consistent pkcs 11 consistent pkcs 11
play

CONSISTENT PKCS#11 CONSISTENT PKCS#11 IN OPERATING SYSTEMS IN - PowerPoint PPT Presentation

Nov 06, 2023 •559 likes •961 views

CONSISTENT PKCS#11 CONSISTENT PKCS#11 IN OPERATING SYSTEMS IN OPERATING SYSTEMS IMPROVING USER EXPERIENCE AND SECURITY IN RHEL AND FEDORA IMPROVING USER EXPERIENCE AND SECURITY IN RHEL AND FEDORA Jakub Jelen Software Engineer Red Hat

  1. CONSISTENT PKCS#11 CONSISTENT PKCS#11 IN OPERATING SYSTEMS IN OPERATING SYSTEMS IMPROVING USER EXPERIENCE AND SECURITY IN RHEL AND FEDORA IMPROVING USER EXPERIENCE AND SECURITY IN RHEL AND FEDORA Jakub Jelen Software Engineer Red Hat jjelen@redhat.com @JakujeCZ Jakuje

  2. PRIVATE KEYS, CERTIFICATES PRIVATE KEYS, CERTIFICATES WHAT ARE THEY USED FOR? WHAT ARE THEY USED FOR?

  3. PRIVATE KEYS, CERTIFICATES PRIVATE KEYS, CERTIFICATES WHAT ARE THEY USED FOR? WHAT ARE THEY USED FOR? Email signatures & decryption

  4. PRIVATE KEYS, CERTIFICATES PRIVATE KEYS, CERTIFICATES WHAT ARE THEY USED FOR? WHAT ARE THEY USED FOR? Email signatures & decryption SSH authentication, remote git

  5. PRIVATE KEYS, CERTIFICATES PRIVATE KEYS, CERTIFICATES WHAT ARE THEY USED FOR? WHAT ARE THEY USED FOR? Email signatures & decryption SSH authentication, remote git Git commit/tag signing

  6. PRIVATE KEYS, CERTIFICATES PRIVATE KEYS, CERTIFICATES WHAT ARE THEY USED FOR? WHAT ARE THEY USED FOR? Email signatures & decryption SSH authentication, remote git Git commit/tag signing TLS client authentication (eGovernment, banking)

  7. PRIVATE KEYS, CERTIFICATES PRIVATE KEYS, CERTIFICATES WHAT ARE THEY USED FOR? WHAT ARE THEY USED FOR? Email signatures & decryption SSH authentication, remote git Git commit/tag signing TLS client authentication (eGovernment, banking) More secure password replacement

  8. WHERE ARE THEY STORED? WHERE ARE THEY STORED? Hard drive Computer memory Backup in cloud

  9. ARE THEY SECURE? ARE THEY SECURE?

  10. ARE THEY SECURE? ARE THEY SECURE? ZERO DAY EXPLOITS? ZERO DAY EXPLOITS?

  11. Last year

  12. Last year

  13. Last year $ pkcs11-tool --read-object --id 01 --type cert \ --output-file cert.der $ pkcs11-tool --sign --id 01 --mechanism RSA-PKCS --login \ --input-file data --output-file data.sig $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so $ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so example.com

  14. Last year $ pkcs11-tool --read-object --id 01 --type cert \ --output-file cert.der DEDICATED HARDWARE IN OS IS NOT DEDICATED HARDWARE IN OS IS NOT $ pkcs11-tool --sign --id 01 --mechanism RSA-PKCS --login \ --input-file data --output-file data.sig EASY EASY $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so $ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so example.com

  15. PKCS#11 in OS curl nginx httpd wget OpenSSL Firefox LibreSwan GnuTLS OpenSSL-pkcs11 NSS OpenSSH PKCS#11 p11-kit-proxy OpenSC 3rd party module PC/SC pcsc-lite + CCID: pcscd Card reader USB token Smart Card HSM USB ISO/IEC 7816

  16. User expectations wget nginx httpd Firefox LibreSwan curl magic USB token Smart Card HSM

  17. AGENDA AGENDA PKCS#11 Usability improvements PKCS#11 URI p11-kit-proxy Application support OpenSSH HTTPS clients & servers Firefox Your application? Further work

