3. (Diagram: a service landscape in which Mobile API, Web Front End, POS API, Tickets, Subscriptions, Billing and Members DB call one another.)
4. Model 1: Destination workload authentication
(Diagram: the source workload "Web Front End" authenticates to the destination workload "Subscriptions"; an "Accounts" store backs the check.)
1. Source retrieves username and password* from configuration
2. Source supplies username and password with the authentication handshake
3. Destination verifies username and password
4. Destination acknowledges
* Or key/secret, signed nonce etc.
5. Model 2: Platform mediated identity
(Diagram: source workload "Web Front End" and destination workload "Subscriptions" both run on a platform, e.g. AWS or Kubernetes, and each reaches it through a privileged API.)
1. Source retrieves proof-of-identity from the platform (e.g. AWS IAM, Kubernetes Service Accounts)
2. Source sends proof of identity with the authentication handshake
3. Destination verifies source workload identity
4. Destination acknowledges
7. SPIFFE: Secure Production Identity Framework For Everyone
(Diagram: source workload "Web Front End" on Platform A and destination workload "Subscriptions" on Platform B, each with a local Workload API.)
1. Source retrieves its SPIFFE ID and SVIDs from the Workload API
2. Source sends proof of identity with the authentication handshake
3. Destination verifies source workload identity
4. Destination acknowledges
10. The SPIFFE project
A set of specifications that cover how a workload should
retrieve and use its identity.
● SPIFFE ID
● SPIFFE Verifiable Identity Documents (SVIDs)
● The SPIFFE Workload API
SPIRE, the SPIFFE Runtime Environment: open-source software
that implements the SPIFFE Workload API for a variety of
platforms.
Apache 2.0 license. Independent governance. Highly
extensible through plug-ins.
github.com/spiffe/spiffe
github.com/spiffe/spire
12. SPIFFE Verifiable Identity Document
spiffe://acme.com/billing/payments
Today only one form of SVID (X509-SVID).
Other document types under consideration
(including JWT-SVID)
Typically short-lived
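To make the SVID slide concrete, here is an added example in Go (not code from the SPIFFE or SPIRE repositories): a parser for the SPIFFE ID that an X509-SVID carries in its URI SAN, such as spiffe://acme.com/billing/payments. It accepts the spiffe scheme, a required trust domain and an optional path, and rejects userinfo, port, query, fragment, empty or dot path segments, a trailing slash, and path characters outside letters, digits, `-`, `.` and `_`. Those restrictions are my reading of the SPIFFE ID specification, and the type and function names are mine.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// SpiffeID is a parsed SPIFFE ID such as spiffe://acme.com/billing/payments:
// the trust domain names the issuing authority, the path names the workload.
type SpiffeID struct {
	TrustDomain string
	Path        string
}

// ParseSpiffeID accepts only the shape the slide shows (spiffe scheme, a
// non-empty trust domain, an optional path) and rejects components a verifier
// could be tricked by: userinfo, port, query, fragment, empty or dot path
// segments, a trailing slash and characters outside [A-Za-z0-9-._/]. The
// trust domain is lower-cased so two IDs compare case-insensitively there.
func ParseSpiffeID(s string) (SpiffeID, error) {
	u, err := url.Parse(s)
	if err != nil {
		return SpiffeID{}, err
	}
	switch {
	case u.Scheme != "spiffe":
		return SpiffeID{}, fmt.Errorf("scheme must be spiffe, got %q", u.Scheme)
	case u.Opaque != "" || u.User != nil || u.Port() != "" || u.RawQuery != "" || u.Fragment != "":
		return SpiffeID{}, errors.New("userinfo, port, query and fragment are not allowed")
	case u.Hostname() == "":
		return SpiffeID{}, errors.New("trust domain is required")
	case strings.HasSuffix(u.Path, "/") || strings.Contains(u.Path, "//"):
		return SpiffeID{}, errors.New("path must not end in a slash or contain empty segments")
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == "." || seg == ".." {
			return SpiffeID{}, errors.New("path must not contain dot segments")
		}
	}
	for _, r := range u.Path {
		if !(r == '/' || r == '-' || r == '.' || r == '_' || ('a' <= r && r <= 'z') || ('A' <= r && r <= 'Z') || ('0' <= r && r <= '9')) {
			return SpiffeID{}, fmt.Errorf("path contains disallowed character %q", r)
		}
	}
	return SpiffeID{TrustDomain: strings.ToLower(u.Hostname()), Path: u.Path}, nil
}

// String returns the canonical form, so two parsed IDs compare by their strings.
func (id SpiffeID) String() string { return "spiffe://" + id.TrustDomain + id.Path }

// InTrustDomain is the destination-side question: was this identity issued by
// the trust domain I expect? Authorization decisions then start from the path.
func (id SpiffeID) InTrustDomain(td string) bool { return id.TrustDomain == strings.ToLower(td) }

func main() {
	for _, s := range []string{"spiffe://ACME.com/billing/payments", "spiffe://acme.com/../payments", "https://acme.com/x"} {
		id, err := ParseSpiffeID(s)
		fmt.Printf("%-40s -> %v %v\n", s, id, err)
	}
}
```

Because the trust domain is lower-cased on parse, an SVID whose SAN reads spiffe://ACME.com/billing/payments compares equal to the canonical form; a verifier should compare parsed IDs, not raw SAN strings, and should reject anything the parser does rather than trying to repair it.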
14. SPIFFE Integrations so far
A Go client library for parsing SVIDs (github.com/spiffe/go-spiffe)
Using SVIDs to authenticate Ghostunnel proxies
https://blog.scytale.io/securing-the-service-mesh-with-spire-0-3-38775f767653
Using SVIDs to authenticate Envoy proxies
https://blog.scytale.io/securing-the-service-mesh-with-spire-0-3-38775f767653
In development:
● A C client library for parsing SVIDs (github.com/spiffe/c-spiffe)
● Using SVIDs to authenticate gRPC clients (w. Google)
● Using SVIDs as an authentication backend to Vault (w. QAware, Hashicorp and Redhat)
● Using SVIDs to authenticate to nginx (Scytale)
18. Workload attestation
(Diagram, repeated on slides 18 to 21: an EC2 Instance hosts the Workload and the SPIRE Agent, which exposes the Workload API; the SPIRE Server sits off the instance.)
3. Workload requests identity
4. Node agent performs an out-of-band check of the workload process metadata (the "whoami()" step in the diagram) and compares it to known selectors
19. SVID Bundle Issuance
5. If a match is found, the node agent (NA) generates a key for the workload
6. NA sends a certificate signing request based on that key to the SPIRE Server
20. SVID Bundle Issuance
6. SPIRE Server issues the SVID (as well as certificates for any other workload the instance should support)
21. SVID Bundle Issuance
7. Certificate bundle returned to the workload
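Slides 18 to 21 describe one procedure, so one added example (Go, standard library only; not SPIRE's code) walks steps 4 to 7 end to end with both sides in one program: the agent matches the selectors it discovered for the caller against registration entries and, on a match, mints a key and a CSR; the server checks the CSR's proof of possession and signs a one-hour X509-SVID; a destination workload then validates the SVID against the trust bundle and reads the SPIFFE ID from its URI SAN. The selectors, registration entries, trust domain acme.com and every function name are constructed for the example. A real agent derives the selectors from the calling process (on Linux, from the peer PID of the Workload API's Unix socket), which this code does not do.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net/url"
	"time"
)

// Entry is a registration entry: the SPIFFE ID path issued to a process whose discovered selectors include all of Selectors.
type Entry struct {
	Path      string // e.g. "/billing/payments"; the server supplies the trust domain
	Selectors []string
}

// MatchEntry is step 4: the selectors the agent discovered out of band (e.g.
// "unix:uid:1000" via SO_PEERCRED) against entries; an entry never matches on a subset.
func MatchEntry(discovered map[string]bool, entries []Entry) (string, bool) {
next:
	for _, e := range entries {
		for _, s := range e.Selectors {
			if !discovered[s] {
				continue next
			}
		}
		return e.Path, true
	}
	return "", false
}

// NewCA stands in for the SPIRE Server's signer; its certificate is the trust bundle.
func NewCA(trustDomain string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "SPIRE example root"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		URIs: []*url.URL{{Scheme: "spiffe", Host: trustDomain}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// MakeCSR is steps 5-6 on the agent: a key for the workload (it never leaves the node) and a CSR proving possession of it.
func MakeCSR() (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{}, key)
	return key, csr, err
}

// IssueSVID is step 6 on the server: check the CSR signature, then sign a one-hour X509-SVID
// for the server's own trust domain plus the matched entry's path; nothing in the CSR chooses the ID.
func IssueSVID(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csrDER []byte, path string) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		URIs:         []*url.URL{{Scheme: "spiffe", Host: caCert.URIs[0].Host, Path: path}},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
}

// PeerSpiffeID is the destination's check on a presented SVID: it must chain
// to the bundle and carry exactly one URI SAN in the expected trust domain.
func PeerSpiffeID(svidDER []byte, bundle *x509.Certificate, trustDomain string) (string, error) {
	leaf, err := x509.ParseCertificate(svidDER)
	if err != nil {
		return "", err
	}
	roots := x509.NewCertPool()
	roots.AddCert(bundle)
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return "", err
	}
	if len(leaf.URIs) != 1 || leaf.URIs[0].Scheme != "spiffe" || leaf.URIs[0].Host != trustDomain || leaf.URIs[0].Path == "" {
		return "", errors.New("SVID must carry exactly one URI SAN that is a SPIFFE ID in " + trustDomain)
	}
	return leaf.URIs[0].String(), nil
}
```

Two properties worth checking in a real deployment are built in here: an entry matches only if all of its selectors were observed (a process that shares just the uid with a registered workload gets nothing), and the server derives the SVID's SPIFFE ID from the matched entry and its own trust domain, so nothing a requester places in the CSR can choose the identity it receives. The destination's check also fails closed when a leaf from a different CA is presented, because it never chains to the local bundle.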
23. SPIRE
(Diagram of the SPIRE architecture: a Core exposing the gRPC Workload API, with Node Attestor plug-ins and Workload Attestor plug-ins. Platforms named on the slide: Linux, Windows, OS X, Kubernetes, Mesosphere, AWS, GCP, Azure, Join Token, Kerberos, YubiKey and HSM providers. Uses named on the slide: secure introduction to other services, mTLS, JWTs, identity for proxy services, and simplifying deployment of distributed systems.)
24. What SPIFFE is not
● Authorization (however it provides identities upon which
authorization schemes can be deployed)
● Transport level security (however SVIDs can be used to
facilitate things like TLS or JWT signing)
25. Things we didn’t talk about
● Integration into custom datastores and PKI
● Design patterns (secure introduction to secrets stores,
service mesh, etc.)
● Identity translation
● Federation
26. Where to go next
● Github! (pointers to SIGs, Slack, mailing lists and more)
○ github.com/spiffe/spiffe
○ github.com/spiffe/spire
○ github.com/spiffe-example
● Evan Gilman's KubeCon 2017 talk on SPIFFE (YouTube)
● Medium - https://blog.scytale.com/
● Join our next community day (March 9, daytime PST) or meet us at KubeCon EU 2018 in Copenhagen