| 1 |
On 06/13/17 23:07, R0b0t1 wrote: |
| 2 |
> On Tue, Jun 13, 2017 at 1:26 PM, james <garftd@×××××××.net> wrote: |
| 3 |
>> Hello one and all, |
| 4 |
>> |
| 5 |
>> I was looking at planet.gentoo.org and saw several (ultrabug) posts |
| 6 |
>> that involve pkcs#11; particularly related to the yubikey device. |
| 7 |
>> Looking around, there are SmartCards (SC) that be used in lieu of |
| 8 |
>> the Yubikey, and other schemes some with some without 2FactorAuth. |
| 9 |
>> |
| 10 |
> |
| 11 |
> Can you provide a link for those? Is it just the Yubikey-style |
| 12 |
> authentication that is at fault, or their smartcard functionality as |
| 13 |
> well? |
| 14 |
|
| 15 |
Opensc website lists national and generic Smart card information. |
| 16 |
|
| 17 |
> |
| 18 |
>> Here is a source of 'Generic' SC:: |
| 19 |
>> https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-%28smart-cards-and-USB-tokens%29 |
| 20 |
>> |
| 21 |
>> |
| 22 |
>> Has anyone a simple, basic implemention of pksc#11 ? That uses one of |
| 23 |
>> those Generic SC? |
| 24 |
>> |
| 25 |
>> |
| 26 |
>> I guess what I'm really looking for is a master list of ebuilds |
| 27 |
>> (overlays) that one has or possible could use to implement any form of |
| 28 |
>> PKCS#11 on a gentoo server, workstation, or embedded system? I've been |
| 29 |
>> googling on this a bit, but my keyword combos have not been very fruitful. |
| 30 |
>> |
| 31 |
> |
| 32 |
> What are you trying to do with PKCS? Authenticate user accounts? |
| 33 |
|
| 34 |
Implement pkcs#11 using/testing a variety of schemes with various IoT |
| 35 |
devices, like printers |
| 36 |
|
| 37 |
https://twitter.com/flashman/status/871896475902631936 |
| 38 |
|
| 39 |
> |
| 40 |
>> |
| 41 |
>> Any of this on a gentoo-hardened profile? Amd64 would be perfect |
| 42 |
>> but any processor/platform running any form of gentoo, would be keen. |
| 43 |
>> Work on another, like Debian or Arch would be of interest, too. |
| 44 |
>> Discussion or suggestions are most welcome, as this is not my normal |
| 45 |
>> area of interest. Any PCKS#11 (or as embodied in newer standards) usage |
| 46 |
>> on a gentoo cloud would be most exciting, for me. |
| 47 |
>> |
| 48 |
> |
| 49 |
> Most things work by default on hardened, particularly if they don't |
| 50 |
> involve multimedia. |
| 51 |
|
| 52 |
Every used 'DPI' or deep packet inspection or similar tools? Just look |
| 53 |
at embedded systems from 10 years ago; many are compromised. The modern |
| 54 |
(IoT) devices that use MQTT are even more hacked. Got to defcon |
| 55 |
and poke around a bit.... |
| 56 |
|
| 57 |
> |
| 58 |
> |
| 59 |
> On Tue, Jun 13, 2017 at 4:41 PM, james <garftd@×××××××.net> wrote: |
| 60 |
>> On 06/13/17 14:40, Alon Bar-Lev wrote: |
| 61 |
>>> On 13 June 2017 at 21:26, james <garftd@×××××××.net> wrote: |
| 62 |
>>> |
| 63 |
>>> <snip> |
| 64 |
>>> |
| 65 |
>>>> I guess what I'm really looking for is a master list of ebuilds |
| 66 |
>>>> (overlays) that one has or possible could use to implement any form of |
| 67 |
>>>> PKCS#11 on a gentoo server, workstation, or embedded system? I've been |
| 68 |
>>>> googling on this a bit, but my keyword combos have not been very fruitful. |
| 69 |
>>> |
| 70 |
>>> Hi, |
| 71 |
>>> |
| 72 |
>>> You have at least these: |
| 73 |
>>> |
| 74 |
>>> https://packages.gentoo.org/packages/dev-libs/softhsm |
| 75 |
>>> https://packages.gentoo.org/packages/dev-libs/opensc |
| 76 |
>>> https://packages.gentoo.org/packages/dev-libs/opencryptoki |
| 77 |
>>> https://packages.gentoo.org/packages/app-crypt/coolkey |
| 78 |
>>> |
| 79 |
>>> Regards, |
| 80 |
>>> Alon |
| 81 |
>>> |
| 82 |
>> |
| 83 |
>> |
| 84 |
>> Yes thanks for the info above; and more using eix <-R|-cC> <dev-libs> | |
| 85 |
>> grep <pkcs|HSM> and other such searches. |
| 86 |
>> |
| 87 |
>> |
| 88 |
>> I should have been more detailed in my first post, apologies. I'm more |
| 89 |
>> or less looking for complete projects where someone at least moderately |
| 90 |
>> documented the steps, gotchas, nuances, etc etc. In theory, they're not |
| 91 |