  18. PKCS#11 PKCS#11 Open Standard for cryptographic tokens controlling authentication information (personal identity, cryptographic keys, certificates, digital signatures, ...) PKCS#11 module: implementation of PKCS#11 interface providing access to cryptographic tokens low-level C API

  19. CONSISTENT PKCS#11 CONSISTENT PKCS#11 system-wide consistency for usage and configuration

  20. CONSISTENT PKCS#11 CONSISTENT PKCS#11 system-wide consistency for usage and configuration $ p11tool --list-all "pkcs11:manufacturer=piv_II;token=SSH%20key" $ pkcs11-tool --read-object --id 01 --type cert \ --output-file cert.der $ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so example.com

  21. CONSISTENT PKCS#11 CONSISTENT PKCS#11 system-wide consistency for usage and configuration $ p11tool --list-all "pkcs11:manufacturer=piv_II;token=SSH%20key" $ pkcs11-tool --read-object --id 01 --type cert \ --output-file cert.der $ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so example.com

  22. PKCS#11 URI ( PKCS#11 URI (RFC 7512) RFC 7512) Strongest and simplest expression pkcs11: uri scheme -- distinguishable from filenames Uniquely identifies each object in the system Non-mandatory filtering by PKCS#11 attributes Can provide also PIN or pkcs11 module pkcs11: pkcs11: manufacturer=piv_II;token=SSH%20key; id=%04 ;object =PIV%20AUTH%20pubkey; type=private

  23. P11-KIT P11-KIT PKCS#11 modules exposed to users System-wide registry of PKCS#11 modules Automatically loaded by applications PKCS#11 modules registered in one place: System and 3rd party $ cat /usr/share/p11-kit/modules/opensc.module module: opensc-pkcs11.so

  24. APPLICATION SUPPORT APPLICATION SUPPORT How does it work?

  25. OPENSSH CLIENTS (WAS) OPENSSH CLIENTS (WAS) Listing keys a $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so a ssh-rsa AAAAB3Nza[...]751SVdOhUaBiTXGiClQ== /usr/lib64/pkcs11/opensc-pkcs11.so a a Public key authentication a $ ssh -i /usr/lib64/pkcs11/opensc-pkcs11.so example.com a Enter PIN for 'SSH key': Filtering keys N/A

  26. OPENSSH CLIENTS (WAS) OPENSSH CLIENTS (WAS) Listing keys a $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so a ssh-rsa AAAAB3Nza[...]751SVdOhUaBiTXGiClQ== /usr/lib64/pkcs11/opensc-pkcs11.so a a Public key authentication a $ ssh -i /usr/lib64/pkcs11/opensc-pkcs11.so example.com a Enter PIN for 'SSH key': Filtering keys N/A

  27. OPENSSH CLIENTS (WAS) OPENSSH CLIENTS (WAS) Listing keys a $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so a ssh-rsa AAAAB3Nza[...]751SVdOhUaBiTXGiClQ== /usr/lib64/pkcs11/opensc-pkcs11.so a a Public key authentication a $ ssh -i /usr/lib64/pkcs11/opensc-pkcs11.so example.com a Enter PIN for 'SSH key': Filtering keys N/A

  28. OPENSSH CLIENTS (WAS) OPENSSH CLIENTS (WAS) Listing keys a $ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so a ssh-rsa AAAAB3Nza[...]751SVdOhUaBiTXGiClQ== /usr/lib64/pkcs11/opensc-pkcs11.so a a Public key authentication a $ ssh -i /usr/lib64/pkcs11/opensc-pkcs11.so example.com a Enter PIN for 'SSH key': Filtering keys N/A

  29. OPENSSH CLIENTS OPENSSH CLIENTS Listing keys a $ ssh-keygen -D pkcs11: a ssh-rsa AAAAB3Nza[...]751SVdOhUaBiTXGiClQ== pkcs11:id=%03;[...]?module-path=/usr/lib64/p11-kit-proxy.so a ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzd[...]SStk3J0hkYnnsM= a Public key authentication a $ ssh -i pkcs11: example.com a Enter PIN for 'SSH key': Filtering keys $ ssh -i pkcs11:id=%02 localhost Enter PIN for 'SSH key':

