1PGP Moose 2========= 3by Greg Rose <ggr@usenix.org> 4 5The aim of this software is to monitor the news 6postings of moderators of USENET newsgroups, and to 7automatically cancel forged messages purporting to 8be approved. This can be extended to the approvals 9of individual users to automatically cancel messages 10that appear without having been authorised by the 11user. This has (obviously) been prompted by the 12recent spammings and other events. 13 14This software and protocol is designed around 15cryptographic signatures. The protocol is designed 16to allow the use of different signature techniques. 17This implemention assumes the use of PGP signatures, 18but can be easily modified to use others, such as 19the Digital Signature Standard. PGP was chosen for 20its widespread availability around the world. 21 22PGP, the crux of the cryptographic software, was 23written by Phil Zimmermann <prz@acm.org>, who 24otherwise has nothing to do with this. The 25cryptographic framework was written by Greg Rose 26<ggr@usenix.org>, as were the INN 27news system hooks. 28 29 30Contents: 31-------- 32 33How Does It Work? 34The Bits: 35How Do You Register For The Service? 36Handling Multiple Moderated Groups: 37Possible Problems We've Forseen: 38Status: 39Obtaining, installing, configuring: 40The mailing list. 41It Really Wasn't That Hard. 42License Terms: 43Version: 44 45How Does It Work? 46----------------- 47 48This document is written from the point of view of 49a newsgroup moderator, but individual users could 50also use the facility in analagous ways. 51 52When a moderator wants to protect their group 53from forged/unapproved postings, they should 54register their interest with one or more of the 55sites running PGP Moose by sending mail to the 56mailing list (see below), and pick up the 57submission script. As part of this process, the 58moderator would specify one or more PGP public 59keys that are allowed to approve postings. 60 61When a post comes in, and the moderator wishes to 62approve it, they do whatever they would normally 63do before actually using inews (or whatever) to 64post the message. As their last action, they run 65the PGP Moose Approval program "pmapp". This 66inserts a special header which 67looks like this: 68 69X-Auth: PGPMoose V1.0 PGP sci.crypt.research 70 iQBVAgUBL1/Kg2zWcw3p062JAQEYIgH/Xyrz6LaGG+fHaSxoexMECovzkIoADrQx 71 l73IXlUQEIoFl5jnDBBdHVvqTMEPS0118ytYVQZoQrdStuXB9Oc9gQ== 72 =azqs 73 74If there are multiple moderated newsgroups, there 75might be multiple X-Auth: headers, one 76for each group that has requested assistance from 77the PGP Moose daemon. In this example you can 78see that the authentication carries the name of 79the authenticating program, a protocol version 80number, an identifier of the type of digital 81signature (currently only PGP) and the name of 82the newsgroup in question. These, as well as the 83From:, Subject: and Message-Id: lines, the list 84of newsgroups, and the non-blank lines of the 85message itself, are used as input to the PGP 86program to generate a signature. 87 88The lines of the message body are preprocessed in 89a way that is meant to render harmless any mangling 90that a typical news system might do to the article. 91The article itself is not changed, only the input 92to the signature generation. If a news system 93subsequently mangles the article in a "normal" way, 94for instance by inserting a ">" in front of a line 95starting with "From", it will still pass the signature 96check. 97 98The list of newsgroups must be handled specially, 99so that an article posted to multiple moderated 100controlled newsgroups can be appropriately 101handled. See below for a more detailed treatment 102of the issues of posting to multiple moderated 103newsgroups. 104 105The PGP signature is then inserted into the 106X-Auth: header, mostly so that it won't 107interfere with, or be confused with, any signature 108in the body of the message. 109 110Anybody can check whether the message has been 111modified in any significant way, simply by running 112the PGP Moose Approval Checking program "pmcheck". 113More importantly, though, the sites running the PGP 114Moose Checking Daemon will be doing this automatically 115for every posting to the registered newsgroups, or 116from the registered users. And, if a posting fails 117the checks, it may be automatically cancelled, and 118a notification sent to the moderator. (Initially, 119the automatic cancellation will be disabled, since 120it is a pretty powerful sledgehammer, but that is 121the intention anyway.) 