
Secure your Docker images

With Notary and Yubikey

Dr. Udo Seidel

CEBIT Opensource Forum 2016

Agenda

● Introduction
● The Update Framework
● Notary
● Yubikey
● Getting started
● Summary


Me :-)

● Teacher of mathematics and physics
● PhD in experimental physics
● Started with Linux in 1996
● With Amadeus since 2006
● Before:
  – Linux/UNIX trainer
  – Solution Engineer in HPC and CAx environment
● Now: Architecture & Technical Governance


Introduction


Docker for Dummies

● Set of
  – Libraries
  – Executables
  – Other files
● Very image-based
● Separation via several namespaces


Docker work-flow

● $ docker pull

● $ docker run/start/stop/...

● $ docker commit/create/...

● $ docker push


Docker security

● Host
● Docker Daemon
● Docker Image
● Docker Instance


Docker work-flow security

● Store
● Upload
● Download
● Run


The Update Framework


Link to software management

● Source
● Target
● Download
● Content


Basic idea

● Plugin architecture
  – Easier integration
  – Easier to expand
● Digital signatures
  – Proven technology
  – Key management is crucial
● Meta data


Meta-Data

● Enhanced security
  – Whom to trust
  – Version system
  – Cryptographic checksums
● Enhanced role model
  – Delegation
  – Separation of duties


TUF Roles I

● Root
  – Delegates trust
  – Uses keys
● Target
  – What is trusted by clients
  – Can delegate too


TUF Roles II

● Snapshot
  – (latest) version of meta data
  – Update info for clients
● Timestamp
  – Prevent out-of-date attacks
  – Keys kept online
● Mirror
  – Optional


The two aspects of TUF

● Several implementations
  – Python
  – Ruby
  – Haskell
  – ...
  – Go :-)
● Specification!


Notary


Notary and TUF

● Go implementation
● Base of Docker Content Trust
● Not limited to docker


High level architecture

● Client-Server model
● 3 server components
  – Server
  – Signer
  – Database
● TCP/IP based communication
● TLS possible ... mandatory


High level architecture


Notary Server

● PoC for client
● REST API
● Port
  – Default: 443 or 4443
  – Configurable
  – Client needs to know


Notary Signer

● Cryptographic operations
● Data store
  – Database
  – Memory
  – PKCS#11 via softhsm2
● Ports
  – 4444 for HTTP
  – 7899 for GRPC


Notary Database

● ATM: MySQL only
● Standard port: 3306
● 3 tables
  – Private keys
  – Timestamp keys
  – Meta data


Roles and keys

● TUF specification
● 4 different roles
  – See TUF before
  – Mirror dropped
● Keys per role
● Data format: JSON


Root

● The base/start/entry point
● Two kinds
  – Global
  – Local
● Like root-CA in SSL/TLS world


Target

● Main user interaction
● Corresponds to file, directory, repository
● Meta data
  – Files
  – File sizes
  – Default validity: 3 years
  – BASE64 coded SHA256 checksums
  – Signed by target role


Snapshot

● Management of root|target.json
● Consistent view of software repository
● Meta Data
  – Files
  – File sizes
  – Default validity: 3 years
  – BASE64 coded SHA256 checksums
  – Signed by Snapshot role


Timestamp

● Management of snapshot.json
● Meta Data
  – File
  – File size
  – Default validity: 14 days
  – BASE64 coded SHA256 checksums
  – Signed by Timestamp role
● Key stored on server only
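The metadata chain of the Target, Snapshot and Timestamp slides (each role recording file sizes and base64-coded SHA256 checksums, with 3-year validity for targets and snapshot and 14 days for timestamp), worked through as an added example that is not code from the talk or from the Notary project. It is a stand-alone Go model, Go being Notary's own language: Publish builds a small repository and signs each role file with a standard-library ed25519 key, and Verify walks it the way a client would, freshest role first. The role names, the JSON layout, the single-signature envelope, the key handling and the sample target are assumptions made for the example; the Root role is represented only by the public keys the client is assumed to trust already, and key distribution and delegation are left out.

```go
// Added example (not code from the talk or from the Notary project): a minimal model
// of the TUF metadata chain the slides describe, signed with Go's standard ed25519.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"time"
)

// FileMeta is what every role records per file: size and base64-coded SHA256.
type FileMeta struct {
	Length int    `json:"length"`
	Sha256 string `json:"sha256"`
}

// Signed is the part of a role file that gets signed; Envelope is what is stored.
type Signed struct {
	Role    string              `json:"_type"`
	Expires time.Time           `json:"expires"`
	Meta    map[string]FileMeta `json:"meta"`
}
type Envelope struct {
	Signed    json.RawMessage `json:"signed"`
	Signature []byte          `json:"signature"`
}

func fileMeta(b []byte) FileMeta {
	sum := sha256.Sum256(b)
	return FileMeta{Length: len(b), Sha256: base64.StdEncoding.EncodeToString(sum[:])}
}

// GenKeys makes one ed25519 key pair per signing role (root is assumed, not modelled).
func GenKeys() (priv map[string]ed25519.PrivateKey, pub map[string]ed25519.PublicKey) {
	priv, pub = map[string]ed25519.PrivateKey{}, map[string]ed25519.PublicKey{}
	for _, role := range []string{"targets", "snapshot", "timestamp"} {
		pub[role], priv[role], _ = ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail here
	}
	return priv, pub
}

// sign serializes the Signed part (json.Marshal sorts map keys, so the bytes are
// deterministic) and signs exactly those bytes with the role's key.
func sign(role string, meta map[string]FileMeta, validity time.Duration, key ed25519.PrivateKey, now time.Time) []byte {
	raw, _ := json.Marshal(Signed{Role: role, Expires: now.Add(validity), Meta: meta})
	doc, _ := json.Marshal(Envelope{Signed: raw, Signature: ed25519.Sign(key, raw)})
	return doc
}

// verify parses a role file, checks its signature with the role key and rejects
// expired metadata; a stale timestamp.json is how out-of-date repositories get caught.
func verify(role string, doc []byte, pub ed25519.PublicKey, now time.Time) (*Signed, error) {
	var env, s = Envelope{}, Signed{}
	if json.Unmarshal(doc, &env) != nil || !ed25519.Verify(pub, env.Signed, env.Signature) {
		return nil, fmt.Errorf("%s.json: malformed or signature check failed", role)
	}
	if json.Unmarshal(env.Signed, &s) != nil || !now.Before(s.Expires) {
		return nil, fmt.Errorf("%s.json: malformed or expired", role)
	}
	return &s, nil
}

// Publish builds the chain with the slides' validity periods: targets.json lists the files
// (3 years), snapshot.json lists targets.json (3 years), timestamp.json lists snapshot.json (14 days).
func Publish(files map[string][]byte, priv map[string]ed25519.PrivateKey, now time.Time) map[string][]byte {
	const year, day = 365 * 24 * time.Hour, 24 * time.Hour
	repo, tm := map[string][]byte{}, map[string]FileMeta{} // target blobs and role files share one map
	for name, b := range files {
		repo[name], tm[name] = b, fileMeta(b)
	}
	repo["targets.json"] = sign("targets", tm, 3*year, priv["targets"], now)
	repo["snapshot.json"] = sign("snapshot", map[string]FileMeta{"targets.json": fileMeta(repo["targets.json"])}, 3*year, priv["snapshot"], now)
	repo["timestamp.json"] = sign("timestamp", map[string]FileMeta{"snapshot.json": fileMeta(repo["snapshot.json"])}, 14*day, priv["timestamp"], now)
	return repo
}

// Verify walks the chain as a client would: freshest role first, each role vouching
// for the size and checksum of the next file, down to the target itself.
func Verify(repo map[string][]byte, name string, pub map[string]ed25519.PublicKey, now time.Time) error {
	for _, step := range [][2]string{{"timestamp", "snapshot.json"}, {"snapshot", "targets.json"}, {"targets", name}} {
		s, err := verify(step[0], repo[step[0]+".json"], pub[step[0]], now)
		if err != nil {
			return err
		}
		if want, ok := s.Meta[step[1]]; !ok || fileMeta(repo[step[1]]) != want {
			return fmt.Errorf("%s is not listed or does not match its recorded size/checksum", step[1])
		}
	}
	return nil
}

func main() {
	priv, pub := GenKeys()
	repo := Publish(map[string][]byte{"app:1.0": []byte("constructed manifest bytes")}, priv, time.Now()) // constructed sample
	fmt.Println("verified:", Verify(repo, "app:1.0", pub, time.Now()) == nil)
}
```

Verify refuses an unlisted target, a target whose bytes no longer match targets.json, a targets.json that snapshot.json does not vouch for (even if it carries a valid signature from some other key), and any repository whose timestamp.json is older than 14 days, which is the check the Timestamp role with its online key exists for.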


The client

● notary

● $HOME/.notary/


Docker Content Trust (DCT)

● Since Engine version 1.8
● Notary: foundation but 'hidden'


Docker Content Trust

● Interaction via docker
● Mixed repository content
● (De-)Activation
  – $ DOCKER_CONTENT_TRUST=0|1
  – $ --disable-content-trust=true|false


Yubikey


Secure your (root) keys

● See root CA keys for SSL
● Secure and mobile → How?
  – Encrypted $HOME
  – Encrypted USB sticks
  – …???

=> Yubikey (4)


Yubikey 4

● Personal Identity Verification
● Two-Factor-Authentication
  – Different Standards
  – Here: FIDO and U2F
● One-Time-Passwords
● Chip Card Interface Device


Yubikey-PIV and Docker/Notary

● Notary root key
● Storage
  – 4 in total
  – In addition to $HOME
● Access
  – Docker-Speak
  – Changing content of repository
  – New/change docker images


Yubikey-U2F and Docker/Notary

● Enhance security
  – Generation of root keys
  – Access to root keys
● Humans, not machines/robots
● Fine for manual tasks


Universal 2 Factor Authentication


Yubikey in Docker action


Yubikey 4 – Beyond Docker

● Github
● Dropbox
● Gmail
● Google apps
● …
● Disk encryption


Getting Started


Getting Started – Notary (easy)

● Use official Docker Hub image :-)
● TLS quite tricky
● Drop docker and use notary
● Yubikey optional


Getting Started – Notary (less easy)

● Setup GO build environment
● Download and compile notary
● Configure and startup
  – Manually
  – Via Docker Compose
● TLS quite tricky
● Yubikey optional


Getting Started – Yubikey (easy)

● Yubikey mandatory :-)
● Test Repo on Docker Hub
● Enable DCT

● Insert Yubikey before pcscd 

● $ docker pull/push


Getting Started – Yubikey (less easy)

● Yubikey mandatory
● Setup own Registry
● Setup Notary (see before)
● Enable DCT

● Insert Yubikey before pcscd

● $ docker pull/push


Summary


Take Aways

● Good start
● Early days
● Only Docker Image security
● What is next?
  – Other Yubikey functions?
  – Other Tokens?


References

● http://www.docker.com
● http://theupdateframework.com
● http://www.yubico.com/docker
● http://github.com/docker/notary
● http://docs.docker.com/engine/security/trust


Thank you!


Secure your Docker images Linux ?!?

With Notary and Yubikey

Dr. Udo Seidel
