When the going gets tough, Get TUF going! - Riyaz Faizullabhoy


slide-1
SLIDE 1

When the going gets tough, Get TUF going!

Riyaz Faizullabhoy - @riyazdf

slide-2
SLIDE 2

  • Motivation
  • What is TUF?
  • Using TUF
  • Hermetic Builds

slide-3
SLIDE 3

Where does software come from?

slide-4
SLIDE 4

$> _

slide-5
SLIDE 5

$>curl | sudo bash

slide-6
SLIDE 6

$>apt-get install

slide-7
SLIDE 7
  • authenticity
slide-8
SLIDE 8

$>apt-get install

slide-9
SLIDE 9
slide-10
SLIDE 10
  • authenticity
  • integrity
slide-11
SLIDE 11

$>apt-get install really-old-foo

slide-12
SLIDE 12

$># not after 2007
$>apt-get install really-old-foo

slide-13
SLIDE 13
  • authenticity
  • integrity
  • freshness
slide-14
SLIDE 14

$> $pkg-manager install foo

slide-15
SLIDE 15
  • authenticity (TLS)
  • integrity (TLS)
  • freshness
slide-16
SLIDE 16
  • authenticity (TLS - transport only)
  • integrity (TLS - transport only)
  • freshness
slide-17
SLIDE 17
slide-18
SLIDE 18
slide-19
SLIDE 19

foo

slide-20
SLIDE 20
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAABCAAGBQJXUtcbAAoJEItIrWJGklVTp6oP/ROIMdfBerB+sKswke8mau1w
aalsr6MmQgARItPhsQvFUaRXEXDJvefRdPJl+xDl1zUkJJhLJIsW9VmpBk19l2pU
oWuiy6Ou9BWWA2qmS/3BKdmriuXp8LtjpQ2prj3jefOfIcUUlWtusATp0qM3JvGr
UWFDkxzQAqZycwuY7n1e4YNyE30iAbPtWB3cKs6Bi7nNWREeQ9cAsJJPnVIl/e6t
H3KI8F2QkQ/HwfN9KYfZKyChMubBKsl1txOlgHs1QLrrhft6kP3RDoKRhJTuPvnr
3QWH3Hlo6B/nqpX7hOcAkw6gfnpVe+SHBKOE8b93nTR4Gh7l1R1hjdUdO46rQLVy
iz1WcWgJkMj13kePrDC3gM+CaT7O0ug4dQ1b1brPzuJwz7j7mHIIOUdwOZ+7OWf5
ppdxXB5E6/XJN2X26V3KdHTgfsFmu2eX9PaDIjA26XP8DtPOSaz6sYrPxQtRPS2w
oSp8Kkgh4kVTftymKvDcbFp7OF1qhCxWkwvCB+StTI5s+aRfkIUqQkYS12EYI6b7
uQq0r5QjM6DzsnCRKrRh2EUzgHdfax1iIEY+kC2BvG+Xw6wHro47iR4gaRzR1c7x
LRm5uxrGCq5zV9Lp+LBNGkAQJzivkm8ka7yYss5DIk6gVeTsHbcSLnmt4rUViZOp
BsAoXDQUdfv80oIg39BMiQIcBAABCAAGBQJXUtcbAAoJEHY40EQrkNAQp6oQAIsl
7tPJpwTzKrv6r8gEQggyRvFEp8Ubi+/8wPf+AawutClXNONB5lLvceA0SEgwPH0L
js+kDrmNZRQ65PAEUf0mWwq8kdNWTcVDfKvI/Te2tr65/yaVFTLDDoAsC9M5Q9QX
i3h0xCZAT6hQSl7oSzWQIJkAqAer/9ctvYE6S9hAyiUIj9MQUA/PPBmEUcxKlADd
Rjg2JHJJFODkciHWyQboU7UAOwpGIW/LFgFlr+nMomP/wQoZdOKyKS0QG8I0dxbh
o19tvoxBN32KS6yQM1oQDhvXIlvZiirohBCXSVXiLYIzEzZfcLqP9cRGOUlzMtKw
P9m1tM0Lx+yY8OZTshedR+u+6lW+vdPQ0Ar3MzE+98DE3zT+NDgGUJQNAtfkFesW
az6bMS07c947zbBZIAg0iO0ys2PCI7bwNdJAJ9VjujAKZ5R5c9IZOltF3RRiQcn9
QODaFM4cGrndS53tmtjR2vPNoEk8jVR0mbp6Nyr7t4sgCGkiDyqO1xZOIOX1pCMQ
seD6XOq2cWTSSisIRo8Cccdo3ciE4yfYZQ/3+gLaqDOrtBIGxj9iumS1ELI6XHb7
7LjYz72Z5gjzK2X+jQCJFD/QNZv4n8dkoYgRVk4ZgEg+BuctUA85RggaLR2R9JCV
NRcXJtGybbGDQ85vFuzLYyUrSnfc5Vcm31tcy94h
=nSRR
-----END PGP SIGNATURE-----
slide-21
SLIDE 21
slide-22
SLIDE 22

