A desktop "secrets" API
There is often a fair amount of secret information that a Linux user might store on their computer—things like passwords for sensitive sites, private ssh keys, and Swiss bank account numbers. If multiple applications, typically desktop applications, need to access that information, there are solutions in the form of GNOME Keyring and KDE Wallet, but those solutions are only available to applications written for those specific desktop environments. A new freedesktop.org initiative, started by the developers of those two solutions, aims to create a "Secrets API" that can be used across desktop environments so that users can have access to their secrets from any application, regardless of which desktop it comes from.
The project was announced by KDE Wallet developer Michael Leupold on the XDG mailing list (as well as on his blog). The basic idea is fairly straightforward: users will still run Keyring or Wallet as part of their login session—which will depend on the desktop they use—but there will be an API that allows applications to extract these secrets without caring which secret storage program is providing them.
Not surprisingly, given that it is a cross-desktop API, D-Bus will be used
to implement a protocol for extracting the needed secrets. Applications
will then use the new API so that they are insulated from the underlying
secret storage service. In his blog posting, Leupold notes that he will be
trying to provide backward compatibility: "While I expect a new
client-side API (which I imagine to be more OO style than KWallet::Wallet),
I'll keep an eye on providing something the current class can wrap so even
applications using the old API will be able to use the new system.
"
It seems likely that Stef Walter, the Keyring developer, will do something
similar for GNOME applications.
In the Secrets API, secrets are just arrays of bytes that get transferred, possibly encrypted, between the application and the storage facility. Each secret is associated with a simple dictionary (i.e. set of name, value pairs) called "lookup attributes", which are to be used to find the secret. In addition, secrets have a label and properties associated with them. Secrets can then be grouped into "collections", which more or less correspond to today's keyrings or wallets.
Items and collections can be locked, such that an unlocking process needs to happen before they can be accessed. In practice, that would generally mean that the user was prompted for a password before the item or collection could be retrieved by the application.
Clients can negotiate encryption of the secret information as it is transferred to or from the storage service. While that may seem like a good idea overall, the API documentation comes with some fairly strong caveats:
Many client applications may choose not to make use of the provisions to encrypt secrets in transit. In fact for applications unable to prevent their own memory from being paged to disk (eg: Java, C# or Python apps), [transferring] encrypted secrets would be an [exercise] of questionable value.
There are more details, of course, and the API specification is being discussed and revised on the freedesktop.org Authentication mailing list. In addition, there is discussion of higher-level topics on the list, such as how browsers will identify their secrets so that moving between browsers, while still being able to use the password information stored for the user, is easy. As Leupold notes that is one of the most likely scenarios for users needing the Secrets API.
With this API in place, GNOME users could use Konqueror and still have access to their passwords, and the same goes for KDE users and Epiphany. As Leupold points out in his blog posting, though, Mozilla has not shown any interest, at least yet. Integrating with the Linux desktop has not really ever been a priority for Mozilla, so one might expect Firefox, et al. to lag in this area.
Even for those not running one of the "big two" desktop environments, a suitably configured system—with D-Bus and one of the secret storage services enabled—could take advantage of the Secrets API. Interoperability between desktop environments is a good thing, and not having to store passwords somewhere external, so that one can "browser hop" can only be a good thing as well. As it matures, other applications needing to store secrets will presumably use it too. Having a single, hopefully well-vetted, location for storing this kind of information—encrypted and password-protected—may also lead to better security for users.
| Index entries for this article | |
|---|---|
| Security | Desktop |
Posted Jul 30, 2009 4:00 UTC (Thu)
by thedevil (guest, #32913)
[Link] (3 responses)
How about "None"? Why exactly is it the business of _desktop environments_ (basically suites of programs with the same graphical user interface style) to define an API for this purpose?
