GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → google → Keytransparency

google / Keytransparency

Licence: apache-2.0
A transparent and secure way to look up public keys.

Programming Languages

go
31211 projects - #10 most used programming language
shell
77523 projects
Dockerfile
14818 projects

Labels

secure-by-defaultconikskey-managementblock-chainpublic-keysmerkletreeverifiable-data-structuresverifiable-random-functionvrf

Projects that are alternatives of or similar to Keytransparency

libe4
C library of Teserakt's E4 end-to-end security protocol
Stars: ✭ 15 (-99.04%)
Mutual labels:  key-management
Airship
Secure Content Management for the Modern Web - "The sky is only the beginning"
Stars: ✭ 422 (-72.97%)
Mutual labels:  secure-by-default
Tfc
Tinfoil Chat - Onion-routed, endpoint secure messaging system
Stars: ✭ 781 (-49.97%)
Mutual labels:  secure-by-default
FFF Protocol Core
FFF as a new generation of the underlying chain technology, applying power block chain of innovation and fall to the ground, will help the industry standard. FFF consensus mechanism: the application of a new work-proof mechanism, network contribution proof mechanism, refers to the contribution ability of servers, PC and other devices to improve …
Stars: ✭ 5 (-99.68%)
Mutual labels:  block-chain
Awesome Blockchains
A collection about awesome blockchains - open distributed public databases w/ crypto hashes incl. git ;-). Blockchains are the new tulips 🌷🌷🌷. Distributed is the new centralized.
Stars: ✭ 3,243 (+107.75%)
Mutual labels:  merkletree
Skf Flask
Security Knowledge Framework (SKF) Python Flask / Angular project
Stars: ✭ 573 (-63.29%)
Mutual labels:  secure-by-default
pilot
Simple web-based SDN controller for family and friends
Stars: ✭ 33 (-97.89%)
Mutual labels:  vrf
Wg Install
Wireguard road warrior installer for Ubuntu, Debian, CentOS and Fedora
Stars: ✭ 99 (-93.66%)
Mutual labels:  secure-by-default
Firestr
The Grass Computing Platform
Stars: ✭ 329 (-78.92%)
Mutual labels:  secure-by-default
Age
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
Stars: ✭ 9,409 (+502.75%)
Mutual labels:  secure-by-default
shim
The Userify Shim (cloud agent)
Stars: ✭ 57 (-96.35%)
Mutual labels:  key-management
examples
Examples of NuID's zero knowledge authentication and key management facilities in various languages and frameworks. Open an Issue or PR if you'd like to see your favorite tool here.
Stars: ✭ 42 (-97.31%)
Mutual labels:  key-management
Koa Helmet
Important security headers for koa
Stars: ✭ 595 (-61.88%)
Mutual labels:  secure-by-default
crypto-books
Best of Crypto Books - A collection of books, white papers & more about crypto and blockchains.
Stars: ✭ 40 (-97.44%)
Mutual labels:  merkletree
Rage
A simple, secure and modern encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability.
Stars: ✭ 826 (-47.09%)
Mutual labels:  secure-by-default
zk
Cross-platform zero knowledge proofs
Stars: ✭ 44 (-97.18%)
Mutual labels:  key-management
Csp Builder
Build Content-Security-Policy headers from a JSON file (or build them programmatically)
Stars: ✭ 496 (-68.23%)
Mutual labels:  secure-by-default
System.ben
Who says you can't be super fast and super secure
Stars: ✭ 121 (-92.25%)
Mutual labels:  secure-by-default
Random compat
PHP 5.x support for random_bytes() and random_int()
Stars: ✭ 7,950 (+409.29%)
Mutual labels:  secure-by-default
Easydb
Easy-to-use PDO wrapper for PHP projects.
Stars: ✭ 624 (-60.03%)
Mutual labels:  secure-by-default
View All Similar Projects ➔

Key Transparency

GoDoc Build Status Go Report Card codecov

Key Transparency Logo

Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.

Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable.

Key Transparency empowers account owners to reliably see what public keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.

Key Transparency can add verifiable and user-friendly auditing to any scenario that involves authenticating users with public keys, including Universal Second Factor Security Keys and end-to-end encryption.

Project Status

Key Transparency is a work-in-progress with the following milestones under development.

Key Transparency Client

Setup

  1. Install Go 1.13.
  2. GO111MODULE=on go get github.com/google/keytransparency/cmd/keytransparency-client

Client operations

View a Directory's Public Keys

The Key Transparency server publishes a separate set of public keys for each directory that it hosts. By hosting multiple directories, a single domain can host directories for multiple apps or customers. A standardized pattern for discovering domains and directories is a TODO in issue #389.

Within a directory the server uses the following public keys to sign its responses:

  1. log.public_key signs the top-most Merkle tree root, covering the ordered list of map roots.
  2. map.public_key signs each snapshot of the key-value database in the form of a sparse Merkle tree.
  3. vrf.der signs outputs of the Verifiable Random Function which obscures the key values in the key-value database.

A directory's public keys can be retrieved over HTTPS/JSON with curl or over gRPC with grpcurl. The sandboxserver has been initialized with a domain named default.