$>apt-get install really-old-foo

Freeze and Rollback Attacks?

slide-23
SLIDE 23

Survivable Key Compromise?

slide-24
SLIDE 24
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
slide-25
SLIDE 25

Trust Thresholding?

slide-26
SLIDE 26
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
slide-27
SLIDE 27
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
slide-28
SLIDE 28
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
  • ease of use
slide-29
SLIDE 29
slide-30
SLIDE 30

Get TUF

(The Update Framework)

slide-31
SLIDE 31
slide-32
SLIDE 32
  • Diplomat: Using Delegations to Protect Community Repositories
  • Survivable Key Compromise in Software Update Systems
  • A Look in the Mirror: Attacks on Package Managers
  • Package Management Security
slide-33
SLIDE 33

TUF repository

slide-34
SLIDE 34

TUF repository packages

slide-35
SLIDE 35

root timestamp snapshot targets delegation

slide-36
SLIDE 36

Root: Timestamp: Snapshot: Targets:

Expiry: ...

Root Metadata

slide-37
SLIDE 37

Root: Timestamp: Snapshot: Targets:

Expiry: ...

Root Metadata

USA Switzerland China

slide-38
SLIDE 38

Offline for security

  • Backup in bank vault
  • Use signing hardware

slide-39
SLIDE 39

TUF repository packages

?

slide-40
SLIDE 40

java : { hashes }

openssl : { hashes }

Expiry: ...

Targets Metadata

slide-41
SLIDE 41

Keys: { Alice: Bob: }

Expiry: ...

Targets Metadata

A B

java:

openssl:

[Alice] [Bob]

slide-42
SLIDE 42

Delegation Metadata

A

java-8-jre : { hashes } java-7-jre : { hashes }

...

Expiry: ...

B

openssl-1.0.1t : { hashes }
openssl-1.0.2h : { hashes }

...

Expiry: ...

slide-43
SLIDE 43

java-8-jre java-7-jre

openssl-1.0.1t openssl-1.0.2h

A B

slide-44
SLIDE 44
openssl-1.0.1t openssl-1.0.2h

java

java-8-jdk java-7-jdk java-8-jre java-7-jre

apt

openssl

A B C A

jdk jre

slide-45
SLIDE 45
openssl-1.0.1t openssl-1.0.2h

java

java-8-jdk java-7-jdk java-8-jre java-7-jre

apt

openssl

A B C A

jdk jre

E

D

slide-46
SLIDE 46
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
slide-47
SLIDE 47
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
slide-48
SLIDE 48
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
slide-49
SLIDE 49
slide-50
SLIDE 50

Root : { hashes } Targets : { hashes } Alice : { hashes } Bob : { hashes } …

Expiry: ...

Snapshot Metadata

slide-51
SLIDE 51
slide-52
SLIDE 52
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
slide-53
SLIDE 53

Snapshot : { hashes } …

Expiry: 24 hours from now

Timestamp Metadata

slide-54
SLIDE 54
openssl-1.0.1t openssl-1.0.2h

java

java-8-jdk java-7-jdk java-8-jre java-7-jre

apt

openssl

A B C A

jdk jre

E

D

X

slide-55
SLIDE 55
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
slide-56
SLIDE 56
slide-57
SLIDE 57
slide-58
SLIDE 58
slide-59
SLIDE 59


slide-60
SLIDE 60


slide-61
SLIDE 61
slide-62
SLIDE 62


slide-63
SLIDE 63
slide-64
SLIDE 64


slide-65
SLIDE 65

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Metadata Lifetime

t

slide-66
SLIDE 66

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Keeping Freshness

t

slide-67
SLIDE 67

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Snapshot Expired!

