Website Signature Verifier
by Joel R. Voss aka. Javantea
jvoss@altsci.com
jvoss@myuw.net
Nov 13, 2005

Site Sign 0.3 Source [sig]

DESCRIPTION

Sends an e-mail when your site has a cryptographic error. This is useful for detecting changes, intrusions, and mistakes. There are three levels of testing:

Level 1: Check that remote page concurs with remote signature.
Level 1 ensures that someone has signed the file with a key that we have in our public keyring. Level 1 ensures that if your page is changed, it is because of an intended change and has been signed by the developer. Level 1 is not a perfect guarantee of security since an attacker who is in your public keyring could sign it with their key and Level 1 would pass.

Level 2: Check that the remote page has been signed with the correct key.
Level 2 fills the hole that Level 1 leaves: it ensures that the keyid is the same. If an attacker has the same key ID as you (unlikely), then Level 2 will be attackable.

Level 3: Check that the remote page has been signed with the local key.
Level 3 fills the gap that Levels 1 and 2 leave: it ensures that the page has not changed since we updated the local signature. This is more involved than the other levels because it requires you to update the remote server with the signature every time you update the page.
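
An added example (not part of site_sign.sh or of the original page): one way to decide Level 1 and Level 2 from GnuPG's machine-readable status lines, as produced by gpg --status-fd 1 --verify. It compares the full fingerprint reported in VALIDSIG, which is stricter than matching an 8-character key ID; the helper name check_levels, the fingerprints and the status lines are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from site_sign.sh. Real input would come from:
#   gpg --status-fd 1 --verify index.html.asc index.html 2>/dev/null

# check_levels STATUS_TEXT EXPECTED_FINGERPRINT (hypothetical helper)
# Returns 0: Level 1 and Level 2 pass.
#         1: Level 1 fails (no valid signature from a keyring key).
#         2: Level 2 fails (valid signature, but from another key).
check_levels() (
    # Normalise the expected fingerprint: drop spaces, upper-case hex.
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    sig_fpr="" primary_fpr="" failed=0
    while read -r tag keyword args; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case $keyword in
            # Any of these means the signature cannot be relied on.
            BADSIG|ERRSIG|NO_PUBKEY|EXPKEYSIG|REVKEYSIG) failed=1 ;;
            # First field: signing key fingerprint. Last field: primary
            # key fingerprint (older GnuPG versions may omit it).
            VALIDSIG) sig_fpr=${args%% *} primary_fpr=${args##* } ;;
        esac
    done <<EOF
$1
EOF
    [ "$failed" -eq 0 ] && [ -n "$sig_fpr" ] || exit 1
    [ "$sig_fpr" = "$expected" ] || [ "$primary_fpr" = "$expected" ] || exit 2
    exit 0
)

# Constructed sample data (not real keys and not captured gpg output).
FPR=0123456789ABCDEF0123456789ABCDEF01234567
OTHER=FEDCBA9876543210FEDCBA9876543210FEDCBA98
GOOD="[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.org>
[GNUPG:] VALIDSIG $FPR 2005-11-13 1131840000 0 3 0 17 2 00 $FPR"
WRONG_KEY="[GNUPG:] GOODSIG 76543210FEDCBA98 Someone Else <other@example.org>
[GNUPG:] VALIDSIG $OTHER 2005-11-13 1131840000 0 3 0 17 2 00 $OTHER"
TAMPERED="[GNUPG:] BADSIG 89ABCDEF01234567 Example Signer <signer@example.org>"

# Print the result code for each constructed case.
report() { check_levels "$2" "$FPR" && rc=0 || rc=$?; echo "$1: $rc"; }
report "signed by expected key" "$GOOD"
report "signed by another keyring key" "$WRONG_KEY"
report "page does not match signature" "$TAMPERED"
```

A return code of 2 is the case Level 1 alone would miss: the signature verifies, but the key is not the one you expect.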

REQUIREMENTS

This program requires Bash, GnuPG, Curl, and Mail. If you get errors saying that -a doesn't exist, you're probably not using bash. Call site_sign.sh with bash explicitly to get around this problem.

USAGE

gen_index_sig1.sh is the script that generates the signature for the index file. It is terrifically simple:
gpg -a -b index.html
This creates a detached signature: index.html.asc
To pass Level 3, you need to run:

scp index.html.asc $REMOTE_SERVER:$TESTDIR/index.html.asc.local

Before it works you need to get the public key in your keyring. If you're using the example of altsci.com, simply import jvoss.asc like this: gpg --import jvoss.asc

You will _definitely_ need to edit the first 5 variables in site_sign.sh:

# TESTDIR is the directory to do the testing.
# You need write access.
TESTDIR=/home/jvoss/site_sign

# FILE is the remote file that you wish to test.
FILE=index.html

# SITE is the server that you wish to test.
SITE=http://www.altsci.com

# KEY is the Key ID that you wish to ensure in Level 2.
KEY=1954FED2

# EMAIL is the address that you wish to send an 
# e-mail to when a compromise has been found.
EMAIL=jvoss@altsci.com

NEW IMPLEMENTATIONS

If you're using this for your own server, you'll need to use a key from your own server. You need to export the public key and copy it to the destination server.

# Export the key.
gpg -a --export $KEY > key.asc

# Copy the key to the remote server.
# (the trailing colon makes scp copy to the remote home directory)
scp key.asc $REMOTE_SERVER:

# SSH into the remote server.
ssh $REMOTE_SERVER

# Import the key.
gpg --import key.asc

If you are interested in developing Website Signature Verifier, feel free to e-mail me.
