secure your docker images · 2017-03-23 · secure your docker images with notary and yubikey dr....
TRANSCRIPT
Secure your Docker images
With Notary and Yubikey
Dr. Udo Seidel
CEBIT Opensource Forum 2016
Agenda
● Introduction
● The Update Framework
● Notary
● Yubikey
● Getting started
● Summary
Me :-)
● Teacher of mathematics and physics
● PhD in experimental physics
● Started with Linux in 1996
● With Amadeus since 2006
● Before:
  ● Linux/UNIX trainer
  ● Solution Engineer in HPC and CAx environment
● Now: Architecture & Technical Governance
Introduction
Docker for Dummies
● Set of
  ● Libraries
  ● Executables
  ● Other files
● Very image-based
● Separation via several namespaces
Docker work-flow
● $ docker pull
● $ docker run/start/stop/...
● $ docker commit/create/...
● $ docker push
Docker security
● Host
● Docker Daemon
● Docker Image
● Docker Instance
Docker work-flow security
● Store
● Upload
● Download
● Run
The Update Framework
Link to software management
● Source
● Target
● Download
● Content
Basic idea
● Plugin architecture
  ● Easier integration
  ● Easier to expand
● Digital signatures
  ● Proven technology
  ● Key management is crucial
● Meta data
Meta-Data
● Enhanced security
  ● Whom to trust
  ● Version system
  ● Cryptographic checksums
● Enhanced role model
  ● Delegation
  ● Separation of duties
TUF Roles I
● Root
  ● Delegates trust
  ● Uses keys
● Target
  ● What is trusted by clients
  ● Can delegate too
TUF Roles II
● Snapshot
  ● (latest) version of meta data
  ● Update info for clients
● Timestamp
  ● Prevents out-of-date (stale metadata) attacks
  ● Keys kept online
● Mirror
  ● Optional
The two aspects of TUF
● Several implementations
  ● Python
  ● Ruby
  ● Haskell
  ● ...
  ● Go :-)
● Specification!
Notary
Notary and TUF
● Go implementation
● Base of Docker Content Trust
● Not limited to Docker
High level architecture
● Client-Server model
● 3 server components
  ● Server
  ● Signer
  ● Database
● TCP/IP based communication
  ● TLS possible ... mandatory
Notary Server
● PoC for client
● REST API
● Port
  ● Default: 443 or 4443
  ● Configurable
  ● Client needs to know it
Notary Signer
● Cryptographic operations
● Data store
  ● Database
  ● Memory
  ● PKCS#11 via softhsm2
● Ports
  ● 4444 for HTTP
  ● 7899 for GRPC
Notary Database
● ATM: MySQL only
● Standard port: 3306
● 3 tables
  ● Private keys
  ● Timestamp keys
  ● Meta data
Roles and keys
● TUF specification
● 4 different roles
  ● See TUF before
  ● Mirror dropped
● Keys per role
● Data format: JSON
Root
● The base/start/entry point
● Two kinds
  ● Global
  ● Local
● Like a root CA in the SSL/TLS world
Target
● Main user interaction
● Corresponds to file, directory, repository
● Meta data
  ● Files
  ● File sizes
  ● Default validity: 3 years
  ● BASE64 coded SHA256 checksums
  ● Signed by Target role
Snapshot
● Management of root|target.json
● Consistent view of software repository
● Meta data
  ● Files
  ● File sizes
  ● Default validity: 3 years
  ● BASE64 coded SHA256 checksums
  ● Signed by Snapshot role
Timestamp
● Management of snapshot.json
● Meta data
  ● File
  ● File size
  ● Default validity: 14 days
  ● BASE64 coded SHA256 checksums
  ● Signed by Timestamp role
● Key stored on server only
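The Target, Snapshot and Timestamp slides above describe a chain: each role records the size and base64-coded SHA256 of the file the next role covers, and each has its own validity period. The Python below is an added example, not Notary's code, that builds such a chain over a constructed layer and walks it the way a client would; it assumes a fixed clock `NOW`, uses simplified field names, and leaves out the signature wrapper and root.json that real Notary metadata carries.

```python
import base64, hashlib, json
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 3, 15, tzinfo=timezone.utc)  # constructed clock for the example

def b64sha256(data: bytes) -> str:
    # Notary stores SHA256 checksums base64-coded, as the slides note.
    return base64.b64encode(hashlib.sha256(data).digest()).decode()

def entry(data: bytes) -> dict:
    return {"length": len(data), "hashes": {"sha256": b64sha256(data)}}

def build_repo(layer: bytes, now: datetime = NOW) -> dict:
    # Server side: targets -> snapshot -> timestamp, each with the validity the slides state.
    dump = lambda meta: json.dumps(meta, sort_keys=True).encode()
    targets = dump({"_type": "targets", "expires": (now + timedelta(days=3 * 365)).isoformat(),
                    "targets": {"latest": entry(layer)}})
    snapshot = dump({"_type": "snapshot", "expires": (now + timedelta(days=3 * 365)).isoformat(),
                     "meta": {"targets.json": entry(targets)}})
    timestamp = dump({"_type": "timestamp", "expires": (now + timedelta(days=14)).isoformat(),
                      "meta": {"snapshot.json": entry(snapshot)}})
    return {"targets.json": targets, "snapshot.json": snapshot, "timestamp.json": timestamp}

def check(meta_entry: dict, data: bytes, name: str) -> None:
    if meta_entry["length"] != len(data):
        raise ValueError(f"{name}: length mismatch")
    if meta_entry["hashes"]["sha256"] != b64sha256(data):
        raise ValueError(f"{name}: sha256 mismatch")

def load(raw: bytes, role: str, now: datetime) -> dict:
    meta = json.loads(raw)
    if meta["_type"] != role:
        raise ValueError(f"expected {role} metadata")
    if datetime.fromisoformat(meta["expires"]) <= now:
        raise ValueError(f"{role} metadata expired")  # rejects replayed stale metadata
    return meta

def verify(repo: dict, layer: bytes, now: datetime = NOW) -> str:
    # Client side: timestamp -> snapshot -> targets -> file. Returns "" when the layer is trusted.
    try:
        ts = load(repo["timestamp.json"], "timestamp", now)
        check(ts["meta"]["snapshot.json"], repo["snapshot.json"], "snapshot.json")
        snap = load(repo["snapshot.json"], "snapshot", now)
        check(snap["meta"]["targets.json"], repo["targets.json"], "targets.json")
        targets = load(repo["targets.json"], "targets", now)
        check(targets["targets"]["latest"], layer, "latest")
        return ""
    except ValueError as err:
        return str(err)
```

Because the 14-day timestamp expires first, a mirror that keeps serving old metadata is rejected at the first link even though the checksums still match.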
The client
● notary
● $HOME/.notary/
Docker Content Trust (DCT)
● Since Engine version 1.8
● Notary: foundation but 'hidden'
Docker Content Trust
● Interaction via docker
● Mixed repository content
● (De-)Activation
  ● $ DOCKER_CONTENT_TRUST=0|1
  ● $ disablecontenttrust=true|false
Yubikey
Secure your (root) keys
● See root CA keys for SSL
● Secure and mobile → How?
  ● Encrypted $HOME
  ● Encrypted USB sticks
  ● …???
=> Yubikey (4)
Yubikey 4
● Personal Identity Verification
● Two-Factor Authentication
  ● Different standards
  ● Here: FIDO and U2F
● One-Time Passwords
● Chip Card Interface Device
Yubikey-PIV and Docker/Notary
● Notary root key
  ● Storage
    – 4 in total
    – In addition to $HOME
  ● Access
● Docker-speak
  ● Changing content of repository
  ● New/changed Docker images
Yubikey-U2F and Docker/Notary
● Enhanced security
  ● Generation of root keys
  ● Access to root keys
● Humans, not machines/robots
  ● Fine for manual tasks
Universal 2 Factor Authentication
Yubikey in Docker action
Yubikey 4 – Beyond Docker
● GitHub
● Dropbox
● Gmail
● Google apps
● …
● Disk encryption
Getting Started
Getting Started – Notary (easy)
● Use official Docker Hub image :-)
● TLS quite tricky
  ● Drop docker and use notary
● Yubikey optional
Getting Started – Notary (less easy)
● Set up Go build environment
● Download and compile notary
● Configure and start up
  ● Manually
  ● Via Docker Compose
● TLS quite tricky
● Yubikey optional
Getting Started – Yubikey (easy)
● Yubikey mandatory :-)
● Test repo on Docker Hub
● Enable DCT
● Insert Yubikey before pcscd
● $ docker pull/push
Getting Started – Yubikey (less easy)
● Yubikey mandatory
● Set up own Registry
● Set up Notary (see before)
● Enable DCT
● Insert Yubikey before pcscd
● $ docker pull/push
Summary
Take Aways
● Good start
● Early days
● Only Docker image security
● What is next?
  ● Other Yubikey functions?
  ● Other tokens?
References
● http://www.docker.com
● http://theupdateframework.com
● http://www.yubico.com/docker
● http://github.com/docker/notary
● http://docs.docker.com/engine/security/trust
Thank you!
Secure your Docker images Linux ?!?
With Notary and Yubikey
Dr. Udo Seidel