secure your docker images · 2017-03-23 · secure your docker images with notary and yubikey dr....

Secure your Docker images

With Notary and Yubikey

Dr. Udo Seidel

CEBIT Opensource Forum 2016

Agenda

● Introduction● The Update Framework● Notary● Yubikey● Getting started● Summary


Me :-)● Teacher of mathematics and physics● PhD in experimental physics● Started with Linux in 1996● With Amadeus since 2006● Before:

● Linux/UNIX trainer● Solution Engineer in HPC and CAx

environment● Now: Architecture & Technical Governance


Introduction


Docker for Dummies

● Set of ● Libraries● Executables● Other files

● Very image-based● Separation via several namespaces


Docker work-flow

● $ docker pull

● $ docker run/start/stop/...

● $ docker commit/create/...

● $ docker push


Docker security

● Host● Docker Daemon● Docker Image● Docker Instance


Docker work-flow security

● Store● Upload● Download● Run


The Update Framework


Link to software management

● Source● Target● Download● Content


Basic idea

● Plugin architecture● Easier integration● Easier to expand

● Digital signatures● Proven technology● Key management is crucial

● Meta data


Meta-Data

● Enhanced security● Whom to trust● Version system● Cryptographic checksums

● Enhanced role model● Delegation● Separation of duties


TUF Roles I

● Root● Delegates trust● Uses keys

● Target● What is trusted by clients● Can delegate too


TUF Roles II

● Snapshot● (latest) version of meta data● Update info for clients

● Timestamp● Prevent out-of-data attacks● Keys kept online

● Mirror● Optional


The two aspects of TUF

● Several implementations● Python● Ruby● Haskell● ...● Go :-)

● Specification!


Notary


Notary and TUF

● Go implementation● Base of Docker Content Trust● Not limited to docker


High level architecture

● Client-Server model● 3 server components

● Server● Signer● Database

● TCP/IP based communication● TLS possible ... mandatory


High level architecture


Notary Server

● PoC for client● REST API● Port

● Default: 443 or 4443● Configurable ● Client need to know


Notary Signer

● Cryptographic operations● Data store

● Database● Memory

● PKCS#11 via softhsm2● Ports

● 4444 for HTTP● 7899 for GRPC


Notary Database

● ATM: MySQL only● Standard port: 3306● 3 tables

● Private keys● Timestamp keys● Meta data


Roles and keys

● TUF specification● 4 different roles

● See TUF before● Mirror droped

● Keys per role● Data format: JSON


Root

● The base/start/entry point● Two kinds

● Global● Local

● Like root-CA in SSL/TLS world


Target

● Main user interaction● Corresponds to file, directory, repository● Meta data

● Files● File sizes● Default validity: 3 years● BASE64 coded SHA256 checksums● Signed by target role


Snapshot

● Management of root|target.json● Consistent view of software repository● Meta Data

● Files● File sizes● Default validity: 3 years● BASE64 coded SHA256 checksums● Signed by Snapshot role


Timestamp

● Management of snapshot.json● Meta Data

● File● File size● Default validity: 14 days● BASE64 coded SHA256 checksums● Signed by Timestamp role

● Key stored on server only


The client

● notary

● $HOME/.notary/


Docker Content Trust (DCT)

● Since Engine version 1.8● Notary: foundation but 'hidden'


Docker Content Trust

● Interaction via docker● Mixed repository content● (De-)Activation

● $ DOCKER_CONTENT_TRUST=0|1● $ disablecontenttrust=true|false”


Yubikey


Secure your (root) keys

● See root CA keys for SSL● Secure and mobile → How?

● Encrypted $HOME● Encrypted USB sticks● …???

=> Yubikey (4)


Yubikey 4

● Personal Identity Verification● Two-Factor-Authentication

● Different Standards● Here: FIDO and U2F

● One-Time-Passwords● Chip Card Interface Device


Yubikey-PIV and Docker/Notary

● Notary root key● Storage

– 4 in total– In addition to $HOME

● Access

● Docker-Speak● Changing content of repository● New/change docker images


Yubikey-U2F and Docker/Notary

● Enhance security● Generation of root keys● Access to root keys

● Humans no machines/robots● Fine for manual tasks


Universal 2 Factor Authentication


Yubikey in Docker action


Yubikey 4 – Beyond Docker

● Github● Dropbox● Gmail● Google apps● …● Disk encryption


Getting Started


Getting Started – Notary (easy)

● Use official Docker Hub image :-)● TLS quite tricky

● Drop docker and use notary● Yubikey optional


Getting Started – Notary (less easy)

● Setup GO build environment● Download and compile notary● Configure and startup

● Manually● Via Docker Compose

● TLS quite tricky● Yubikey optional


Getting Started – Yubikey (easy)

● Yubikey mandatory :-)● Test Repo on Docker Hub● Enable DCT

● Insert Yubikey before pcscd

● $ docker pull/push


Getting Started – Yubikey (less easy)

● Yubikey mandatory● Setup own Registry● Setup Notary (see before)● Enable DCT

● Insert Yubikey before pcscd

● $ docker pull/push


Summary


Take Aways

● Good start● Early days● Only Docker Image security● What is next?

● Other Yubikey functions?● Other Tokens?


References

● http://www.docker.com● http://theupdateframework.com● http://www.yubico.com/docker ● http://github.com/docker/notary● http://docs.docker.com/engine/security/trust


Thank you!


Secure your Docker images Linux ?!?

With Notary and Yubikey

Dr. Udo Seidel

secure your docker images · 2017-03-23 · secure your docker images with notary and yubikey dr....

Documents