Utimaco HSM

DNSSEC Integration
Presented By Duy Nguyen (PMS)

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Hardware
CryptoServer LAN = CryptoServer + communication unit
Industry PC solution Automatic voltage detection (100-240 V) Dual Network Interface (2 x 1Gbit) Flash Disk Hardware Watchdog on board 4 x 40 Display + Navigation Panel Serial + USB Port (e.g. pinpad) External battery exchange

Implementation environment with one or more SafeGuard CryptoServer LAN

Software
CryptoServer LAN

Operating System
Selfmade, hardened kernel, based on Linux from the scratch

DSP_ADMIN

csadm

NTP Client / Server

CSXLAN
TCP Server (daemon) for remote access Maps CryptoServer to Port (default 288) Serialize commands Automatic time synchronization to external time reference
csxlan.conf

CSXLAN

NTP Client / Server

PCI driver

DSP_ADMIN
Display and Keyboard Integrated Administration of CryptoServer (e.g. loading of MBK) and CSXLAN (e.g. setting of IP-address) Menu structure configurable
Operating system LINUX

SSH
Remote Administration

CryptoServer SE / CS

SNMP

Software Update via Partitions

Concept:
Three boot partitions: factory (no permanent storage) User1 User2

Updates do not change running system

Two system states are kept The actual and the old system is kept (for update)

User can revert back to Utimaco defaults User can not change factory partition

Software Update via Partitions (cnt.)

Update: Copy new image from USB device to second boot partition
Activate: Set second boot partition to active Reboot: User settings are copied to new active boot partition

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Install LAN appliance

Connect SafeGuard CryptoServer LAN on the back panel with a 100-240 V mains power supply. Connect SafeGuard CryptoServer LAN with your network by means of a twisted-pair cable (RJ45). Turn the power supply switch on (back panel). Turn SafeGuard CryptoServer LAN on (front panel). If necessary, connect a PIN pad to SafeGuard CryptoServer LAN (ill. front panel 2). This can also be done during operation. SafeGuard CryptoServer LAN is ready for operation after approx. 30 seconds.

Set IP-address
To Set IP: -> LAN Box administration -> Configuration
-> Network

->IP address
The 2 digits after the slash represent the number of consecutive 1 bits in the desired netmask. The number 24 corresponds to the netmask 255.255.255.0.
Note: You should also take note of the network connection, either "eth0" or
"eth1", to which you have connected the network cable to the CryptoServer LAN

Entering the IP address of the default gateway

To set default gateway:
-> LAN Box administration -> Configuration -> Network -> Default Gateway

SSH
To enable the SSH daemon:
-> "LAN Box Administration -> "Configuration" menu item. -> "Services" -> "SSH Daemon -> "Configuration -> "Configuration of SSH Daemon -> "[x]Enable" and confirm by pressing "OK

Set the IP area for which SSH access is to be permitted:

Changing the password for the "root" user

As we have already set the password for accessing the operating system ("root" user), we strongly recommend you change it as soon as possible.

You can change the password for the "root" user in two different ways.
Either via an SSH connection from your Admin PC Or directly on the CryptoServer LAN, by connecting a keyboard and a screen to it.

Enabling the web interface

CryptoServer can display different status information about a web interface in a normal browser. To enable the web interface:
-> LAN Box Administration -> Configuration -> Services -> Web Interface and [X]Enable
You can also access the web interface using a browser via HTTP port 80. In this case, you must enter the CryptoServer LAN's IP address as the URL. You can then use the web interfaces to display status information. However, you cannot configure the CryptoServer LAN or the CryptoServer via the web interface.

