Release v0.6.0

[tarcieri]

Tendermint KMS v0.6.0-rc1 is feature-complete and we are presently running it in production at @iqlusioninc.

Here are some items to consider before a final release:

(Re-)Review Security-Critical Changes

It would be good to get another set of eyes on PRs tagged with security. There are two PRs that are particularly noteworthy:

• #279: tendermint-rs: Reject low order points is a mitigation for a MitM vulnerability in Secret Connection (MITM in secret connection #142) in which an attacker can undetectably overwrite ephemeral keys so the shared secret value is 0. There's a separate PR to eliminate handshake malleability altogether by using transcript hashing (introduces transcipt hashing to secret connection. #254) which I'd consider the "real" solution to this problem (but isn't ready to ship), however in the meantime the "Prime, Order Please!" academic paper contains a formal security analysis of Secret Connection which detected the vulnerability as well as Tamarin proofs of the security of both solutions.
• #300: yubihsm setup: Collect 256-bits entropy from both RNGs is a fix for a potential low-severity issue discovered during a security audit, in which in the event of a silent failure of one of the two RNGs used to derive the randomness for the master YubiHSM2 derivation password, the resulting secret (i.e. the 24-word BIP39 mnemonic phrase) would only have 128-bits entropy instead of the intended 256-bits. Even if this were to happen, 128-bits is still sufficient for security (hence the low severity), but since it addresses an audit finding (or as it were, the only audit finding), I think it deserves a second look.

I also switched to using the hkd32 crate for deriving the key hierarchy from the 24-word mnemonic, which uses the same derivation algorithm (which is a named subset extracted from BIP32) which was validated through the use of test vectors.

README.md updates

Much of the copy in the README.md is out-of-date now, and I think it'd be good to get it updated on the release so it appears on https://crates.io/crates/tmkms as well.

Here are some things I'd suggest updating and/or adding:

Tendermint KMS is currently ALPHA SOFTWARE AND UNAUDITED -- USE AT YOUR OWN RISK

The KMS underwent an audit with one low-severity finding (mentioned above). I think it'd be good to note that, and ideally publish the audit (or the parts of the audit specific to the KMS) and link them from the README.md.

Additionally, I think the KMS is "beta quality" at this point (especially given the large number of usability and feature improvements in this release), but will defer to others to make that call.

Security Issues

All of the security issues presently listed in the README have been addressed and the associated GitHub issues closed (#111, #142). I think this entire section can be removed.

Supported Platforms

This presently lists several 32-bit platforms, which we don't presently test on. Some of these platforms are known to have timing variabilities in core operations which make them unsuitable for cryptographic use (e.g. PPC32 short-circuits multiplication by 0 and 1). I think it'd be good to remove all of the 32-bit platforms (my fault for listing them in the first place), or at the very least remove PPC32.

Add Signing Provider List (w\ Recommendations)

Nowhere in the README.md is there presently a list of the available signing backends, nor is there any guidance anywhere around which ones to use.

I think it'd be good to add a list of the signing backends, in order of their relative maturity (i.e. YubiHSM2, Ledger, Soft Sign), and note that YubiHSM2 or Ledger are "recommended", as well as linking to the respective documentation for YubiHSM2 and Ledger (there is presently no specific documentation for the Soft Sign backend).

[jessysaurusrex]

LGTM, and I could not be happier to see the update to the readme.

[tarcieri]

Release PR open: #329

[tarcieri]

v0.6.0 has been released