating delegation, |
| 1156 | + then jump to step 5. |
| 1157 | + |
| 1158 | + * **4.5.2.3**. Otherwise, if the current delegation is a non-terminating |
| 1159 | + delegation, continue processing the next delegation, if any. Stop the |
| 1160 | + search, and jump to step 5 as soon as a delegation returns a result. |
| 1161 | + |
| 1162 | +**5**. **Verify the desired target against its targets metadata**. |
| 1163 | + |
| 1164 | + * **5.1**. If there is no targets metadata about this target, then report that |
1167 | 1165 | there is no such target. |
1168 | 1166 |
|
1169 | | - 5.2. Otherwise, download the target (up to the number of bytes specified in |
1170 | | - the targets metadata), and verify that its hashes match the targets |
1171 | | - metadata. (We download up to this number of bytes, because in some cases, |
1172 | | - the exact number is unknown. This may happen, for example, if an external |
1173 | | - program is used to compute the root hash of a tree of targets files, and |
1174 | | - this program does not provide the total size of all of these files.) |
1175 | | - If consistent snapshots are not used (see Section 7), then the filename |
1176 | | - used to download the target file is of the fixed form FILENAME.EXT (e.g., |
1177 | | - foobar.tar.gz). |
1178 | | - Otherwise, the filename is of the form HASH.FILENAME.EXT (e.g., |
1179 | | - c14aeb4ac9f4a8fc0d83d12482b9197452f6adf3eb710e3b1e2b79e8d14cb681.foobar.tar.gz), |
1180 | | - where HASH is one of the hashes of the targets file listed in the targets |
1181 | | - metadata file found earlier in step 4. |
1182 | | - In either case, the client MUST write the file to non-volatile storage as |
1183 | | - FILENAME.EXT. |
| 1167 | + * **5.2**. Otherwise, download the target (up to the number of bytes |
| 1168 | + specified in the targets metadata), and verify that its hashes match the |
| 1169 | + targets metadata. (We download up to this number of bytes, because in some |
| 1170 | + cases, the exact number is unknown. This may happen, for example, if an |
| 1171 | + external program is used to compute the root hash of a tree of targets files, |
| 1172 | + and this program does not provide the total size of all of these files.) If |
| 1173 | + consistent snapshots are not used (see Section 7), then the filename used to |
| 1174 | + download the target file is of the fixed form FILENAME.EXT (e.g., |
| 1175 | + foobar.tar.gz). Otherwise, the filename is of the form HASH.FILENAME.EXT |
| 1176 | + (e.g., |
| 1177 | + c14aeb4ac9f4a8fc0d83d12482b9197452f6adf3eb710e3b1e2b79e8d14cb681.foobar.tar.gz), |
| 1178 | + where HASH is one of the hashes of the targets file listed in the targets |
| 1179 | + metadata file found earlier in step 4. In either case, the client MUST write |
| 1180 | + the file to non-volatile storage as FILENAME.EXT. |
1184 | 1181 |
|
1185 | 1182 | ## **6. Usage** |
1186 | 1183 |
|
|
0 commit comments