Demo
CS LAN: Connect to power and network cable. Set IP address Set Gateway Test connectivity (ping) Enable SSH Changing the password for the "root" user

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Administration Tools
CAT
GUI Java based Windows, Linux, Solaris

csadm
Command line tool Windows, Linux, Solaris, AIX

Command Line Tool

Command groups:
Basic: Load Preparation: Raw Commands: Bootloader:
Help, PrintError, Version MakeMTC, Pack, Unpack, Reset, ResetToBL, GetInfo, StartOS, RecoverOS, BLChangeInitKey, BLLoadFile, BLSetRTC, BLResetAlarm GetState, GetAlarmLog, ListFiles, LoadPkg, LoadFile, DeleteFile, ListModulesActive, GetBootLog ListUser, AddUserRSASign, ChangeUser, DeleteUser, LogonSign, LogonPass, AuthRSASign, AuthClearPwd, Login, Logoff,

Administration: Usermanagement: Authentication:

CSLAN: CSLGetLogFile, CSLShutdown, Init-Key management: GenKey, Backupkey, Master Box Key Management Misc: CMD, GenRandom,

Command Line Tool

Help available: csadm help=<cmd> Parameter (selection):
Parameter Dev= Description Address of SafeGuard CryptoServer, e.g.: TCP:[email protected], PCI:0, /dev/cs2a Key identifier of private init key User authentication Used by nearly all

InitPrvKey= AuthRSASign= AuthSHA1PWD= AuthClrPWD=

many boot loader commands nearly all

Command Line Tool

Parameter:
Key identifier C:\my_keys\initprv.key :cs2:cyb:USB Description Local key file Specifies a connected PIN-Pad. The name has the following form :smartcard-id:pinpad-id:port -id :cs2 CryptoServer Smartcard :cyb cyberjack ReinerSCT PINPad used :USB USB port (COM1 for serial port 1)

Environment variables could be used for parameter setting. After set CRYPTOSERVER=TCP:192.168.4.161 it is no more necessary to specify the Device Parameter. Commands could be bundled: csadm AuthRSASign=ADMIN,:cs2:cyb:USB LoadFile= LoadFile= loads several files, PIN has to be entered only once.

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Master Box Key

MBK is ..

An AES 256 key, 3DES for backward compatibility supported Necessary to backup and restore keys stored at the SafeGuard CryptoServer on the host system Supporting the k out of n key sharing Usable at several SafeGuard CryptoServer to realize high availability Remote administrable (import possible without administrator on site)

Master Box Key

Exit

utimaco
s a f ew a r e
OK PS/2 COM CS (1) CS (2)

Exit

utimaco
s a f ew a r e

OK PS/2 COM CS (1) CS (2)

1 4 7 *

2 5 8 0

3 6 9 .

1 4

2 5 8 0

3 6 9 .

DEL

DEL

CLR

OK

Generate key and store on 4 smartcards, whereof 2 are needed to recombine key

7 *

CLR

OK

Import MBK from two smartcards

Key set consists of N smartcards, whereof K are needed to recombine MBK (here: N=4, K=2)

Administration Keys
Administration keys could be stored
on a smartcard recommended as key file plain or password encrypted
Administration keys would be assigned to a administration role
User Manager (0x2000 0000) and Firmware Manager (0x0200 0000) can be created (exclusive permission or 4 eyes)

If a customer specific, fully qualified administration role is created, the default ADMIN user can be deleted If the administration keys are lost, it is possible to reset the SafeGuard CryptoServer to the factory default configuration.
An external erase has to be performed. Afterwards the SafeGuard CryptoServer could be reseted to the factory default configuration

Customer Keys overview

Administrator Keys
CAT or CSADM Administration Tool Standard Interfaces CXI, PKCS#11, Customer Interface

CSAPI

PCI driver

Client PC (Windows, Linux, Solaris)

Master Box Key (MBK)

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Basic Administration
How to
generate and assign an administrator key re-initialization of the SafeGuard CryptoServer Se change PIN on a smartcard manage user and keys monitoring

Basic Administration - Users

Basic Administration User Group

User groups 6,7: CryptoServer administration purposes. User groups 0 to 5: application-specific access rights. The following user groups are predefined:

Permissions and authentication status

Generate and assign administrator keys

In CAT select KeyTools -> SmartCard Management
Select the algorithm The Key-Info text is the name of the key at the smartcard (shown when
calling KeyTools -> SmartCard -> Show SmartCard info)

Choose the number of backups to create One backup half of the key could be stored together with the user key (not recommended) on a smartcard. Prepare smartcards for all administrators.

