[Help-gnutls] Re: Announcement: Yet another GnuTLS-using program: Mandos

Simon Josefsson simon at josefsson.org
Wed Oct 8 10:30:43 CEST 2008


Teddy Hogeborn <teddy at fukt.bsnet.se> writes:

> Hi there; I just wanted all you GnuTLS folks to know about our project
> Mandos' slightly unusual use of GnuTLS.
>
> The goal of the Mandos system is to enable server computers to have an
> encrypted root file system and still be able to reboot automatically
> without anyone having to be there and type in a password.
>
> What happens is that we run a small Mandos client program at boot time
> in the initial RAM disk environment (initrd), before even networking
> is configured, using IPv6 link-local addresses.
>
> The Mandos client connects to the Mandos server.  The Mandos clients
> each have an OpenPGP key, which they use to handshake as TLS *servers*
> to the Mandos server, which in turn handshakes as a TLS *client*.  The
> Mandos server does not have a key, but computes the fingerprint of the
> OpenPGP key received from the Mandos client and looks up that
> fingerprint in an internal list, and, if the fingerprint is found,
> sends the corresponding binary blob to the client.
>
> (This binary blob is an OpenPGP-encrypted password necessary to unlock
> the client's root file system, but this is no longer GnuTLS-related.)

Cool!

I'm not sure you have to do the handshake backwards, couldn't just the
mandos server have a OpenPGP key that the mandos client doesn't need to
validate?

One additional idea I get is to add some mechanism in the Mandos server
to require authorization before sending the blob.  I.e., the
administrator is sent a jabber/e-mail/whatever ping that some machine
needs to reboot, and then she needs to go to a web page and authorize
the operation.  Otherwise, the machine cannot boot.  This might
introduce network timeouts, but if the Mandos client is robust about
that there shouldn't be a problem.

This would protect against someone stealing a server without keeping it
powered.

You'll have a problem if someone also gets control of the Mandos server
though...

Maybe one could extend the scheme, so that N out of M machines have to
participate in reconstructing the blob before any single machine can
boots.  Just getting control of <N of the M machine should not reveal
any information.

Whether this aspect is useful depends on your threat model.  Maybe your
model is different from what I assumed...

> Oh yes, the project's home page:  http://www.fukt.bsnet.se/mandos

Thanks, added to <http://www.gnu.org/software/gnutls/programs.html>.

/Simon





More information about the Gnutls-help mailing list