$ curl -s https://sandbox.keytransparency.dev/v1/directories/default | json_pp
$ grpcurl -d '{"directory_id": "default"}' sandbox.keytransparency.dev:443 google.keytransparency.v1.KeyTransparency/GetDirectory
Show output 
{
   "directory_id" : "default",
   "log" : {
      "hash_algorithm" : "SHA256",
      "hash_strategy" : "RFC6962_SHA256",
      "public_key" : {
         "der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXPi4Ut3cRY3OCXWvcSnE/sk6tbDEgBeZapfEy/BIKfsMbj3hPLG+WEjzh1IP2TDirc9GpQ+r9HVGR81KqRpbjw=="
      },
      "signature_algorithm" : "ECDSA",
      "tree_id" : "4565568921879890247",
      "tree_type" : "PREORDERED_LOG"
   },
   "map" : {
      "hash_algorithm" : "SHA256",
      "hash_strategy" : "CONIKS_SHA256",
      "public_key" : {
         "der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgX6ITeFrqLmclqH+3XVhbaEeJO37vy1dZYRFxpKScERdeeu3XRirJszc5KJgaZs0LdvJqOccfNc2gJfInLGIuA=="
      },
      "signature_algorithm" : "ECDSA",
      "tree_id" : "5601540825264769688",
      "tree_type" : "MAP"
   },
   "max_interval" : "60s",
   "min_interval" : "1s",
   "vrf" : {
      "der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvuqCkY9rM/jq/8hAoQn2PClvlNvVeV0MSUqzc67q6W+MzY/YZKmPLY5t/n/VUEqeSgwU+/sXgER3trsL6nZu+A=="
   }
}

Generate Update Signing Keys

Every update to a user record in key transparency must be signed by an authorized-key.

Update signatures are saved in the Merkle tree data structure, producing a record of who made each change to a user's account, allowing products to distinguish between changes signed by a user key, the provider's key, or a reset-provider's key.

Each account has an updatable policy that lists the current set of authorized public keys that are allowed to make updates to the user's record.

To create an initial set of update signing keys, run the authorized-keys create-keyset command. Keys will be saved in a .keyset file in the current working directory.

$ PASSWORD=[[YOUR-KEYSET-PASSWORD]]
$ keytransparency-client authorized-keys create-keyset --password=${PASSWORD}
Show output 
$ PASSWORD=[[YOUR-KEYSET-PASSWORD]]
$ keytransparency-client authorized-keys create-keyset --password=${PASSWORD}
$ keytransparency-client authorized-keys list-keyset --password=${PASSWORD}
My Authorized Keys:
primary_key_id:17445529 key_info:<type_url:"type.googleapis.com/google.crypto.tink.EcdsaPrivateKey" status:ENABLED key_id:17445529 output_prefix_type:TINK >

Publish the public key

Any number of protocols may be used to prove to the server that a client owns a userID. The sandbox server supports a fake authentication string and OAuth.

Create or fetch the public key for your specific application.

 openssl genpkey -algorithm X25519 -out xkey.pem
 openssl pkey -in xkey.pem -pubout
 -----BEGIN PUBLIC KEY-----
 MCowBQYDK2VuAyEAtCAsIMDyVUUooA5yhgRefcEr7edVOmyNCUaN1LCYl3s=
 -----END PUBLIC KEY-----
keytransparency-client post [email protected] \
--kt-url sandbox.keytransparency.dev:443 \
--fake-auth-userid [email protected] \
--password=${PASSWORD} \
--verbose \
--logtostderr \
--data='MCowBQYDK2VuAyEAtCAsIMDyVUUooA5yhgRefcEr7edVOmyNCUaN1LCYl3s=' #Your public key in base64

Get and verify a public key

keytransparency-client get <email> --kt-url sandbox.keytransparency.dev:443 --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT   New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >

Verify key history

keytransparency-client history [email protected] --kt-url sandbox.keytransparency.dev:443
Revision |Timestamp                    |Profile
4        |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >

Checks

Running the server locally with Docker Compose

Prerequisites

  • GoLang
  • OpenSSL
  • Docker
    • Docker Engine 1.17.6+ docker version -f '{{.Server.APIVersion}}'
    • Docker Compose 1.11.0+ docker-compose --version

Deploy the KeyTransparency service

  1. Run the deployment script

    # Download the latest version of keytransparency
git clone https://github.com/google/keytransparency.git
cd keytransparency

# Run the deployment script for local environment
./scripts/deploy_local.sh deploy

  2. Check Docker's running containers

    docker container ls

    You should see 8 new running containers:

    • gcr.io/key-transparency/keytransparency-monitor
    • gcr.io/key-transparency/keytransparency-sequencer
    • gcr.io/trillian-opensource-ci/map_server
    • gcr.io/trillian-opensource-ci/log_signer
    • gcr.io/trillian-opensource-ci/log_server
    • gcr.io/key-transparency/keytransparency-server
    • gcr.io/trillian-opensource-ci/db_server
    • prom/prometheus

  3. Watch it Run

Terminate the KeyTransparency service

The script will remove all the containers and their networks.

# Run the script to undeploy
./scripts/deploy_local.sh undeploy

Development and Testing

Key Transparency and its Trillian backend use a MySQL database, which must be setup in order for the Key Transparency tests to work.

docker-compose up -d db will launch the database in the background.

Directory structure

The directory structure of Key Transparency is as follows:

Support

Acknowledgements

Key Transparency would not have been possible without a whole host of collaborators including researchers, interns, and open source contributors.

Key Transparency was inspired by CONIKS and Certificate Transparency.

Related

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].