Generate and assign administrator keys

OR:
In CAT select KeyTools -> KeyFile Management -> Generate to generate a file based administration key

The key file could be stored password encrypted or plain

Generate and assign administrator keys

Login in the ADMIN user
Select the ADMIN user and clickLogin

Generate and assign an administrator key

Select User Management and press Add user

Generate and assign administrator keys

Create an administration user (here: 4-eyes-principle)
Group 7 = 1 Group 6 = 1

Assign the key created before

Generate and assign administrator keys

Perform these steps for the second administrator

As last step, select the user ADMIN and press Delete user

Generate and Import the Master Box Key MBK

First login a user to the SafeGuard CryptoServer
Select an Admin user from the list and click Login

Follow the instructions

m&n
"m (shares)" is the number of people to which the key is to be distributed "n (shares)" is the minimum number of people required to use the key.

Generate and Import the Master Box Key MBK

Open the Remote MBK Management dialog Key Management -> Remote MBK Management Enter the name of the MBK, select the type (AES is recommended)

Choose the number of shares needed to recombine the MBK (k value) and the number of shares you want to create (k value)
Select automatic MBK Import to load the MBK to the SafeGuard CryptoServer, otherwise the Import tab has to be used. Press Generate If an existing MBK should be imported, use the Import tab.

SafeGuard CryptoServer CS/Se : Basic Administration Change PIN of a smartcard

In CAT select KeyTools -> SmartCard Management

Switch to tab Change PIN

Press Change PIN

Follow the instructions at the PIN-Pad

This command changes the User PIN of a smartcard, the MBK PIN of a smartcard is changed with the MBK Management dialogs

Monitoring
Extended SNMP support
CryptoServer objects Status, internal temperature, alarm state, firmware module state, operational mode, bootloader version, serial number, battery state, system time CryptoServer LAN objects Load, CryptoServer LAN software version, serial number, battery state, system time, number of client connections

SNMP traps when

Temperature, load, number of clients exceed min/max threshold Configurable threshold Battery low, alarm state, CryptoServer changes operating mode, CryptoServer LAN boot/shutdown/restart

Configuration through CryptoServer LAN front panel menu or ssh Monitoring could be done by a script on the host evaluating the following commands:
Get actual state of the SafeGuard CryptoServer with the csadm GetState command. Check if the SafeGuard CryptoServer is alive and state is operational and temperature is in range Check if the needed functionality is available with the csadm ListModulesActive command All modules have state INIT_OK ? Check battery state with csadm GetBattState command

Demo
Create Administrators Generate and import MasterBoxKeys

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Product Portfolio
SafeGuard CryptoServer Se-Series SafeGuard CryptoServer CS-Series

SafeGuard SecurityServer

PKCS#11, JCE, MS CSP/CNG/SQL EKM, OpenSSL, CXI

SafeGuard TimestampServer SafeGuard CryptoServer SDK

RFC 3161, CTS API

RFC 3161, CTS API

Software Development Kit for Customized Functionality

SafeGuard CryptoServer Roadmap September 2012

45

Security Server Overview

Security Server including the following interfaces:
PKCS#11 CSP and CNG for Microsoft CryptoAPI (MSCAPI) Utimaco Cryptographic Extended Interface (CXI) JCE Open SSL

Product CD with installation on Windows systems

Select the aim of installation: Runtime/Development/Custom Including CAT

Security Server Overview

Supported operating systems:
Microsoft Windows XP, Vista, Server 2003, Server 2008 Linux kernel 2.4.0 and higher RHEL 6, SUSE 10 Solaris 8 and higher AIX

Security Server PKCS#11

Benefits
2 operation modes:
In cluster mode every device is accessible separately by different slotIDs In failover mode transparent failover functionality available

Secure channel between application and SafeGuard CryptoServer available Strong authentication available, 2 FA, 4 Eyes Thread-save for use in multi threading applications Multiple SafeGuard CryptoServer support for each application Up to 256 parallel sessions/applications per SafeGuard CryptoServer

Security Server PKCS#11

Architecture
PKCS#11 libraries: cs2_pkcs11_R2.dll libcs2_pkcs11_R2.so

CXI Firmware module

Security Server PKCS#11

Configuration of the PKCS#11 interface:
cs_pkcs11_R2.cfg file can contain several sections: [Global] section for general configuration (timeout, logging) Several [CryptoServer] sections for each SafeGuard CryptoServer device that should be addressed by the application. Several [Slot] sections, the slot number must be defined, non standard authentication can be configured

Microsoft CSP / CNG

Benefits
Multitenancy: Assign a key to a user group, these keys are not visible for user not in the assigned group
When SafeGuard CryptoServer LAN is employed, several clients/applications can use one single SafeGuard CryptoServer.

