| 1 |
On Tue, Jun 13, 2017 at 1:26 PM, james <garftd@×××××××.net> wrote: |
| 2 |
> Hello one and all, |
| 3 |
> |
| 4 |
> I was looking at planet.gentoo.org and saw several (ultrabug) posts |
| 5 |
> that involve pkcs#11; particularly related to the yubikey device. |
| 6 |
> Looking around, there are SmartCards (SC) that be used in lieu of |
| 7 |
> the Yubikey, and other schemes some with some without 2FactorAuth. |
| 8 |
> |
| 9 |
|
| 10 |
Can you provide a link for those? Is it just the Yubikey-style |
| 11 |
authentication that is at fault, or their smartcard functionality as |
| 12 |
well? |
| 13 |
|
| 14 |
> Here is a source of 'Generic' SC:: |
| 15 |
> https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-%28smart-cards-and-USB-tokens%29 |
| 16 |
> |
| 17 |
> |
| 18 |
> Has anyone a simple, basic implemention of pksc#11 ? That uses one of |
| 19 |
> those Generic SC? |
| 20 |
> |
| 21 |
> |
| 22 |
> I guess what I'm really looking for is a master list of ebuilds |
| 23 |
> (overlays) that one has or possible could use to implement any form of |
| 24 |
> PKCS#11 on a gentoo server, workstation, or embedded system? I've been |
| 25 |
> googling on this a bit, but my keyword combos have not been very fruitful. |
| 26 |
> |
| 27 |
|
| 28 |
What are you trying to do with PKCS? Authenticate user accounts? |
| 29 |
|
| 30 |
> |
| 31 |
> Any of this on a gentoo-hardened profile? Amd64 would be perfect |
| 32 |
> but any processor/platform running any form of gentoo, would be keen. |
| 33 |
> Work on another, like Debian or Arch would be of interest, too. |
| 34 |
> Discussion or suggestions are most welcome, as this is not my normal |
| 35 |
> area of interest. Any PCKS#11 (or as embodied in newer standards) usage |
| 36 |
> on a gentoo cloud would be most exciting, for me. |
| 37 |
> |
| 38 |
|
| 39 |
Most things work by default on hardened, particularly if they don't |
| 40 |
involve multimedia. |
| 41 |
|
| 42 |
|
| 43 |
On Tue, Jun 13, 2017 at 4:41 PM, james <garftd@×××××××.net> wrote: |
| 44 |
> On 06/13/17 14:40, Alon Bar-Lev wrote: |
| 45 |
>> On 13 June 2017 at 21:26, james <garftd@×××××××.net> wrote: |
| 46 |
>> |
| 47 |
>> <snip> |
| 48 |
>> |
| 49 |
>>> I guess what I'm really looking for is a master list of ebuilds |
| 50 |
>>> (overlays) that one has or possible could use to implement any form of |
| 51 |
>>> PKCS#11 on a gentoo server, workstation, or embedded system? I've been |
| 52 |
>>> googling on this a bit, but my keyword combos have not been very fruitful. |
| 53 |
>> |
| 54 |
>> Hi, |
| 55 |
>> |
| 56 |
>> You have at least these: |
| 57 |
>> |
| 58 |
>> https://packages.gentoo.org/packages/dev-libs/softhsm |
| 59 |
>> https://packages.gentoo.org/packages/dev-libs/opensc |
| 60 |
>> https://packages.gentoo.org/packages/dev-libs/opencryptoki |
| 61 |
>> https://packages.gentoo.org/packages/app-crypt/coolkey |
| 62 |
>> |
| 63 |
>> Regards, |
| 64 |
>> Alon |
| 65 |
>> |
| 66 |
> |
| 67 |
> |
| 68 |
> Yes thanks for the info above; and more using eix <-R|-cC> <dev-libs> | |
| 69 |
> grep <pkcs|HSM> and other such searches. |
| 70 |
> |
| 71 |
> |
| 72 |
> I should have been more detailed in my first post, apologies. I'm more |
| 73 |
> or less looking for complete projects where someone at least moderately |
| 74 |
> documented the steps, gotchas, nuances, etc etc. In theory, they're not |
| 75 |
> too difficult. On the practical side, there's an ocean of fragmented |
| 76 |
> minutia, depending on what you try, exactly. I guess I was look for a |
| 77 |
> bit of a 'well worn' pathway, that included experimentation with the |
| 78 |
> physical card side of things, gentoo centric. A book/website on |