122 123This software is made freely available for just 124about any purpose, but I've retained copyright so 125as to keep some semblance of involvement. See the 126last section of this file. 127 128 129The Bits: 130--------- 131 132The approval and checking part of the PGP Moose 133consists of a number of Bourne Shell scripts calling 134standard Unix utilities and PGP. I could have used 135perl more elegantly, but this stuff is marginally 136more widely available. If there are Unix version 137dependencies, they should be considered to be bugs 138and I'll happily attempt to remove them. 139 140pmapp usage: pmapp [newsgroup|user] [file] 141 142 This script takes the not-yet-posted 143 article, specified either by filename or 144 from standard input, and creates a 145 signature for it, which is then inserted 146 in the X-Auth: header. The article, 147 ready for posting, appears on the standard 148 output. 149 150 In the configuration section at the top of 151 the script, the moderator may build in the 152 default name of the newsgroup or user, PGP 153 User Id to be used for the signature, and 154 the corresponding password. This is simply 155 for convenience, since spammers are not so 156 likely to go cracking the computer to get 157 the password, and it is a relatively simple 158 matter to generate a new user if it is, 159 indeed, compromised. For the paranoid, like 160 myself, if the password is not configured 161 into the script it is read from the terminal 162 instead. 163 164pmcheck usage: pmcheck [newsgroup|user] [article] 165 166 This script takes the article, specified 167 either by filename or from standard 168 input, and checks that the 169 X-Auth: line is something it 170 considers to be correct and that the 171 article has not been tampered with. 172 Pmcheck returns successfully if 173 everything checks out. Otherwise it will 174 return failure and issue one of a number 175 of error messages, for example: 176 177 Posting for $NEWSGROUP not approved with PGP Moose. 178 Invalid designated signature from $GROUP 179 No public key for signature $GROUP 180 Signature doesn't match $FILE for $GROUP 181 '$SIG' not accepted for $GROUP. 182 183 Anybody can run pmcheck. It behaves slightly 184 differently depending on the existence of 185 a file called (by default) 186 PGP_Moose_accept, and the presence or 187 absence of a newsgroup or user argument. 188 This file, if it exists, should contain 189 lines with a newsgroup name or email address, 190 some whitespace, and the PGP User Id approved 191 by the moderator or user (usually made up 192 specifically for this purpose). Multiple 193 lines for the same newsgroup/user are allowed. 194 For example: 195 196 sci.crypt.research moderator <ggr@sydney.sterling.com> 197 sci.crypt.research moderator <pgut01@cs.auckland.ac.nz> 198 ggr@sydney.sterling.com Greg's News <ggr@sydney.sterling.com> 199 200 If such a file exists, and a specific 201 newsgroup or user is specified, pmcheck is silent 202 if all is well, and issues the last of the 203 error messages above if everything else 204 was all right but the signature was from 205 the wrong person. There must, in this 206 case, be a signature applying to the 207 designated newsgroup or user. 208 209 Without such a file, or if no specific 210 newsgroup or user is given, all the signatures 211 in the article are checked. In this case 212 it is not considered an error if the signature 213 cannot be checked due to a missing public 214 key. If each signature is otherwise valid 215 you will get a message like: 216 217 Valid signature from '$SIG'. 218 219 In any case, if there is a problem with a 220 signature mentioned in the PGP_Moose_accept 221 file, it will be reported and an error status 222 will be returned. 223 224pmcanon 225pmnewsgroups 226 These two scripts are used by pmapp and 227 pmcheck to recreate the exact input for 228 the signature, and to extract the list of 229 newsgroups in the header, respectively. 230 More documentation is in their manual 231 pages. 232 233The PGP Moose checking daemon is packaged 234separately, as there would not seem to be a lot 235of value in having too many people running it. 236Accordingly, I was less precise in making it run 237absolutely everywhere. It requires the Korn shell 238or equivalent, and perl, and currently only 239interfaces to INN. I expect it would be easy to 240interface it to CNews, but I don't have one. 241 242pmdaemon 243 Runs pmcheck to check the X-Auth: header 244 for each controlled newsgroup for each 245 article that arrives in an appropriate 246 newsgroup. Mail is sent about any errant 247 articles, and automatic cancellation may 248 be enabled. 