Key management servers and services are expensive, which has traditionally left server application passwords poorly protected.
Expand upon the Crypt Keeper library to produce a key management server that is simple to set up.
This is the total amount allocated to Expand Key Crypt Library - Key Management Server Application.
None
No dependencies
Project will be fully open source
In early 2023, The Morphium developed a simple Python-based key management toolset to secure important application passwords (database passwords, skeys, etc.) behind a gatekeeper. The tool is already available and has been fully open source since day one. The package uses the following logic:
1) Maintain an allowlist of IP addresses permitted to initiate access requests.
2) Maintain a list of servers allowed to retrieve keys.
3) An API request is sent from an authorized computer to open a 5-minute access window.
4) The request must include a 2FA code as part of this authorization attempt.
5) If the request fails 3 times within a short period of time, the interface is locked out entirely for an hour, with no option to reset.
6) If the request is authenticated, the gatekeeper allows retrieval of keys for the next 5 minutes.
7) An application requests a key as part of its start-up procedure, for example to access a database.
8) The key is never stored on the application server; it is only ever held in the application's running memory.
https://github.com/TheMorphium/crypt_keeper
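To make the gatekeeper flow above concrete, here is an added, self-contained Python model of it. This is illustrative code written for this page, not code from the crypt_keeper repository. It assumes TOTP (RFC 6238) as the 2FA factor, a 60-second window for counting the three failures (the description only says "a short period of time"), a single in-process gatekeeper, and an injectable clock so the lockout and the 5-minute window can be exercised without waiting; the IPs, server names, secret and stored password are all constructed sample values.

```python
import hashlib
import hmac
import struct
import time

# Policy values from the description above; the 60-second failure window is
# an assumption, since the page only says "a short period of time".
ACCESS_WINDOW = 5 * 60      # seconds a successful request keeps retrieval open
LOCKOUT_SECONDS = 60 * 60   # lockout after repeated failures, no reset
MAX_FAILURES = 3
FAILURE_WINDOW = 60

# Constructed demo secret: a real deployment generates a random one per
# authenticator enrolment and never embeds it in code.
TOTP_SECRET = b"constructed-demo-secret"


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1), standing in for the 2FA factor."""
    counter = int(now // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Gatekeeper:
    """In-process model of the access-window / lockout logic."""

    def __init__(self, requester_ips, key_servers, totp_secret, keys, clock=time.time):
        self.requester_ips = frozenset(requester_ips)  # may open the window
        self.key_servers = frozenset(key_servers)      # may fetch keys
        self.totp_secret = totp_secret
        self.keys = dict(keys)                         # held in memory only
        self.clock = clock                             # injectable for testing
        self.window_expires = 0.0
        self.locked_until = 0.0
        self.failures = []                             # timestamps of bad attempts

    def open_window(self, src_ip, code):
        """Authorization request: allowlisted IP plus a valid TOTP code."""
        now = self.clock()
        if now < self.locked_until:
            return False
        if src_ip not in self.requester_ips:
            # Unlisted sources are dropped without touching the failure counter,
            # otherwise anyone on the network could trigger the one-hour lockout.
            return False
        if not hmac.compare_digest(code, totp(self.totp_secret, now)):
            self.failures = [t for t in self.failures if now - t < FAILURE_WINDOW]
            self.failures.append(now)
            if len(self.failures) >= MAX_FAILURES:
                self.locked_until = now + LOCKOUT_SECONDS
                self.failures = []
            return False
        self.failures = []
        self.window_expires = now + ACCESS_WINDOW
        return True

    def get_key(self, server, name):
        """Key retrieval: only listed servers, only while the window is open."""
        now = self.clock()
        if server not in self.key_servers or now >= self.window_expires:
            return None
        return self.keys.get(name)


class FakeClock:
    def __init__(self, start=1_700_000_000.0):
        self.t = start

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Walk the flow end to end and return each step's outcome."""
    clock = FakeClock()
    gk = Gatekeeper(requester_ips={"10.0.0.5"}, key_servers={"app-01"},
                    totp_secret=TOTP_SECRET,
                    keys={"db_password": "constructed-sample-password"},
                    clock=clock)
    r = {}
    r["before_auth"] = gk.get_key("app-01", "db_password")        # window closed
    good = totp(TOTP_SECRET, clock())
    bad = str((int(good[0]) + 1) % 10) + good[1:]                 # guaranteed wrong
    r["unlisted_ip"] = gk.open_window("192.0.2.9", good)
    r["three_bad"] = [gk.open_window("10.0.0.5", bad) for _ in range(MAX_FAILURES)]
    r["locked_out"] = gk.open_window("10.0.0.5", good)            # still locked
    clock.advance(LOCKOUT_SECONDS)
    r["after_lockout"] = gk.open_window("10.0.0.5", totp(TOTP_SECRET, clock()))
    r["listed_server"] = gk.get_key("app-01", "db_password")
    r["unlisted_server"] = gk.get_key("rogue-host", "db_password")
    clock.advance(ACCESS_WINDOW + 1)
    r["window_closed"] = gk.get_key("app-01", "db_password")      # window expired
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:16} {outcome!r}")
```

Two design points worth noting: requests from IPs outside the allowlist are rejected before the failure counter is touched, so that an unauthenticated host cannot deliberately trigger the one-hour lockout, and the TOTP comparison uses `hmac.compare_digest` so the check does not leak timing information about the code.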
This proposal is to expand on this library to make the tool even more usable. We would like to build a precompiled binary package (Docker image, ISO, etc.) that can be installed easily on a virtual machine or Raspberry Pi, further tighten security, and create a web console to manage access. Presently the tool is built to be inaccessible except from a direct console connection, but it should be possible to create a one-way interface that can onboard new servers and passwords without exposing keys.
As a stretch goal, we would like to set up the web interface to support code updates, as well as seed-phrase key creation, so that a new instance can reproduce keys identical to those of a previous installation (the seed phrase then has to be protected at least as carefully as the keys it regenerates).
This proposal allows for a significantly higher level of protection for application developers, at little to no cost to implement.
Success will be measured by ease of use, and ease of installation.
The entire project is open source, and will forever remain as such. Anyone with an interest will be able to monitor the progress in the repository.
Success should be easy to achieve, as the original key management logic has already been written and proven. The functionality to be added follows well-known paths.
The main goal is to make the package as easy to implement as possible. Currently the package is fully functional, but it requires knowledge of how to set it up within a Python environment, how to harden a virtual appliance, and tedious console configuration.
Entire project should be completed within a 3 month timeframe.
The following are the deliverables for this project:
Packaged installation for application
Security hardening
Web Interface to manage Key Management
All monies received would be used to cover labor costs, which are being heavily subsidized by the developer.
Security is paramount for all blockchain developers. If this Key Management Server prevents a single attack, it will have served its purpose.
Huth S0lo - Lead Developer
Chase Donovan - Front End Developer