github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/README (about) 1 This directory contains the source code and design material for the 2 CloudProxy Project. This project was started at the Intel Science and 3 Technology Center for Secure Computing at University of California at 4 Berkeley. Google joined the project in January 2013 and is a major 5 contributor. 6 7 The code and accompanying material is licensed for general use under 8 the Apache 2.0 License. Please consult the LICENSE file for details 9 and terms. By using this software you agree to those terms. 10 11 The repository contains the complete CloudProxy source and a number of examples 12 as well as rather complete instructions. The current version supports both Go 13 and C++ programming interfaces to Cloudproxy and support for the following "root" 14 security hosts: 15 1. Support for TPM 1.2. 16 2. Support for TPM 2.0. 17 3. Support for the Soft Tao: a software root of trust which can be used 18 for development on hardware without TPM's. 19 In the case of TPM 2.0, the TPM can either be a discrete TPM part or a firmware 20 based TPM. 21 22 Cloudproxy runs in or on the following platforms: 23 1. A Linux based KVM. 24 2. A Linux OS (either running as a VM over KVM or as the "root" platform. 25 3. Mac OS-X, version 10. Macs generally do not have TPMs but can run 26 using the "Soft Tao." This is very convenient for development. 27 28 Each Cloudproxy (Tao) host presents the same programming interface to "hosted 29 systems" or applications, so you can develop on, for example, a "SoftTao" 30 based Mac Cloudproxy and run, without programming changes on a root Tao using 31 a TPM or hosted Tao's. 32 33 To get started, follow the "Cloudproxy Nuts and Bolts" tutorial, in Doc 34 directory, which comprehensively describes Cloudproxy concepts, 35 installation and a fully implemented sample application, called simpleexample. 36 Although the Nuts and Bolts paper is long, you can follow the installation and 37 simple example sample code by reading only the first half of the document. 38 Simple example, although simple, covers the entire Cloudproxy API, 39 called the "Tao." Most applications can be built by simply copying 40 and pasting sample code from simple example. Our experience is 41 that someone can install and build cloudproxy and complete the simpleexample 42 tutorial in about a day and program relatively complex applications the next 43 day. Most installation scripts and tests can also be used, with minor changes 44 for configuring and running your own applications. The tutorial covers both 45 Go and C++ interfaces on a SoftTao running on Mac OS-X or Linux. It 46 covers the important concept of Tao Principal Names in depth. 47 48 "CloudProxy Deployment Nuts and Bolts" covers complete installation and 49 configuration information for TPM installations whether directly hosted on 50 Linux or hosted in a Linux VM running on KVM. The instructions are also 51 rather comprehensive and may be copied an pasted in a variety of deployment 52 scenarios. "CloudProxy Deployment Nuts and Bolts" also covers important 53 key management tools and techniques for Cloudproxy applications and hosts. 54 Since programs are "first class" principals in Cloudproxy and are completely 55 and unforgeably identified by Cloudproxy for the purpose of authentication 56 and key management, first time programmers often worry about distribution 57 and update of new applications and new versions of applications. 58 "CloudProxy Deployment Nuts and Bolts" describes several simple 59 mechanisms to do automatic key management and provides prototypical 60 tools and infrastructure components to generate keys including 61 foundational "policy keys," certify program and data protection 62 keys, rotate keys, support key storage hierarchies, provision keys using 63 a keystore and transfer keys between applications and different versions 64 of the same applications. All these tools and techniques are implemented 65 in this repository. Simpleexample itself contains a simple tao 66 library ("taosupport") which allows most applications to interface with 67 the Tao using a few simple stylized calls. This library can be used 68 across a large application set with very little change. 69 70 Eric Grosse pointed out that "simple example" may still be a big 71 "first step," so there is an even simpler starting application called 72 "simple-http-server" which demonstrates just about the simplest possible 73 use case. 74 75 There are a number of sample applications provided. These include: 76 1. Newfileproxy: This is a new version of the very first 77 "real" cloudproxy application called fileproxy. The 78 fileproxy application provides confidentiality and 79 integrity protection and access control for files 80 stored in a cloud by a set of cloudproxy service 81 applications. Fileproxy demonstrates "insider protection" 82 in a cloud application in an intuitive setting. 83 Newfileproxy is a newer version of a fileproxy. It is 84 simpler than the original and is based on the simpleexample code 85 you learned in the tutorial. The old version of fileproxy 86 is deprecated. 87 2. Mixnet: This is a cloudproxy based mixnet router and is 88 fully functional. 89 3. Roughtime: This is a secure time implementation based on 90 cloudproxy that can be used to support "secure network time" 91 to cloudproxy or non-cloudproxy programs. 92 4. Simple-http-server: A cloudproxy secured http service (server only). 93 94 Several older applications remain the distribution but are not maintained. 95 They include: 96 1. Bidproxy: A secure bidding service that is secure against 97 tampering by the organization conducting the bid. It protects 98 the confidentiality of bids and designates the winning bid. 99 2. Authproxy: A distributed authentication service hosted on 100 Cloudproxy. 101 102 The directory Doc also contains older documentation and commentary including the 103 original Cloudproxy paper by Manferdelli, Roeder and Schneider. There is 104 also Docker container support, although we have not kept this current 105 nor is there extensive use documentation yet. 106 107 News: Cloudproxy now has state rollback protection and supports more crypto 108 suites (as well as enabling adding new crypto suites. Current crypto suites include 109 1. The original "128 bit" security suite which includes aes-128, 110 aes-128-CTR with SHA-256 HMAC and P-256 based Eliptic Curve Public Key support. 111 2. A Suite B compliant "192 bit" security suite which includes aes-256, 112 aes-256-CTR with SHA-384 HMAC and P-384 based Eliptic Curve Public Key support. 113 3. A new "256 bit" security suite which includes aes-256, 114 aes-256-CTR with SHA-512 HMAC and P-521 based Eliptic Curve Public Key support. 115 116 Please send feedback, comments and suggestions and bug reports to 117 johnmanferdelli@hotmail.com or j.manferdelli@northeastern.edu 118 Unless expressly noted in any such submitted material, you agree that any 119 feedback, comments or suggestions can be used and distributed under the Apache 120 License in this directory. 121 122 The Cloudproxy developers --- John Manferdelli, Tom Roeder, Kevin Walsh, Sid Telang, 123 Albert Kwon. Thanks to Paul England who answered a number of questions on TPM 2.0. 124