>> too difficult. On the practical side, there's an ocean of fragmented |
| 92 |
>> minutia, depending on what you try, exactly. I guess I was look for a |
| 93 |
>> bit of a 'well worn' pathway, that included experimentation with the |
| 94 |
>> physical card side of things, gentoo centric. A book/website on |
| 95 |
>> practical pkcs#11 linux implementation? |
| 96 |
>> |
| 97 |
> |
| 98 |
> You would probably be interested in https://inversepath.com/usbarmory. |
| 99 |
> |
| 100 |
> You should read the technical explanations of the technology involved |
| 101 |
> and then ask specific questions. |
| 102 |
> |
| 103 |
>> |
| 104 |
>> I also have look at some of the semiconductor vendor solutions, but |
| 105 |
>> there is little detail other than 'purchase' the interesting parts |
| 106 |
>> inside of fpga code or an asic, which does me no good. But implemented |
| 107 |
>> on an embedded microP with some flexibility would be good, as long as |
| 108 |
>> the processor is one that also runs embedded (gentoo) linux. So any |
| 109 |
>> dev-boards (RaspPI-3 or ?) would be keen that have any sort of pkcs |
| 110 |
>> demo, I could purchase from a semiconductor vendor? Any ideas along that |
| 111 |
>> venue would also work for me. |
| 112 |
>> |
| 113 |
> |
| 114 |
> This topic is probably a bit too specific for a vendor to have created |
| 115 |
> a demo board for it. You will find most parts have development boards, |
| 116 |
> most of them including some kind of USB connectivity. See above for an |
| 117 |
> example part - the part used for the USB Armory is interesting because |
| 118 |
> it supports what is essentially Secure Boot and you can ensure that |
| 119 |
> only signed code is run, barring expensive (~$1-10m) reverse |
| 120 |
> engineering of the processor's die. |
| 121 |
> |
| 122 |
>> |
| 123 |
>> Perhaps some detail on hardening the platform, tool-chain and |
| 124 |
>> musl/ulibc/glibc as that's another fundamental part of the effort, I |
| 125 |
>> find scant info on. Codes bases such as this one in python [A] are |
| 126 |
>> interesting, but not complete. Basically trying to stand on the |
| 127 |
>> shoulders of folks that know what they are doing, and the CI or |
| 128 |
>> automated test best for penetration testing what you actually implement |
| 129 |
>> going forward, is another integral part of a complete solution. |
| 130 |
>> |
| 131 |
>> |
| 132 |
>> Theoretical or practical experience or just a good comprehensive |
| 133 |
>> document/book to read. Anything complete, not just a piece of code that |
| 134 |
>> is a fragment of a complete (FOSS?) pkcs#11 system? Gaining |
| 135 |
>> practical/working knowledge of these details seems to be fleeting, at |
| 136 |
>> least for me. I had just assumed in was a well-worn pathway, publically |
| 137 |
>> discuss in some detail. Perhaps a hacker/penetration forum, where the is |
| 138 |
>> expertise is what I seek? |
| 139 |
>> |
| 140 |
>> |
| 141 |
>> Are other folks interested in rolling their own solution, or am I |
| 142 |
>> pursuing an impossible DIYS project? |
| 143 |
>> |
| 144 |
> |
| 145 |
> You're not alone but most of the devices that could implement what you |
| 146 |
> want are either underpowered and lack features, are uselessly complex, |
| 147 |
> or have nonfree components that undermine an estimate of their |
| 148 |
> security. My first attempt at wading through an NXP part's |
| 149 |
> documentation showed me it would take about a month before I had |
| 150 |
> anything useful that compiled. |
| 151 |
> |
| 152 |
> For example those NXP parts that the USB Armory uses do not have a |
| 153 |
> easily to use toolchain and the header files are hard to obtain and |
| 154 |
> the example projects are nearly inscrutable. Atmel/Microchip XMega |
| 155 |
> parts may be more suitable and do some with security of sorts, but are |
| 156 |
> still not as capable. All FPGAs are either too large, too small, or |
| 157 |
> too costly, and in any case the synthesis tools and the cell layout |
| 158 |
> are proprietary. |
| 159 |
> |
| 160 |
> R0b0t1. |
| 161 |
> |
| 162 |
> |
Archives