Key Transparency provides a lookup service for generic records and a public, tamper-proof audit log of all record changes. While being publicly auditable, individual records are only revealed in response to queries for specific IDs.
Key Transparency can be used as a public key discovery service to authenticate users and provides a mechanism to keep the service accountable. It can be used by account owners to reliably see what keys have been associated with their account, and it can be used by senders to see how long an account has been active and stable before trusting it.
Key Transparency is inspired by CONIKS and Certificate Transparency. It is a work-in-progress with the following milestones under development.
- Install Go 1.10.
go get -u github.com/google/keytransparency/cmd/keytransparency-client
keytransparency-client authorized-keys create-keyset -p password
keytransparency-client authorized-keys list-keyset -p password- Get an OAuth client ID and download the generated JSON file to
client_secret.json.
keytransparency-client post user@domain.com app1 --client-secret=client_secret.json --insecure -d 'dGVzdA==' #Base64keytransparency-client get <email> <app> --insecure --verbose
✓ Commitment verified.
✓ VRF verified.
✓ Sparse tree proof verified.
✓ Signed Map Head signature verified.
CT ✓ STH signature verified.
CT ✓ Consistency proof verified.
CT New trusted STH: 2016-09-12 15:31:19.547 -0700 PDT
CT ✓ SCT signature verified. Saving SCT for future inclusion proof verification.
✓ Signed Map Head CT inclusion proof verified.
keys:<key:"app1" value:"test" >
keytransparency-client history <email> --insecure
Epoch |Timestamp |Profile
4 |Mon Sep 12 22:23:54 UTC 2016 |keys:<key:"app1" value:"test" >
- OpenSSL
- Docker
- Docker Engine 1.13.0+
docker version -f '{{.Server.APIVersion}}' - Docker Compose 1.11.0+
docker-compose --version
- Docker Engine 1.13.0+
go get -u github.com/google/keytransparency/...go get -u github.com/google/trillian/..../scripts/prepare_server.sh -f
- Run Key Transparency
$ docker-compose up -d
Creating keytransparency_db_1 ... done
Creating keytransparency_map_server_1 ... done
Creating keytransparency_log_server_1 ... done
Creating keytransparency_log_server_1 ... done
Creating keytransparency_server_1 ... done
Creating keytransparency_sequencer_1 ... done
Creating keytransparency_monitor_1 ... done
Creating keytransparency_init_1 ... done
Creating keytransparency_prometheus_1 ... done
Creating keytransparency_monitor_1 ... done- Watch it Run
docker-compose logs --tail=0 --follow- Proof for app1/foo@bar.com
- Server configuration info
- Prometheus graphs
Key Transparency and its Trillian backend use a MySQL database, which must be setup in order for the Key Transparency tests to work.
The directory structure of Key Transparency is as follows:
- cmd: binaries
- keytransparency-client: Key Transparency CLI client.
- keytransparency-sequencer: Key Transparency backend.
- keytransparency-server: Key Transparency frontend.
- core: main library source code. Core libraries do not import impl.
- adminserver: private api for creating new domains and apps.
- api: gRPC API definitions.
- crypto: verifiable random function and commitment implementations.
- domain: interface for retrieving domain info from storage.
- keyserver: keyserver implementation.
- mutator: "smart contract" implementation.
- sequencer: mutation executor.
- deploy: deployment configs:
- docker: init helper.
- kubernetes: kube deploy configs.
- prometheus: monitoring docker module.
- docs: documentation.
- impl: environment specific modules:
- authentication: authentication policy grpc interceptor.
- authorization: OAuth and fake auth grpc interceptor.
- integration: environment specific integration tests.
- sql: mysql implementations of storage modules.
- scripts: scripts
- deploy: deploy to Google Compute Engine.