"Clevis and Tang: securing your secrets at rest" - Fraser Tweedale (LCA 2020)

  • Published 14 Jan 2020
  • Fraser Tweedale
    lca2020.linux....
    Full disk encryption and, more generally, encryption of secrets at
    rest are essential tools in the security toolbox. But deploying
    encryption at rest can have costs: latency (downtime), repetition
    (productivity loss), proneness to error (typos; "was that '1' or
    'l'?"), challenges in supplying a passphrase when needed (e.g.
    headless systems). Automated decryption often relies on delivery of
    escrowed keys (a third party knows your secret).
    We can do better.
    Tang [1] is a protocol and (together with the client-side program
    Clevis [2]) a software implementation of *network bound encryption*:
    automatic decryption of secrets when a client has access to
    a particular server on a secure network. It uses the McCallum-Relyea
    exchange, a two-party key computation protocol based on Diffie-Hellman
    in which only the client can compute the key! Clevis [2] uses the
    amazing Shamir's Secret Sharing algorithm to implement unlock
    policies with thresholds that can combine passphrases, Tang servers
    and TPM-sealed secrets.
    In this talk I will outline the use cases, explain the algorithms
    and demonstrate these tools. The live demo will set up a machine to
    automatically decrypt a LUKS volume when a required number of Tang
    servers are available. I will conclude with a discussion of
    limitations, assumptions and threats.
    [1] github.com/lat...
    [2] github.com/lat...
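The McCallum-Relyea exchange the abstract refers to, as an added worked example (not code from the talk or from the Tang/Clevis projects): the client derives its key from the server's public key s alone, keeps only the point C, and on recovery blinds C with a fresh ephemeral point so the server computes S*X without ever learning C or the key. The curve (secp256k1, chosen because its parameters are short to write out) and the SHA-256 key derivation are assumptions for illustration; Tang publishes its keys as JWK and Clevis wraps the result in a JWE, so the curve and KDF differ in practice.

```python
import hashlib
import secrets

# secp256k1 parameters: a constructed stand-in for the JWK curve a Tang server publishes
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def ec_neg(pt):
    return (pt[0], -pt[1] % P)

def kdf(pt):  # derive a symmetric key from the shared point's x-coordinate (assumed KDF)
    return hashlib.sha256(pt[0].to_bytes(32, "big")).digest()

def provision(server_pub):  # client side, no network: K = c*s, keep only C
    c = secrets.randbelow(N - 1) + 1
    C, key = ec_mul(c, G), kdf(ec_mul(c, server_pub))
    return C, key  # C goes into the Clevis JWE header; c and key are discarded

def recovery_request(C, server_pub):  # client: blind C with a fresh E = e*G
    e = secrets.randbelow(N - 1) + 1
    return e, ec_add(C, ec_mul(e, G))  # X = C + E is all the server ever sees

def tang_recover(server_priv, X):  # server: Y = S*X, learns neither C nor K
    return ec_mul(server_priv, X)

def recovery_finish(Y, e, server_pub):  # client: K = Y - e*s = S*C = c*s
    return kdf(ec_add(Y, ec_neg(ec_mul(e, server_pub))))
```

A server holding a different private key returns a Y that derives a different key, which is exactly the "wrong or impostor Tang server" failure the threshold policy is designed to tolerate.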
    linux.conf.au is a conference about the Linux operating system, and all aspects of the thriving ecosystem of Free and Open Source Software that has grown up around it. Run since 1999, in a different Australian or New Zealand city each year, by a team of local volunteers, LCA invites more than 500 people to learn from the people who shape the future of Open Source. For more information on the conference see linux.conf.au/
    Produced by NDV: @nextdayvideo
    #linux.conf.au #linux #foss #opensource
    Wed Jan 15 14:25:00 2020 at Room 8