249 250pmcancel 251 prepares a cancellation message based on 252 the headers of another message. 253 254When (if) I get a chance, I will create mail 255server scripts that allow moderators who are not 256using Unix to use these facilities. The first 257allows a moderator to mail a PGP signed copy of 258the article to be posted. The server will then 259verify that the moderator sent it, and post it 260with a (different but corresponding) approval. 261The second will accept an article and return 262something that you can check the signature on. 263Either way, any moderator will still need PGP. 264 265 266How Do You Register For The Service? 267------------------------------------ 268 269Ahhh, this is the hard part. After all, it would 270be pretty undesirable if someone, meaning well, 271took any old body's word for it that some 272important moderated group should start working 273this way, before the moderator was able to start 274approving postings. A great way to hijack a 275newsgroup. Similarly for hijacking some other 276user's postings (tempting though it might be :-). 277 278Another possibility is that someone, having seen 279what the valid signature looks like, simply 280creates a whole new PGP key that happens to have 281the same PGP User ID. Then they can sign and post 282stuff too. 283 284The solution to both of these problems is the 285classical one for public key systems. You need 286either a certifying authority or the PGP Web of 287Trust. We're using the Web of Trust. If you don't 288understand about PGP and the Web of Trust, go away 289now and come back after you really do understand 290it. 291 292For each newsgroup that wants to utilise this 293program, the moderator will have to create a 294special PGP key pair (preferably 512 bits to keep 295the X-Auth: down to two full lines), and sign it. They 296must then establish a path of trust to someone 297who is running the PGP Moose server. It will be 298up to the administrator of that server to make 299sure that only trusted moderators' keys ever get 300into the server's keyring. 301 302THERE CAN BE NO SHORTCUTS TO THIS PROCEDURE. 303Otherwise we are all back where we started. 304 305In the case of an individual user, again you should 306establish this verification path to one of the 307administrators of the PGP Moose service. Contact 308me <ggr@usenix.org> for the time 309being to mutually figure out how to do this. 310 311 312Handling Multiple Moderated Groups: 313---------------------------------- 314 315When I first proposed this tool, I was under the 316impression that postings to multiple moderated 317groups was an abberation that should be stamped 318out. This turns out not to be the case, and 319revisions to support this have been the cause of 320some delay in the deployment of this tool. 321 322When the news system sees that an article has been 323posted to one or more moderated groups, it checks 324for an Approved: header. If the header exists, the 325article is accepted and processed normally, 326otherwise it is mailed to the moderator of the 327first moderated newsgroup mentioned in the 328Newsgroups: header. There seem to be three cases of 329interest. 330 331The trivial case, and the most normal one, is 332that there is only one moderated newsgroup 333mentioned. The moderator approves the posting, and 334it is done. 335 336The next, and probably most important, case, is 337when a moderator wants to cross-post a FAQ to 338their own group, as well as news.answers (for 339example). In this case their approval counts for 340both groups, so they can insert the Approved: 341header and post away. Presumably the other groups 342are not under the control of the PGP Moose Daemon. 343In this case the moderator can just go ahead and 344put in the Approved: header, and save themself 345and pmapp a lot of time. It will be passed right 346through. 