Single Sign-On (SSO) has become one of the most common ways for users to access applications and infrastructure. While there is a standard authentication protocol for SSO called OpenID Connect (OIDC), it’s missing a crucial security feature: the ability to bind public keys to identities. That’s why we created OpenPubkey — an open source project that enhances SSO security by introducing a cryptographic object known as a PK Token that binds public keys to identities. In this post, we’ll introduce OpenPubkey and share a few of its early use cases from Docker and BastionZero.
How Is OpenPubkey Different From the OpenID Protocol?
OpenPubkey is open source software that allows Identity Providers (IdPs) to act as certificate authorities (CAs). A CA is a trusted entity that issues certificates, which establish a cryptographic link between an identity and a public key. OpenPubkey leverages this concept to bind public keys to identities in OIDC-based SSO interactions.
OpenPubkey introduces the PK Token — a cryptographic object that securely links an identity (such as a user or a workload) to a public key. With OpenPubkey, any IdP supporting OpenID Connect can bind public keys to identities without requiring the IdPs to make any changes. This lets users sign messages with their signing key, which is authenticated and attributed to the user’s OpenID Connect identity. OpenPubkey upgrades OpenID Connect from bearer authentication to proof-of-possession, eliminating trust assumptions to protect against entire categories of attacks that can happen when OIDC is used on its own.
OpenPubkey Use Cases
By leveraging the PK Token, OpenPubkey allows organizations to build a wide range of cryptographic systems that require user-held signing keys, such as end-to-end encryption and code signing. The flexibility and versatility of OpenPubkey makes it a powerful tool for secure identity management. At BastionZero, we use OpenPubkey to provide secure remote access to infrastructure, mitigating the risk of unauthorized access. Docker plans to integrate OpenPubkey for signing containers in container registries to ensure the integrity and authenticity of containers.
How Does OpenPubkey Work?
Simply put: OpenPubkey turns an IdP into a CA by enabling it to bind public keys to identities. Here’s how.
- The user runs an OpenPubkey client that generates a public-private key pair.
- The OpenPubkey client cryptographically hashes the public key along with some random noise. The resulting hash value will be used as a nonce in OIDC authentication.
- The user’s client uses OIDC to authenticate to the IdP using their credentials and supplying the hash value as the OIDC nonce.
- Once the client completes its OIDC authentication to the IdP, the IdP provides the client with an ID Token that contains the IdP’s signature on the user’s email address and on the cryptographic hash.
- OpenPubkey creates a PK Token, which includes the ID Token, the user’s public key and the random noise. The PK Token is signed using the user’s private key. The user’s signature acts as a cryptographic proof that the user has access to the user-held secret signing key that is certified in the PK Token.
- The PK Token is then presented to an OpenPubkey verifier, which uses OpenID Connect to obtain the IdP’s public key.
- The verifier validates the ID Token using the IdP’s public key, and the rest of the other fields in the PK Token using the user’s public key.
For additional security, BastionZero uses an MFA Cosigner as an additional entity that’s independent of the IdP. When combined with OpenPubkey, BastionZero authenticates the user via independent multi-factor authentication (MFA) and then signs the PK Token. The OpenPubkey verifier must then verify the PK Token using the keys of both the IdP and the MFA Cosigner, which prevents the IdP from being a single point of compromise.
Getting Started With OpenPubkey
OpenPubkey opens doors to a myriad of use cases, ranging from secure container signing to remote infrastructure access. By adopting OpenPubkey, businesses can fortify their applications and infrastructure, ensuring the integrity and authenticity of their interactions with users and workloads.
OpenPubkey is a joint effort between the Linux Foundation, BastionZero and Docker. To learn more about OpenPubkey, visit the OpenPubkey open source project on GitHub.
See BastionZero in Action
BastionZero connects teams to resources and requires no additional infrastructure to deploy or manage. It is the first—and only—cloud-native solution for trustless access providing multi-root authentication while maintaining zero entitlements to your systems.
With BastionZero, you can reclaim your architecture from over-privileged third parties and ensure that the right people have access to the right resources at just the right time—every time.
Schedule a demo now to see how you can trust less and access more with BastionZero.
