Red Hat engineers have been working to more securely distribute container images. In this post we look at where we’ve come from, where we need to go, and how we hope to get there.
History
When the Docker image specification was introduced, it did not have a cryptographic verification model. The most significant reason was the lack of a reliable checksum hash of image content: two otherwise identical images could have different checksum values. Without a consistent tarsum mechanism, cryptographic verification would be very challenging. With Docker version 1.10, checksums are more consistent and could be used as a stable reference for cryptographic verification. The version 2 image format provides an image manifest digest hash value that is useful for this.
New Packaging Format, Old Problem
Language-specific package formats such as npm and pip have struggled to implement signing models. The Docker image format is unique but ultimately is just another software packaging format. Meanwhile, software vendors and system administrators have had years of experience with securing RPM packages. While RPM signatures have served the industry for a long time, there are improvements that can be made to satisfy the following use cases:
- Verify image integrity and authorship offline or from within an “air gapped” data center
- Support multiple signatures to assert chain of trust/custody
- Easily integrate with existing enterprise infrastructure
The Human Factor
One of the guiding principles that should be used when designing a security model is to recognize the importance of how humans interact with technology. If the interaction is awkward or cumbersome it leads to insecurity. Software vendors, developers, and system administrators should be able to understand the security model with minimal documentation.
We want a system that serves developers and system administrators and doesn’t get in the way. I’m looking at you, “self-signed certificate” and “proceed insecure?” warnings. We don’t want to force application developers into a model that requires centrally managed CAs or container-specific signing servers. Complex security models often result in insecure systems, whether through a false sense of security (XcodeGhost, anyone?) or user workarounds that circumvent security.
We want a system that passes rigorous security review, namely it must:
- Use well-established protocols, standards, and processes.
- Be robust, but (also) simple enough to be understood by security auditors.
- Easily integrate with existing infrastructure (including existing signing servers and processes).
Introducing: Simple Signing
The approach Red Hat engineers have developed is powerfully simple. Each signature generates a signature claim, in the form of a simple JSON file that includes the image manifest digest hash. The following illustrates how an example signature claim might look in practice:
    {
      "critical": {
        "identity": {
          "docker-reference": "testing/manifest"
        },
        "image": {
          "Docker-manifest-digest": "sha256:20be...fe55"
        },
        "type": "atomic container signature"
      },
      "optional": {
        "creator": "atomic",
        "timestamp": 1458239713
      }
    }
Signing uses the OpenPGP standard to sign the signature claim text file with a private key, creating a binary signature file.
Sign: generate a signature claim
While this is being integrated into OpenShift and Atomic Registry as a first-class object, this file can be proliferated on systems all over the world and may be served independent of the image and originating registry.
To verify an image, the signature claim is decoded using the signer’s public key. If the image manifest digest hash matches, you have a very high level of certainty that the image from the signer has been unaltered.
Verify: signature claim must match image manifest digest
The signature claim files are simple to distribute using a basic web server that relies on standard transport security protocols.
Chain of Trust and Policy
With this model any number of signature claims may be created. Different parties may assert trust against the same image hash. This provides an opportunity for software vendors and enterprise users to add policy around which signatures are required to run on a given cluster. For example, policy could require three signatures to run on the production cluster: from Red Hat, a certified software vendor and the corporate key, or even multiple specialist teams within a company such as operations, security, middleware, and individual developer teams.
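The verification and policy steps described above, as an added example (not code from Red Hat's library). It assumes the OpenPGP signature on each claim has already been verified and attributed to a signer, that the manifest digest is the SHA-256 of the raw manifest bytes, and it uses constructed manifest bytes and placeholder signer names.

```python
import hashlib
import json

CLAIM_TYPE = "atomic container signature"  # "type" value from the claim shown on this page

def manifest_digest(manifest_bytes):
    """Digest of the raw manifest bytes, in the 'sha256:<hex>' form the claim uses."""
    return "sha256:" + hashlib.sha256(manifest_bytes).hexdigest()

def claim_matches(claim_json, reference, manifest_bytes):
    """True only if every critical field of the claim matches the pulled image."""
    try:
        critical = json.loads(claim_json)["critical"]
        return (critical["type"] == CLAIM_TYPE
                and critical["identity"]["docker-reference"] == reference
                and critical["image"]["Docker-manifest-digest"] == manifest_digest(manifest_bytes))
    except (ValueError, KeyError, TypeError):
        return False  # malformed or incomplete claim: fail closed

def policy_satisfied(verified_claims, required_signers, reference, manifest_bytes):
    """verified_claims: (signer_id, claim_json) pairs whose OpenPGP signature
    has ALREADY been verified against signer_id's public key (assumed here).
    Returns (ok, missing_signers)."""
    vouching = {signer for signer, claim in verified_claims
                if claim_matches(claim, reference, manifest_bytes)}
    missing = set(required_signers) - vouching
    return (not missing, missing)

def make_claim(reference, digest):
    """Build a claim with the layout shown on this page (constructed sample)."""
    return json.dumps({
        "critical": {"identity": {"docker-reference": reference},
                     "image": {"Docker-manifest-digest": digest},
                     "type": CLAIM_TYPE},
        "optional": {"creator": "atomic", "timestamp": 1458239713}})

# Constructed sample data: manifest bytes and signer names are placeholders.
MANIFEST = b'{"schemaVersion": 2, "layers": []}'
TAMPERED = MANIFEST + b" "
REF = "testing/manifest"
CLAIMS = [("vendor", make_claim(REF, manifest_digest(MANIFEST))),
          ("security-team", make_claim(REF, manifest_digest(MANIFEST))),
          ("ops", make_claim("testing/other", manifest_digest(MANIFEST)))]

if __name__ == "__main__":
    print(policy_satisfied(CLAIMS, {"vendor", "security-team"}, REF, MANIFEST))
    print(policy_satisfied(CLAIMS, {"vendor", "ops"}, REF, MANIFEST))
    print(policy_satisfied(CLAIMS, {"vendor"}, REF, TAMPERED))
```

A claim signed for a different reference or a manifest changed by a single byte leaves its signer in the missing set, so the policy fails closed.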
Integrate All the Things
Finally, we want to enable integration. This model will work with your existing keys and workflows for securing keys, such as signing servers, hardware security modules, or even your home-grown script for signing with a key on a USB flash drive. There’s no need to retool for a container-specific key format and key management tools. We’re simply trying to sign container images, not design a new key format with specialized key management tooling.
What’s Next?
Red Hat is contributing this work as part of an open source shared library that can be used by anyone to work towards common signature semantics across technologies. It also provides a policy framework where trusted public keys and other aspects only need to be defined once per system. Red Hat is driving signing innovation in an inclusive, open, and community-driven approach to make containers more secure for us all.
Interested in joining this work? Thoughts? Questions? We’d love to know what you think. Reach out using the comments section (below).