Signatures And Receipts In The Supply Chain Security by Ivar Prudnikovas

talking tonight about signatures and receipts in the supply chain security so thoughts are in my own don't quote me and I'm not representing my employer whatsoever uh let's kick it off so I'm just gonna frame it through the fact that um so there is an issue and everybody knows this public sector is constantly being attacked um and um basically the problem is that after public sector um or various agencies buy the software that software is just not maintained right so there are a bunch of vulnerabilities nobody actually knows what is inside they have kind of ways of dealing with this they say okay let's just do pen tests let's do pen tests every year that's just not enough right

so there's just not enough transparency and we've got solarwinds right so which totally triggered everybody and that was like the Pinnacle of everything and what happened was that it ended up converting into a an executive order um in the states and then everybody was in the industry was afraid because that meant that suddenly you couldn't really sell to a federal government right because unless you comply with the requirements uh so a bunch of folks jumped in together and um this way sort of a skit was born in amongst other ideas as well that are currently being serviced so scattered supply chain Integrity change currency and trust a catchy thing the box with receipts actually represents what I

think that's the way I imagine this um but getting back to this right so why would you even listen to me so I actually forgot to introduce myself but um I'm talking about this purely because for the past year uh so I'm a developer and I've been thrown into a security thrown into one room with security researchers to kind of work on these things related to soft uh to supply chain security so we've got a box of receipts effectively and I think that's the way you can picture this whole idea um we're going to get to signatures quickly um right so just here I've got some kind of evolution being presented it's not that nice uh Blossom

um contrast nonetheless the gist is there so basically we're you know Public Credit is encryption and um object claiming and encryption is there for for quite a while with that we've had it for like 50 years I I'd like to stress the fact that you know jainability was effectively very very popular and it's it's very successful and I think it's Simplicity in the fact that you can adopt it's very easy to work with you know it's Json um so the whole success was there and it all kind of culminates in Josie which is basically a set of rfcs that we can work with for signing an encryption and like if you can see like there are basically

two years difference and the Cozy comes out and so what the hell is cozy and because he's the same as Josie right so it's it's just instead of working on top of Json to do signing encryption actually works on cboard a c board stands for a concise binary object representation um it's a bit of a mouthful if you want to kind of unwrap it all um but the it has its own kind of use cases and what happens in skit sort of in these recent ideas is that they adapt codes they basically say like you should use cozy instead of Josie well it caused some um um discussions but um well that's their stance um right so high level overview so what

skit uh in theory is and what does cozy and and the specs or rfcs related this allow us to do so we have and if we think about a supply chain in itself so Essential Software supply chain um when you're selling a product you're selling something so you might have additional documents to this so you have a pen test that you have to do before selling in addition to that you uh you would have additional vulnerability disclosures that would come in um along the way so the idea is that you're able you you sign these sort of related documents kind of representing your product and additional uh supported documentation and you put that into sort

of a storage um what type of storage the the skip doesn't really talk about doesn't really force on top of you but the idea is that it should be audible so at any point in time like after five years you should be able to um go back and if there's an issue you could bought it what happened was the product what sort of maybe there were issues maybe maybe there are additional vulnerabilities you know there was a vulnerability it was fixed et cetera so and a side effect of actually uh falling back on on cozy and and it's the ability to do counter signatures is the fact that you can get a distributable receipt so the you basically uh pretty much your

signatures and and you can't resign them in this sort of big storage place and you can take that distributable receipt and actually give it to your customer and this is basically the the point of this and I'm going to get to this to the deals what that is so um so yeah so cozy what it is so um see more object signing encryption um it's if if you're familiar with datability is basically the same thing uh we we you have headers you have yeah the structure is going to be shorter there um but why would you even choose this why would you ever consider cozy instead of like using Json um so it's smaller but it's smaller

including a encoding decoder and especially in small environments so if you if you're future proofing that means that if you're on a small device you would probably want to make sure that it it takes us as little places as possible one of the things is obviously or if you if you're transmitting data on something like larawan right so you want to make sure that you transfer it as little as possible and that's what kind of makes sense obviously the other thing is that you can kind of embed bytes without actually encoding them into using something like Basics 4 that you would use in in jsons that's uh great and standardized kind of signatures sort of

you you have a receipts you can work with which makes it an easy to adapt and the amount of library is actually growing now um now I'm saying almost standardized counter signatures I'm going to get to there um so General structure is just um on the left side we have uh the cozy signed envelope example on the right hand side we have a country signature example so as I've mentioned before so cozy envelope is just we have headers product and protected we have payload and signature that's pretty much it and with counter signature is another thing you so these two things separately if you think about this so you could equally verify a signed payload uh by just making sure that its

