question about key access


Javi D R

Feb 1, 2021, 11:55:50 AM
to in-toto-public
Hi

Apologies if the question is dumb, I just discovered this tool and I am really interested in it.

As I understand it, in-toto will cryptographically sign every step in a pipeline, correct?

The question I have is... imagine I am an attacker and I want to add malware to software I am building in that pipeline. If in-toto has access to the key to sign those steps as passed, then I will also have access to the same key, isn't it? If I have access to that key, I can also sign the step where I have built a malicious artifact.

I am sure this is under control and I am wrong, but I'm struggling to understand how in-toto can access that key when it is a genuine step, and how an attacker who has access to the pipeline can't use that key.

Thanks


Aditya Sirish A Yelgundhalli

Feb 2, 2021, 10:45:10 AM
to in-toto...@googlegroups.com

Hi Javi,

in-toto intrinsically doesn't have access to any private keys that are used to sign link metadata for steps. The people (or machines) authorized to perform a step must also have access to the corresponding key, and use it while generating in-toto links. in-toto layouts contain public keys that are used to verify the signatures of metadata files generated using private keys.

In your scenario, as an attacker who has gained access to the source code for example, you'd (hopefully!) not have access to the authorized keys that the actual developers have. However, managing private keys is not within the scope of in-toto, and appropriate best practices must be followed. I must note that in-toto minimizes the danger of an attacker gaining access to any one private key by supporting a "threshold" of keys, i.e., a step in the supply chain can be configured to require signatures from more than one key.

I hope this clears it up!

- Aditya

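The mechanism Aditya describes (private keys stay with the functionaries, the layout carries only public keys, and a step can require a threshold of distinct signatures) can be modelled end to end in a few dozen lines. The Go program below is an added illustration, not code from the in-toto project and not its real metadata format: `Link`, `SignedLink`, `LayoutStep`, the `KeyID` scheme and the placeholder digests `h1`/`h2`/`h3` are all constructed for this example, and it uses the standard library's Ed25519 in place of in-toto's key handling. The verifier side, `VerifyStep`, holds nothing but public keys, so an intruder in the pipeline who generates their own key, or who edits a link after an authorized developer signed it, cannot satisfy the step.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Link is a minimal stand-in for in-toto link metadata: the artifacts a
// functionary consumed (materials) and produced (products) while running a step.
// The digest values used below are constructed placeholders, not real hashes.
type Link struct {
	Step      string            `json:"step"`
	Materials map[string]string `json:"materials"`
	Products  map[string]string `json:"products"`
}

// SignedLink is the canonical link payload plus one functionary's signature.
type SignedLink struct {
	Payload []byte
	KeyID   string
	Sig     []byte
}

// LayoutStep is the slice of a layout the verifier needs for one step: the
// public keys authorized to sign it and how many distinct signatures it needs.
type LayoutStep struct {
	Name      string
	PubKeys   map[string]ed25519.PublicKey
	Threshold int
}

// KeyID derives a short, stable identifier for a public key (assumed scheme).
func KeyID(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// canonical serializes a link deterministically; encoding/json sorts map keys,
// so two functionaries who observed the same artifacts produce identical bytes.
func canonical(l Link) []byte {
	b, err := json.Marshal(l)
	if err != nil {
		panic(err)
	}
	return b
}

// SignLink runs on the functionary's side. Only the holder of priv can
// produce this signature; the verifier never needs the private key.
func SignLink(priv ed25519.PrivateKey, l Link) SignedLink {
	payload := canonical(l)
	pub := priv.Public().(ed25519.PublicKey)
	return SignedLink{Payload: payload, KeyID: KeyID(pub), Sig: ed25519.Sign(priv, payload)}
}

// VerifyStep runs on the verifier's side with nothing but the layout's public
// keys. A step passes only if at least Threshold distinct authorized keys
// signed the same link payload; unauthorized keys and bad signatures are skipped.
func VerifyStep(step LayoutStep, links []SignedLink) error {
	var agreed []byte
	valid := map[string]bool{}
	for _, sl := range links {
		pub, ok := step.PubKeys[sl.KeyID]
		if !ok || !ed25519.Verify(pub, sl.Payload, sl.Sig) {
			continue // not an authorized functionary, or payload altered after signing
		}
		if agreed == nil {
			agreed = sl.Payload
		} else if !bytes.Equal(agreed, sl.Payload) {
			return fmt.Errorf("step %q: authorized signers disagree on the link contents", step.Name)
		}
		valid[sl.KeyID] = true // keyed by KeyID, so one key signing twice counts once
	}
	if len(valid) < step.Threshold {
		return fmt.Errorf("step %q: %d valid signature(s), threshold is %d", step.Name, len(valid), step.Threshold)
	}
	return nil
}

func main() {
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader) // developer A's key pair
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader) // developer B's key pair
	_, privX, _ := ed25519.GenerateKey(rand.Reader)    // a key the layout does not authorize
	build := LayoutStep{Name: "build", Threshold: 2,
		PubKeys: map[string]ed25519.PublicKey{KeyID(pubA): pubA, KeyID(pubB): pubB}}
	genuine := Link{Step: "build", Materials: map[string]string{"src.tar": "h1"}, Products: map[string]string{"app": "h2"}}
	altered := Link{Step: "build", Materials: map[string]string{"src.tar": "h1"}, Products: map[string]string{"app": "h3"}}

	fmt.Println("A+B sign genuine:     ", VerifyStep(build, []SignedLink{SignLink(privA, genuine), SignLink(privB, genuine)}))
	fmt.Println("only A signs:         ", VerifyStep(build, []SignedLink{SignLink(privA, genuine)}))
	fmt.Println("X signs altered:      ", VerifyStep(build, []SignedLink{SignLink(privX, altered)}))
	fmt.Println("A genuine, B altered: ", VerifyStep(build, []SignedLink{SignLink(privA, genuine), SignLink(privB, altered)}))
}
```

Only the first case returns `<nil>`. The threshold of 2 means that compromising one developer's key, or the pipeline host alone, is not enough: the second authorized signer must attest to the very same materials and products, which is the property Aditya points to in the answer above.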