A transparent and secure way to look up public keys.
Go Protocol Buffer Shell Makefile
Latest commit 12e915f Feb 23, 2017 @gdbelvin gdbelvin committed on GitHub Merge pull request #501 from gdbelvin/proxy
Start a Trillian Log Server inside the front end.


Key Transparency

Build Status Go Report Card GoDoc

Key Transparency Logo

Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.

Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.

Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.

Using the Key Transparency Client

  1. Install Go 1.7. Set $GOPATH variable to point to your Go workspace directory and add $GOPATH/bin to the $PATH variable.

  2. Install prerequisites, Key Transparency client code, and sync all dependencies

    apt-get install build-essential libssl-dev
    go get -u github.com/kardianos/govendor
    go get -u github.com/google/keytransparency/cmd/...
    cd $GOPATH/src/github.com/google/keytransparency
    govendor sync
  3. Get an OAuth client ID and download the generated JSON file.

  4. Run the client setup tool

  5. Set/Update a user's keys.

    ./keytransparency-client authorized-keys add --generate --type=ecdsa --activate
    ./keytransparency-client post <email> -d '{"app1": "dGVzdA=="}' --config=./.keytransparency.yaml
    {Keys:map[app1:[116 101 115 116]}

    Key material is base64 encoded.

    Note: Use ./keytransparency-client authorized-keys --help for more information about authorized key managements.

  6. Fetch and verify a user's keys:

    ./keytransparency-client get <email> --config=.keytransparency.yaml --verbose
    ✓ Commitment verified.
    ✓ VRF verified.
    ✓ Sparse tree proof verified.
    ✓ Signed Map Head signature verified.
    CT ✓ STH signature verified.
    CT ✓ Consistency proof verified.
    CT   New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
    CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
    ✓ Signed Map Head CT inclusion proof verified.
    keys:<key:"app1" value:"test" >
    ./keytransparency-client history <email> --config=.keytransparency.yaml
    Epoch |Timestamp                    |Profile
    4     |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >

Running a Key Transparency Cluster

  1. Install etcd v3.0.0.

  2. Install Key Transparency

    apt-get install build-essential libssl-dev
    go get -u github.com/mattn/goreman
    go get -u github.com/kardianos/govendor
    go get -u github.com/google/keytransparency/...
    cd $GOPATH/src/github.com/google/keytransparency
    govendor sync
  3. Get a service account key and download the generated JSON file.

    The service account key is used to verify client OAuth tokens.

  4. Run server setup


    The tool will build the server binaries, generate keys, and configure the server. Clients will need the following public keys in order to verify server responses:

    • genfiles/vrf-pubkey.pem
    • genfiles/server.crt
    • genfile/p256-pubkey.pem
  5. Run

    goreman start