  30. OPENSSH CLIENTS 2 OPENSSH CLIENTS 2 Using ssh-agent a $ ssh-add pkcs11:id=%02 a Enter passphrase for PKCS#11: Card added: pkcs11:id=%02 a $ ssh-add -l a 521 SHA256:5BrE5wevULd[...]+kF5hA9X8 ECDSA jjelen (ECDSA) $ ssh example.com a Configuration $ cat ~/.ssh/config IdentityFile "pkcs11:id=%01?module-path=/usr/lib64/opensc-pkcs11.so"

  31. HTTPS CLIENTS HTTPS CLIENTS wget a $ wget --certificate 'pkcs11:id=%01;type=cert' \ a --private-key 'pkcs11:id=%01;type=private' https://example.com/ a curl $ curl --cert 'pkcs11:id=%01;type=cert' \ --key 'pkcs11:id=%01;type=private' https://example.com/

  32. HTTPS SERVERS HTTPS SERVERS httpd configuration file a SSLCertificateFile pkcs11:id=%01;type=cert a SSLCertificateKeyFile pkcs11:id=%01;type=private a nginx configuration file # ssl_certificate # does not work ssl_certificate_key "engine:pkcs11:id=%01;type=private";

  33. FIREFOX FIREFOX a a a a a a a a a

  34. FIREFOX FIREFOX No more adding PKCS#11 modules a a a a a a a a a

  35. FIREFOX FIREFOX No more adding PKCS#11 modules a a a a a a a a a Just works

  36. YOUR OTHER APPLICATION? YOUR OTHER APPLICATION? might already work high-level crypto applications p11-kit Available tokens PKCS#11 URI Identify objects Handled p11-kit

  37. TRY IT AT HOME TRY IT AT HOME TPM2.0 any computer from last years alternative to storing private keys on hard drive tied to specific machine TCG provides PKCS#11 module (tpm2-pkcs11) SoftHSM PKCS#11 module data stored on filesystem integrated in p11-kit

  38. SUMMARY SUMMARY Security bugs in processors, OS, software Smart cards and HSMs to store secrets in HW Consistent identification using PKCS#11 URI System-wide registration in p11-kit-proxy Support for most important system applications QUESTIONS? QUESTIONS? jjelen@redhat.com @JakujeCZ Jakuje

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003

Provable Security RSA-PKCS Encryption - Signature Lawrence Berkeley National Lab August 2003 David Pointcheval LIENS-CNRS Ecole normale suprieure Summary Summary Encryption PKCS #1 v1.5 PKCS #1 v2.0 : OAEP Signature

286 views • 17 slides
Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH

Provable Security Meets the Real World Kenny Paterson Information Security Group 1 Outline RSA encryption in PKCS#1 The SSH Binary Packet Protocol IPsec MAC-then-Encrypt Lessons learned? 2 Outline RSA encryption in PKCS#1

948 views • 61 slides
Attacking and Fixing PKCS#11 Security Tokens Matteo Bortolozzo, Matteo Centenaro Riccardo Focardi

Attacking and Fixing PKCS#11 Security Tokens Matteo Bortolozzo, Matteo Centenaro Riccardo Focardi

Attacking and Fixing PKCS#11 Security Tokens Matteo Bortolozzo, Matteo Centenaro Riccardo Focardi and Graham Steel Universit` a Ca Foscari, Venezia and LSV, INRIA & CNRS & ENS-Cachan RSA PKCS#11 Describes cryptoki:

520 views • 35 slides
Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a

Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a

Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a shelter? Si Gao Hua Chen Limin Fan Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

442 views • 40 slides
Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Security APIs ARSPA-WITS10 () Formal Analysis of Key Integrity in PKCS#11s 2 / 17 Security

Formal Analysis of Key Integrity in PKCS#11 Andrea Falcone 1 Riccardo Focardi 1 1 Universit` a Ca Foscari di Venezia, Italy focardi@dsi.unive.it ARSPA-WITS10 Paphos, Cyprus March 27-28, 2010 Work partially supported by: Miur07

729 views • 17 slides
Feasibility of Consistent, Feasibility of Consistent, Feasibility of Consistent, Feasibility of

Feasibility of Consistent, Feasibility of Consistent, Feasibility of Consistent, Feasibility of

