Utimaco HSM
DNSSEC Integration
Presented By Duy Nguyen (PMS)
Agenda
Part 1: Utimaco HSM
- CryptoServer LAN
- Placing Into Operation
- Administration Tools
- Keys and Key Management
- Basic Administration
- Application
Part 2: Utimaco HSM and DNSSEC integration
- Init slot
- Build DNSSEC
- DNSSEC Configuration
Agenda - Part 1: CryptoServer LAN
Hardware
CryptoServer LAN = CryptoServer + communication unit
- Industry PC solution
- Automatic voltage detection (100-240 V)
- Dual network interface (2 x 1 Gbit)
- Flash disk
- Hardware watchdog on board
- 4 x 40 display + navigation panel
- Serial + USB port (e.g. PIN pad)
- External battery exchange
Implementation environment with one or more SafeGuard CryptoServer LAN
Software
CryptoServer LAN software stack (components of the architecture diagram):
- Operating system: self-made, hardened kernel, based on Linux built from scratch
- PCI driver
- CSXLAN: TCP server (daemon) for remote access; maps the CryptoServer to a port (default 288); serializes commands; automatic time synchronization to an external time reference; configured in csxlan.conf
- DSP_ADMIN: display and keyboard; integrated administration of the CryptoServer (e.g. loading of the MBK) and of CSXLAN (e.g. setting of the IP address); menu structure configurable
- csadm
- NTP client / server
- SSH (remote administration)
- SNMP
- CryptoServer SE / CS (the HSM module itself)
Software Update via Partitions
Concept:
- Three boot partitions: factory (no permanent storage), User1, User2
- Updates do not change the running system
- Two system states are kept: the current and the previous system (for update)
- The user can revert to the Utimaco defaults; the user cannot change the factory partition
Software Update via Partitions (cont.)
- Update: copy the new image from a USB device to the second boot partition
- Activate: set the second boot partition to active
- Reboot: user settings are copied to the new active boot partition
Agenda - Part 1: Placing Into Operation
Install LAN appliance
1. Connect SafeGuard CryptoServer LAN on the back panel to a 100-240 V mains power supply.
2. Connect SafeGuard CryptoServer LAN to your network with a twisted-pair cable (RJ45).
3. Turn the power supply switch on (back panel).
4. Turn SafeGuard CryptoServer LAN on (front panel).
5. If necessary, connect a PIN pad to SafeGuard CryptoServer LAN (ill. front panel 2). This can also be done during operation.
SafeGuard CryptoServer LAN is ready for operation after approx. 30 seconds.
Set IP address
To set the IP address: -> LAN Box Administration -> Configuration -> Network -> IP address
The two digits after the slash represent the number of consecutive 1 bits in the desired netmask; 24 corresponds to the netmask 255.255.255.0.
Note: also take note of the network connection, "eth0" or "eth1", to which you have connected the network cable of the CryptoServer LAN.
Entering the IP address of the default gateway
To set the default gateway: -> LAN Box Administration -> Configuration -> Network -> Default Gateway
SSH
To enable the SSH daemon: -> LAN Box Administration -> Configuration -> Services -> SSH Daemon -> Configuration -> Configuration of SSH Daemon -> [x] Enable, and confirm by pressing OK.
Set the IP range for which SSH access is to be permitted.
Changing the password for the "root" user
As the password for accessing the operating system ("root" user) has already been set, we strongly recommend you change it as soon as possible.
You can change the password for the "root" user in two ways:
- via an SSH connection from your Admin PC, or
- directly on the CryptoServer LAN, by connecting a keyboard and a screen to it.
Enabling the web interface
The CryptoServer LAN can display status information through a web interface in a normal browser. To enable the web interface:
-> LAN Box Administration -> Configuration -> Services -> Web Interface -> [x] Enable
You can then access the web interface with a browser via HTTP port 80, entering the CryptoServer LAN's IP address as the URL. The web interface displays status information only; you cannot configure the CryptoServer LAN or the CryptoServer through it.
Demo
CS LAN:
- Connect power and network cable
- Set IP address
- Set gateway
- Test connectivity (ping)
- Enable SSH
- Change the password for the "root" user
Agenda - Part 1: Administration Tools
Administration Tools
- CAT: Java-based GUI; Windows, Linux, Solaris
- csadm: command line tool; Windows, Linux, Solaris, AIX
Command Line Tool
Command groups:
- Basic: Help, PrintError, Version
- Load Preparation: MakeMTC, Pack, Unpack
- Raw Commands / Bootloader: Reset, ResetToBL, GetInfo, StartOS, RecoverOS, BLChangeInitKey, BLLoadFile, BLSetRTC, BLResetAlarm
- Administration: GetState, GetAlarmLog, ListFiles, LoadPkg, LoadFile, DeleteFile, ListModulesActive, GetBootLog
- User management: ListUser, AddUserRSASign, ChangeUser, DeleteUser
- Authentication: LogonSign, LogonPass, AuthRSASign, AuthClearPwd, Login, Logoff
- CSLAN: CSLGetLogFile, CSLShutdown
- Init-Key management / Master Box Key management: GenKey, Backupkey
- Misc: CMD, GenRandom
Command Line Tool
Help available: csadm help=<cmd>
Parameters (selection):
Parameter | Description | Used by
Dev= | Address of the SafeGuard CryptoServer, e.g. TCP:[email protected], PCI:0, /dev/cs2a | nearly all commands
InitPrvKey= | Key identifier of the private init key | many boot loader commands
AuthRSASign=, AuthSHA1PWD=, AuthClrPWD= | User authentication | nearly all commands
Command Line Tool
Parameter: key identifier
Key identifier | Description
C:\my_keys\initprv.key | Local key file
:cs2:cyb:USB | Specifies a connected PIN pad. The name has the form :smartcard-id:pinpad-id:port-id, where :cs2 = CryptoServer smartcard, :cyb = cyberJack ReinerSCT PIN pad, :USB = USB port (COM1 for serial port 1)
Environment variables can be used for parameter setting: after "set CRYPTOSERVER=TCP:192.168.4.161" it is no longer necessary to specify the Dev= parameter.
Commands can be bundled: "csadm AuthRSASign=ADMIN,:cs2:cyb:USB LoadFile= LoadFile=" loads several files, and the PIN has to be entered only once.
Agenda - Part 1: Keys and Key Management
Master Box Key
The MBK is:
- an AES-256 key; 3DES is supported for backward compatibility
- necessary to back up and restore keys stored on the SafeGuard CryptoServer to the host system
- supports k-out-of-n key sharing
- usable on several SafeGuard CryptoServers to realize high availability
- remotely administrable (import possible without an administrator on site)
Master Box Key
(Figure: PIN pad with display, keypad 0-9, DEL, CLR and OK keys, PS/2 and COM ports, smartcard slots CS (1) and CS (2).)
Generate the key and store it on 4 smartcards, of which 2 are needed to recombine the key.
Import the MBK from two smartcards.
The key set consists of N smartcards, of which K are needed to recombine the MBK (here: N=4, K=2).
Administration Keys
Administration keys can be stored:
- on a smartcard (recommended)
- as a key file, plain or password encrypted
Administration keys are assigned to an administration role.
User Manager (0x2000 0000) and Firmware Manager (0x0200 0000) can be created (exclusive permission or 4 eyes).
If a customer-specific, fully qualified administration role is created, the default ADMIN user can be deleted.
If the administration keys are lost, it is possible to reset the SafeGuard CryptoServer to the factory default configuration: an external erase has to be performed, after which the SafeGuard CryptoServer can be reset to the factory default configuration.
Customer Keys overview
(Figure: key overview on the client PC (Windows, Linux, Solaris))
- Administrator keys: used by the CAT or csadm administration tool
- Standard interfaces: CXI, PKCS#11, customer interface, via CSAPI and the PCI driver
- Master Box Key (MBK)
Agenda - Part 1: Basic Administration
Basic Administration
How to:
- generate and assign an administrator key
- re-initialize the SafeGuard CryptoServer Se
- change the PIN on a smartcard
- manage users and keys
- monitoring
Basic Administration - Users
Basic Administration - User groups
User groups 6 and 7: CryptoServer administration purposes. User groups 0 to 5: application-specific access rights. The following user groups are predefined:
Permissions and authentication status
Generate and assign administrator keys
1. In CAT select KeyTools -> SmartCard Management.
2. Select the algorithm. The Key-Info text is the name of the key on the smartcard (shown when calling KeyTools -> SmartCard -> Show SmartCard info).
3. Choose the number of backups to create. One backup half of the key can be stored together with the user key on a smartcard (not recommended). Prepare smartcards for all administrators.
OR:
In CAT select KeyTools -> KeyFile Management -> Generate to generate a file-based administration key. The key file can be stored password encrypted or plain.
4. Log in as the ADMIN user: select the ADMIN user and click Login.
5. Select User Management and press Add user.
6. Create an administration user (here: 4-eyes principle): Group 7 = 1, Group 6 = 1. Assign the key created before.
7. Perform these steps for the second administrator.
8. As the last step, select the user ADMIN and press Delete user.
Generate and Import the Master Box Key MBK
1. First log in a user to the SafeGuard CryptoServer: select an Admin user from the list, click Login and follow the instructions.
m&n: "m (shares)" is the number of people to which the key is to be distributed; "n (shares)" is the minimum number of people required to use the key.
2. Open the Remote MBK Management dialog: Key Management -> Remote MBK Management. Enter the name of the MBK and select the type (AES is recommended).
3. Choose the number of shares needed to recombine the MBK (k value) and the number of shares you want to create (n value).
4. Select automatic MBK Import to load the MBK to the SafeGuard CryptoServer; otherwise the Import tab has to be used. Press Generate. If an existing MBK should be imported, use the Import tab.
SafeGuard CryptoServer CS/Se: Basic Administration - Change PIN of a smartcard
1. In CAT select KeyTools -> SmartCard Management.
2. Switch to the Change PIN tab.
3. Press Change PIN.
4. Follow the instructions on the PIN pad.
This command changes the User PIN of a smartcard; the MBK PIN of a smartcard is changed with the MBK Management dialogs.
Monitoring
Extended SNMP support
- CryptoServer objects: status, internal temperature, alarm state, firmware module state, operational mode, bootloader version, serial number, battery state, system time
- CryptoServer LAN objects: load, CryptoServer LAN software version, serial number, battery state, system time, number of client connections
SNMP traps when:
- temperature, load or number of clients exceed a min/max threshold (configurable threshold)
- battery low, alarm state, CryptoServer changes operating mode, CryptoServer LAN boot/shutdown/restart
Configuration through the CryptoServer LAN front panel menu or SSH.
Monitoring can also be done by a script on the host evaluating the following commands:
- Get the current state of the SafeGuard CryptoServer with csadm GetState: check that the SafeGuard CryptoServer is alive, the state is operational and the temperature is in range.
- Check that the needed functionality is available with csadm ListModulesActive: do all modules have state INIT_OK?
- Check the battery state with csadm GetBattState.
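A host-side script of the kind the slide describes, added here as an example and not taken from the deck or from Utimaco: it runs the three csadm commands named above and evaluates their output. The output formats parsed by the regular expressions, the csadm path and the temperature thresholds are assumptions for illustration (the deck does not show csadm's output); the device is expected to come from the CRYPTOSERVER environment variable as on the Command Line Tool slide. The sample outputs at the bottom are constructed so the logic can run offline.

```python
"""
Added example, not part of the deck: host-side health check built on the three
csadm commands the slide names (GetState, ListModulesActive, GetBattState).
The output formats parsed below are ASSUMED; adapt the regexes to what your
csadm version prints. Device selection relies on $CRYPTOSERVER being exported.
"""
import re
import subprocess
from typing import Callable

CSADM = "csadm"                 # path to the csadm binary (assumption)
TEMP_RANGE_C = (5.0, 55.0)      # constructed thresholds, not vendor values


def run_csadm(command: str) -> str:
    """Run one csadm command and return its stdout (device taken from $CRYPTOSERVER)."""
    proc = subprocess.run([CSADM, command], capture_output=True, text=True, check=False)
    if proc.returncode != 0:
        raise RuntimeError(f"csadm {command} failed: {proc.stderr.strip()}")
    return proc.stdout


def check_state(output: str, temp_range=TEMP_RANGE_C) -> list[str]:
    """GetState: the mode must be operational and the temperature in range."""
    problems = []
    mode = re.search(r"(?im)^\s*mode\s*[:=]\s*(\S+)", output)
    if not mode or "operational" not in mode.group(1).lower():
        problems.append("CryptoServer is not in operational mode")
    temp = re.search(r"(?im)^\s*temperature\s*[:=]\s*([-\d.]+)", output)
    if not temp:
        problems.append("no temperature reading in GetState output")
    elif not temp_range[0] <= float(temp.group(1)) <= temp_range[1]:
        problems.append(f"temperature {temp.group(1)} C outside {temp_range}")
    return problems


def check_modules(output: str) -> list[str]:
    """ListModulesActive: every firmware module must report INIT_OK (assumed column layout)."""
    problems = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[-1].lower() == "state":
            continue  # blank line or the assumed header line
        name, state = parts[0], parts[-1]
        if state != "INIT_OK":
            problems.append(f"module {name} in state {state}")
    return problems


def check_battery(output: str) -> list[str]:
    """GetBattState: flag every battery line whose status is not OK."""
    problems = []
    for m in re.finditer(r"(?im)^\s*([\w ]*battery[\w ]*)\s*[:=]\s*(\S+)", output):
        if m.group(2).upper() != "OK":
            problems.append(f"{m.group(1).strip()}: {m.group(2)}")
    return problems


def health_check(run: Callable[[str], str] = run_csadm) -> dict:
    """Run all three checks; `run` is injectable so the logic can be exercised offline."""
    problems = []
    problems += check_state(run("GetState"))
    problems += check_modules(run("ListModulesActive"))
    problems += check_battery(run("GetBattState"))
    return {"healthy": not problems, "problems": problems}


# Constructed sample outputs in the ASSUMED format, used when run as a script.
SAMPLE_OUTPUT = {
    "GetState": "Mode      : Operational Mode\nTemperature: 41.5\n",
    "ListModulesActive": "Name   Version  State\nCXI    2.1.0    INIT_OK\nADM    3.0.2    INIT_OK\n",
    "GetBattState": "External battery: OK\nInternal battery: LOW\n",
}

if __name__ == "__main__":
    print(health_check(lambda cmd: SAMPLE_OUTPUT[cmd]))   # offline run on the samples
    # print(health_check())                               # against a real HSM
```

Feed the returned problems into whatever alerting the host already has (the SNMP traps above cover the same conditions from the appliance side); polling both paths catches a failure of either.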
Demo
- Create administrators
- Generate and import Master Box Keys
Agenda - Part 1: Application
Product Portfolio
- SafeGuard CryptoServer Se-Series, SafeGuard CryptoServer CS-Series
- SafeGuard SecurityServer: PKCS#11, JCE, MS CSP/CNG/SQL EKM, OpenSSL, CXI
- SafeGuard TimestampServer: RFC 3161, CTS API
- SafeGuard CryptoServer SDK: Software Development Kit for customized functionality
SafeGuard CryptoServer Roadmap September 2012
Security Server Overview
The Security Server includes the following interfaces:
- PKCS#11
- CSP and CNG for Microsoft CryptoAPI (MSCAPI)
- Utimaco Cryptographic Extended Interface (CXI)
- JCE
- OpenSSL
Product CD with installation on Windows systems; select the aim of the installation: Runtime / Development / Custom, including CAT.
Security Server Overview
Supported operating systems:
- Microsoft Windows XP, Vista, Server 2003, Server 2008
- Linux kernel 2.4.0 and higher; RHEL 6, SUSE 10
- Solaris 8 and higher
- AIX
Security Server PKCS#11
Benefits
Two operation modes:
- In cluster mode every device is accessible separately by different slot IDs
- In failover mode transparent failover functionality is available
Further:
- Secure channel between application and SafeGuard CryptoServer available
- Strong authentication available: 2FA, 4 eyes
- Thread-safe for use in multi-threaded applications
- Multiple SafeGuard CryptoServer support for each application
- Up to 256 parallel sessions/applications per SafeGuard CryptoServer
Security Server PKCS#11
Architecture
PKCS#11 libraries: cs2_pkcs11_R2.dll, libcs2_pkcs11_R2.so (talking to the CXI firmware module)
Security Server PKCS#11
Configuration of the PKCS#11 interface: the cs_pkcs11_R2.cfg file can contain several sections:
- a [Global] section for general configuration (timeout, logging)
- several [CryptoServer] sections, one for each SafeGuard CryptoServer device that should be addressed by the application
- several [Slot] sections; the slot number must be defined, and non-standard authentication can be configured
Microsoft CSP / CNG
Benefits
- Multitenancy: assign a key to a user group; these keys are not visible to users outside the assigned group
- When SafeGuard CryptoServer LAN is employed, several clients/applications can use one single SafeGuard CryptoServer
- Failover and clustering available
- External storage of keys available to synchronize several CryptoServer LANs
- Hardware random number generator for the generation of high-quality RSA keys
- Tamper-proof storage of numerous cryptographic keys (e.g. more than 30,000 RSA keys, 1,024 bits)
- Use 2-factor authentication to back up/restore cryptographic keys
- All cryptographic algorithms (also encryption/decryption, hashing) are performed directly in the HSM and are therefore protected against manipulation
Microsoft CSP / CNG
Architecture
CSP libraries: cs2csp.dll, cs2csplib.dll
(Figure: client computer: Application (e.g. Microsoft PKI) -> Microsoft CryptoAPI -> Utimaco CryptoServer CSP (digital signature by Microsoft) -> PCI driver -> CryptoServer PCI with CXI firmware module; alternatively via the TCP server of the Utimaco CryptoServer LAN -> PCI driver -> CryptoServer PCI)
CXI - Cryptographic Core Interface
Benefits:
- All important platforms supported
- Comfortable and flexible implementation
- High performance
- Nearly all cryptographic functions are available
- Easy to extend according to the needs of the customer
- FIPS 140-2 Level 3 certification in process
- Used for PCI DSS implementations
CXI - Cryptographic Core Interface
Based on the CXI firmware module several host APIs are implemented:
- OpenSSL
- CryptoServerJCE
- CXI .NET
- CXI C interface
- CXI Java class library
Easy to use, fast implementation in your application:
- Source code examples for all host APIs are available
- Integrated authentication and secure messaging
CXI - Cryptographic Core Interface
CXI Failover Architecture
(Figure: host system / application server: Application -> CXI DLL / JAR with CXI configuration file and optional key storage; CryptoServer remote management; secure channel over TCP/IP to the HSMs)
CXI - Cryptographic Core Interface
CXI Failover Architecture
From the application's point of view, transparency of:
- HSM hardware: a cluster may consist of CryptoServer PCI(e) and/or CryptoServer LAN
- Cluster size: 2 or more HSMs in a cluster
- Installation sites: local or remote HSMs
Failover mechanism:
- Failover from 1st to 2nd to nth to 1st
- Prioritization of HSMs in planning (e.g. local or higher-performance HSMs get higher priority when scheduling the next HSM)
- Re-use of a failed CryptoServer after repair/replacement
Flexibility:
- An HSM may belong to several clusters
- Internal or external key storage
Agenda - Part 2: Init slot
Preparation
This demo is shown on Linux RHEL 6.3 and uses the following packages:
- bind-9.9.2-P2.tar.gz
- openssl-1.0.0f.tar.gz
Environment Variables
Check the environment variables:
export CS_PKCS11_R2_CFG=/dnssec/utimaco/cs_pkcs11_R2.cfg
export [email protected]
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/dnssec/utimaco/
export LD_LIBRARY_PATH
Check the PKCS#11 configuration file:
Logpath = /utimaco
# Prevents expiring session after inactivity of 15 minutes
KeepAlive = true
[CryptoServer]
Device = [email protected]
Init slot: Create User
Init slot: Create SO User
Log in with the PKCS#11 CryptoServer Administration tool.
Init slot: Create SO/User With Command Line
Init SO PIN:
p11tool2 [Lib=<lib_path>] [Slot=<slot_id>] [Label=<label>] [Force=<force>] [Login=<admin_name>,<admin_auth_token>] InitToken=<so_pin>
Example:
./p11tool2 Slot=0 Login=ADMIN,init_dev_prv.key Force=1 InitToken=12345678
Init PIN:
p11tool2 [Lib=<lib_path>] [Slot=<slot_id>] LoginSO=<so_pin> InitPIN=<user_pin>
Example:
./p11tool2 Slot=0 LoginSO=12345678 InitPIN=123456
Some other commands:
./p11tool2
./p11tool2 help=InitPIN
./p11tool2 Slot=1 GetSlotInfo
./p11tool2 Slot=1 LoginUser=123456 ListObjects
Agenda - Part 2: Build DNSSEC
Extract Bind & OpenSSL
cd /dnssec
tar zxf openssl-1.0.0f.tar.gz
tar zxf bind-9.9.2-P2.tar.gz
mv openssl-1.0.0f openssl
mv bind-9.9.2-P2 bind
WARNING: RHEL needs the pcsc-lite-devel package:
pcsc-lite-1.5.2-7.el6.x86_64
pcsc-lite-openct-0.6.19-4.el6.x86_64
pcsc-lite-devel-1.5.2-7.el6.x86_64
pcsc-lite-libs-1.5.2-7.el6.x86_64
Patch OpenSSL
Just run the following commands:
cd openssl
patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch
Result:
[root@dnssec openssl]# patch -p1 < /dnssec/bind/bin/pkcs11/openssl-1.0.0f-patch
patching file Configure
patching file Makefile.org
patching file README.pkcs11
patching file crypto/opensslconf.h
patching file crypto/bio/bss_file.c
patching file test/clean_test.com
patching file util/libeay.num
patching file util/mk1mf.pl
patching file util/mkdef.pl
patching file util/pl/VC-32.pl
[root@dnssec openssl]#
Build OpenSSL
Just run the following commands.
Linux 64-bit:
./Configure linux-generic64 -m64 -pthread \
    --pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \
    --pk11-flavor=crypto-accelerator \
    --prefix=/opt/openssl-p11
Linux 32-bit:
./Configure linux-generic32 -m32 -pthread \
    --pk11-libname=/dnssec/utimaco/libcs_pkcs11_R2.so \
    --pk11-flavor=crypto-accelerator \
    --prefix=/opt/openssl-p11
make
make install
Check that the PKCS#11 engine is available:
[root@dnssec dnssec]# /opt/openssl-p11/bin/openssl engine pkcs11 -t
(pkcs11) PKCS #11 engine support (crypto accelerator)
     [ available ]
Agenda - Part 2: DNSSEC Configuration
Install BIND Domain Name Server
Run the following commands:
./configure CC="gcc -m64" --enable-threads \
    --with-openssl=/opt/openssl-p11 \
    --with-pkcs11=/dnssec/utimaco/libcs2_pkcs11.so
make
make install
Generate Keys and Sign a Domain Zone
1. Generate a zone-signing key and a key-signing key:
# pkcs11-keygen -b 2048 -l ksk
# pkcs11-keygen -b 1024 -l zsk
The parameter -b specifies the key size and -l the label of the key pair. Since the library path was exported, it is no longer necessary to specify it with the parameter -m (module). You will be prompted to enter the user PIN for the PKCS#11 slot.
View Keys
Use the command:
pkcs11-list [-P] [-m module] [-s slot] [-i ID] [-l label] [-p PIN]
Examples:
Slot 1:
pkcs11-list -s 1 -p 123456
Slot 0:
pkcs11-list -p 123456
Generate Keys and Sign a Domain Zone (cont.)
2. Generate the key files for BIND:
# dnssec-keyfromlabel -l ksk -f KSK utimaco.com
# dnssec-keyfromlabel -l zsk utimaco.com
The parameter -l specifies the label again, and -f is followed by the key flag. The key files are generated for a specific zone, in this case utimaco.com. You should now find the corresponding key files in the current directory, named K<zone name>.+<numeric representation of the key file>+<key identifier>.(key|private).
Generate Keys and Sign a Domain Zone (cont.)
3. Before you can sign a zone, add the contents of both K*.key files to the zone master file, or include them by reference using the key file names. Open the zone file and add lines such as:
$include Kutimaco.com.+005+35677.key
$include Kutimaco.com.+005+63263.key
4. Finally, sign the zone:
# dnssec-signzone -S -o <zone name> <zone file>
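Steps 2 and 3 above leave the operator to match key files to the zone by hand. The following is an added example, not from the deck or from BIND, that checks the K*.key files before they are included: in the file name K<zone>.+<alg>+<tag>.key the first number is the DNSSEC algorithm (005 = RSASHA1 per RFC 4034) and the second the key tag computed over the DNSKEY RDATA (RFC 4034 Appendix B); flags 257 mark a KSK and 256 a ZSK. The script verifies that each file's name agrees with the record it contains, that one KSK and one ZSK exist, and emits the $include lines. The two key files in demo() are constructed with tiny fake public keys so the example runs offline; the parser and key-tag routine are general and work on real dnssec-keyfromlabel output.

```python
"""
Added example (not from the deck or BIND): validate K<zone>.+<alg>+<tag>.key
files before including them in the zone master file, and emit the $include lines.
Key tag per RFC 4034 Appendix B; flags 257 = KSK (SEP bit set), 256 = ZSK.
"""
import base64
import re
import tempfile
from pathlib import Path

KEYFILE_RE = re.compile(r"^K(?P<zone>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")


def key_tag(flags: int, protocol: int, alg: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, alg, key)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_file(path: Path) -> dict:
    """Parse the single DNSKEY RR in a BIND .key file (';' comments ignored)."""
    for line in path.read_text().splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        owner, *rest = line.split()
        idx = rest.index("DNSKEY")          # optional TTL/class may precede the type
        flags, proto, alg = (int(x) for x in rest[idx + 1: idx + 4])
        pubkey = base64.b64decode("".join(rest[idx + 4:]))
        return {"owner": owner, "flags": flags, "protocol": proto, "algorithm": alg,
                "tag": key_tag(flags, proto, alg, pubkey),
                "role": "KSK" if flags & 1 else "ZSK"}
    raise ValueError(f"{path}: no DNSKEY record")


def includes_for_zone(directory: Path, zone: str) -> list[str]:
    """Return the $include lines for `zone` after checking file names against contents."""
    found: dict[str, list[str]] = {}
    for path in sorted(directory.glob("K*.key")):
        m = KEYFILE_RE.match(path.name)
        if not m or m["zone"] != zone:
            continue
        rec = parse_dnskey_file(path)
        if rec["owner"].rstrip(".") != zone:
            raise ValueError(f"{path.name}: owner {rec['owner']} does not match zone {zone}")
        if int(m["alg"]) != rec["algorithm"] or int(m["tag"]) != rec["tag"]:
            raise ValueError(f"{path.name}: file name does not match record "
                             f"(alg {rec['algorithm']}, tag {rec['tag']})")
        found.setdefault(rec["role"], []).append(path.name)
    if "KSK" not in found or "ZSK" not in found:
        raise ValueError(f"zone {zone}: need at least one KSK and one ZSK, have {found}")
    return [f"$include {name}" for role in ("KSK", "ZSK") for name in found[role]]


def demo() -> list[str]:
    """Constructed sample: a KSK and a ZSK for utimaco.com with fake 4- and 2-byte keys."""
    with tempfile.TemporaryDirectory() as d:
        dirp = Path(d)
        (dirp / "Kutimaco.com.+005+02060.key").write_text(
            "; constructed KSK for illustration, not a real key\n"
            "utimaco.com. IN DNSKEY 257 3 5 AQIDBA==\n")
        (dirp / "Kutimaco.com.+005+02315.key").write_text(
            "utimaco.com. IN DNSKEY 256 3 5 BQY=\n")
        return includes_for_zone(dirp, "utimaco.com")


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it in the directory where dnssec-keyfromlabel wrote the key files and paste its output into the zone file before dnssec-signzone; a renamed or mixed-up key file is caught by the tag check rather than by a failed signature later.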
Demo
1. Placing Into Operation: configure the HSM IP address
2. Administration Tools: install the admin tool; install the PIN pad driver; check the configuration in the admin tool
3. Keys and Key Management: create administrators; issue the MBK
4. Build DNSSEC
5. DNSSEC Configuration
Questions & Answers
The End