t

slide-68
SLIDE 68

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Sign a new Snapshot

t

slide-69
SLIDE 69

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Sign a new Timestamp to point to the Snapshot

t

slide-70
SLIDE 70

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Want to publish something?

t

slide-71
SLIDE 71

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Sign the hash into a new Targets or Delegation file

t

slide-72
SLIDE 72

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Sign a new Snapshot that references this Targets file

t

slide-73
SLIDE 73

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Sign a new Timestamp that references the new Snapshot

t

slide-74
SLIDE 74

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Situation normal

t

slide-75
SLIDE 75

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Oh no, I think my Snapshot key was compromised!

t

slide-76
SLIDE 76

Compromise is “when” not “if”

slide-77
SLIDE 77
slide-78
SLIDE 78

Root: Timestamp: Snapshot: Targets: Root Metadata

slide-79
SLIDE 79

Root: Timestamp: Snapshot: Targets: Root Metadata Snapshot Metadata

slide-80
SLIDE 80

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Before recovery

t

slide-81
SLIDE 81

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Create and sign the new Snapshot key into Root

t

slide-82
SLIDE 82

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Sign a new Snapshot with the new key

t

slide-83
SLIDE 83

Timestamp

Lifetime

Snapshot Targets/ Delegations Root

Sign new Timestamp to reference new Snapshot

t

slide-84
SLIDE 84
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
  • ease of use

coming soon!

GPG TUF

slide-85
SLIDE 85
  • auditability
slide-86
SLIDE 86
slide-87
SLIDE 87

?

slide-88
SLIDE 88

How can we start using TUF?

slide-89
SLIDE 89
slide-90
SLIDE 90

Demo

  • ease of use?
slide-91
SLIDE 91

Demo

slide-92
SLIDE 92
  • authenticity
  • integrity
  • freshness
  • survivable key compromise
  • thresholding
  • ease of use
slide-93
SLIDE 93

github.com/docker/notary

slide-94
SLIDE 94

$> export DOCKER_CONTENT_TRUST=1

slide-95
SLIDE 95
slide-96
SLIDE 96
slide-97
SLIDE 97

alpine

slide-98
SLIDE 98

latest: {hash} edge: {hash} 2.6: {hash} 3.3: {hash} 3.4: {hash} alpine

slide-99
SLIDE 99

$> $pkg-manager install openssl

slide-100
SLIDE 100

Design Goals:

  • root of trust in package manager maintainers, with thresholding
  • freshness guarantees
  • signed index of all packages
  • signed package targets by package maintainers
  • name to hash resolution, with thresholding
slide-101
SLIDE 101

package-manager maintainer(s)

slide-102
SLIDE 102

freshness package-manager maintainer(s)

slide-103
SLIDE 103

signs index freshness package-manager maintainer(s)

slide-104
SLIDE 104

signs index freshness maintainer keys package-manager maintainer(s)

slide-105
SLIDE 105

signs index freshness maintainer keys

openssl: {hash}

package-manager maintainer(s)

slide-106
SLIDE 106

Future work: hermetic builds

slide-107
SLIDE 107

Learn More

  • Read the spec:
  • github.com/theupdateframework/tuf/ (docs/tuf-spec.txt)
  • Look at Notary:
  • github.com/docker/notary
  • Read the Docker Content Trust docs:
  • docs.docker.com/engine/security/trust/content_trust/
slide-108
SLIDE 108

THANK YOU

slide-109
SLIDE 109

Root: Timestamp: Snapshot: Targets:

Expiry: ...

Root Metadata

Appendix: root key rotations

slide-110
SLIDE 110

Root: Timestamp: Snapshot: Targets:

Expiry: ...

Root Metadata

Appendix: root key rotations

slide-111
SLIDE 111

Root: Timestamp: Snapshot: Targets:

new

Root: Timestamp: Snapshot: Targets:

old

Appendix: root key rotations

slide-112
SLIDE 112

Root: Timestamp: Snapshot: Targets:

new

Root: Timestamp: Snapshot: Targets:

old

X

Appendix: root key rotations

slide-113
SLIDE 113

Appendix: DCT pull flow

slide-114
SLIDE 114

Appendix: DCT pull flow

uses manifest/layer merkle tree