DNSSEC Keys in SmartcardHSM OpenSC on Mac OS Luis D Espinoza - - PowerPoint PPT Presentation





SLIDE 1

DNSSEC Keys in SmartcardHSM

OpenSC on Mac OS

Luis D Espinoza Sanchez & Eberhard W Lisse

University of Costa Rica & Namibian Network Information Centre

2015-02-09

Espinoza & Lisse (NA-NiC) SmartcardHSM 2015-02-09 1 / 19

SLIDE 2

Introduction

DNSSEC is Easy!

Is it Secure?

Secure DNSSEC is Expensive!

Is it really?

So, what were we looking for?

An easy, secure and cheap DNSSEC solution

for .NA; for demonstration purposes; for fun (see slide 19)


SLIDE 3

Introduction

Registry System without DNSSEC


SLIDE 4

Introduction

Registry System with DNSSEC


SLIDE 5

Introduction

Hardware Keys


SLIDE 6

Introduction

Why Mac?

SmartcardHSM

Different Brands

Smartcard Readers

Different Brands

Open Source Software

OpenSC, BIND 9

Homebrew, MacPorts

Virtual Box

Centos 6

OS X 10.10.2

Native Drivers for the Readers


SLIDE 7

Proof of Concept

Not Production Grade. Yet.

Why Mac?

Name Servers usually don’t run on Netbooks

BSD, Ubuntu, CentOS

It’s fun (see slide 19)

No auditing (Ceremony)

Can be added later from Richard Lamb’s Ceremony documentation

Key in Hardware adds some security

Physical Access to Server is required

Servers are usually in secure data center


SLIDE 8

Implementation

Bash

Consolidate Richard Lamb’s Ceremony Scripts

into a single script of 50 lines

dialog

to display/modify Environment Variables


SLIDE 9

Set Environment Variables

Bash

DATE=`date -u +%Y%m%d%H%M%S`
DOMAIN=na
PASSWORD=RichardLamb
PATH=~/Downloads/dccom:$PATH
PIN1=123456
PKCS11_LIBRARY_PATH=/Library/OpenSC/lib/opensc-pkcs11.so
SOPIN="3537363231383830"
CKALABEL="ksk.$DOMAIN.$DATE"


SLIDE 10

Initialization

Prepare the Card

sc-hsm-tool --initialize --so-pin $SOPIN \
    --pin $PIN1

Erase the Card

sc-hsm-tool --initialize --so-pin $SOPIN \
    --pin $PIN1 --dkek-shares 2

Device Key Encryption Key (DKEK) shares are used to derive the actual keys


SLIDE 11

Create 2 DKEK Shares

sc-hsm-tool --create-dkek-share dkek-share-1.pbe \
    --so-pin $SOPIN --pin $PIN1 \
    --password $PASSWORD

sc-hsm-tool --create-dkek-share dkek-share-2.pbe \
    --so-pin $SOPIN --pin $PIN1 \
    --password $PASSWORD


SLIDE 12

Import the DKEK Shares

sc-hsm-tool --import-dkek-share dkek-share-1.pbe \
    --so-pin $SOPIN --pin $PIN1 \
    --password $PASSWORD

sc-hsm-tool --import-dkek-share dkek-share-2.pbe \
    --so-pin $SOPIN --pin $PIN1 \
    --password $PASSWORD


SLIDE 13

Generate 2 ZSKs

Why 2?

dnssec-keygen -r /dev/random -a 8 -b 1024 \
    $DOMAIN.

dnssec-keygen -r /dev/random -a 8 -b 1024 \
    $DOMAIN.


SLIDE 14

Generate KSK Inside the Card

pkcs11-tool --module $PKCS11_LIBRARY_PATH \
    -l --pin $PIN1 --keypairgen --key-type rsa:2048 \
    --read-object --type pubkey \
    --output-file "$CKALABEL.pub" \
    --label "$CKALABEL"


SLIDE 15

Verification

Dump the Card

pkcs15-tool -D


SLIDE 16

Wrap the Key

Export an encrypted copy of the private key (wrapped using the DKEK shares)

sc-hsm-tool --wrap-key "$CKALABEL.wrap" \
    --key-reference 1 --pin $PIN1


SLIDE 17

hcardsign (Bash script)

Generate pre-KSK-signed DNSKEY RRsets for future use

relies on

pkcs11-backup -f$CKALABEL:8:257:$DOMAIN. \
    -S 0 -P $PIN1

Open Source (Richard Lamb)

Doesn’t currently compile on the Mac; will do so RSN

Not an issue

Works on Linux; not required in production

Less Safe

Demonstrated here only to show functionality
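The public key read out of the card on slide 14 and the "8:257" (algorithm RSASHA256, KSK flags) given to pkcs11-backup above together determine the DNSKEY record the zone will publish. The following is an added example, not code from the slides or from Richard Lamb's scripts: it encodes an RSA public key per RFC 3110, builds the DNSKEY RDATA and computes the key tag (RFC 4034, Appendix B), so the RRset actually published for .NA can be checked against the key in the card. It assumes the modulus and exponent have already been extracted from the exported "$CKALABEL.pub" file (for instance with openssl); the numbers it runs on are constructed toy values.

```python
# Added example (not from the slides or from Richard Lamb's scripts): build the
# DNSKEY RR a KSK generated in the SmartcardHSM would publish and compute its
# key tag (RFC 4034, Appendix B), so the published RRset can be checked against
# the key actually in the card. Assumes the RSA modulus and public exponent have
# already been read out of the exported "$CKALABEL.pub" file (e.g. with openssl);
# the numbers used in __main__ are constructed toy values, not a real key.
import base64
import struct

KSK_FLAGS = 257   # ZONE + SEP bits, the "257" in the pkcs11-backup spec on slide 17
ZSK_FLAGS = 256
PROTOCOL = 3      # always 3 for DNSSEC (RFC 4034)
RSASHA256 = 8     # the "-a 8" given to dnssec-keygen / the "8" in the backup spec


def rfc3110_public_key(modulus: int, exponent: int) -> bytes:
    """Encode an RSA public key as the DNSKEY public-key field (RFC 3110, section 2)."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    mod = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    # One-byte exponent length, or a zero byte followed by a two-byte length.
    prefix = bytes([len(exp)]) if len(exp) < 256 else b"\x00" + struct.pack(">H", len(exp))
    return prefix + exp + mod


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags (2), protocol (1), algorithm (1), public key."""
    return struct.pack(">HBB", flags, PROTOCOL, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_record(owner: str, flags: int, algorithm: int, modulus: int, exponent: int) -> str:
    """Presentation-format DNSKEY RR, as it should appear in the zone's DNSKEY RRset."""
    rdata = dnskey_rdata(flags, algorithm, rfc3110_public_key(modulus, exponent))
    b64 = base64.b64encode(rdata[4:]).decode()
    return f"{owner} IN DNSKEY {flags} {PROTOCOL} {algorithm} {b64} ; key tag {key_tag(rdata)}"


if __name__ == "__main__":
    # Constructed toy modulus; a real KSK from the card has a 2048-bit modulus.
    print(dnskey_record("na.", KSK_FLAGS, RSASHA256, 0xABCDEF01, 65537))
```

The key tag printed is the value that must match the DS record the parent publishes for the KSK, so a mismatch here is caught before the pre-signed RRsets are ever served.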


SLIDE 18

Make Backup Card From Wrapped Key

Repeat steps for additional cards

sc-hsm-tool --initialize --so-pin $SOPIN --pin $PIN1

sc-hsm-tool --initialize --so-pin $SOPIN \
    --pin $PIN1 --dkek-shares 2

sc-hsm-tool --import-dkek-share dkek-share-1.pbe \
    --so-pin $SOPIN --pin $PIN1 \
    --password $PASSWORD

sc-hsm-tool --import-dkek-share dkek-share-2.pbe \
    --so-pin $SOPIN --pin $PIN1 \
    --password $PASSWORD

sc-hsm-tool --unwrap-key "$CKALABEL.wrap" \
    --key-reference 1 --pin $PIN1


SLIDE 19

The Real Reason

This is fun!
