On 06/13/17 23:07, R0b0t1 wrote:
> On Tue, Jun 13, 2017 at 1:26 PM, james <garftd@×××××××.net> wrote:
>> Hello one and all,
>>
>> I was looking at planet.gentoo.org and saw several (ultrabug) posts
>> that involve pkcs#11; particularly related to the yubikey device.
>> Looking around, there are SmartCards (SC) that can be used in lieu of
>> the Yubikey, and other schemes, some with, some without 2FactorAuth.
>>
>
> Can you provide a link for those? Is it just the Yubikey-style
> authentication that is at fault, or their smartcard functionality as
> well?

Opensc website lists national and generic Smart card information.

>
>> Here is a source of 'Generic' SC:
>> https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-%28smart-cards-and-USB-tokens%29
>>
>>
>> Has anyone a simple, basic implementation of pkcs#11? That uses one of
>> those Generic SC?
>>
>>
>> I guess what I'm really looking for is a master list of ebuilds
>> (overlays) that one has or possibly could use to implement any form of
>> PKCS#11 on a gentoo server, workstation, or embedded system? I've been
>> googling on this a bit, but my keyword combos have not been very fruitful.
>>
>
> What are you trying to do with PKCS? Authenticate user accounts?

Implement pkcs#11 using/testing a variety of schemes with various IoT
devices, like printers

https://twitter.com/flashman/status/871896475902631936

>
>>
>> Any of this on a gentoo-hardened profile? Amd64 would be perfect
>> but any processor/platform running any form of gentoo would be keen.
>> Work on another, like Debian or Arch, would be of interest, too.
>> Discussion or suggestions are most welcome, as this is not my normal
>> area of interest. Any PKCS#11 (or as embodied in newer standards) usage
>> on a gentoo cloud would be most exciting, for me.
>>
>
> Most things work by default on hardened, particularly if they don't
> involve multimedia.

Ever used 'DPI' or deep packet inspection or similar tools? Just look
at embedded systems from 10 years ago; many are compromised. The modern
(IoT) devices that use MQTT are even more hacked. Go to defcon
and poke around a bit....

>
>
> On Tue, Jun 13, 2017 at 4:41 PM, james <garftd@×××××××.net> wrote:
>> On 06/13/17 14:40, Alon Bar-Lev wrote:
>>> On 13 June 2017 at 21:26, james <garftd@×××××××.net> wrote:
>>>
>>> <snip>
>>>
>>>> I guess what I'm really looking for is a master list of ebuilds
>>>> (overlays) that one has or possibly could use to implement any form of
>>>> PKCS#11 on a gentoo server, workstation, or embedded system? I've been
>>>> googling on this a bit, but my keyword combos have not been very fruitful.
>>>
>>> Hi,
>>>
>>> You have at least these:
>>>
>>> https://packages.gentoo.org/packages/dev-libs/softhsm
>>> https://packages.gentoo.org/packages/dev-libs/opensc
>>> https://packages.gentoo.org/packages/dev-libs/opencryptoki
>>> https://packages.gentoo.org/packages/app-crypt/coolkey
>>>
>>> Regards,
>>> Alon
>>>
>>
>>
>> Yes, thanks for the info above; and more using eix <-R|-cC> <dev-libs> |
>> grep <pkcs|HSM> and other such searches.
>>
>>
>> I should have been more detailed in my first post, apologies. I'm more
>> or less looking for complete projects where someone at least moderately
>> documented the steps, gotchas, nuances, etc etc. In theory, they're not
>> too difficult. On the practical side, there's an ocean of fragmented
>> minutia, depending on what you try, exactly. I guess I was looking for a
>> bit of a 'well worn' pathway, that included experimentation with the
>> physical card side of things, gentoo centric. A book/website on
>> practical pkcs#11 linux implementation?
>>
>
> You would probably be interested in https://inversepath.com/usbarmory.
>
> You should read the technical explanations of the technology involved
> and then ask specific questions.
>
>>
>> I also have looked at some of the semiconductor vendor solutions, but
>> there is little detail other than 'purchase' the interesting parts
>> inside of fpga code or an asic, which does me no good. But implemented
>> on an embedded microP with some flexibility would be good, as long as
>> the processor is one that also runs embedded (gentoo) linux. So any
>> dev-boards (RaspPI-3 or ?) would be keen that have any sort of pkcs
>> demo, I could purchase from a semiconductor vendor? Any ideas along that
>> venue would also work for me.
>>
>
> This topic is probably a bit too specific for a vendor to have created
> a demo board for it. You will find most parts have development boards,
> most of them including some kind of USB connectivity. See above for an
> example part - the part used for the USB Armory is interesting because
> it supports what is essentially Secure Boot and you can ensure that
> only signed code is run, barring expensive (~$1-10m) reverse
> engineering of the processor's die.
>
>>
>> Perhaps some detail on hardening the platform, tool-chain and
>> musl/ulibc/glibc, as that's another fundamental part of the effort I
>> find scant info on. Code bases such as this one in python [A] are
>> interesting, but not complete. Basically trying to stand on the
>> shoulders of folks that know what they are doing, and the CI or
>> automated test best for penetration testing what you actually implement
>> going forward, is another integral part of a complete solution.
>>
>>
>> Theoretical or practical experience or just a good comprehensive
>> document/book to read. Anything complete, not just a piece of code that
>> is a fragment of a complete (FOSS?) pkcs#11 system? Gaining
>> practical/working knowledge of these details seems to be fleeting, at
>> least for me. I had just assumed it was a well-worn pathway, publicly
>> discussed in some detail. Perhaps a hacker/penetration forum, where the
>> expertise is what I seek?
>>
>>
>> Are other folks interested in rolling their own solution, or am I
>> pursuing an impossible DIYS project?
>>
>
> You're not alone but most of the devices that could implement what you
> want are either underpowered and lack features, are uselessly complex,
> or have nonfree components that undermine an estimate of their
> security. My first attempt at wading through an NXP part's
> documentation showed me it would take about a month before I had
> anything useful that compiled.
>
> For example those NXP parts that the USB Armory uses do not have an
> easy to use toolchain and the header files are hard to obtain and
> the example projects are nearly inscrutable. Atmel/Microchip XMega
> parts may be more suitable and do come with security of sorts, but are
> still not as capable. All FPGAs are either too large, too small, or
> too costly, and in any case the synthesis tools and the cell layout
> are proprietary.
>
> R0b0t1.
>
>