Failover and clustering available

External storage of keys available to synchronize several CryptoServer LAN.

Hardware random number generator for the generation of high-quality RSA keys. Tamper-proof storage of numerous cryptographic keys (e.g. more than 30,000 RSA keys, 1,024 bits). Use 2 factor authentication to backup/restore cryptographic keys. All cryptographic algorithms (also encryption/decryption, hashing) are performed directly in the HSM and are therefore protected against manipulation.

Microsoft CSP / CNG

Client Computer

Architecture
CSP libraries: cs2csp.dll cs2csplib.dll

Application (e.g. Microsoft PKI)

Microsoft CryptoAPI

Utimaco CryptoServer CSP Digital Signature (Microsoft)

PCI Driver

CryptoServer PCI

CXI Firmware module

Utimaco CryptoServer LAN

TCP Server

PCI Driver

CryptoServer PCI

CXI - Cryptographic Core Interface

Benefits:
All important platforms supported Comfortable and flexible implementation High performance Nearly all cryptographic functions are available Easy to extend according the needs of the customer FIPS 140 2 Level 3 certification in process Used for PCI DSS implementation

CXI - Cryptographic Core Interface

Based on the CXI firmware module several host API are implemented:
OpenSSL CryptoServerJCE CXI .net CXI C-Interface CXI Java Class Library

Easy to use, fast implementation in your application:

Source code examples for all host APIs are available

Integrated authentication and secure messaging

CXI - Cryptographic Core Interface

CXI Failover Architecture
Host System / application Server
Application
CryptoServer remote Management

CXI DLL / Jar

CXI configuration file

Optional Key Storage

Secure channel over TCP/IP

CXI - Cryptographic Core Interface

CXI Failover Architecture
From application point of view, transparency of

HSM hardware: Cluster may consist of CryptoServer PCI(e) and/or CryptoServer LAN Cluster size: 2 or more HSMs in cluster Installation sites: local or remote HSMs
Failover mechanism

Failover from 1st to 2nd to nth to 1st Priorization of HSMs in planning (e.g. local or higherperformance HSMs get higher priority when scheduling next HSM) Re-Use of failed CryptoServer after repair/replacement
Flexibility

HSM may belong to several clusters Internal or external key storage

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Preparation
This Demo will show in Linux RHEL 6.3 And use the following package:
bind-9.9.2-P2.tar.gz openssl-1.0.0f.tar.gz

Environment Variables
Check environment variables:
export CS_PKCS11_R2_CFG=/dnssec/utimaco/cs_pkcs11_R2.cfg Export [email protected] LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/dnssec/utimaco/ export LD_LIBRARY_PATH

Check PKCS#11 configure file

Logpath = /utimaco # Prevents expiring session after inactivity of 15 minutes KeepAlive = true [CryptoServer] Device = [email protected]

Init slot Create User

Init slot Create SO User

Login with
PKCS#11 CryptoServer Administration

Init slot Create SO/User With Command Line

Init SO PIN:
p11tool2 [Lib=<lib_path>] [Slot=<slot_id>] [Label=<label>] [Force=<force>] [Login=<admin_name>,<admin_auth_token>] InitToken=<so_pin>
Example: ./p11tool2 Slot=0 Login=ADMIN,init_dev_prv.key Force=1 InitToken=12345678

Init PIN:
p11tool2 [Lib=<lib_path>] [Slot=<slot_id>] LoginSO=<so_pin> InitPIN=<user_pin>
Example: ./p11tool2 Slot=0 LoginSO=12345678 InitPIN=123456

