Skip to content
This repository has been archived by the owner on Mar 15, 2023. It is now read-only.

Releases: apache/incubator-milagro-dta

apache-milagro-dta-0.1.0-incubating

12 Sep 11:17
07932e2
Compare
Choose a tag to compare
Pre-release

Introduction

Apache Milagro Decentralized Trust Authority 0.1.0-incubating is the first Apache Software foundation release of this server.

Software Description

The Apache Milagro (Incubating) Decentralized Trust Authority (D-TA) is a collaborative key management server. It has two primary functions.

  1. Issue shares of identity-based Type-3 pairing secrets for initializing zero-knowledge proof multi-factor authentication (ZKP-MFA) networks of clients and authentication servers.
  2. Safeguards shares of generic secrets, acting independently but in conjunction with other D-TA nodes, for the benefit of other D-TA nodes.

In the use case where it issues shares, the D-TA holds nothing except for its Master Secret and acts as a distributed private key generation server. In the use case where it is safeguarding shares of secrets, it is up to the application developer to implement back-end application logic to hold those shares securely. Examples include using Hardware Security Modules (HSMs) via an on-board PKCS#11 implementation to create a realm of key encryption keys, or multi-party computation through BLS signature aggregation.

Roles

Operators of Decentralized Trust Authorities are segmented into three roles.

  1. Principals - These entities operate a Milagro D-TA node to securely communicate with other D-TA nodes (Fiduciaries), employing them to issues shares of secrets or safeguard shares of secrets.

  2. Fiduciaries - These entities operate \( 1 + n \) Milagro D-TAs to issue shares of secrets or safeguard shares of secrets.

  3. Beneficiaries - These entities receive shares of secrets from Fiduciaries.

A D-TA facilitates secure and auditable communication between entities and service providers who can keep shares of secret keys safe (Fiduciaries). The D-TA is written in Go and uses REST services based on the GoKit microservices framework. The D-TA uses IPFS to create a shared immutable log of transactions and relies on Milagro-Crypto-C for it's crypto. Future release candidates will incorporate Tendermint for consensus protocol.

v0.1.0 Release Rationale

By default, the D-TA allows requests from a Principal's D-TA for an secp256k1 public key from a Fiduciary D-TA and then to subsequently allow the Principal to request its corresponding private key. Whilst this may have utility on its own, the Milagro community's intention is to extend the capability of the server over time to meet many key generation, key storage and distribution use cases. This will be achieved using the D-TA's plugin architecture, and to this end, the initial release includes two plugins to demonstrate the D-TA's extensibility:

  • SafeGuard Secret - allows an arbitrary message to be encrypted with an elliptic curve public key using the ECIES protocol and subsequently decrypted using the corresponding private key.
  • Bitcoin Wallet Security - generates a bitcoin wallet address and subsequently releases the private key to unlock this wallet

Subsequent releases will enable the D-TA to issue Type-3 pairing/identity based secrets for "M-Pin" clients and servers ("M-Pin" is a zero-knowledge authentication protocol in the milagro-crypto-c library that also facilitates multi-factor authentication). In parallel with this will be a rewritten release of the Milagro MFA Authentication server (the original authentication server was conflated with the D-TA function limiting its security efficacy).

The Milagro community is publishing this release now to elicit feedback from a wider community that may have interest in an open source, decentralized key generation, storage and distribution solution. Our intention is to then to release a series of enhanced versions culminating with a production-ready GA version.

Please see the README for build/test instructions and https://milagro.apache.org/docs/d-ta-overview for a full overview and usage guide.

Disclaimer

Apache Milagro Crypto C (incubating) is an effort undergoing incubation at The Apache Software Foundation (ASF), sponsored by the Apache Incubator. Incubation is required of all newly accepted projects until a further review indicates that the infrastructure, communications, and decision making process have stabilized in a manner consistent with other successful ASF projects. While incubation status is not necessarily a reflection of the completeness or stability of the code, it does indicate that the project has yet to be fully endorsed by the ASF.