Description
Key Transparency provides a lookup service for generic records and a public,
tamper-proof audit log of all record changes. While being publicly auditable,
individual records are only revealed in response to queries for specific IDs.
Key Transparency can be used as a public key discovery service to authenticate
users and provides a mechanism to keep the service accountable. It can be used
by account owners to reliably see what keys have been
associated with their account, and it can be used by senders to see how long an
account has been active and stable before trusting it.
Key Transparency alternatives and similar packages
Based on the "Server Applications" category.
Alternatively, view Key Transparency alternatives based on common mentions on social networks and blogs.
-
etcd
Distributed reliable key-value store for the most critical data of a distributed system -
Caddy
Fast and extensible multi-platform HTTP/1-2-3 web server with automatic HTTPS -
Vault
A tool for secrets management, encryption as a service, and privileged access management -
consul
Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure. -
apex
Build, deploy, and manage AWS Lambda functions with ease (with Go support!). -
RoadRunner
π€― High-performance PHP application server, process manager written in Go and powered with plugins -
SFTPGo
Fully featured and highly configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support - S3, Google Cloud Storage, Azure Blob -
Jocko
Kafka implemented in Golang with built-in coordination (No ZK dep, single binary install, Cloud Native) -
Ponzu
Headless CMS with automatic JSON API. Featuring auto-HTTPS from Let's Encrypt, HTTP/2 Server Push, and flexible server framework written in Go. -
Flagr
Flagr is a feature flagging, A/B testing and dynamic configuration microservice -
algernon
:tophat: Small self-contained pure-Go web server with Lua, Markdown, HTTP/2, QUIC, Redis and PostgreSQL support -
discovery
A registry for resilient mid-tier load balancing and failover. -
Trickster
Open Source HTTP Reverse Proxy Cache and Time Series Dashboard Accelerator -
Rendora
dynamic server-side rendering using headless Chrome to effortlessly solve the SEO problem for modern javascript websites -
jackal
π¬ Instant messaging server for the Extensible Messaging and Presence Protocol (XMPP). -
Golang API Starter Kit
Go Server/API boilerplate using best practices DDD CQRS ES gRPC -
go-feature-flag
GO Feature Flag is a simple, complete and lightweight feature flag solution 100% Open Source. ποΈ -
Euterpe
Self-hosted music streaming server πΆ with RESTful API and Web interface. Think of it as your very own Spotify! βοΈπ§ -
Walrus
π₯ Fast, Secure and Reliable System Backup, Set up in Minutes. -
goproxy
π¦ goproxy is a proxy server which can forward http or https requests to remote servers./ goproxy ζ―δΈδΈͺεε代ηζε‘ε¨οΌζ―ζ转ε http/https θ―·ζ±γ -
Eru
Eru, a simple, stateless, flexible, production-ready orchestrator designed to easily integrate into existing workflows. Can run any virtualization things in long or short time. -
marathon-consul Β Β Β
Integrates Marathon apps with Consul service discovery. -
cortex-tenant
Prometheus remote write proxy that adds Cortex/Mimir tenant ID based on metric labels -
go-proxy-cache
Simple Reverse Proxy with Caching, written in Go, using Redis. -
lets-proxy2
Reverse proxy with automatically obtains TLS certificates from Let's Encrypt -
Simple CRUD App w/ Gorilla/Mux, MariaDB
Simple CRUD Application with Go, Gorilla/mux, MariaDB, Redis. -
psql-streamer
Stream database events from PostgreSQL to Kafka -
autobd
autobd is an automated, networked and containerized backup solution -
nginx-prometheus
Turn Nginx logs into Prometheus metrics -
protoxy
A proxy server than converts JSON request bodies to protocol buffers -
simple-jwt-provider
Simple and lightweight provider which exhibits JWTs, supports login, password-reset (via mail) and user management. -
go-fitbit
Fitbit API for Go to fetch, add, update and delete data on Fitbit using REST API -
riemann-relay
Service for relaying Riemann events to Riemann/Carbon destinations
ONLYOFFICE Docs β document collaboration in your environment
Do you think we are missing an alternative of Key Transparency or a related project?
README
Key Transparency
[Key Transparency Logo](docs/images/logo.png)
Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.
Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable.
Key Transparency empowers account owners to [reliably see](docs/verification.md) what public keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.
