Secure your Docker images · 2017-03-23 · Secure your Docker images With Notary and Yubikey Dr. Udo Seidel
Secure your Docker images
With Notary and Yubikey
Dr. Udo Seidel
CEBIT Opensource Forum 2016
Agenda
● Introduction
● The Update Framework
● Notary
● Yubikey
● Getting started
● Summary
Me :-)
● Teacher of mathematics and physics
● PhD in experimental physics
● Started with Linux in 1996
● With Amadeus since 2006
● Before:
  ● Linux/UNIX trainer
  ● Solution Engineer in HPC and CAx environment
● Now: Architecture & Technical Governance
Introduction
Docker for Dummies
● Set of
  ● Libraries
  ● Executables
  ● Other files
● Very image-based
● Separation via several namespaces
Docker work-flow
● $ docker pull
● $ docker run/start/stop/...
● $ docker commit/create/...
● $ docker push
Docker security
● Host
● Docker Daemon
● Docker Image
● Docker Instance
Docker work-flow security
● Store
● Upload
● Download
● Run
The Update Framework
Link to software management
● Source
● Target
● Download
● Content
Basic idea
● Plugin architecture
  ● Easier integration
  ● Easier to expand
● Digital signatures
  ● Proven technology
  ● Key management is crucial
● Meta data
Meta-Data
● Enhanced security
  ● Whom to trust
  ● Version system
  ● Cryptographic checksums
● Enhanced role model
  ● Delegation
  ● Separation of duties
TUF Roles I
● Root
  ● Delegates trust
  ● Uses keys
● Target
  ● What is trusted by clients
  ● Can delegate too
TUF Roles II
● Snapshot
  ● (latest) version of meta data
  ● Update info for clients
● Timestamp
  ● Prevents out-of-date attacks
  ● Keys kept online
● Mirror
  ● Optional
The two aspects of TUF
● Several implementations
  ● Python
  ● Ruby
  ● Haskell
  ● ...
  ● Go :-)
● Specification!
Notary
Notary and TUF
● Go implementation
● Base of Docker Content Trust
● Not limited to docker
High level architecture
● Client-Server model
● 3 server components
  ● Server
  ● Signer
  ● Database
● TCP/IP based communication
  ● TLS possible ... mandatory
High level architecture
Notary Server
● PoC for client
● REST API
● Port
  ● Default: 443 or 4443
  ● Configurable
  ● Client needs to know
Notary Signer
● Cryptographic operations
● Data store
  ● Database
  ● Memory
  ● PKCS#11 via softhsm2
● Ports
  ● 4444 for HTTP
  ● 7899 for GRPC
Notary Database
● ATM: MySQL only
● Standard port: 3306
● 3 tables
  ● Private keys
  ● Timestamp keys
  ● Meta data
Roles and keys
● TUF specification
● 4 different roles
  ● See TUF before
  ● Mirror dropped
● Keys per role
● Data format: JSON
Root
● The base/start/entry point
● Two kinds
  ● Global
  ● Local
● Like root-CA in SSL/TLS world
Target
● Main user interaction
● Corresponds to file, directory, repository
● Meta data
  ● Files
  ● File sizes
  ● Default validity: 3 years
  ● BASE64 coded SHA256 checksums
  ● Signed by target role
Snapshot
● Management of root|target.json
● Consistent view of software repository
● Meta Data
  ● Files
  ● File sizes
  ● Default validity: 3 years
  ● BASE64 coded SHA256 checksums
  ● Signed by Snapshot role
Timestamp
● Management of snapshot.json
● Meta Data
  ● File
  ● File size
  ● Default validity: 14 days
  ● BASE64 coded SHA256 checksums
  ● Signed by Timestamp role
● Key stored on server only
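The Target, Snapshot and Timestamp slides above all describe the same per-file metadata (size, base64-coded SHA256 checksum, expiry). The following added example, which is not from the slides and not Notary's own code, builds that metadata for a constructed sample blob and runs the client-side acceptance check, including the case where a still-correct but expired timestamp.json is refused. Field names, the sample blob and the fixed clock are assumptions made for illustration; signing and key handling are left out.

```python
import base64
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed sample input (stands in for an image layer) and a fixed clock for reproducibility.
SAMPLE_NAME = "demo/image:latest"
SAMPLE_BLOB = b"constructed sample image layer\n"
SNAPSHOT_JSON = json.dumps({"_type": "Snapshot"}).encode()
NOW = datetime(2016, 3, 14, tzinfo=timezone.utc)

# Default validity periods as stated on the slides.
TARGETS_VALIDITY = timedelta(days=3 * 365)
TIMESTAMP_VALIDITY = timedelta(days=14)


def days_after(n):
    """Clock value n days after NOW, to simulate a client checking later."""
    return NOW + timedelta(days=n)

def sha256_b64(data):
    """Notary records checksums as base64-encoded SHA256 digests."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")

def describe(data):
    """File size plus checksum: the per-file metadata every role carries."""
    return {"length": len(data), "hashes": {"sha256": sha256_b64(data)}}

def make_targets(name, data, now):
    """Signed body of a targets.json (hypothetical layout; the signature is out of scope)."""
    return {"_type": "Targets",
            "expires": (now + TARGETS_VALIDITY).isoformat(),
            "targets": {name: describe(data)}}

def make_timestamp(snapshot_json, now):
    """timestamp.json pins the current snapshot.json and expires after 14 days."""
    return {"_type": "Timestamp",
            "expires": (now + TIMESTAMP_VALIDITY).isoformat(),
            "meta": {"snapshot.json": describe(snapshot_json)}}

def verify(meta, key, data, now):
    """Client-side acceptance check: freshness first, then exact size, then hash.
    Returns (accepted, reason). A stale document is refused even when the hashes
    match, which is what stops an attacker from replaying old metadata."""
    if datetime.fromisoformat(meta["expires"]) <= now:
        return False, "metadata expired"
    entry = meta.get("targets", meta.get("meta", {})).get(key)
    if entry is None:
        return False, "unknown entry"
    if entry["length"] != len(data):
        return False, "length mismatch"
    if not hmac.compare_digest(entry["hashes"]["sha256"], sha256_b64(data)):
        return False, "sha256 mismatch"
    return True, "ok"


if __name__ == "__main__":
    targets = make_targets(SAMPLE_NAME, SAMPLE_BLOB, NOW)
    print(verify(targets, SAMPLE_NAME, SAMPLE_BLOB, NOW))                 # (True, 'ok')
    stamp = make_timestamp(SNAPSHOT_JSON, NOW)
    print(verify(stamp, "snapshot.json", SNAPSHOT_JSON, days_after(14)))  # (False, 'metadata expired')
```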
The client
● notary
● $HOME/.notary/
Docker Content Trust (DCT)
● Since Engine version 1.8
● Notary: foundation but 'hidden'
Docker Content Trust
● Interaction via docker
● Mixed repository content
● (De-)Activation
  ● $ DOCKER_CONTENT_TRUST=0|1
  ● $ disablecontenttrust=true|false
Yubikey
Secure your (root) keys
● See root CA keys for SSL
● Secure and mobile → How?
  ● Encrypted $HOME
  ● Encrypted USB sticks
  ● …???
=> Yubikey (4)
Yubikey 4
● Personal Identity Verification
● Two-Factor-Authentication
  ● Different Standards
  ● Here: FIDO and U2F
● One-Time-Passwords
● Chip Card Interface Device
Yubikey-PIV and Docker/Notary
● Notary root key
  ● Storage
    – 4 in total
    – In addition to $HOME
  ● Access
● Docker-Speak
  ● Changing content of repository
  ● New/change docker images
Yubikey-U2F and Docker/Notary
● Enhance security
  ● Generation of root keys
  ● Access to root keys
● Humans, not machines/robots
● Fine for manual tasks
Universal 2 Factor Authentication
Yubikey in Docker action
Yubikey 4 – Beyond Docker
● Github
● Dropbox
● Gmail
● Google apps
● …
● Disk encryption
Getting Started
Getting Started – Notary (easy)
● Use official Docker Hub image :-)
● TLS quite tricky
● Drop docker and use notary
● Yubikey optional
Getting Started – Notary (less easy)
● Setup GO build environment
● Download and compile notary
● Configure and startup
  ● Manually
  ● Via Docker Compose
● TLS quite tricky
● Yubikey optional
Getting Started – Yubikey (easy)
● Yubikey mandatory :-)
● Test Repo on Docker Hub
● Enable DCT
● Insert Yubikey before pcscd
● $ docker pull/push
Getting Started – Yubikey (less easy)
● Yubikey mandatory
● Setup own Registry
● Setup Notary (see before)
● Enable DCT
● Insert Yubikey before pcscd
● $ docker pull/push
Summary
Take Aways
● Good start
● Early days
● Only Docker Image security
● What is next?
  ● Other Yubikey functions?
  ● Other Tokens?
References
● http://www.docker.com
● http://theupdateframework.com
● http://www.yubico.com/docker
● http://github.com/docker/notary
● http://docs.docker.com/engine/security/trust
Thank you!
Secure your Docker images Linux ?!?
With Notary and Yubikey
Dr. Udo Seidel