1 |
On Tue, Jun 13, 2017 at 1:26 PM, james <garftd@×××××××.net> wrote: |
2 |
> Hello one and all, |
3 |
> |
4 |
> I was looking at planet.gentoo.org and saw several (ultrabug) posts |
5 |
> that involve pkcs#11; particularly related to the yubikey device. |
6 |
> Looking around, there are SmartCards (SC) that be used in lieu of |
7 |
> the Yubikey, and other schemes some with some without 2FactorAuth. |
8 |
> |
9 |
|
10 |
Can you provide a link for those? Is it just the Yubikey-style |
11 |
authentication that is at fault, or their smartcard functionality as |
12 |
well? |
13 |
|
14 |
> Here is a source of 'Generic' SC:: |
15 |
> https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-%28smart-cards-and-USB-tokens%29 |
16 |
> |
17 |
> |
18 |
> Has anyone a simple, basic implemention of pksc#11 ? That uses one of |
19 |
> those Generic SC? |
20 |
> |
21 |
> |
22 |
> I guess what I'm really looking for is a master list of ebuilds |
23 |
> (overlays) that one has or possible could use to implement any form of |
24 |
> PKCS#11 on a gentoo server, workstation, or embedded system? I've been |
25 |
> googling on this a bit, but my keyword combos have not been very fruitful. |
26 |
> |
27 |
|
28 |
What are you trying to do with PKCS? Authenticate user accounts? |
29 |
|
30 |
> |
31 |
> Any of this on a gentoo-hardened profile? Amd64 would be perfect |
32 |
> but any processor/platform running any form of gentoo, would be keen. |
33 |
> Work on another, like Debian or Arch would be of interest, too. |
34 |
> Discussion or suggestions are most welcome, as this is not my normal |
35 |
> area of interest. Any PCKS#11 (or as embodied in newer standards) usage |
36 |
> on a gentoo cloud would be most exciting, for me. |
37 |
> |
38 |
|
39 |
Most things work by default on hardened, particularly if they don't |
40 |
involve multimedia. |
41 |
|
42 |
|
43 |
On Tue, Jun 13, 2017 at 4:41 PM, james <garftd@×××××××.net> wrote: |
44 |
> On 06/13/17 14:40, Alon Bar-Lev wrote: |
45 |
>> On 13 June 2017 at 21:26, james <garftd@×××××××.net> wrote: |
46 |
>> |
47 |
>> <snip> |
48 |
>> |
49 |
>>> I guess what I'm really looking for is a master list of ebuilds |
50 |
>>> (overlays) that one has or possible could use to implement any form of |
51 |
>>> PKCS#11 on a gentoo server, workstation, or embedded system? I've been |
52 |
>>> googling on this a bit, but my keyword combos have not been very fruitful. |
53 |
>> |
54 |
>> Hi, |
55 |
>> |
56 |
>> You have at least these: |
57 |
>> |
58 |
>> https://packages.gentoo.org/packages/dev-libs/softhsm |
59 |
>> https://packages.gentoo.org/packages/dev-libs/opensc |
60 |
>> https://packages.gentoo.org/packages/dev-libs/opencryptoki |
61 |
>> https://packages.gentoo.org/packages/app-crypt/coolkey |
62 |
>> |
63 |
>> Regards, |
64 |
>> Alon |
65 |
>> |
66 |
> |
67 |
> |
68 |
> Yes thanks for the info above; and more using eix <-R|-cC> <dev-libs> | |
69 |
> grep <pkcs|HSM> and other such searches. |
70 |
> |
71 |
> |
72 |
> I should have been more detailed in my first post, apologies. I'm more |
73 |
> or less looking for complete projects where someone at least moderately |
74 |
> documented the steps, gotchas, nuances, etc etc. In theory, they're not |
75 |
> too difficult. On the practical side, there's an ocean of fragmented |
76 |
> minutia, depending on what you try, exactly. I guess I was look for a |
77 |
> bit of a 'well worn' pathway, that included experimentation with the |
78 |
> physical card side of things, gentoo centric. A book/website on |
79 |
> practical pkcs#11 linux implementation? |
80 |
> |
81 |
|
82 |
You would probably be interested in https://inversepath.com/usbarmory. |
83 |
|
84 |
You should read the technical explanations of the technology involved |
85 |
and then ask specific questions. |
86 |
|
87 |
> |
88 |
> I also have look at some of the semiconductor vendor solutions, but |
89 |
> there is little detail other than 'purchase' the interesting parts |
90 |
> inside of fpga code or an asic, which does me no good. But implemented |
91 |
> on an embedded microP with some flexibility would be good, as long as |
92 |
> the processor is one that also runs embedded (gentoo) linux. So any |
93 |
> dev-boards (RaspPI-3 or ?) would be keen that have any sort of pkcs |
94 |
> demo, I could purchase from a semiconductor vendor? Any ideas along that |
95 |
> venue would also work for me. |
96 |
> |
97 |
|
98 |
This topic is probably a bit too specific for a vendor to have created |
99 |
a demo board for it. You will find most parts have development boards, |
100 |
most of them including some kind of USB connectivity. See above for an |
101 |
example part - the part used for the USB Armory is interesting because |
102 |
it supports what is essentially Secure Boot and you can ensure that |
103 |
only signed code is run, barring expensive (~$1-10m) reverse |
104 |
engineering of the processor's die. |
105 |
|
106 |
> |
107 |
> Perhaps some detail on hardening the platform, tool-chain and |
108 |
> musl/ulibc/glibc as that's another fundamental part of the effort, I |
109 |
> find scant info on. Codes bases such as this one in python [A] are |
110 |
> interesting, but not complete. Basically trying to stand on the |
111 |
> shoulders of folks that know what they are doing, and the CI or |
112 |
> automated test best for penetration testing what you actually implement |
113 |
> going forward, is another integral part of a complete solution. |
114 |
> |
115 |
> |
116 |
> Theoretical or practical experience or just a good comprehensive |
117 |
> document/book to read. Anything complete, not just a piece of code that |
118 |
> is a fragment of a complete (FOSS?) pkcs#11 system? Gaining |
119 |
> practical/working knowledge of these details seems to be fleeting, at |
120 |
> least for me. I had just assumed in was a well-worn pathway, publically |
121 |
> discuss in some detail. Perhaps a hacker/penetration forum, where the is |
122 |
> expertise is what I seek? |
123 |
> |
124 |
> |
125 |
> Are other folks interested in rolling their own solution, or am I |
126 |
> pursuing an impossible DIYS project? |
127 |
> |
128 |
|
129 |
You're not alone but most of the devices that could implement what you |
130 |
want are either underpowered and lack features, are uselessly complex, |
131 |
or have nonfree components that undermine an estimate of their |
132 |
security. My first attempt at wading through an NXP part's |
133 |
documentation showed me it would take about a month before I had |
134 |
anything useful that compiled. |
135 |
|
136 |
For example those NXP parts that the USB Armory uses do not have a |
137 |
easily to use toolchain and the header files are hard to obtain and |
138 |
the example projects are nearly inscrutable. Atmel/Microchip XMega |
139 |
parts may be more suitable and do some with security of sorts, but are |
140 |
still not as capable. All FPGAs are either too large, too small, or |
141 |
too costly, and in any case the synthesis tools and the cell layout |
142 |
are proprietary. |
143 |
|
144 |
R0b0t1. |