Homestead and Single Sign-on
The Homestead Project is going to be a fairly significant paradigm shift from the current echosystem of online services. The object of the project is to put as much control over digital identities and their security in the hands of their owners. Modern services online often offer a way for you to sign into something one time in order to authenticate, and then from there on you are free to use these these services without having to log in. In general this is going to be something like a Google or Facebook account. Homestead can’t use this same approach and retain control over identities. It defeats the purpose if to use the system you still need to use some third party to authenticate your person and your devices.
The approach that the Homestead project takes here is to leverage Public Key Infrastructure (PKI) for authentication in addition to the encryption and validation of data. Already the use of PKI is securing the entire internet. First, in the form of X.509 certificates that are used in TLS (https) transmissions to verify that a server one is talking to is the one intended. A “certificate authority” signs a certificate that says a particular key is related to a particular domain. This authority is installed on your system so that it can validate these certificates. Anyone can in fact be a certificate authority and in fact the TLS standard allows this validation process to go both ways, so that both the server and the client can verify who is on the other end of a conversation. Homestead takes advantage of this fact.
The other most common form of PKI is known as “Pretty Good Privacy” (PGP). Instead of a higherarchal certificate structure where all certificates are ultimately signed by one of a few root authorities, PGP keys are certified by any number of other keys in what is called, “The Web of Trust.” When first seeing a new PGP key you can validate these signatures by checking signatures by keys you already know and have validated. Trust in this form is a grey area rather than the white/black of the X.509 certification process that is all or nothing. The trust given a key is based on the level of trust of the keys which have signed it that you can verify–each having its own level of trust based on the same kind of information.
Both of these standards use the same encryption algorithms. This means that a single key can be used in both situations. What is different are file formats (that are somewhat shared as well) and the system of trust. In other words, basically just the certificate system is different. A project called Monkeysphere gives us a nice set of tools to use keys in both domains. They additionally implement a browser plugin that uses PGP rather than X.509 to verify https connections.
These systems have been securing the Internet for decades. Although there have been bugs in particular implementations, as a whole the system has remained secure and will remain so for the forseeable future.
Homestead provides its authentication and authorization by using these systems. The use of X.509 certificates to implement single sign-on is not a new thing. One great method of authentication between systems is the use of a key that has been signed by the appropriate authority. This allows the provision of temporary or one-time-use keys that can be verified to be attached to an ultimate authority. Homestead makes you that authority. When you install a new homestead system and/or create a new homestead user, the first step is the creation of a brand new pki key. You decide what personal information is attached to it. This key is used as a root CA in the creation of keys that represent a login on an authorized device. At no time are you actually required to use a password, though it is encouraged. What this will do is to verify that such and such a server or client is authorized by a particular key to communicate on that identity’s behalf.
What remains then is to verify that a particular key is (as an identifier) attached to the particular person (or alias) and not to someone else with a similar name or an impostor. This is where the web of trust comes in and where Homestead uses PGP to provide a score of authenticity based on who you know and what level of trust they have assigned to this identifier.
Since this key is pretty important to protecting your identity in this system, and since we are protecting our very homes and persons from attack, we need to ensure that any key that is meant to authoritatively identify you as you is protected from misuses and theft. Someone with such a key can invalidate all devices and authenticate with anyone who’s trusted you. It must not end up in “enemy” hands. This key is not only what you use to authenticate with your friends and connections, but also with your own services including personal photo albums, access to home automation devices, etc… Secured with a solid pki key pair that is kept secure your identity is basically impossible to duplicate or break. The key itself however, just like a key to your home or your car, and just like your SSN or driver’s license, must be individually kept safe.
To address this demand, Homestead again takes advantage of tried and true technology: an air-gap. An air gapped device is a device that has never and can never be attached to any network. The software on it is validated secure and has only that which is needed for this single task. Sometimes you’ll need to validate a new device, or renew server keys, or certify a friend’s identity. These need this original key. With the Homestead air-gap device you’ll transfer data to/from this device using a storage device that has encrypted files and commands that is read by the air-gap to walk through the steps needed to perform this operation. At no time is your key ever going to see the Internet, nor will it ever see this key. This way the key can be used to invalidate any subkey that might have been compromized.
Additionally, attached to this air-gap system is a periferal computing device that holds keys that you can never see that will validate that the air-gap device used to perform the signing tasks is the expected one. This device also holds the key itself in encrypted form. To gain access to the services this device offers one must enter an alphanumeric sequence (a password) to retrieve it. It may also be protected by additional passwords that are entered with a simple pinentry on the main display.
We will be performing significant experimentation in this area. Secured in this manner a pki root key is better than government issue identification. The difficulty is simply in making it easy to use in the right way. We believe that through the use of a specialized, purpose built air-gap that is capable of performing the tasks associated with being a certificate authority we can secure your home and your digital identities from unwanted exploitation. Anyone and everyone can make such a device out of an old laptop or a small computer like a pi, but by standardizing something that is built just for this purpose that the layman user will find it natural enough to adequately secure themselves and their digital systems.