livingsocial/keyspace livingsocial/keyspace

  • Stars
    star
    122
  • Rank 292,031 (Top 6 %)
  • Language
    Ruby
  • Created about 12 years ago
  • Updated over 11 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
livingsocial/keyspace
github

livingsocial

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Capability-based secure key management and credential storage

Keyspace

Build Status Code Climate Coverage Status

End-to-end (i.e. client-side) encryption for key/value stores, using RbNaCl for security and Moneta for persistence.

About

Keyspace is an encrypted name/value store which emphasizes a "least authority" philosophy for information sharing. All data is stored as encrypted name/value pairs, and data can be organized into "vaults" which each have independent encryption tokens and access control.

Keyspace uses capability-based security to manage access to vaults. Each capability takes the form of cryptographic tokens which are unique to a particular vault. Knowledge of these tokens is necessary and sufficient to gain access to a particular vault. Such an access scheme is known as "capabilities as keys" or "cryptographic capabilities". This approach provides secure sharing of access to vaults.

This means there is no access control system (e.g. RBAC) other than the capability tokens themselves. Authorization is handled completely by whether or not you have the necessary cryptographic tokens to carry out a desired action. This straightforward approach leaves little room for error and reduces the entire attack surface to vulnerabilities in the cryptographic code or leaked capability tokens.

Keyspace is built on Moneta, an abstract API to many kinds of key/value stores including all ActiveRecord compatible databases, Redis, Riak, Cassandra, CouchDB, MongoDB, and many others. If there's a key/value store you would like to persist to, Moneta probably supports it.

Cryptography in Keyspace is handled by RbNaCl, a Ruby wrapper to the Networking and Cryptography library by Daniel J. Bernstein.

Status

DANGER: EXPERIMENTAL

Keyspace is still experimental and the design is subject to change.

Mailing List

If you're interested in using Keyspace, join the mailing list by sending a message to:

Capabilities

Capabilities are (relatively) short tokens which grant a specific type of authority within Keyspace. Knowledge of a capability is necessary and sufficient to gain a particular type of access. Capabilities can also be "degraded", so that a capability holder can grant others a limited subset of the authority granted to them by the capability they hold.

A capability token looks like the following:

ks.write:foobar@d2hotnrmcxsqgibpszqoj6mowovsmmq4ajgy626qavbtk74tsbk5bqjypkhjlmbsqy7266umric6vn7iasaa6ccljqzrr7d35dqrh7i

There are 3 parts to the capability token:

  • "ks.write": URI scheme indicating this is a Keyspace (i.e. "ks") writecap There are three capability levels (see below)
  • "foobar": the name of the vault this writecap provides access to
  • "d2hotnrmcxsqgibpsz...": A Base32-encoded string containing the cryptographic keys which control access to this vault.

There are three capability levels for each vault:

  • verifycap (ks.verify): Can determine a value is authentic, but can't decrypt it
  • readcap (ks.read): Can read values from within the vault, but cannot write to it
  • writecap (ks.write): Can write new values into the vault

Each set of capabilities builds upon the last: users with the read capability can also verify, and users with the write capability can also read. Users who have access to a vault can delegate access to other users simply by sharing their capability token. Users can also degrade capabilities, i.e. they can produce read-verify tokens from a write-read-verify token, and verify only tokens from a read-verify token (or write-read-verify token).

Data Flow

Data Flow Diagram

Keyspace provides a separation between the powers of system administrators to alter the system configuration, system users who want to consume and verify the authenticity of configuration data, and the server, which is a dumb datastore which will save any values it can verify.

Server

Keyspace provides a Sinatra service for writing to and reading from vaults. The Sinatra service itself has only the verify capability, meaning that if it is ever compromised, the attacker cannot read the contents of the Keyspace. Furthermore, they cannot alter the system configuration, because they will be unable to sign new values without the writecap.

All encryption of plaintext happens client-side via a command line tool which runs on a computer under the control of a trusted administrator. Data is encrypted using NaCl's "SecretBox" primitive (i.e. XSalsa20 + Poly1305) and signed with the Ed25519 digital signature algorithm prior to transmission to the server, and remains encrypted until accessed by another client with the read (or verify) capabilities.

Ruby Client

Keyspace provides a simple Ruby client for storing and retrieving encrypted data from the server. In this example, a system operator creates a vault, puts a value inside of it, and then saves the vault to the server:

>> vault = Keyspace::Client::Vault.create("myvault")
 => #<Keyspace::Client::Vault ks.write:[email protected]>
>> vault[:foobar] = "baz"
 => "baz"
>> vault.save!
 => true

The system administrator can then degrade the capability for this vault to a readcap prior to disseminating it to a system user:

>> vault.capability.degrade(:readcap).to_s
 => "ks.read:myvault@d4u5qekdyezqlugxmhtuerytyyjp4fqjqsgbqjhfgm5mnw...daokugjdi"

We'll now switch to the perspective of a system user who has been given the readcap created above. First, they'll set the server URL and create a new vault object from the readcap. They'll then be able to access values from this vault by key, but they cannot make changes:

>> Keyspace::Client.url = "http://127.0.0.1:4567"
 => "http://127.0.0.1:4567"
>> vault = Keyspace::Client::Vault.new("ks.read:myvault@d4u5qekdyezqlugxmhtuerytyyjp4fqjqsgbqjhfgm5mnw...daokugjdi")
 => #<Keyspace::Client::Vault "ks.read:myvault@d4u5qekdyezqlugxmhtuerytyyjp4fqjqsgbqjhfgm5mnw...daokugjdi">
>> vault[:foobar]
 => "baz"
>> vault[:foobar] = "can't touch this"
Keyspace::InvalidCapabilityError: don't have write capability for this vault: myvault
        from /Users/tony/dev/keyspace/lib/keyspace/client/vault.rb:56:in `put'
        from (irb):9
        from /Users/tony/.rvm/rubies/ruby-1.9.3-p194/bin/irb:16:in `<main>'

Security Notes

Keyspace is built on state-of-the-art cryptographic primitives, but that alone does not make for a secure system. It is yet to be audited by an expert cryptographer, and for that reason alone should be somewhat suspect in the eyes of anyone interested in its security.

For that reason alone, Keyspace should be experimental until audited by cryptographic experts.

Reporting Security Problems

If you have discovered a bug in Keyspace of a sensitive nature, i.e. one which can compromise the security of Keyspace users, you can report it securely by sending a GPG encrypted message. Please use the following key:

https://raw.github.com/livingsocial/keyspace/master/keyspace.gpg

The key fingerprint is (or should be):

190E 42D6 8327 A515 BFDF AAE0 B210 269D BB2D 8787

Suggested Reading

Keyspace is inspired by the cryptographic capabilities system implemented in Tahoe: The Least Authority Filesystem.

License

This software is released under the MIT license:

Copyright (C) 2013, LivingSocial, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

More Repositories

1

ls-pair

Advice and some software tools for doing terminal-based remote pair programming
Ruby
310
star
2

rearview

Timeseries data monitoring framework
Ruby
281
star
3

rake-pipeline

An extension to Rake for dealing with a directory of inputs, a number of filters, and a directory of outputs
Ruby
276
star
4

api-design

LivingSocial API Design Guide
107
star
5

HiveSwarm

Helpful user defined fuctions / table generating functions for Hive
Java
101
star
6

ankusa

Text classifier in Ruby that uses Hadoop/HBase, Mongo, or Cassandra for storage. DEPRECATED, use https://github.com/bmuller/ankusa
Ruby
92
star
7

LSCTableView

Objective-C
77
star
8

bundler-patch

Update your gems conservatively to deal with vulnerable gems or just get more current.
Ruby
65
star
9

ganapati

Ruby interface to Hadoop's HDFS via Thrift
Ruby
50
star
10

excelinator

convert your csv data and html tables to excel data.
Ruby
42
star
11

abanalyzer

A/B test analysis library for Ruby - performs Chi-Square tests and G-tests on A/B results
Ruby
40
star
12

lein-dependency-check

A leiningen plugin for detecting vulnerable project dependencies
Clojure
33
star
13

imprint

Logging trace support. Request Tracing, and cross app tracing support.
Ruby
20
star
14

flatfoot

Discover dead view files in your app. Track view layer render usage
Ruby
20
star
15

factory_faster

FactoryFaster optimizes your Rails app's FactoryGirl usage by replacing create with build where it's safe to do so.
Ruby
18
star
16

newrelic_route_check

Compares New Relic controller_summary.csv to the routes defined in a Rails app
Ruby
15
star
17

rails-googleapps-auth

Rails plugin for OpenID auth against Google apps for your domain accounts
Ruby
14
star
18

humperdink

Ruby
11
star
19

smokescreen

Quickly run critical tests on your app, recently changed tests, or tests related to recent changed files
Ruby
10
star
20

swagger_yard-rails

Rails engine to parse and render json for Swagger UI
Ruby
9
star
21

sneaker

Object-oriented jQuery in Coffeescript
CoffeeScript
8
star
22

houdah

Ruby lib for interacting with a Hadoop JobTracker / TaskTrackers
Ruby
8
star
23

resque-web

Rails-based web interface to Resque
Ruby
7
star
24

hashboard

A dashboard for Hadoop
Ruby
7
star
25

rearview-engine

Rails engine for rearview. This project is for rearview developers only. Users should go to livingsocial/rearview.
Ruby
7
star
26

clj-scribe

Scribe logging client for Clojure
Java
6
star
27

klomp

Simplest possible Stomp messaging client
Ruby
5
star
28

impaler

Ruby
4
star
29

boulder-coding-challenges

Coding challenges for Boulder Livingsocial
4
star
30

big_decimal_helper

Helpers for working with BigDecimal values
Ruby
3
star
31

hypercuke

Ruby
2
star
32

cylowess

Python
2
star
33

no_moss

Keep test subjects and doubles in sync to keep your test coverage trustworthy
Ruby
1
star
34

livingsocial.github.com

LivingSocial blog
1
star
35

loudmouth

loudmouth by Pete Campbell
CoffeeScript
1
star
36

braintree_users

Cobbled together Ruby code to help manage user accounts in Braintree.
Ruby
1
star
37

attribute-pair-generator

attribute-pair-generator
Ruby
1
star