Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.
Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.
Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.
-
Install Go. Set
$GOPATH
variable to point to your Go workspace directory and add$GOPATH/bin
to the$PATH
variable. -
Install prerequisites, Key Transparency client code, and sync all dependencies
apt-get install build-essential libssl-dev
go get -u github.com/kardianos/govendor
go get -u github.com/google/key-transparency/cmd/...
cd $GOPATH/src/github.com/google/key-transparency
govendor sync
-
Get an OAuth client ID and download the generated JSON file.
-
Run the client setup tool
./scripts/prepare_client.sh
- Set/Update a user's keys.
./key-transparency-client authorized-keys add --generate --type=ecdsa --activate
./key-transparency-client post <email> -d '{"app1": "dGVzdA=="}' --config=./.key-transparency.yaml
{Keys:map[app1:[116 101 115 116]}
Key material is base64 encoded.
Note: Use ./key-transparency-client authorized-keys --help
for more information about authorized key managements.
- Fetch and verify a user's keys:
./key-transparency-client get <email> --config=.key-transparency.yaml --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >
./key-transparency-client history <email> --config=.key-transparency.yaml
Epoch |Timestamp |Profile
4 |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >
-
Install etcd v3.0.0.
-
Install Key Transparency
apt-get install build-essential libssl-dev
go get -u github.com/mattn/goreman
go get -u github.com/kardianos/govendor
go get -u github.com/google/key-transparency/...
cd $GOPATH/src/github.com/google/key-transparency
govendor sync
- Get a service account key and download the generated JSON file.
The service account key is used to verify client OAuth tokens.
- Run server setup
./scripts/prepare_server.sh
The tool will build the server binaries, generate keys, and configure the server. Clients will need the following public keys in order to verify server responses:
genfiles/vrf-pubkey.pem
genfiles/server.crt
genfile/p256-pubkey.pem
- Run
goreman start