Some other commands

./p11tool2 ./p11tool2 help=InitPIN
./p11tool2 Slot=1 GetSlotInfo ./p11tool2 Slot=1 LoginUser=123456 ListObjects

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Extract Bind & OpenSSL

cd /dnssec tar zxf openssl-1.0.0f.tar.gz tar zxf bind-9.9.2-P2.tar.gz mv openssl-1.0.0f openssl mv bind-9.9.2-P2 bind WARNING: RHEL will need pcsc-lite-devel package.
pcsc-lite-1.5.2-7.el6.x86_64 pcsc-lite-openct-0.6.19-4.el6.x86_64 pcsc-lite-devel-1.5.2-7.el6.x86_64 pcsc-lite-libs-1.5.2-7.el6.x86_64

Patch OpenSSL
Just run the following command: cd openssl patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch Result
[root@dnssec openssl]# patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch patching file Configure patching file Makefile.org patching file README.pkcs11 patching file crypto/opensslconf.h patching file crypto/bio/bss_file.c patching file test/clean_test.com patching file util/libeay.num patching file util/mk1mf.pl patching file util/mkdef.pl patching file util/pl/VC-32.pl [root@dnssec openssl]#

Build OpenSSL
Just run the following command: Linux 64Bit:
./Configure linux-generic64 -m64 -pthread \ --pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \ --pk11-flavor=crypto-accelerator \ --prefix=/opt/openssl-p11

Linux 32Bit:
./Configure linux-generic32 -m32 -pthread \ --pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \ --pk11-flavor=crypto-accelerator \ --prefix=/opt/openssl-p11

make make install

[root@dnssec dnssec]# /opt/openssl-p11/bin/openssl engine pkcs11 -t (pkcs11) PKCS #11 engine support (crypto accelerator) [ available ]

Agenda
Part 1: Utimaco HSM CryptoServer LAN Placing Into Operation Administration Tools Keys and Key Management Basic Administration Application Part 2: Utimaco HSM and DNSSEC integration Init slot Build DNSSEC DNSSEC Configuration

Install BIND Domain Name Server

Run the following command: ./configure CC="gcc -m64" -enable-threads \ --with-openssl=/opt/openssl-p11 \ --with-pkcs11=/dnssec/utimaco/libcs2_pkcsll.so
make make install

Generate Keys and Sign a Domain Zone

1. Generate a zone-signing key and a keysigning key
# pkcs11-keygen -b 2048 -l ksk # pkcs11-keygen -b 1024 -l zsk
The parameter -b specifies the key size and -l the label of the key pair. Since the library path was exported, it is not necessary to specify it using the parameter -m (module) any more. You will be prompted to enter the user pin for the PKCS#11 slot.

View Keys
Use command:
pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]

Example:
SLot1:
pkcs11-list -s 1 -p 123456

Slot:0
pkcs11-list -p 123456

Generate Keys and Sign a Domain Zone (cont.)

2. Generate the key files for BIND
# dnssec-keyfromlabel -l ksk -f KSK utimaco.com # dnssec-keyfromlabel -l zsk utimaco.com
The parameter -l specifies the label again and after -f follows the key flag. The key files are generated for a specific zone which in this case is utimaco.com. Now you should find the corresponding key files in the current directory which are composed of K<zone name>.+<numeric representation of

the key file>+<key identifier>.(key|private).

Generate Keys and Sign a Domain Zone (cont.)

3. Before you can sign a zone, it is necessary to add the contents of both K*.key files or to include them by reference - using the key file names - to the zone master file. Open the zone file and add the following lines e.g.

$include Kutimaco.com.+005+35677.key $include Kutimaco.com.+005+63263.key

4. Finally sign the zone

# dnssec-signzone -S -o <zone name> <zone file>

Demo
1. Placing Into Operation: Configure HSM IP 2. Administration Tools:
- Install admin tool - Install Pin-pad driver, check configuration in admin tool.

3. Keys and Key Management

- Create administrators - Issue MBK

4. Build DNSSEC 5. DNSSEC Configuration

Questions & Answers

The End