Feasibility of Consistent, Feasibility of Consistent, Feasibility of Consistent, Feasibility of Consistent, Available, Partition Available, Partition- -Tolerant Tolerant Web Services Web Services Meng Wang Jingxin Feng Feb 14, 2011 Feb

828 views • 48 slides
Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA & CNRS

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA & CNRS

Attacking and Fixing PKCS#11 Security Tokens with Tookan Graham Steel LSV, INRIA & CNRS & ENS-Cachan (joint work with Riccardo Focardi, Matteo Bortolozzo & Matteo Centenaro, Universit` a Ca Foscari, Venezia) 1/16 RSA Public

569 views • 17 slides
CSS Modules with BEM Consistent Design Consistent Design Different Module Versions Consistent

CSS Modules with BEM Consistent Design Consistent Design Different Module Versions Consistent

CSS Modules with BEM Consistent Design Consistent Design Different Module Versions Consistent Design Different Module Versions Combine Small Modules Non-modular Naming CSS Selector Nesting CSS Selector Nesting #2 Block-Element-Modifier

1.06k views • 24 slides
General Structure of a PW code Self-Consistent KS eqs. or Global Minimization approach

General Structure of a PW code Self-Consistent KS eqs. or Global Minimization approach

General Structure of a PW code Self-Consistent KS eqs. or Global Minimization approach http://www.quantum-espresso.org/ KS self-consistent equations KS self-consistent equations KS self-consistent equations KS self-consistent equations

544 views • 30 slides
1 Summary Consistent strategy Consistent strategy delivering results Niche positions New

1 Summary Consistent strategy Consistent strategy delivering results Niche positions New

Ben Stocks - Chief Executive Chris Tyler - Finance Director 1 Summary Consistent strategy Consistent strategy delivering results Niche positions New product development in growing, regulated markets and intellectual property 2011-2016 10%

415 views • 20 slides
The Art of Consistent SDN Updates Stefan Schmid Aalborg University The Art of Consistent SDN

The Art of Consistent SDN Updates Stefan Schmid Aalborg University The Art of Consistent SDN

The Art of Consistent SDN Updates Stefan Schmid Aalborg University The Art of Consistent SDN Updates Stefan Schmid Aalborg University Smart students in Berlin & Wroclaw: Arne Ludwig, Jan Marcinkowski, Szymon Dudycz, Matthias Rost,

1.3k views • 108 slides
CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory

CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory

CASA Seminar Self- -consistent Space Charge consistent Space Charge Self Distributions: Theory and Applications Distributions: Theory and Applications Slava Danilov SNS/ORNL March 12, 2004 Accelerator Physics Oak Ridge National Laboratory

546 views • 26 slides
self-consistent field = 1 1 Z X d d r h m ( ~ r ) 2 i = h m 2 i h m ~ q m ~ q i L d N 2 q

self-consistent field = 1 1 Z X d d r h m ( ~ r ) 2 i = h m 2 i h m ~ q m ~ q i L d N 2 q

Self-consistent field approximation 1 partition function from Gaussian transformation Z + Y ! 1 e S ( i ,H i ) C = Z = C d i (2 k B T ) N/ 2 detJ i S ( i , H i = 0) = 1 ( J 1 ) ij i j 1 X

399 views • 9 slides
Consistent Variance Estimates for Multiple Multiple imputation Imputation in R MI alternative

Consistent Variance Estimates for Multiple Multiple imputation Imputation in R MI alternative

Consistent MI Variances in R James Reilly Consistent Variance Estimates for Multiple Multiple imputation Imputation in R MI alternative R package Summary James Reilly University of Auckland 8 July 2009 James Reilly Consistent MI

600 views • 11 slides
Consistent Biclustering via Fractional 01 Programming Panos Pardalos, Stanislav Busygin and

Consistent Biclustering via Fractional 01 Programming Panos Pardalos, Stanislav Busygin and

Consistent Biclustering via Fractional 01 Programming Panos Pardalos, Stanislav Busygin and Oleg Prokopyev Center for Applied Optimization Department of Industrial & Systems Engineering University of Florida Consistent Biclustering via

937 views • 74 slides
Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and

Modern Block Ciphers DES Games with Block Ciphers Modern Block Ciphers DES Games with Block Ciphers Symmetric Key Cryptosystems Modern Symmetric Key Cryptosystems Public key cryptosystems (PKCs) and their applications are the primary focus

