dnssec keys in smartcardhsm
play

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza - PowerPoint PPT Presentation

Jul 16, 2023 •12 likes •202 views

DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse University of Costa Rica & Namibian Network Information Centre 2015-02-09 Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 1 / 19

  1. DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza Sanchez & Eberhard W Lisse University of Costa Rica & Namibian Network Information Centre 2015-02-09 Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 1 / 19

  2. Introduction DNSSEC is Easy! Is it Secure? Secure DNSSEC is Expensive! Is it really? So, what were we looking for? An easy, secure and cheap DNSSEC solution for .NA; for demonstration purposes; for fun (see slide 19) Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 2 / 19

  3. Introduction Registry System without DNSSEC Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 3 / 19

  4. Introduction Registry System with DNSSEC Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 4 / 19

  5. Introduction Hardware Keys Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 5 / 19

  6. Introduction Why Mac? SmartcardHSM Different Brands Smartcard Readers Different Brands Open Source Sofware OpenSC BIND 9 Homebrew MacPorts Virtual Box Centos 6 OS X 10.10.2 Native Drivers for the Readers Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 6 / 19

  7. Proof of Concept Not Production Grade. Yet. Why Mac? Name Servers usually don’t run on Netbooks BSD Ubuntu Centos It’s fun (see slide 19) No auditing (Ceremony) Can be added later from Richard Lamb’s Ceremony documentation Key in Hardware adds some security Physical Access to Server is required Servers are usually in secure data center Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 7 / 19

  8. Implementation Bash Consolidate Richard Lamb’s Ceremony Scripts into 1 single script 50 lines dialog to display/modify Environment Variables Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 8 / 19

  9. Set Environment Variables Bash DATE=‘date -u +%Y%m%d%H%M%S‘ DOMAIN=na PASSWORD=RichardLamb PATH=~/Downloads/dccom:$PATH PIN1=123456 PKCS11_LIBRARY_PATH=/Library/OpenSC/lib/opensc- pkcs11.so SOPIN="3537363231383830" CKALABEL="ksk.""$DOMAIN"".""$DATE" Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 9 / 19

  10. Initialization Prepare the Card sc-hsm-tool –initialize –so-pin $SOPIN \ –pin $PIN1 Erase the Card sc-hsm-tool –initialize –so-pin $SOPIN \ –pin $PIN1 –dkek-shares 2 Device Key Encryption Key (DKEK) shares are used to derive the actual keys Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 10 / 19

  11. Create 2 DKEK Shares sc-hsm-tool –create-dkek-share dkek-share-1.pbe \ –so-pin $SOPIN –pin $PIN1 \ –password $PASSWORD sc-hsm-tool –create-dkek-share dkek-share-2.pbe \ –so-pin $SOPIN –pin $PIN1 \ –password $PASSWORD Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 11 / 19

  12. Import the DKEK Shares sc-hsm-tool –import-dkek-share dkek-share-1.pbe \ –so-pin $SOPIN –pin $PIN1 \ –password $PASSWORD sc-hsm-tool –import-dkek-share dkek-share-2.pbe \ –so-pin $SOPIN –pin $PIN1 \ –password $PASSWORD Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 12 / 19

  13. Generate 2 ZSKs Why 2? dnssec-keygen -r /dev/random -a 8 -b 1024 \ $DOMAIN. dnssec-keygen -r /dev/random -a 8 -b 1024 \ $DOMAIN. Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 13 / 19

  14. Generate KSK Inside the Card pkcs11-tool –module $PKCS11_LIBRARY_PATH \ -l –pin $PIN1 –keypairgen –key-type rsa:2048 \ –read-object –type pubkey \ –output-file "$CKALABEL"".pub" \ –label "$CKALABEL" Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 14 / 19

  15. Verification Dump the Card pkcs15-tool -D Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 15 / 19

  16. Wrap the Key Export and encrypt (wrapped with shares) copy of the private key sc-hsm-tool –wrap-key "$CKALABEL"".wrap" \ –key-reference 1 –pin $PIN1 Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 16 / 19

  17. hcardsign (Bash script) Generate pre-KSK-signed DNSKEY RRsets for future use relies on pkcs11-backup -f$CKALABEL:8:257:$DOMAIN. \ -S 0 -P $PIN1 Open Source (Richard Lamb) Doesn’t currently compile on the Mac Will do so RSN Not an issue Works on Linux Not required in production Less Safe Demonstrated here only to show functionality Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 17 / 19