signature is actually valid so provided you have access to public keys the same thing you could do to the counter signature so if you if you could just validate it against the public keys but the the neat trick here is that once you count your sign you could just ignore the initial site in payload and and provided that you trust the counter signature and in the issuer who issue that counter signature because it already has the details so in within the signature that refer back to the protected headers and and soar signature and and payload so it has this sort of um so it's like these are like a two puzzle pieces and then you can just

um distribute that counter signature and the customer should be basically content and they could just if you distribute that along with the public keys they could just validate that thing um um and even like in air gap environments so um the important thing is like so so far I've been talking about supply chain security but like okay envelopes great so so what sort of uses that like why would you even use it why why complicated your life with with all of this why not just use like digest or checksums that that have been used for forever and and to check check the Integrity of binaries that are being used and so the payloads actually the the

Crux here and that skip doesn't really talk about payload space as you can sign anything you want um but I think here the important bit is that like or after solarwinds and and if you look into the states and uh the federal government of what they're doing uh so the National Institute of status and Technology comes uh and just helps with this so they basically now even now they come out and said well if you want to sell something to government you should at least include esbom and that's bomb is like soft software bill of materials uh kind of lists all of the dependencies so if you are pin testing right so if you have a s bomb but like

it just makes your life much much easier because you can see what's inside uh contrary to now where you basically do like a blind reconnaissance and trying to guess what what is inside to to understand how far it can go um in addition to that there is a now movement to include bdrs which is a vulnerability disclosure report uh there's also there are also talks on the background of including more uh pen test reporting also as as being kind of uh standardized and not just PDF um right there are some other challenges and [Music] as I've mentioned so although there is a cozy rfcs mentioned the fact that you have a signing envelope and you can have

a counter signature if you look then into skit that kind of was born out of all of this uh like solar winds um we actually have a very slightly different signature and even if you look wider into various Solutions uh currently being and we can buy for instance on Amazon or on Azure they also in some storage solutions they use receipts but they would just use for instance their own made-up structure which is which might be similar but might be using for instance Json or not c bar so it's different um and again missing tooling just because you know with Json it's very easy there's a bunch of libraries obviously with their only issues but

they exist Seaboard is fairly new and there are libraries and they're penetrating into various uh libraries and and various languages and and their package managers but it's still early days um uh problems with receipt verification recertification although you might think that you have RCS but the recipient in itself because there there are slight differences you might not always actually get a easily accessible Library which is is pain and then you know you have to work with rfcs and and Seaborn in that case it's just pain one of the big issues as well which is not obvious although the the idea is oh look uh Bitcoin they're selling something they're just gonna come in and dump in

all of these says bomb all of these documents uh into this big storage and then um some customer who's buying they're going to be able to verify all of this and just by looking at public keys but the actual problem is how do you how do you link all of that together how do if you want to do a vulnerability disclosure against some product how do you do this so like how do we reference this if even if there is something exists and it's somewhere maybe public and you want to publish it so how do you do this in in various other environments in GitHub you could say okay this is the dependency this is the version and you

just you just publish it that's so it's difficult um yeah so just to summarize I think uh so it was by short first uh Speech in the conference uh that I was allowed to to make and the goal of this was to highlight the fact that it's not that easy and and although it's this idea is being sold and even Google is trying to push salsa on on npm and uh sort of similar but different ways of solving the problem um but I think that the problem is that there needs to be a lot of more work done and especially in open source we just need more and more libraries to help out with with

um uh for for various organizations who are building software and to to make sure that they're they can they're able to use these tools they they're able to use instead of signing and and proper encryption and and they're able to share that with their customers so um yeah so I think it's just a call out and there is a bit of a opportunity because there are not enough libraries so if you're uh want to introduce your own vulnerabilities in the public service in in the user land so yes feel free to do that um yeah so a bit of references I actually had to do the the first link is um I had to do the playground for myself

uh related to Cozy's signatures and counter signatures purely because it's hard to work with so it's and especially so I was lying I was using the um decentralized identifiers the ads uh to make sure that the public keysight is discoverable but and it's very hard right so if you're working there and on your machine and you want to do something it's it's just so hard so I saw that I'm just gonna go do this um there's a skit dot Io if you want to expand on additional information about um and there is a link to s-bombs and the pub publication minus about as moms and the fact that you kind of need to use them

and what they are um so yeah that's it um hopefully it didn't take too much time so thanks