DNSSEC Integration
Presented By Duy Nguyen (PMS)
Agenda
Part 1: Utimaco HSM
- CryptoServer LAN
- Placing Into Operation
- Administration Tools
- Keys and Key Management
- Basic Administration
- Application
Part 2: Utimaco HSM and DNSSEC integration
- Init slot
- Build DNSSEC
- DNSSEC Configuration
Hardware
CryptoServer LAN = CryptoServer + communication unit
- Industry PC solution
- Automatic voltage detection (100-240 V)
- Dual Network Interface (2 x 1Gbit)
- Flash Disk
- Hardware Watchdog on board
- 4 x 40 Display + Navigation Panel
- Serial + USB Port (e.g. pinpad)
- External battery exchange
Software
CryptoServer LAN
Components shown in the software diagram: operating system (Linux), CSXLAN with csxlan.conf, DSP_ADMIN, csadm, PCI driver, SSH, SNMP, Remote Administration, CryptoServer SE / CS
Operating System
- Selfmade, hardened kernel, based on Linux from scratch
CSXLAN
- TCP server (daemon) for remote access
- Maps CryptoServer to port (default 288)
- Serializes commands
- Automatic time synchronization to external time reference
DSP_ADMIN
- Display and keyboard
- Integrated administration of CryptoServer (e.g. loading of MBK) and CSXLAN (e.g. setting of IP address)
- Menu structure configurable
User can revert back to Utimaco defaults
User cannot change factory partition
Set IP-address
To set the IP address: -> LAN Box administration -> Configuration -> Network -> IP address
The 2 digits after the slash represent the number of consecutive 1 bits in the desired netmask. The number 24 corresponds to the netmask 255.255.255.0.
Note: Also record which network connection, either "eth0" or "eth1", the network cable is plugged into on the CryptoServer LAN.
SSH
To enable the SSH daemon:
-> "LAN Box Administration" -> "Configuration" menu item -> "Services" -> "SSH Daemon" -> "Configuration" -> "Configuration of SSH Daemon" -> "[x] Enable" and confirm by pressing "OK"
You can change the password for the "root" user in two different ways:
- Either via an SSH connection from your Admin PC
- Or directly on the CryptoServer LAN, by connecting a keyboard and a screen to it
Demo
CS LAN:
- Connect to power and network cable
- Set IP address
- Set Gateway
- Test connectivity (ping)
- Enable SSH
- Change the password for the "root" user
Administration Tools
CAT
- GUI, Java based
- Windows, Linux, Solaris
csadm
- Command line tool
- Windows, Linux, Solaris, AIX
CSLAN: CSLGetLogFile, CSLShutdown, Init-Key management: GenKey, Backupkey, Master Box Key Management Misc: CMD, GenRandom,
Environment variables can be used to set parameters. After set CRYPTOSERVER=TCP:192.168.4.161 it is no longer necessary to specify the Device parameter.
Commands can be bundled: csadm AuthRSASign=ADMIN,:cs2:cyb:USB LoadFile= LoadFile= loads several files, and the PIN has to be entered only once.
- An AES 256 key; 3DES supported for backward compatibility
- Necessary to back up and restore keys stored at the SafeGuard CryptoServer on the host system
- Supports k out of n key sharing
- Usable on several SafeGuard CryptoServers to realize high availability
- Remotely administrable (import possible without an administrator on site)
Generate key and store on 4 smartcards, whereof 2 are needed to recombine key
Key set consists of N smartcards, whereof K are needed to recombine MBK (here: N=4, K=2)
Administration Keys
Administration keys can be stored:
- on a smartcard (recommended)
- as a key file, plain or password encrypted
Administration keys are assigned to an administration role.
User Manager (0x2000 0000) and Firmware Manager (0x0200 0000) can be created (exclusive permission or 4 eyes)
If a customer-specific, fully qualified administration role is created, the default ADMIN user can be deleted.
If the administration keys are lost, it is possible to reset the SafeGuard CryptoServer to the factory default configuration.
An external erase has to be performed. Afterwards the SafeGuard CryptoServer can be reset to the factory default configuration.
Basic Administration
How to
- generate and assign an administrator key
- re-initialize the SafeGuard CryptoServer Se
- change PIN on a smartcard
- manage users and keys
- monitor
Choose the number of backups to create. One backup half of the key could be stored together with the user key (not recommended) on a smartcard. Prepare smartcards for all administrators.
As the last step, select the user ADMIN and press Delete user.
m&n
- "m (shares)" is the number of people to which the key is to be distributed
- "n (shares)" is the minimum number of people required to use the key
Choose the number of shares needed to recombine the MBK (k value) and the number of shares you want to create (k value)
Select automatic MBK Import to load the MBK to the SafeGuard CryptoServer, otherwise the Import tab has to be used. Press Generate. If an existing MBK should be imported, use the Import tab.
This command changes the User PIN of a smartcard; the MBK PIN of a smartcard is changed with the MBK Management dialogs.
Monitoring
Extended SNMP support
CryptoServer objects
- Status, internal temperature, alarm state, firmware module state, operational mode, bootloader version, serial number, battery state, system time
CryptoServer LAN objects
- Load, CryptoServer LAN software version, serial number, battery state, system time, number of client connections
Configuration through CryptoServer LAN front panel menu or ssh
Monitoring can be done by a script on the host evaluating the following commands:
- Get the current state of the SafeGuard CryptoServer with the csadm GetState command. Check that the SafeGuard CryptoServer is alive, the state is operational and the temperature is in range.
- Check that the needed functionality is available with the csadm ListModulesActive command. Do all modules have state INIT_OK?
- Check the battery state with the csadm GetBattState command.
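A host-side script for the three checks above, as an added example (not Utimaco's or the presenter's code). It uses only the csadm commands named on this slide; the output layouts it parses, the constructed sample text and the TEMP_MAX limit are assumptions to adapt to the installed csadm version.

```sh
#!/bin/sh
# Added example. The csadm output layouts are ASSUMED and the sample text is
# constructed; adapt the patterns to what your csadm version prints.
TEMP_MAX=${TEMP_MAX:-60}   # assumed temperature limit in degrees Celsius

# GetState: mode must be operational, alarm off, temperature within limit.
check_state() {
    awk -F'=' -v max="$TEMP_MAX" '
        { k = $1; v = $2
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == "mode"  { mode_ok  = (v ~ /^Operational/) }
        k == "alarm" { alarm_ok = (v == "OFF") }
        k == "temp"  { temp_ok  = (v + 0 <= max) }
        END { exit !(mode_ok && alarm_ok && temp_ok) }'
}

# ListModulesActive: every module row (hex ID first) must end in INIT_OK.
check_modules() {
    awk '$1 ~ /^[0-9a-fA-F]+$/ && NF >= 3 { rows++; if ($NF != "INIT_OK") bad++ }
         END { exit !(rows > 0 && bad == 0) }'
}

# GetBattState: every battery line must report "ok".
check_battery() {
    awk -F':' '/Battery/ { seen++; split($2, f, " "); if (f[1] != "ok") bad++ }
               END { exit !(seen > 0 && bad == 0) }'
}

# Constructed sample output for trying the checks without an HSM.
sample_state() { printf '%s\n' 'mode     = Operational Mode' \
    'state    = INITIALIZED (0x00100004)' 'temp     = 34.5 [C]' 'alarm    = OFF'; }
sample_modules() { printf '%s\n' 'ID  name  version  initialization level' \
    '----------------------------------------' ' 0  SMOS  3.1.3.3  INIT_OK' \
    '83  CMDS  3.2.0.4  INIT_OK'; }
sample_battery() { printf '%s\n' 'Carrier Battery:  ok (3.058 V)' \
    'External Battery: ok (3.201 V)'; }

# Runs the three csadm commands (CRYPTOSERVER must be exported) and returns
# 0 = OK, 1 = warning, 2 = critical. Empty output counts as a failure.
hsm_health() {
    rc=0
    csadm GetState          | check_state   || { echo "CRITICAL: state, alarm or temperature"; rc=2; }
    csadm ListModulesActive | check_modules || { echo "CRITICAL: a module is not INIT_OK"; rc=2; }
    csadm GetBattState      | check_battery || { echo "WARNING: battery"; [ "$rc" -ne 0 ] || rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: CryptoServer operational"
    return "$rc"
}

case "${1:-}" in --run) hsm_health ;; esac
```

Called with --run from cron or a monitoring agent, the script exits with the status returned by hsm_health; an unreachable HSM produces no output and is therefore reported as critical.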
Demo
- Create Administrators
- Generate and import MasterBoxKeys
Product Portfolio
SafeGuard CryptoServer Se-Series
SafeGuard CryptoServer CS-Series
SafeGuard SecurityServer
- Secure channel between application and SafeGuard CryptoServer available
- Strong authentication available, 2 FA, 4 Eyes
- Thread-safe for use in multi-threading applications
- Multiple SafeGuard CryptoServer support for each application
- Up to 256 parallel sessions/applications per SafeGuard CryptoServer
- Hardware random number generator for the generation of high-quality RSA keys.
- Tamper-proof storage of numerous cryptographic keys (e.g. more than 30,000 RSA keys, 1,024 bits).
- Use 2 factor authentication to back up/restore cryptographic keys.
- All cryptographic algorithms (also encryption/decryption, hashing) are performed directly in the HSM and are therefore protected against manipulation.
Architecture
Components shown in the architecture diagram: Microsoft CryptoAPI, CSP libraries (cs2csp.dll, cs2csplib.dll), PCI Driver, CryptoServer PCI, TCP Server
HSM hardware: Cluster may consist of CryptoServer PCI(e) and/or CryptoServer LAN
Cluster size: 2 or more HSMs in cluster
Installation sites: local or remote HSMs
Failover mechanism
- Failover from 1st to 2nd to nth to 1st
- Prioritization of HSMs in planning (e.g. local or higher-performance HSMs get higher priority when scheduling next HSM)
- Re-use of failed CryptoServer after repair/replacement
Flexibility
Preparation
This demo runs on Linux RHEL 6.3 and uses the following packages:
- bind-9.9.2-P2.tar.gz
- openssl-1.0.0f.tar.gz
Environment Variables
Check environment variables:
export CS_PKCS11_R2_CFG=/dnssec/utimaco/cs_pkcs11_R2.cfg
export CRYPTOSERVER=3001@192.168.66.15
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/dnssec/utimaco/
export LD_LIBRARY_PATH
Login with
PKCS#11 CryptoServer Administration
Init PIN:
p11tool2 [Lib=<lib_path>] [Slot=<slot_id>] LoginSO=<so_pin> InitPIN=<user_pin>
Example: ./p11tool2 Slot=0 LoginSO=12345678 InitPIN=123456
Patch OpenSSL
Just run the following commands:
cd openssl
patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch
Result:
[root@dnssec openssl]# patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch
patching file Configure
patching file Makefile.org
patching file README.pkcs11
patching file crypto/opensslconf.h
patching file crypto/bio/bss_file.c
patching file test/clean_test.com
patching file util/libeay.num
patching file util/mk1mf.pl
patching file util/mkdef.pl
patching file util/pl/VC-32.pl
[root@dnssec openssl]#
Build OpenSSL
Just run the following command:
Linux 64Bit:
./Configure linux-generic64 -m64 -pthread \
    --pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \
    --pk11-flavor=crypto-accelerator \
    --prefix=/opt/openssl-p11
Linux 32Bit:
./Configure linux-generic32 -m32 -pthread \
    --pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \
    --pk11-flavor=crypto-accelerator \
    --prefix=/opt/openssl-p11
View Keys
Use command:
pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]
Example:
Slot 1:
pkcs11-list -s 1 -p 123456
Slot 0:
pkcs11-list -p 123456
Demo
1. Placing Into Operation: Configure HSM IP
2. Administration Tools:
- Install admin tool
- Install Pin-pad driver, check configuration in admin tool.