Key Transparency can add [verifiable](docs/verification.md) and user-friendly auditing to any [scenario](docs/scenarios.md) that involves authenticating users with public keys, including Universal Second Factor Security Keys and end-to-end encryption.
- [Overview](docs/overview.md)
- [Design document](docs/design.md)
- [API](docs/api.md)
Project Status
Key Transparency is a work-in-progress with the following milestones under development.
Key Transparency Client
Setup
- Install Go 1.13.
GO111MODULE=on go get github.com/google/keytransparency/cmd/keytransparency-client
Client operations
View a Directory's Public Keys
The Key Transparency server publishes a separate set of public keys for each directory that it hosts. By hosting multiple directories, a single domain can host directories for multiple apps or customers. A standardized pattern for discovering domains and directories is a TODO in issue #389.
Within a directory the server uses the following public keys to sign its responses:
log.public_key
signs the top-most Merkle tree root, covering the ordered list of map roots.map.public_key
signs each snapshot of the key-value database in the form of a sparse Merkle tree.vrf.der
signs outputs of the Verifiable Random Function which obscures the key values in the key-value database.
A directory's public keys can be retrieved over HTTPS/JSON with curl
or over gRPC with grpcurl.
The sandboxserver has been initialized with a domain named default
.
$ curl -s https://sandbox.keytransparency.dev/v1/directories/default | json_pp
$ grpcurl -d '{"directory_id": "default"}' sandbox.keytransparency.dev:443 google.keytransparency.v1.KeyTransparency/GetDirectory
Show output
{
"directory_id" : "default",
"log" : {
"hash_algorithm" : "SHA256",
"hash_strategy" : "RFC6962_SHA256",
"public_key" : {
"der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEXPi4Ut3cRY3OCXWvcSnE/sk6tbDEgBeZapfEy/BIKfsMbj3hPLG+WEjzh1IP2TDirc9GpQ+r9HVGR81KqRpbjw=="
},
"signature_algorithm" : "ECDSA",
"tree_id" : "4565568921879890247",
"tree_type" : "PREORDERED_LOG"
},
"map" : {
"hash_algorithm" : "SHA256",
"hash_strategy" : "CONIKS_SHA256",
"public_key" : {
"der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgX6ITeFrqLmclqH+3XVhbaEeJO37vy1dZYRFxpKScERdeeu3XRirJszc5KJgaZs0LdvJqOccfNc2gJfInLGIuA=="
},
"signature_algorithm" : "ECDSA",
"tree_id" : "5601540825264769688",
"tree_type" : "MAP"
},
"max_interval" : "60s",
"min_interval" : "1s",
"vrf" : {
"der" : "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvuqCkY9rM/jq/8hAoQn2PClvlNvVeV0MSUqzc67q6W+MzY/YZKmPLY5t/n/VUEqeSgwU+/sXgER3trsL6nZu+A=="
}
}
Generate Update Signing Keys
Every update to a user record in key transparency must be signed by an authorized-key
.
Update signatures are saved in the Merkle tree data structure, producing a record of who made each change to a user's account, allowing products to distinguish between changes signed by a user key, the provider's key, or a reset-provider's key.
Each account has an updatable policy that lists the current set of authorized public keys that are allowed to make updates to the user's record.
To create an initial set of update signing keys, run the authorized-keys create-keyset
command.
Keys will be saved in a .keyset
file in the current working directory.
$ PASSWORD=[[YOUR-KEYSET-PASSWORD]]
$ keytransparency-client authorized-keys create-keyset --password=${PASSWORD}
Show output
$ PASSWORD=[[YOUR-KEYSET-PASSWORD]]
$ keytransparency-client authorized-keys create-keyset --password=${PASSWORD}
$ keytransparency-client authorized-keys list-keyset --password=${PASSWORD}
My Authorized Keys:
primary_key_id:17445529 key_info:<type_url:"type.googleapis.com/google.crypto.tink.EcdsaPrivateKey" status:ENABLED key_id:17445529 output_prefix_type:TINK >
Publish the public key
Any number of protocols may be used to prove to the server that a client owns a userID. The sandbox server supports a fake authentication string and OAuth.
