From 00aae4e42cb6ad93960955a6bd9f45e092129a89 Mon Sep 17 00:00:00 2001 From: Christian Grothoff Date: Sun, 22 Nov 2020 13:32:28 +0100 Subject: document exchange crypto helper design --- taler-exchange-manual.rst | 54 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) (limited to 'taler-exchange-manual.rst') diff --git a/taler-exchange-manual.rst b/taler-exchange-manual.rst index b156eb90..74118a7a 100644 --- a/taler-exchange-manual.rst +++ b/taler-exchange-manual.rst @@ -152,6 +152,58 @@ components: only supports Postgres, but the code could be easily extended to support another DBMS. + +Exchange online signing private key management (v0.9) +----------------------------------------------------- + +The following text only applies starting with exchange version 0.9. + +To provide an additional level of protection for the private online signing +keys used by the exchange, the actual cryptographic signing operations are +performed by two helper processes, the ``taler-exchange-helper-rsa`` and the +``taler-exchange-helper-eddsa``. + +Functionality +^^^^^^^^^^^^^ + +The two helper processes will create the required private keys, and allow +anyone with access to the UNIX domain socket to sign arbitrary messages with +the keys or to inform them about a key being revoked. The helper processes +are also responsible for deleting the private keys if their validity period +expires or if they are informed about a key having been revoked. + +Security goals +^^^^^^^^^^^^^^ + +From a security point of view, the helpers are designed to *only* make it +harder for an attacker who took control of the HTTP daemon's account to +extract the private keys, limiting the attackers ability to creating +signatures to the duration of their control of that account. + +In the future, the helper processes should additionally provide a mechanism to +track the number of signatures they have made for the various keys. + +Setup +^^^^^ + +The helper processes should be run under a user ID that is separate from that +of the user running the main ``taler-exchange-httpd`` service. The +``taler-exchange-httpd`` service's will securely communicate with the helpers +using UNIX domain sockets. To enable access to the keys, the service's user +must be in the group of the helper processes (and no other users should be in +that group). + +Configuration +^^^^^^^^^^^^^ + +The helpers and the HTTP service need both access to the same configuration +information. Having divergent configurations may result in run-time failures. +It is recommended that the configuration file (``-c`` option) is simply shared +between all of the different processes, even though they run as different +system users. The configuration does not contain any sensitive information. + + + Installation ============ @@ -207,7 +259,7 @@ To download and install libgnunetutil, proceed as follows: :: - $ git clone https://git.gnunet.org/gnunet/ + $ git clone git://git.gnunet.org/gnunet $ cd gnunet/ $ ./bootstrap $ ./configure [--prefix=GNUNETPFX] -- cgit v1.2.3