  18. Make Backup Card From Wrapped Key Repeat steps for additional cards sc-hsm-tool –initialize –so-pin $SOPIN –pin $PIN1 sc-hsm-tool –initialize –so-pin $SOPIN \ –pin $PIN1 –dkek-shares 2 sc-hsm-tool –import-dkek-share dkek-share-1.pbe \ –so-pin $SOPIN –pin $PIN1 \ –password $PASSWORD sc-hsm-tool –import-dkek-share dkek-share-2.pbe \ –so-pin $SOPIN –pin $PIN1 \ –password $PASSWORD sc-hsm-tool –unwrap-key $CKALABEL"".wrap" \ –key-reference 1 –pin $PIN1 Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 18 / 19

  19. The Real Reason This is fun! Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 19 / 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DNSSEC with SmartcardHSM Not as Easy as One Thinks Eberhard W Lisse Namibian Network Information

DNSSEC with SmartcardHSM Not as Easy as One Thinks Eberhard W Lisse Namibian Network Information

DNSSEC with SmartcardHSM Not as Easy as One Thinks Eberhard W Lisse Namibian Network Information Centre 2015-06-24 Lisse (NA-NiC) SmartcardHSM 2015-06-24 1 / 10 Introduction Why? So, what are we looking for? Easy off the shelf DNSSEC

739 views • 10 slides
*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a

*.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a

New DNSSEC Technologies Paul Wouters Senior software engineer, Red Hat February 9, 2015 1 Paul Wouters <pwouters@redhat.com> *.fedoraproject.org PGP keys now in DNSSEC All Fedora Account System users have a user@fedoraproject.org

380 views • 12 slides
Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina

Deploying New DNSSEC Algorithms ICANN 53 DNSSEC Workshop June 24, 2015 Buenos Aires, Argentina Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used in DNSSEC

490 views • 18 slides
Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins

Technical Parameter Decisions for DNSSEC Technical Parameter Decisions for DNSSEC By Mark Elkins July 2013 ZSK - Zone Signing Keys ZSK - Zone Signing Keys Its a security key - use secure algorithms Create it to be flexible in use

255 views • 7 slides
Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech,

Challenges To Deploying New DNSSEC Algorithms ICANN 55 DNSSEC Workshop March 8, 2016 Marrakech, Morocco Dan York, Internet Society www.internetsociety.org/deploy360 DNSSEC Algorithms Used to generate keys for signing DNSKEY Used

417 views • 15 slides
Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany

Securing DNSSEC Keys via Threshold ECDSA From Generic MPC Kris Shrishak TU Darmstadt, Germany November 6, 2020 NIST Workshop on Multi-Party Threshold Schemes 2020 Based on work published at ESORICS20 with Anders Dalskov, Marcel Keller,

775 views • 63 slides
.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

.SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the

. SE-DNSSEC . SEs DNSSEC service Staffan.Hagnell@iis.se .SE-DNSSEC Commercial launch of .SE-DNSSEC Feb 16, 2007 Signing Soft launch of service the .SE zone Sep 2005 2006 Start of project 2001 .SEs challenge To make DNSSEC

584 views • 24 slides
DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN 50 DNSSEC in .at (and beyond) Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 25 2014 Alexander Mayrhofer London, UK alexander.mayrhofer@nic.at ICANN 50 DNSSEC Services n ccTLD: .at l DNSSEC in production

109 views • 10 slides
DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat,

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat,

DNSSEC ROLLING KEYS Presented by Olaf Kolkman (NLnet Labs) and Alain Aina(TRS) Rabat, Morocco, 1 June 2008 http://www.nlnetlabs.nl/ Rabat, Morocco, June 1 2008 page 2 DNSKEY in flavours Zone Signin Key (ZSK) Key Signing Key (KSK)

155 views • 13 slides
DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009

DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009

DNSSEC Tutorial: Public / Private Key Refresher Hervey Allen Phil Regnauld 26 February 2009 Manila, Philippines http://nsrc.org/tutorials/2009/apricot/dnssec/ Public-Private Keys Refresher Ciphers Ciphertext Symmetric Cipher /

465 views • 20 slides
DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop

ICANN44 DNSSEC activities @ nic.at Panel discussion DNSSEC activities in Europe DNSSEC workshop Jun 27 2012 Alexander Mayrhofer Prague, CZ alexander.mayrhofer@nic.at ICANN44 .at DNSSEC Timeline Testbed DS in root Feb 2011 Feb 09

404 views • 8 slides
DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you

DNSSEC CS 161: Computer Security Prof. David Wagner April 11, 2016 DNSSEC Last lecture, you invented DNSSEC. Well, the basic ideas, anyway: Sign all DNS records. Signatures let you verify answer to DNS query, without having to trust the

835 views • 49 slides
DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative

DNSSEC Trust Anchor Repositories (TAR) Update Russ Mundy Co-Chair DNSSEC Deployment Initiative Russ.Mundy@cobham.com / mundy@sparta.com www.dnssec-deployment.org DNSSEC Trust Anchors Starting point for DNSSEC validation Choice of