Create or fetch the public key for your specific application.
openssl genpkey -algorithm X25519 -out xkey.pem
openssl pkey -in xkey.pem -pubout
-----BEGIN PUBLIC KEY-----
MCowBQYDK2VuAyEAtCAsIMDyVUUooA5yhgRefcEr7edVOmyNCUaN1LCYl3s=
-----END PUBLIC KEY-----
keytransparency-client post [email protected] \
--kt-url sandbox.keytransparency.dev:443 \
--fake-auth-userid [email protected] \
--password=${PASSWORD} \
--verbose \
--logtostderr \
--data='MCowBQYDK2VuAyEAtCAsIMDyVUUooA5yhgRefcEr7edVOmyNCUaN1LCYl3s=' #Your public key in base64
Get and verify a public key
keytransparency-client get <email> --kt-url sandbox.keytransparency.dev:443 --verbose
β Commitment verified.
β VRF verified.
β Sparse tree proof verified.
β Signed Map Head signature verified.
CT β STH signature verified.
CT β Consistency proof verified.
CT New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT β SCT signature verified. Saving SCT for future inclusion proof verification.
β Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >
Verify key history
keytransparency-client history [email protected] --kt-url sandbox.keytransparency.dev:443
Revision |Timestamp |Profile
4 |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >
Checks
Running the server locally with Docker Compose
Prerequisites
- GoLang
- OpenSSL
- Docker
- Docker Engine 1.17.6+
docker version -f '{{.Server.APIVersion}}'
- Docker Compose 1.11.0+
docker-compose --version
- Docker Engine 1.17.6+
Deploy the KeyTransparency service
- Run the deployment script ```sh # Download the latest version of keytransparency git clone https://github.com/google/keytransparency.git cd keytransparency
# Run the deployment script for local environment ./scripts/deploy_local.sh deploy
2. Check Docker's running containers
```sh
docker container ls
You should see 8 new running containers:
- gcr.io/key-transparency/keytransparency-monitor
- gcr.io/key-transparency/keytransparency-sequencer
- gcr.io/trillian-opensource-ci/map_server
- gcr.io/trillian-opensource-ci/log_signer
- gcr.io/trillian-opensource-ci/log_server
- gcr.io/key-transparency/keytransparency-server
- gcr.io/trillian-opensource-ci/db_server
- prom/prometheus
- Watch it Run
- Proof for [email protected]
- Server configuration info
Terminate the KeyTransparency service
The script will remove all the containers and their networks.
# Run the script to undeploy
./scripts/deploy_local.sh undeploy
Development and Testing
Key Transparency and its Trillian backend use a MySQL database, which must be setup in order for the Key Transparency tests to work.
docker-compose up -d db
will launch the database in the background.
Directory structure
The directory structure of Key Transparency is as follows:
- [cmd](cmd): binaries
- [keytransparency-client](cmd/keytransparency-client): Key Transparency CLI client.
- [keytransparency-sequencer](cmd/keytransparency-sequencer): Key Transparency backend.
- [keytransparency-server](cmd/keytransparency-sequencer): Key Transparency frontend.
- [core](core): main library source code. Core libraries do not import [impl](impl).
- [adminserver](core/adminserver): private API for creating new directories.
- [api](core/api): gRPC API definitions.
- [crypto](core/crypto): verifiable random function and commitment implementations.
- [directory](core/directory): interface for retrieving directory info from storage.
- [keyserver](core/keyserver): keyserver implementation.
- [mutator](core/mutator): "smart contract" implementation.
- [sequencer](core/sequencer): mutation executor.
- [deploy](deploy): deployment configs:
- [docker](deploy/docker): init helper.
- [kubernetes](deploy/kubernetes): kube deploy configs.
- [prometheus](deploy/prometheus): monitoring docker module.
- [docs](docs): documentation.
- [impl](impl): environment specific modules:
- [authentication](impl/authentication): authentication policy grpc interceptor.
- [authorization](impl/authorization): OAuth and fake auth grpc interceptor.
- [integration](impl/integration): environment specific integration tests.
- [mysql](impl/mysql): mysql implementations of storage modules.
- [scripts](scripts): scripts
- [deploy](scripts/deploy.sh): deploy to Google Compute Engine.
Support
Acknowledgements
Key Transparency would not have been possible without a whole host of collaborators including researchers, interns, and open source contributors.
Key Transparency was inspired by CONIKS and Certificate Transparency.
Related
- Google Security Blog Post
- CONIKS Project
- Why Making Johnny's Key Management Transparent is So Challenging
- Google Launches Key Transparency While a Trade-Off in WhatsApp Is Called a Backdoor
- On Ghost Users and Messaging Backdoors
- Verifiable Random Functions
- Message Layer Security
- OpenPGP Email Summit 2019