| 79 |
> practical pkcs#11 linux implementation? |
| 80 |
> |
| 81 |
|
| 82 |
You would probably be interested in https://inversepath.com/usbarmory. |
| 83 |
|
| 84 |
You should read the technical explanations of the technology involved |
| 85 |
and then ask specific questions. |
| 86 |
|
| 87 |
> |
| 88 |
> I also have look at some of the semiconductor vendor solutions, but |
| 89 |
> there is little detail other than 'purchase' the interesting parts |
| 90 |
> inside of fpga code or an asic, which does me no good. But implemented |
| 91 |
> on an embedded microP with some flexibility would be good, as long as |
| 92 |
> the processor is one that also runs embedded (gentoo) linux. So any |
| 93 |
> dev-boards (RaspPI-3 or ?) would be keen that have any sort of pkcs |
| 94 |
> demo, I could purchase from a semiconductor vendor? Any ideas along that |
| 95 |
> venue would also work for me. |
| 96 |
> |
| 97 |
|
| 98 |
This topic is probably a bit too specific for a vendor to have created |
| 99 |
a demo board for it. You will find most parts have development boards, |
| 100 |
most of them including some kind of USB connectivity. See above for an |
| 101 |
example part - the part used for the USB Armory is interesting because |
| 102 |
it supports what is essentially Secure Boot and you can ensure that |
| 103 |
only signed code is run, barring expensive (~$1-10m) reverse |
| 104 |
engineering of the processor's die. |
| 105 |
|
| 106 |
> |
| 107 |
> Perhaps some detail on hardening the platform, tool-chain and |
| 108 |
> musl/ulibc/glibc as that's another fundamental part of the effort, I |
| 109 |
> find scant info on. Codes bases such as this one in python [A] are |
| 110 |
> interesting, but not complete. Basically trying to stand on the |
| 111 |
> shoulders of folks that know what they are doing, and the CI or |
| 112 |
> automated test best for penetration testing what you actually implement |
| 113 |
> going forward, is another integral part of a complete solution. |
| 114 |
> |
| 115 |
> |
| 116 |
> Theoretical or practical experience or just a good comprehensive |
| 117 |
> document/book to read. Anything complete, not just a piece of code that |
| 118 |
> is a fragment of a complete (FOSS?) pkcs#11 system? Gaining |
| 119 |
> practical/working knowledge of these details seems to be fleeting, at |
| 120 |
> least for me. I had just assumed in was a well-worn pathway, publically |
| 121 |
> discuss in some detail. Perhaps a hacker/penetration forum, where the is |
| 122 |
> expertise is what I seek? |
| 123 |
> |
| 124 |
> |
| 125 |
> Are other folks interested in rolling their own solution, or am I |
| 126 |
> pursuing an impossible DIYS project? |
| 127 |
> |
| 128 |
|
| 129 |
You're not alone but most of the devices that could implement what you |
| 130 |
want are either underpowered and lack features, are uselessly complex, |
| 131 |
or have nonfree components that undermine an estimate of their |
| 132 |
security. My first attempt at wading through an NXP part's |
| 133 |
documentation showed me it would take about a month before I had |
| 134 |
anything useful that compiled. |
| 135 |
|
| 136 |
For example those NXP parts that the USB Armory uses do not have a |
| 137 |
easily to use toolchain and the header files are hard to obtain and |
| 138 |
the example projects are nearly inscrutable. Atmel/Microchip XMega |
| 139 |
parts may be more suitable and do some with security of sorts, but are |
| 140 |
still not as capable. All FPGAs are either too large, too small, or |
| 141 |
too costly, and in any case the synthesis tools and the cell layout |
| 142 |
are proprietary. |
| 143 |
|
| 144 |
R0b0t1. |
Archives