phpBB

Development Wiki

PhpBB4/RFC/Secure Automatic Upgrades

From phpBB Development Wiki

Introduction

If you've ever used Wordpress, you're probably aware of how, when a new version is released, Wordpress can automatically download and install the update for you [1]. As convenient as that is, it does present a small problem. In particular, if phpbb.com or wordpress.com or whatever were hacked, an attacker wouldn't just be compromising phpBB - they'd be potentially compromising most every phpBB install out there.

The solution is to use signed patches. phpBB's public key would be included with every phpBB install and all phpBB releases would be signed with phpBB's private key. phpBB would automatically download the latest release, verify the signature and only if it matches would it install it. This can be done without imposing any additional requirements on the server by using phpseclib's Crypt_RSA library.

Implementation details

RSASSA-PSS, as defined in PKCS#1 v2.1, would be used with a salt length of 0 and with SHA256 as the hash and as the mask generation function. phpBB would download the archive (be it *.zip or *.tar.gz or whatever) and a separate signature for the archive. The signature would then be verified and, if correct, the upgrade would proceed. The public key would only need to be installed in the *.php files doing the downloading (ie. acp_update.php or whatever) and could be stored in the "raw" format (ie. $exponent = new biginteger(65537); $modulo = new biginteger(1234123123.......234234234233);)

Additional applications

This would also enable secure automatic upgrades / installation of plugins.

Discussion

http://area51.phpbb.com/phpBB/viewtopic.php?f=78&t=32529