Posted Jul 30, 2009 5:01 UTC (Thu)
by xoddam (subscriber, #2322)
[Link] (1 responses)
The problem that a new unified secrets API is proposed to solve is not the absence of a keeping place for secrets or an API for that keeping place, it is the incompatibility of the existing implementations: to date, there is no way to share your secrets among the programs you run, you have to copy them about manually. The exceptions are that you *can* share them amongst GNOME applications and, separately, amongst KDE applications.
See also 'monkeysphere', recently announced, which tries to solve a similar problem (in a completely different way).
Posted Aug 10, 2009 12:09 UTC (Mon)
by gerv (guest, #3376)
[Link]
Gerv
Posted Aug 3, 2009 11:49 UTC (Mon)
by Klavs (guest, #10563)
[Link]
Posted Jul 30, 2009 7:07 UTC (Thu)
by johill (subscriber, #25196)
[Link]
Posted Jul 30, 2009 7:09 UTC (Thu)
by johill (subscriber, #25196)
[Link] (1 responses)
So, for example, if you want to sign an email, all the information necessary to sign is transferred to the daemon, not the key information from it -- the latter might not even be possible once you factor in smartcards etc.
Of course, that's somewhat out of scope for a 'secrets API' but I believe that it should be integrated eventually for more pervasive crypto.
Posted Jul 30, 2009 22:36 UTC (Thu)
by martinfick (subscriber, #4455)
[Link]
For systems without smartcards, we should have "smart user accounts". The API would actually contact a daemon running as another user for me, the "smart user account" which has access to my secrets. My ordinary user account which my apps run as should never be able to access my secrets. This user would only be accessible by me (not a shared 'root' system daemon) and would use my secrets to do things on behalf of the API, authenticate logins, sign documents, encrypt things, but it would not reveal my secrets. A little bit like the user security model from android.
Naturally, as currently, the API could additionnaly be configured to still require pass phrases or other authentication means to access the API, but this should be more granular than the simple all or nothing model of say Firefox. For low security web sites why should I be prompted for a passphrase simply because I want my bank to be passphraseable to the API?
Posted Jul 30, 2009 7:35 UTC (Thu)
by ptman (subscriber, #57271)
[Link] (1 responses)
Posted Jul 30, 2009 12:56 UTC (Thu)
by jond (subscriber, #37669)
[Link]
Posted Jul 30, 2009 11:24 UTC (Thu)
by alex (subscriber, #1355)
[Link] (1 responses)
I take the point that any client storing secrets that can't lock pages in RAM is also exploitable but how about some sort of defense in depth?
Posted Jul 30, 2009 19:17 UTC (Thu)
by rvfh (guest, #31018)
[Link]
Correct me if I'm mistaken... which I might well be!
Posted Jul 31, 2009 20:31 UTC (Fri)
by dps (guest, #5725)
[Link] (1 responses)
I would instead propose that some form of kernel secret storage, which also has the advantage of being immune to things like ptrace(2). Given some mm work it might be possible to mark pages as sensitive and never allow direct user space any access to sensitive pages.
The user space API could be a sepccial file system with more security features. Implementing an OO style API in terms of such a file system should not be rocket science.
There is already an (expensive) version of this available now and it is called a hardware security module. At least one vendor supports Linux.
Posted Jul 31, 2009 20:58 UTC (Fri)
by johill (subscriber, #25196)
[Link]
Posted Aug 6, 2009 18:29 UTC (Thu)
by quintile (guest, #60088)
[Link]
-Steve
A desktop "secrets" API
Why? Becasuse they can and already do!
Why? Becasuse they can and already do!
A desktop "secrets" API
A desktop "secrets" API
A desktop "secrets" API
A desktop "secrets" API
A desktop "secrets" API
A desktop "secrets" API
The no encyption caveat?
The no encyption caveat?
A desktop "secrets" API
A desktop "secrets" API
A desktop "secrets" API
secstore - which holds your secrets as a text file and is unlocked by a single password, and
factotum - which serves secrets if necessary, or keeps them hidden if challange/respose auth is
used. If this is of interest more details here http://plan9.bell-labs.com/sys/doc/auth.pdf