Programming language: Go
Latest version: v0.1.2

Key Transparency

[Key Transparency Logo](docs/images/logo.png)

Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.

Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to [reliably see](docs/verification.md) what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.

  • [Overview](docs/overview.md)
  • [Design document](docs/design.md)
  • [API](docs/api.md)

Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.

Key Transparency Client

Setup

  1. Install Go 1.10.
  2. go get -u github.com/google/keytransparency/cmd/keytransparency-client

Client operations

Generate a private key

  PASSWORD=[[YOUR-KEYSET-PASSWORD]]
  keytransparency-client authorized-keys create-keyset --password=${PASSWORD}
  keytransparency-client authorized-keys list-keyset --password=${PASSWORD}

The create-keyset command writes a .keyset file to the current working directory. To use a different location, pass --keyset-file (or its -k shortcut).

NB: These commands talk to the default Key Transparency server, "35.202.56.9:443". Pass --kt-url to point the client at a different server.

Publish the public key

  1. Get an OAuth client ID and download the generated JSON file to client_secret.json.
  2. Post the base64-encoded key data for the account:

  keytransparency-client post user@domain.com \
    --client-secret=client_secret.json \
    --insecure \
    --password=${PASSWORD} \
    --data='dGVzdA==' # base64 of "test"

The --insecure flag skips TLS certificate checks on the connection to the server; use it only against a test deployment.

Get and verify a public key

  keytransparency-client get <email> --insecure --verbose
  ✓ Commitment verified.
  ✓ VRF verified.
  ✓ Sparse tree proof verified.
  ✓ Signed Map Head signature verified.
  CT ✓ STH signature verified.
  CT ✓ Consistency proof verified.
  CT   New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
  CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
  ✓ Signed Map Head CT inclusion proof verified.
  keys:<key:"app1" value:"test" >
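The first two lines of that output, "Commitment verified" and "Sparse tree proof verified", are the part of the client's work that makes the log both private and auditable: the server reveals (nonce, data) for the queried ID, the client recomputes the commitment and then checks that this commitment sits in the sparse Merkle tree under the map root it trusts. The Go program below is an added illustrative model written for this page, not the keytransparency code or its wire formats: it assumes a 256-deep sparse Merkle tree, uses SHA-256 of the user ID as the leaf index where the real client verifies a VRF output, uses an HMAC keyed by a random nonce as the commitment, and builds its records inline. It shows the inclusion check, the rejection of a server that swaps in a different key for the same ID, and (in the same proof shape) the absence check for an ID that has no record.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Illustrative model, not the keytransparency code: a 256-deep sparse Merkle
// tree whose leaf index is SHA-256(userID) (a stand-in for the VRF output) and
// whose leaf value is a nonce-keyed commitment, so auditing the tree reveals nothing.
const Depth = 256

type Leaf struct{ Index [32]byte; Value []byte } // Value is the stored commitment
var emptyHash [Depth + 1][]byte                  // emptyHash[h]: empty subtree of height h

func init() {
	emptyHash[0] = sum([]byte{0x02}) // domain tag: no record at this index
	for h := 1; h <= Depth; h++ {
		emptyHash[h] = HashNode(emptyHash[h-1], emptyHash[h-1])
	}
}

// Leaves (0x00), interior nodes (0x01) and the empty leaf (0x02) carry distinct
// domain tags, so no value of one kind can be passed off as another.
func sum(b []byte) []byte          { h := sha256.Sum256(b); return h[:] }
func HashLeaf(v []byte) []byte     { return sum(append([]byte{0x00}, v...)) }
func HashNode(l, r []byte) []byte  { return sum(append(append([]byte{0x01}, l...), r...)) }
func EmptyLeafHash() []byte        { return emptyHash[0] }
func Index(userID string) [32]byte { return sha256.Sum256([]byte(userID)) }
func bit(idx [32]byte, i int) bool { return idx[i/8]&(0x80>>uint(i%8)) != 0 }

// Commit binds data to an ID under a random nonce; without (nonce, data) the
// leaf value reveals nothing. The client recomputes it from the server's answer.
func Commit(nonce []byte, userID string, data []byte) []byte {
	m := hmac.New(sha256.New, nonce)
	m.Write([]byte(userID))
	m.Write(data)
	return m.Sum(nil)
}

// side keeps the leaves whose index has bit d equal to want (false = left child).
func side(ls []Leaf, d int, want bool) (out []Leaf) {
	for _, l := range ls {
		if bit(l.Index, d) == want {
			out = append(out, l)
		}
	}
	return
}

// Root hashes the subtree at depth d holding exactly ls; Root(ls, 0) is the map root.
func Root(ls []Leaf, d int) []byte {
	if len(ls) == 0 {
		return emptyHash[Depth-d]
	}
	if d == Depth {
		return HashLeaf(ls[0].Value)
	}
	return HashNode(Root(side(ls, d, false), d+1), Root(side(ls, d, true), d+1))
}

// Prove returns the Depth sibling hashes on the path to index; the same shape
// proves absence when no record exists there.
func Prove(ls []Leaf, index [32]byte) [][]byte {
	proof := make([][]byte, Depth)
	for d := 0; d < Depth; d++ {
		proof[d] = Root(side(ls, d, !bit(index, d)), d+1)
		ls = side(ls, d, bit(index, d))
	}
	return proof
}

// VerifyProof recomputes the root from the claimed leaf hash and the siblings
// and compares it in constant time with the root the client already trusts.
func VerifyProof(want []byte, index [32]byte, leafHash []byte, proof [][]byte) bool {
	if len(proof) != Depth {
		return false
	}
	h := leafHash
	for d := Depth - 1; d >= 0; d-- {
		if bit(index, d) {
			h = HashNode(proof[d], h)
		} else {
			h = HashNode(h, proof[d])
		}
	}
	return hmac.Equal(h, want)
}

func main() {
	alice, key := "alice@example.com", []byte("test") // constructed record
	nonce := make([]byte, 16)                          // fresh random nonce per record
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	leaves := []Leaf{{Index(alice), Commit(nonce, alice, key)}}
	r, proof := Root(leaves, 0), Prove(leaves, Index(alice))
	// The client recommits from the revealed (nonce, key); a swapped key fails.
	fmt.Println("alice:", VerifyProof(r, Index(alice), HashLeaf(Commit(nonce, alice, key)), proof))
	fmt.Println("swapped:", VerifyProof(r, Index(alice), HashLeaf(Commit(nonce, alice, []byte("evil"))), proof))
}
```

Two details matter for a real client as much as for this model: the proof length is checked before any hashing so a truncated proof cannot be folded into a root that happens to match, and the final comparison is constant-time. The `history` command below repeats the same inclusion check once per revision against that revision's signed map root.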

Verify key history

  keytransparency-client history <email> --insecure
  Revision |Timestamp                    |Profile
  4        |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >

Checks

Running the server

Prerequisites:

  1. OpenSSL
  2. Docker
    • Docker Engine 1.17.6+ (check with docker version -f '{{.Server.APIVersion}}')
    • Docker Compose 1.11.0+ (check with docker-compose --version)

Fetch the sources, prepare the server and start the stack (each compose file needs its own -f flag):

  go get -u github.com/google/keytransparency/...
  go get -u github.com/google/trillian/...
  cd $(go env GOPATH)/src/github.com/google/keytransparency
  ./scripts/prepare_server.sh -f
  docker-compose -f docker-compose.yml -f docker-compose.prod.yml up

Once it is up you can:

  1. Watch it run
  2. Fetch the proof for foo@bar.com
  3. View the server configuration info

Development and Testing

Key Transparency and its Trillian backend use a MySQL database, which must be set up before the Key Transparency tests will run. To launch the database in the background:

  docker-compose up -d db

Directory structure

The directory structure of Key Transparency is as follows:

  • [cmd](cmd): binaries
    • [keytransparency-client](cmd/keytransparency-client): Key Transparency CLI client.
    • [keytransparency-sequencer](cmd/keytransparency-sequencer): Key Transparency backend.
    • [keytransparency-server](cmd/keytransparency-server): Key Transparency frontend.
  • [core](core): main library source code. Core libraries do not import [impl](impl).
    • [adminserver](core/adminserver): private api for creating new directories.
    • [api](core/api): gRPC API definitions.
    • [crypto](core/crypto): verifiable random function and commitment implementations.
    • [directory](core/directory): interface for retrieving directory info from storage.
    • [keyserver](core/keyserver): keyserver implementation.
    • [mutator](core/mutator): "smart contract" implementation.
    • [sequencer](core/sequencer): mutation executor.
  • [deploy](deploy): deployment configs:
    • [docker](deploy/docker): init helper.
    • [kubernetes](deploy/kubernetes): kube deploy configs.
    • [prometheus](deploy/prometheus): monitoring docker module.
  • [docs](docs): documentation.
  • [impl](impl): environment specific modules:
    • [authentication](impl/authentication): authentication policy grpc interceptor.
    • [authorization](impl/authorization): OAuth and fake auth grpc interceptor.
    • [integration](impl/integration): environment specific integration tests.
    • [sql](impl/sql): mysql implementations of storage modules.
  • [scripts](scripts): scripts
    • [deploy](scripts/deploy.sh): deploy to Google Compute Engine.

Support