Root Metadata Root: Timestamp: USA Snapshot: Switzerland Targets: China Expiry: ...
Offline for security • Backup in bank vault • Use signing hardware
TUF repository packages ?
Targets Metadata java : { hashes } openssl : { hashes } … Expiry: ...
Targets Metadata Keys: { Alice: A Bob: B } java: [Alice] openssl: [Bob] Expiry: ...
Delegation Metadata java-8-jre : { hashes } A java-7-jre : { hashes } ... Expiry: ... openssl-1.0.1t : { hashes } B openssl-1.0.2h : { hashes } ... Expiry: ...
java-8-jre A java-7-jre openssl-1.0.1t B openssl-1.0.2h
jdk java java-8-jdk C java-7-jdk A jre apt java-8-jre A java-7-jre openssl openssl-1.0.1t B openssl-1.0.2h
jdk java java-8-jdk C java-7-jdk A jre apt java-8-jre A java-7-jre openssl openssl-1.0.1t B openssl-1.0.2h D E
• authenticity • integrity • freshness • survivable key compromise • thresholding
• authenticity • integrity • freshness • survivable key compromise • thresholding
• authenticity • integrity • freshness • survivable key compromise • thresholding
Snapshot Metadata Root : { hashes } Targets : { hashes } Alice : { hashes } Bob : { hashes } … Expiry: ...
• authenticity • integrity • freshness • survivable key compromise • thresholding
Timestamp Metadata Snapshot : { hashes } … Expiry: 24 hours from now
jdk java java-8-jdk C java-7-jdk A jre apt java-8-jre A java-7-jre openssl X openssl-1.0.1t B openssl-1.0.2h D E
• authenticity • integrity • freshness • survivable key compromise • thresholding
#
# # #
#
#
Metadata Lifetime Timestamp Snapshot Targets/ Delegations Root Lifetime t
Keeping Freshness Timestamp Snapshot Targets/ Delegations Root Lifetime t
Snapshot Expired! Timestamp Snapshot Targets/ Delegations Root Lifetime t
Sign a new Snapshot Timestamp Snapshot Targets/ Delegations Root Lifetime t
Sign a new Timestamp to point the Snapshot Timestamp Snapshot Targets/ Delegations Root Lifetime t
Want to publish something? Timestamp Snapshot Targets/ Delegations Root Lifetime t
Sign the hash into a new Targets or Delegation file Timestamp Snapshot Targets/ Delegations Root Lifetime t
Sign a new Snapshot that references this Targets file Timestamp Snapshot Targets/ Delegations Root Lifetime t
Sign a new Timestamp that references the new Snapshot Timestamp Snapshot Targets/ Delegations Root Lifetime t
Situation normal Timestamp Snapshot Targets/ Delegations Root Lifetime t
Oh no, I think my Snapshot key was compromised! Timestamp Snapshot Targets/ Delegations Root Lifetime t
Compromise is “when” not “if”
Root: Root Timestamp: Metadata Snapshot: Targets:
Root: Root Timestamp: Metadata Snapshot: Targets: Snapshot Metadata
Before recovery Timestamp Snapshot Targets/ Delegations Root Lifetime t
Create and sign the new Snapshot key into Root Timestamp Snapshot Targets/ Delegations Root Lifetime t
Sign a new Snapshot with the new key Timestamp Snapshot Targets/ Delegations Root Lifetime t
Sign new Timestamp to reference new Snapshot Timestamp Snapshot Targets/ Delegations Root Lifetime t
GPG TUF • authenticity • integrity • freshness • survivable key compromise • thresholding • ease of use coming soon!
• … • auditability
?
How can we start using TUF?
Demo • ease of use?
Demo
• authenticity • integrity • freshness • survivable key compromise • thresholding • ease of use
github.com/docker/notary
$> export DOCKER_CONTENT_TRUST=1
alpine
alpine latest: {hash} edge: {hash} 2.6: {hash} 3.3: {hash} 3.4: {hash}
$> $pkg-manager install openssl
Design Goals: - root of trust in package manager maintainers - with thresholding - freshness guarantees - signed index of all packages - signed package targets by package maintainers - name to hash resolution - with thresholding
Recommend
More recommend
