All ‘Go’ for Thales’s Open Source project
By Richard Kettlewell
Thales has recently embarked on its first fully Open Source project, enabling organisations using cloud-related tools to leverage our hardware security modules (HSMs) for protection.
Platforms such as Docker are used to, very rapidly, bring up applications and services in a cloud environment, a process which partly relies on securely delivering the code for these applications and services into newly created virtual machines or cloud environments.
Currently, this is done using what is, essentially, a pure software signature system. This, in itself, is absolutely fine, but our raison d’etre at Thales is to provide hardware-backed signatures, protecting the key and offering a greater level of security.
We were aware that Notary, the component responsible for securing the delivery of software images through the Docker system, was written in a language called Golang, and identified this as a way in which we could help users of Docker and its ilk to implement our HSMs with as little hassle and cost as possible.
Closely associated with Google, Go - often referred to as Golang - is mostly targeted at application, infrastructure and system development and is used in a fair amount of cloud-related software. An Open Source language, it’s possible to download its entire implementation and, by poking around inside, it doesn’t take long to identify ways in which it can be integrated into other projects; Go can be used as is, adapted, or extended if need be.
Having identified Go as a viable language, we made the decision to put our contribution on Github as a free resource.
We’ve done the heavy lifting as far as a general application is concerned, but it should be relatively straightforward for a Go programmer to add support for any more key types and, by making it Open Source, we’ve removed any barriers to doing just that.
The licence is very permissive, so there’s no need to spend lots of time with lawyers on contracts. There’s no need to pay any money; programmers can just pick it up and get going. They can take a look inside to see how it works; they can review it and, if an audit is required, they’ll find that that what they’re using is actually secure code, instilling a greater sense of confidence.
Go is growing in popularity as a language, competing with C and, to some extent, Java. Most importantly, people are using it for real work right now.
We’re offering exactly what’s needed by those developers who’ve identified cryptographic keys that need protection in an HSM within whatever project they’re working on in Go. Easy to use, flexible and, of course, secure, by making our code available as a free resource we’re lowering the barriers to anyone looking to use our HSMs to protect their cloud-based projects.
This is our first toe in the water of Open Source contributions but, with such obvious benefits, it’s certainly only the beginning. We are Go.
You can find the code online here: https://github.com/ThalesIgnite/crypto11