github.com/jlmucb/cloudproxy@v0.0.0-20170830161738-b5aa0b619bc4/README (about)

This directory contains the source code and design material for the
CloudProxy Project.  This project was started at the Intel Science and
Technology Center for Secure Computing at University of California at
Berkeley.  Google joined the project in January 2013 and is a major
contributor.

The code and accompanying material are licensed for general use under
the Apache 2.0 License. Please consult the LICENSE file for details
and terms.  By using this software you agree to those terms.

The repository contains the complete CloudProxy source and a number of examples
as well as rather complete instructions.  The current version supports both Go
and C++ programming interfaces to CloudProxy and the following "root"
security hosts:
	1. Support for TPM 1.2.
	2. Support for TPM 2.0.
	3. Support for the Soft Tao: a software root of trust which can be used
	   for development on hardware without TPMs.
In the case of TPM 2.0, the TPM can either be a discrete TPM part or a firmware
based TPM.

CloudProxy runs in or on the following platforms:
	1. A Linux based KVM.
	2. A Linux OS (either running as a VM over KVM or as the "root" platform).
	3. Mac OS-X, version 10.  Macs generally do not have TPMs but can run
	   using the "Soft Tao."  This is very convenient for development.

Each CloudProxy (Tao) host presents the same programming interface to "hosted
systems" or applications, so you can develop on, for example, a "SoftTao"
based Mac CloudProxy and run, without programming changes, on a root Tao using
a TPM or on hosted Taos.

To get started, follow the "Cloudproxy Nuts and Bolts" tutorial, in the Doc
directory, which comprehensively describes CloudProxy concepts,
installation and a fully implemented sample application, called simpleexample.
Although the Nuts and Bolts paper is long, you can follow the installation and
the simpleexample sample code by reading only the first half of the document.
Simpleexample, although simple, covers the entire CloudProxy API,
called the "Tao." Most applications can be built by simply copying
and pasting sample code from simpleexample.  Our experience is
that someone can install and build CloudProxy and complete the simpleexample
tutorial in about a day and program relatively complex applications the next
day.  Most installation scripts and tests can also be used, with minor changes,
for configuring and running your own applications.  The tutorial covers both
Go and C++ interfaces on a SoftTao running on Mac OS-X or Linux.  It
covers the important concept of Tao Principal Names in depth.

"CloudProxy Deployment Nuts and Bolts" covers complete installation and
configuration information for TPM installations whether directly hosted on
Linux or hosted in a Linux VM running on KVM.  The instructions are also
rather comprehensive and may be copied and pasted in a variety of deployment
scenarios.  "CloudProxy Deployment Nuts and Bolts" also covers important
key management tools and techniques for CloudProxy applications and hosts.
Since programs are "first class" principals in CloudProxy and are completely
and unforgeably identified by CloudProxy for the purpose of authentication
and key management, first time programmers often worry about distribution
and update of new applications and new versions of applications.
"CloudProxy Deployment Nuts and Bolts" describes several simple
mechanisms to do automatic key management and provides prototypical
tools and infrastructure components to generate keys including
foundational "policy keys," certify program and data protection
keys, rotate keys, support key storage hierarchies, provision keys using
a keystore and transfer keys between applications and different versions
of the same applications.  All these tools and techniques are implemented
in this repository.  Simpleexample itself contains a simple Tao
library ("taosupport") which allows most applications to interface with
the Tao using a few simple stylized calls.  This library can be used
across a large application set with very little change.

Eric Grosse pointed out that "simple example" may still be a big
"first step," so there is an even simpler starting application called
"simple-http-server" which demonstrates just about the simplest possible
use case.

There are a number of sample applications provided.  These include:
	1. Newfileproxy: This is a new version of the very first
	   "real" CloudProxy application called fileproxy.  The
	   fileproxy application provides confidentiality and
	   integrity protection and access control for files
	   stored in a cloud by a set of CloudProxy service
	   applications.  Fileproxy demonstrates "insider protection"
	   in a cloud application in an intuitive setting.
	   Newfileproxy is a newer version of fileproxy. It is
	   simpler than the original and is based on the simpleexample code
	   you learned in the tutorial.  The old version of fileproxy
	   is deprecated.
	2. Mixnet:  This is a CloudProxy based mixnet router and is
	   fully functional.
	3. Roughtime:  This is a secure time implementation based on
	   CloudProxy that can be used to support "secure network time"
	   to CloudProxy or non-CloudProxy programs.
	4. Simple-http-server: A CloudProxy secured http service (server only).

Several older applications remain in the distribution but are not maintained.
They include:
	1. Bidproxy: A secure bidding service that is secure against
	   tampering by the organization conducting the bid.  It protects
	   the confidentiality of bids and designates the winning bid.
	2. Authproxy: A distributed authentication service hosted on
	   CloudProxy.

The directory Doc also contains older documentation and commentary including the
original CloudProxy paper by Manferdelli, Roeder and Schneider.  There is
also Docker container support, although we have not kept this current,
nor is there extensive usage documentation yet.

News: CloudProxy now has state rollback protection and supports more crypto
suites (as well as allowing new crypto suites to be added).  Current crypto
suites include:
	1. The original "128 bit" security suite which includes aes-128,
	   aes-128-CTR with SHA-256 HMAC and P-256 based Elliptic Curve Public Key support.
	2. A Suite B compliant "192 bit" security suite which includes aes-256,
	   aes-256-CTR with SHA-384 HMAC and P-384 based Elliptic Curve Public Key support.
	3. A new "256 bit" security suite which includes aes-256,
	   aes-256-CTR with SHA-512 HMAC and P-521 based Elliptic Curve Public Key support.

Please send feedback, comments, suggestions and bug reports to
  johnmanferdelli@hotmail.com or j.manferdelli@northeastern.edu
Unless expressly noted in any such submitted material, you agree that any
feedback, comments or suggestions can be used and distributed under the Apache
License in this directory.

The CloudProxy developers --- John Manferdelli, Tom Roeder, Kevin Walsh, Sid Telang,
Albert Kwon.  Thanks to Paul England who answered a number of questions on TPM 2.0.