347 348The other case is harder to get right. This is when 349the article really is meant to be posted to two (or 350more) unrelated moderated newsgroups. Now, if the 351first moderated group's moderator approves the 352posting, the other ones never hear about the article, 353at all. If this second group is controlled by the 354PGP Moose an automatic cancel will be generated. So 355it becomes very important for the moderators to do 356what they should have been doing already, namely 357forward the article to the next moderator. This tool 358can't help people who don't use it, but it provides 359some support for those who do. 360 361The approval script checks whether there are any 362moderated newsgroups left that don't have 363X-Auth: headers for them. If there are 364none left, an Approved: header is inserted and the 365article gets posted. Otherwise, it issues a warning, 366and re-orders the newsgroups header with a newsgroup 367which is moderated but has no X-Auth: line 368at the start. When the article is posted, the news 369system will forward it to the moderator of the (new) 370first moderated group. If all moderators are sensible, 371and check for moderated newsgroups in this fashion, 372the mess should sort itself out and the last moderator 373will go ahead and post it. A warning nessage to 374the subsequent moderator NOT to change the 375article is also inserted, since such a 376modification would invalidate the previous 377signatures.. 378 379To ease this process, a second type of 380X-Auth: header is supported. this has 381the form: 382 383 X-Auth: None ... Newsgroup 384 385The important fact about this is that 386the newsgroup appears last on the line, allowing a 387sort of partial approval, from moderators who 388don't use the PGP Moose. 389 390The Newsgroups: line is split into a sorted list 391of newsgroups for the purpose of generating the 392digital signature. Note that this means that once 393an article has been approved and authenticated by 394one moderator, it cannot be altered in any way by 395a moderator of a subsequent group, including 396altering the set of newsgroups mentioned in the 397Newsgroups: header, the body of the posting, or 398the other headers mentioned above. 399 400 401Possible Problems We've Forseen: 402-------------------------------- 403 404If an article is truly mangled e.g. by truncation, it 405will fail the authentication and be cancelled. 406Until it is demonstrated otherwise, this is 407assumed to be a rare and minor problem. When a 408cancel is issued, mail is sent to the moderator of 409the group telling them, and they can tell us if it 410becomes a problem. (In the initial deployment we 411expect that no automatic cancels will actually be 412generated, only the notification mail will be 413sent.) 414 415Currently the signature produced is assumed to be 416a PGP version 2.6 compatible one. 417 418 419Obtaining, installing, configuring: 420----------------------------------- 421 422I regret that I don't have a public ftp site, but 423I do have a web page where you can get a 424compressed tar archive of the approval code. It is 425<A HREF=http://people.qualcomm.com/ggr/PGPMoose.html> 426off my home page</A>. 427 428It is hard to talk in detail about installation 429and configuration, since many users are not in 430charge of their own news server configuration. In 431my case, I run all of the things out of a 432subdirectory of my home directory. The only 433thing outside this area which must be changed is 434the INN newsfeeds file, if you are running the 435checking daemon. So, get the distribution file as 436above and unpack it whereever you want it to live. 437 438There are configuration sections at the top of 439pmcheck, pmapp and pmdaemon. I like to think that 440they are relatively self-explanatory. One of the 441harder decisions is whether to use a separate 442keyring for PGP Moose applications or not. It is 443very strongly recommended that you do, if you are 444going to run the PGP Moose checking daemon, as 445the keyring files will need to be readable by the 446userid which INN runs under (usually "news"). 447Most of these options can also be overridden by 448environment variables or command arguments, so it 449is possible to leave the scripts unmodified and 450simply put a wrapper around them (which is what I 451do). 452 453In the case of pmapp, the newsgroup or user that 454the authentication applies to can be specified on 455the command itself; The PGP user id and password, 456and the Approved: header's contents, can be 457specified by environment variables PMUSER, 458PMPASSWORD and APP, respectively. 459 460For pmcheck, the important one is the name of the 461configuration file specifying which signatures 462are valid for which newsgroups or users. 