521 views • 5 slides
Template based code generation for networks of hybrid systems Cambdridge CodeGen Workshop Boris

Template based code generation for networks of hybrid systems Cambdridge CodeGen Workshop Boris

Template based code generation for networks of hybrid systems Cambdridge CodeGen Workshop Boris Marin Silver Lab University College London January 7, 2014 Boris Marin (University College London) 1 / 7 Model specifiation languages

477 views • 29 slides
Computing Motorcycle Graphs Based on Kinetic Triangulations Willi Mann 1 Martin Held 1 Stefan

Computing Motorcycle Graphs Based on Kinetic Triangulations Willi Mann 1 Martin Held 1 Stefan

Computing Motorcycle Graphs Based on Kinetic Triangulations Willi Mann 1 Martin Held 1 Stefan Huber 2 1 Dept. of Computer Science 2 Dept. of Mathematics University of Salzburg University of Salzburg Austria Austria CCCG 2012 in Charlottetown,

608 views • 22 slides
Gyrokinetic simulations of magnetic fusion plasmas Tutorial 2 Virginie Grandgirard

Gyrokinetic simulations of magnetic fusion plasmas Tutorial 2 Virginie Grandgirard

Gyrokinetic theory a GK vlasov equation a GK quasi-neutrality a Gyrokinetic simulations of magnetic fusion plasmas Tutorial 2 Virginie Grandgirard CEA/DSM/IRFM, Association Euratom-CEA, Cadarache, 13108 St Paul-lez-Durance, France.

530 views • 38 slides
Logistics Embedded Systems and Kinetic Art Class meets M-W from 11:50-2:50 Well start

Logistics Embedded Systems and Kinetic Art Class meets M-W from 11:50-2:50 Well start

Logistics Embedded Systems and Kinetic Art Class meets M-W from 11:50-2:50 Well start meeting in Sculpt 183 CS5968: Erik Brunvand At some point we may also meet in School of Computing MEB 3133 (Merrill Engineering Building) on

313 views • 6 slides
Access: bwUniCluster, bwForCluster, ForHLR Shamna Shamsudeen, SCC, KIT Steinbuch Centre for

Access: bwUniCluster, bwForCluster, ForHLR Shamna Shamsudeen, SCC, KIT Steinbuch Centre for

Access: bwUniCluster, bwForCluster, ForHLR Shamna Shamsudeen, SCC, KIT Steinbuch Centre for Computjng (SCC) www.bwhpc-c5.de Funding: Outline Introductjon Registratjon Processes bwUniCluster bwForCluster ForHLR Phase I & II First Steps

594 views • 27 slides
December 12, 2018 Luis Ceze Welcome to the 1st TVM and Deep Learning Compilation Conference!

December 12, 2018 Luis Ceze Welcome to the 1st TVM and Deep Learning Compilation Conference!

1st TVM and Deep Learning Compilation Conference December 12, 2018 Luis Ceze Welcome to the 1st TVM and Deep Learning Compilation Conference! Welcome to the 1st TVM and Deep Learning Compilation Conference! 180+ ppl! Machine learning is

1.31k views • 115 slides
Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern

Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern

CSC209 Fall 2001 What is AWK? Awk, Awk Pattern matching and processing language Looks for pattern in file If pattern matches, do something Many details handled automatically very easy to one off (write and throw away)

673 views • 12 slides
(.ahp () * L-pt^ce Tr.*'f,**r + ?.qe. Je..u { che 5) !Js- n Sc.oe/ ".y'Pr /rq?.- ,Ft. C

(.ahp () * L-pt^ce Tr.*'f,**r + ?.qe. Je..u { che 5) !Js- n Sc.oe/ ".y'Pr /rq?.- ,Ft. C

L 13 wth 235 ( <4 1) . r srs f.ws ltwaer /'gs of ft " (.ahp () * L-pt^ce Tr.*'f,**r + ?.qe. Je..u { che 5) !Js- n Sc.oe/ ".y'Pr /rq?.- ,Ft. C Che t) * Ftett *J+ klf,. c+t. ( chs z). ou? 5"/.r Cro,r t. /'tx{.

446 views • 19 slides

More recommend