375 views • 16 slides
An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security

An Overview of DNSSEC Cesar Diaz cesar@ lacnic.net 1 DNSSEC??? The DNS Security Extension (DNS SEC) attach special kind of information called criptographic signatures to the queries and response that let your computer false

609 views • 34 slides
Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction

Deployment of DNSSEC at .ee ICANN 49: DNSSEC Workshop Timo Vhmar | 26.03.2014 | Introduction About Estonian Internet Foundation DNSSEC what, why, when Techie stuff Actual work Current situation | 26.03.2014 | Estonian

240 views • 9 slides
A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key

A Threshold Cryptographic Backend for DNSSEC Francisco Cifuentes francisco@niclabs.cl 1 Key Management Implementations Back to ICANN 40 2 Key Management Implementations Needs Zones need to be re-signed PKCS#11 periodically. Keys

507 views • 14 slides
at Gwens Girls Lisa Ripper University of Pittsburgh Graduate School of Public Health

at Gwens Girls Lisa Ripper University of Pittsburgh Graduate School of Public Health

Empowering the Girls at Gwens Girls Lisa Ripper University of Pittsburgh Graduate School of Public Health Department of Behavioral and Community Health Sciences Summer 2013 Practicum Experience Bridging the Gaps What is BTG? My BTG Team:

652 views • 16 slides
Hindustan Unilever Limited SQ 2016 Results Presentation, 26th October 2016 1 Safe Harbor

Hindustan Unilever Limited SQ 2016 Results Presentation, 26th October 2016 1 Safe Harbor

Hindustan Unilever Limited SQ 2016 Results Presentation, 26th October 2016 1 Safe Harbor Statement This Release / Communication, except for the historical information, may contain statements, including the words or phrases such as expects,

674 views • 28 slides
The mathematics of football Location of goals scored in Premier League 2011-12 Season. Look at

The mathematics of football Location of goals scored in Premier League 2011-12 Season. Look at

The mathematics of football Location of goals scored in Premier League 2011-12 Season. Look at 0.094! That means a goalie scored from his own area? Any idea who it was? We will show you at the end if you dont! Break down of Attacking areas in

317 views • 27 slides
Evaluation of the Tiger Brands Foundations Pilot In-School Breakfast Feeding Programme

Evaluation of the Tiger Brands Foundations Pilot In-School Breakfast Feeding Programme

Evaluation of the Tiger Brands Foundations Pilot In-School Breakfast Feeding Programme Centre for Social Development in Africa University of Johannesburg 8 March 2013 TBF In-School Feeding Programme Purpose: to supplement the NSNP lunch

479 views • 22 slides
Towards Unified System Modeling with the ModelicaML UML Profile Adrian Pop, David Akhvlediani,

Towards Unified System Modeling with the ModelicaML UML Profile Adrian Pop, David Akhvlediani,

Towards Unified System Modeling with the ModelicaML UML Profile Adrian Pop, David Akhvlediani, Peter Fritzson Programming Environments Laboratory, Department of Computer and Information Science Linkping University adrpo@ ida.liu.se

451 views • 28 slides
Expert Group Meeting on THE BEST PRACTICES IN IMPLEMENTATION OF MOBILE IDENTIFICATION (mID)

Expert Group Meeting on THE BEST PRACTICES IN IMPLEMENTATION OF MOBILE IDENTIFICATION (mID)

Expert Group Meeting on THE BEST PRACTICES IN IMPLEMENTATION OF MOBILE IDENTIFICATION (mID) 18-19 October 2016 Warsaw, Poland Ministry of Digital Affairs Expert Group Meeting on mID 1 Session 1: Overview about Estonian eID Population:

421 views • 14 slides
A Domain Specific Visual Language for Modelica Daniel Riegelhaupt - 20071521 What is Modelica ?

A Domain Specific Visual Language for Modelica Daniel Riegelhaupt - 20071521 What is Modelica ?

A Domain Specific Visual Language for Modelica Daniel Riegelhaupt - 20071521 What is Modelica ? Modelica is a freely available, dynamic (notion of time) declarative ( mathematical equations ) OO language for multi-domain modeling. 1 - OO

300 views • 25 slides
IEEE P1149.8.1 Selective Toggle Fault Detection and Isolation Steve Butkovich Cisco Systems,

IEEE P1149.8.1 Selective Toggle Fault Detection and Isolation Steve Butkovich Cisco Systems,

IEEE P1149.8.1 Selective Toggle Fault Detection and Isolation Steve Butkovich Cisco Systems, Inc . y , Goal of the Fault Evaluation Goal of the Fault Evaluation Using the faults Using the faults portrayed in figure 6 expand on the

369 views • 8 slides

More recommend