The Linux Foundation, BastionZero and Docker have announced a new open project, OpenPubKey, which develops a cryptographic protocol of the same name for digitally signing arbitrary objects. The technology was developed as a joint project of BastionZero and Docker with the aim of simplifying the digital signing of Docker container images, so that tampering with an image can be detected and its origin from the declared builder can be confirmed. The project will be developed on a neutral platform under the Linux Foundation, which removes dependence on individual commercial companies and makes it easier for third parties to collaborate and get involved. The OpenPubKey reference implementation is written in Go and distributed under the Apache 2.0 license.
OpenPubKey is not limited to container images: the technology can be used to verify the origin of any resource, to prevent dependency substitution, and to harden data transfer channels. For example, it is applicable to verifying software builds, individual messages and commits. A signature creator needs nothing more than an account with a service that supports OpenID, and recipients can verify the attached signatures and confirm that they are bound to the declared OpenID identity.
In its goals OpenPubKey resembles Sigstore, a system created at Google and handed over to the Linux Foundation, but it differs in being much simpler to deploy, use and maintain, because it removes the intermediate server components: the public log that attests to the authenticity of changes (the transparency log) and the certificate authority (CA) infrastructure.
Instead of running its own certificate authorities, OpenPubKey relies on OpenID authentication and ties the signatures it produces to existing OpenID Connect providers. In other words, OpenPubKey lets you bind cryptographic keys to specific users through OpenID Connect identity providers (IdPs) rather than certificate authorities. The technology is fully compatible with existing OpenID providers such as GitHub, Azure/Microsoft, Okta, OneLogin, Keycloak and Google, and requires no changes on their side: the standard ID token issued by the provider is used, so OpenPubKey can be adopted with changes only on the OpenID Connect client side.
The token issued by the OpenID provider is turned into a certificate that cryptographically binds the OpenID Connect identity to a public key. The user then signs arbitrary data with the corresponding private key, and those signatures can be verified against the OpenID Connect identity. OpenPubKey uses ephemeral keys with a limited lifetime: the key pair is generated at OpenID login and discarded when the session with the OpenID provider ends.
An outline of the procedure for producing a signature with OpenPubKey:
- Log in through an OpenID provider (Google, GitHub, Microsoft, etc.).
- Request an identity (ID) token from the OpenID provider.
- Receive a token signed with the provider's key that includes a "nonce" field carrying arbitrary data supplied at request time (a SHA3 hash of the user's public key is passed here).
- On the user side, use the received token as a certificate, since it now carries a commitment to the key material.
- Attach the token to the signature, in the same way a certificate would be attached.
Verification comes down to checking that the attached token is signed by the OpenID provider and then checking the digital signature over the object with the public key. This establishes that the object was signed with the key bound to the identity in the certificate and that this binding is vouched for by the OpenID provider's signature. For example, a signer can obtain a token signed by Google's OpenID provider that carries the verified identity bob@gmail.com and the public key 0x54A5…FF. When the recipient later receives a message signed with that same key, it uses the provider-signed token to confirm that bob@gmail.com's key is 0x54A5…FF and therefore that the message was indeed signed by bob@gmail.com.
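The exchange behind the steps listed above and the verification just described, as an added example in Go (the language of the reference implementation) rather than code from the OpenPubKey project: a simulated OpenID provider issues an ID token whose nonce commits to the user's ephemeral public key, the client attaches that token to each signature in place of a certificate, and the recipient checks the provider's signature, the nonce commitment, and the message signature. Assumptions that are not in the article: the nonce is computed with SHA-256 (the article says SHA3) over the algorithm name, the public key and a random salt; Ed25519 is used for both the provider key and the user key; the ID token is modelled as signed JSON rather than a real JWT; and the names Provider, Login, Verify, PKToken and CIC, the issuer URL and the sample message are this example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Added example, not OpenPubKey's own code. Assumed simplifications: SHA-256
// instead of SHA3 for the nonce, Ed25519 for every key, signed JSON as the ID token.
var b64 = base64.RawURLEncoding

// claims is the ID token body as issued by the simulated OpenID provider.
type claims struct {
	Iss, Email, Aud, Nonce string
	Exp                    int64
}

// CIC ("client instance claims") holds the values the nonce commits to.
type CIC struct {
	Alg string // algorithm of the user's key
	Upk string // user's ephemeral public key, base64url
	Rz  string // random salt, so the nonce alone does not reveal Upk
}

// Nonce is the hash sent in the OIDC nonce field; it binds Upk to the token.
func (c CIC) Nonce() string {
	h := sha256.Sum256([]byte(c.Alg + "." + c.Upk + "." + c.Rz))
	return b64.EncodeToString(h[:])
}

// PKToken travels with every signature and takes the place of a certificate.
type PKToken struct {
	IDPayload, IDSig []byte // ID token: claims JSON and the provider's signature over it
	CIC              CIC
}

// Provider stands in for Google/GitHub/etc.; it sees only the nonce, as in any OIDC login.
type Provider struct {
	Issuer string
	Pub    ed25519.PublicKey
	priv   ed25519.PrivateKey
}

func NewProvider(issuer string) *Provider {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	return &Provider{Issuer: issuer, Pub: pub, priv: priv}
}

func (p *Provider) IssueIDToken(email, aud, nonce string, exp time.Time) ([]byte, []byte) {
	payload, _ := json.Marshal(claims{p.Issuer, email, aud, nonce, exp.Unix()})
	return payload, ed25519.Sign(p.priv, payload)
}

// Login performs the article's steps: generate an ephemeral key, commit to it in
// the nonce, obtain an ID token carrying that nonce. Sign data with ed25519.Sign(priv, msg).
func Login(p *Provider, email, aud string) (ed25519.PrivateKey, PKToken, error) {
	pub, priv, err := ed25519.GenerateKey(nil)
	rz := make([]byte, 32)
	if _, err2 := rand.Read(rz); err != nil || err2 != nil {
		return nil, PKToken{}, errors.New("key generation failed")
	}
	cic := CIC{Alg: "EdDSA", Upk: b64.EncodeToString(pub), Rz: b64.EncodeToString(rz)}
	payload, sig := p.IssueIDToken(email, aud, cic.Nonce(), time.Now().Add(time.Hour))
	return priv, PKToken{IDPayload: payload, IDSig: sig, CIC: cic}, nil
}

// Verify checks the provider's signature, issuer/audience/expiry, that the attested
// nonce commits to the presented key, and the message signature; returns the identity.
func Verify(idpPub ed25519.PublicKey, issuer, aud string, tok PKToken, msg, sig []byte, now time.Time) (string, error) {
	if !ed25519.Verify(idpPub, tok.IDPayload, tok.IDSig) {
		return "", errors.New("id token not signed by the provider")
	}
	var c claims
	if err := json.Unmarshal(tok.IDPayload, &c); err != nil || c.Iss != issuer || c.Aud != aud || now.Unix() >= c.Exp {
		return "", errors.New("id token malformed, or issuer/audience/expiry check failed")
	}
	if tok.CIC.Nonce() != c.Nonce {
		return "", errors.New("nonce does not commit to the presented public key")
	}
	upk, err := b64.DecodeString(tok.CIC.Upk)
	if err != nil || len(upk) != ed25519.PublicKeySize || !ed25519.Verify(upk, msg, sig) {
		return "", errors.New("message not signed by the key bound to this identity")
	}
	return c.Email, nil
}

func main() {
	idp := NewProvider("https://accounts.example") // constructed issuer
	priv, tok, _ := Login(idp, "bob@example.com", "openpubkey-demo")
	msg := []byte("commit 1234: bump dependency") // constructed sample message
	fmt.Println(Verify(idp.Pub, idp.Issuer, "openpubkey-demo", tok, msg, ed25519.Sign(priv, msg), time.Now()))
}
```

The nonce check is what defeats key substitution: an attacker who copies Bob's provider-signed token but swaps in their own public key cannot make the recomputed hash match the nonce the provider signed, and an attacker who edits the nonce invalidates the provider's signature. The expiry check is what ties signatures to the session lifetime of the ephemeral key. A real deployment would additionally fetch the provider's keys from its JWKS endpoint and verify a proper JWS, which this stand-in omits.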
The simplified architecture comes at the cost of certain trade-offs (for example, dependence on external OpenID providers and the absence of a transparency log with hierarchical hashing), which are acceptable in some situations but not in others. To reduce the exposure to OpenID providers, to their compromise, or to actions by their staff that could subvert the system (for instance, a compromised provider could issue a token binding a bogus key to a third party), it is proposed to use an additional, optional MFA-Cosigner (Multi-Factor Authentication Cosigner) as a second link in the verification chain: the token must then be signed not only by the primary provider but also by an independent verification service that authenticates the user.
Among the weaknesses noted in OpenPubKey are the presence of externally visible information that can be used to track a user's activity over a long period, and the possibility of replay (reusing an identity token in place of a new certificate). Binding keys directly in OpenID Connect at authentication time eliminates the server side, but it is considerably harder to implement on the client side and leaves a large attack surface on the client, for example because the work of key rotation falls on the client. The absence of a transparency log also makes it impossible to track possible key leaks.
Source: opennet.ru
