README
¶
Key Transparency
Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.
Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.
Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.
Using the Key Transparency Client
-
Install Go 1.7. Set
$GOPATHvariable to point to your Go workspace directory and add$GOPATH/binto the$PATHvariable. -
Install prerequisites, Key Transparency client code, and sync all dependencies
go get -u github.com/kardianos/govendor
go get -u github.com/google/keytransparency/cmd/...
cd $GOPATH/src/github.com/google/keytransparency
govendor sync
-
Get an OAuth client ID and download the generated JSON file.
-
Run the client setup tool
./scripts/prepare_client.sh
- Set/Update a user's keys.
./keytransparency-client authorized-keys add --generate --type=ecdsa --activate
./keytransparency-client post <email> -d '{"app1": "dGVzdA=="}' --config=./.keytransparency.yaml
{Keys:map[app1:[116 101 115 116]}
Key material is base64 encoded.
Note: Use ./keytransparency-client authorized-keys --help for more information about authorized key managements.
- Fetch and verify a user's keys:
./keytransparency-client get <email> --config=.keytransparency.yaml --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >
./keytransparency-client history <email> --config=.keytransparency.yaml
Epoch |Timestamp |Profile
4 |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >
Running a Key Transparency Cluster
- Install
- Install Key Transparency
go get -u github.com/mattn/goreman
go get -u github.com/kardianos/govendor
go get -u github.com/google/keytransparency/...
cd $GOPATH/src/github.com/google/keytransparency
govendor sync
- Get a service account key and download the generated JSON file.
The service account key is used to verify client OAuth tokens.
- Run server setup
./scripts/prepare_server.sh
The tool will build the server binaries, generate keys, and configure the server. Clients will need the following public keys in order to verify server responses:
genfiles/vrf-pubkey.pemgenfiles/server.crtgenfile/p256-pubkey.pem
- Run the server and the signer using
goreman start
Directories
¶
| Path | Synopsis |
|---|---|
|
cmd
|
|
|
core
|
|
|
admin
Package admin supports configuing Key Transparency with multiple Trillian backends.
|
Package admin supports configuing Key Transparency with multiple Trillian backends. |
|
authentication
Package authentication implements authentication mechanisms.
|
Package authentication implements authentication mechanisms. |
|
crypto/commitments
Package commitments implements a cryptographic commitment.
|
Package commitments implements a cryptographic commitment. |
|
crypto/vrf
Package vrf defines the interface to a verifiable random function.
|
Package vrf defines the interface to a verifiable random function. |
|
crypto/vrf/p256
Package p256 implements a verifiable random function using curve p256.
|
Package p256 implements a verifiable random function using curve p256. |
|
keyserver
Package keyserver implements a transparent key server for End to End.
|
Package keyserver implements a transparent key server for End to End. |
|
mapserver
Package mapserver implements the TrillianMapClient interface.
|
Package mapserver implements the TrillianMapClient interface. |
|
mutation
Package mutation implements the monitor service.
|
Package mutation implements the monitor service. |
|
mutator
Package mutator defines the operations to transform mutations into changes in the map as well as operations to write and read mutations to and from the database.
|
Package mutator defines the operations to transform mutations into changes in the map as well as operations to write and read mutations to and from the database. |
|
mutator/entry
Package entry implements a simple replacement strategy as a mapper.
|
Package entry implements a simple replacement strategy as a mapper. |
|
mutator/replace
Package replace implements a simple replacement strategy as a mapper.
|
Package replace implements a simple replacement strategy as a mapper. |
|
proto/keymaster
Package keymaster is a generated protocol buffer package.
|
Package keymaster is a generated protocol buffer package. |
|
proto/keytransparency_v1_types
Package keytransparency_v1_types is a generated protocol buffer package.
|
Package keytransparency_v1_types is a generated protocol buffer package. |
|
testutil/ctutil
Package ctutil implements helper functions for testing against Certificate Transparency.
|
Package ctutil implements helper functions for testing against Certificate Transparency. |
|
tree
Package tree contains functions for manipulating generic tree representations.
|
Package tree contains functions for manipulating generic tree representations. |
|
tree/sparse/verifier
Package verifier allows client to verify a tree proof.
|
Package verifier allows client to verify a tree proof. |
|
impl
|
|
|
config
Package config has utilitites for loading configuration files from disk.
|
Package config has utilitites for loading configuration files from disk. |
|
mutation
Package mutation implements the monitor service.
|
Package mutation implements the monitor service. |
|
proto/keytransparency_v1_service
Package keytransparency_v1_service is a generated protocol buffer package.
|
Package keytransparency_v1_service is a generated protocol buffer package. |
|
proto/mutation_v1_service
Package mutation_v1_service is a generated protocol buffer package.
|
Package mutation_v1_service is a generated protocol buffer package. |
|
sql/mutations
Package mutations defines operations to write and read mutations to and from the database.
|
Package mutations defines operations to write and read mutations to and from the database. |
|
sql/sequenced
Package sequenced stores a list of objects that have been sequenced.
|
Package sequenced stores a list of objects that have been sequenced. |
|
sql/sqlhist
Package sqlhist implements a temporal sparse merkle tree using SQL.
|
Package sqlhist implements a temporal sparse merkle tree using SQL. |
|
sql/testutil
Package testutil contains test supporting functionality for 'impl/sql/...'.
|
Package testutil contains test supporting functionality for 'impl/sql/...'. |
Click to show internal directories.
Click to hide internal directories.