PGP key compromise - threat modelling

jocado · June 22, 2022, 6:08am

Hi,

I’m conducting an academic exercise to try and understand the impact of a the PGP keys we use being compromised, both the key pair used to sign model assertion and the one use dot sign serial assertions.

If Evil Hacker is able to obtain them [ with passphrase of model key ], what can be acheived. Can they be used for any kind of data exfiltration from devices, or gaining access to the private snaps in our Brand Store ?

It seems like it would be easy to create signed model assertions, and signed serial assertions, but what can they realistically do with them ?

Cheers, Just

jamesh · June 23, 2022, 5:57am

They’d be able to sign new assertions of some types that would be trusted by the device. If the attacker has physical access to the device and can connect removable media, then they could introduce these assertions by plugging in a drive containing an auto-import.assert file.

In particular, they could load a system-user assertion and create a new user account on the device that could be used to further compromise the device.

pedronis · June 23, 2022, 9:45am

unless the users.create.automatic system option was set to false.

jocado · June 23, 2022, 9:55am

Thanks both. Yes, I’ve thought about the system-user assertion already, as we are already using that process to add mgmt user where required.

I was not aware of this snap system option: users.create.automatic

Is that documented anywhere ?

Cheers, Just

bugraaydogar · June 23, 2022, 10:01am

Hi @jocado

The assertions and signing keys play an important role in the security and the authentication of the devices to the IoT App Store. There are five major components involved during the authentication and these are simply, serial signing key, model signing key, mode API key, model name and store id which are created or provided to the customers as part of the IoT App Store provisioning.

Model signing keys are used to sign model documents which carry model information including name and store id for the store to access. Devices generate a unique device key, this is used together with the model and a way to prove the device belongs to a model (in the simplest case a model API key) to get a serial document which is basically a certificate for the device unique key. The serial and model documents together with the device unique key are used by the device to authenticate itself to the customer’s IoT App Store that would allow it to download and install snaps that are available in the customer’s IoT App Store. However, it is not possible to access any existing device and fetch data from individual devices.

If you would like to explore detailed cases specific to your setup, please create a Support Ticket for further review.

Thanks, Bugra

bugraaydogar · June 23, 2022, 10:01am

Please see https://snapcraft.io/docs/system-options#heading--users-create-automatic

jocado · June 23, 2022, 10:04am

Thanks

I have been there beofre but perhaps missed htat, or it was added more recently than my visit

Cheers, Just