Skip to content

Latest commit

 

History

History
123 lines (89 loc) · 4.09 KB

README.md

File metadata and controls

123 lines (89 loc) · 4.09 KB

Key Transparency

Go Report Card GoDoc

Key Transparency Logo

Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.

Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.

Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.

Using the Key Transparency Client

  1. Install Go. Set $GOPATH variable to point to your Go workspace directory and add $GOPATH/bin to the $PATH variable.

  2. Install prerequisites, Key Transparency client code, and sync all dependencies

apt-get install build-essential libssl-dev
go get -u github.com/kardianos/govendor
go get -u github.com/google/key-transparency/cmd/...
cd $GOPATH/src/github.com/google/key-transparency
govendor sync
  1. Get an OAuth client ID and download the generated JSON file.

  2. Run the client setup tool

./scripts/prepare_client.sh
  1. Set/Update a user's keys.
./key-transparency-client authorized-keys add --generate --type=ecdsa --activate
./key-transparency-client post <email> -d '{"app1": "dGVzdA=="}' --config=./.key-transparency.yaml
{Keys:map[app1:[116 101 115 116]}

Key material is base64 encoded.

Note: Use ./key-transparency-client authorized-keys --help for more information about authorized key managements.

  1. Fetch and verify a user's keys:
./key-transparency-client get <email> --config=.key-transparency.yaml --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT   New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >
./key-transparency-client history <email> --config=.key-transparency.yaml
Epoch |Timestamp                    |Profile
4     |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >

Running a Key Transparency Cluster

  1. Install etcd v3.0.0.

  2. Install Key Transparency

apt-get install build-essential libssl-dev
go get -u github.com/mattn/goreman
go get -u github.com/kardianos/govendor
go get -u github.com/google/key-transparency/...
cd $GOPATH/src/github.com/google/key-transparency
govendor sync
  1. Get a service account key and download the generated JSON file.

The service account key is used to verify client OAuth tokens.

  1. Run server setup
./scripts/prepare_server.sh

The tool will build the server binaries, generate keys, and configure the server. Clients will need the following public keys in order to verify server responses:

  • genfiles/vrf-pubkey.pem
  • genfiles/server.crt
  • genfile/p256-pubkey.pem
  1. Run
goreman start