463 464Pmdaemon runs from INN, and needs some special 465care to set it up. "news" needs access permission 466to the directory and files for PGP Moose, and 467also read permission on the public keyring. Note 468that PGP creates keyrings with only owner 469permissions. The search path is rarely correct, 470and should be set at the top of the pmdaemon 471script. There are also a number of file names and 472mail addresses, but the comments should be clear 473enough. 474 475Lastly, you want to incorporate pmapp in your 476moderation script and possibly your posting 477script. In my case, the last line of my posting 478script basically said 479 480 /usr/local/news/inews -S -h <tempfile 481 482but now it says 483 484 pmapp <tempfile | /usr/local/news/inews -S -h 485 486To authenticate postings as an individual (as opposed 487to a moderator) I had to take a copy of the 488installed Pnews script, make sure it came earlier 489on my search path than the normal one, and modify 490that. You have to be careful that no extra 491signature files get appended after the pmapp is 492executed. Again, immediately before the "inews" 493call is the right place. I'm not sure whether 494this will work for all versions of news, this is 495not really my field of competence. 496 497 498Mailing list. 499------------- 500 501There is a mailing list which is read by people 502who are inteerested in the use of the PGP Moose 503and in particular by the people who run the 504checking daemons. When you think you are ready to 505have checking turned on, send mail to 506pgp-moose@ornl.gov including the public key for 507the newsgroup, the email address for notifications 508to be sent to, and the name of the newsgroup in 509question, to that list. Please sign the request 510with your own PGP key. 511 512 513It Really Wasn't That Hard. 514--------------------------- 515 516I wish people had put as much effort into doing 517this as they did into clogging the Moderators' 518mailing list. It wasn't hard. 519 520But you know what was hard? What Phil Zimmermann 521did creating PGP in the first place. Phil is in 522serious legal hassles over PGP, and if you think 523this effort saves you or your company some time 524or money, I'd like you to consider donating some 525of it to Phil's legal defence fund. Write to me 526or Phil's lawyer Phil Dubois <dubois@acm.org> 527regarding how to donate. You can do it over the 528net using PGP! I probably also should thank the 529many people who have worked hard to bring 530encryption back out of the black chambers. Some 531names which directly come to mind are Diffie, 532Hellman, Merkle, Rivest, Shamir, Adelman, Lai, 533Massey, and probably many others. 534 535Share and Enjoy! 536 537 538License Terms: 539------------- 540 541This software is copyrighted by Greg Rose, RoSecure 542Software, and other parties. The following terms 543apply to all files associated with the software 544unless explicitly disclaimed in individual 545files. 546 547The authors hereby grant permission to use, copy, 548modify, distribute, and license this software and 549its documentation for any purpose, provided that 550existing copyright notices are retained in all 551copies and that this notice is included verbatim 552in any distributions. No written agreement, 553license, or royalty fee is required for any of 554the authorized uses. Modifications to this 555software may be copyrighted by their authors and 556need not follow the licensing terms described 557here, provided that the new terms are clearly 558indicated on the first page of each file where 559they apply. 560 561IN NO EVENT SHALL THE AUTHORS OR DISTRIBUTORS BE 562LIABLE TO ANY PARTY FOR DIRECT, INDIRECT, 563SPECIAL, INCIDENTAL, OR CONSEQUENTIAL DAMAGES 564ARISING OUT OF THE USE OF THIS SOFTWARE, ITS 565DOCUMENTATION, OR ANY DERIVATIVES THEREOF, EVEN 566IF THE AUTHORS HAVE BEEN ADVISED OF THE 567POSSIBILITY OF SUCH DAMAGE. 568 569THE AUTHORS AND DISTRIBUTORS SPECIFICALLY 570DISCLAIM ANY WARRANTIES, INCLUDING, BUT NOT 571LIMITED TO, THE IMPLIED WARRANTIES OF 572MERCHANTABILITY, FITNESS FOR A PARTICULAR 573PURPOSE, AND NON-INFRINGEMENT. THIS SOFTWARE IS 574PROVIDED ON AN "AS IS" BASIS, AND THE AUTHORS AND 575DISTRIBUTORS HAVE NO OBLIGATION TO PROVIDE 576MAINTENANCE, SUPPORT, UPDATES, ENHANCEMENTS, OR 577MODIFICATIONS. 578 579 580Version: 581------- 582 583@(#)README 1.7 (PGPMoose) 98/11/26 584