Hi,

this is going to be long, I am afraid...

> We are really interested in supporting other crypto hardware too. Especially
> there was an effort for nCipher to do this in the past but nCipher does
> not give us any documentation so we aborted it. If you want to integrate
> this in the official release then we (or at minimum I) are willing to
> help. Most of the code in the LunaCA module is from Bahaa and me. So
> questions are welcome.

This is great - I think I will have some questions about this, so
your help is welcome, too.

I've got a good contact both at nCipher and SafeNet/Chrysalis. Both
are very cooperative and willing to help. I've been offered a
Luna DSM module for testing, so I might be able to test this
in about two weeks, too.

We considered using the Luna hardware, too, but in our opinion the
price tag of LunaCA3 is a bit high. Luna DSM can compete with nFast 150,
but simply because of project schedule issues it may well be that
we will be using nFast in the end.

> 1. How does the authentication work? Luna uses its own hardware based
> approach so we do not have to transfer any passphrases.

The approach with nCipher is a bit different. It basically works this
way - I have to get into some detail now:

You create one or more "Operator Card Sets" consisting of an arbitrary
number (0..n) of SmartCards that are each protected by an individual
PIN. (It is possible to use no SmartCards at all if the key should
only be protected by the HSM. In this case no authentication is done
at all for private key access.)
Then you define a 0..k (k<=n) card set that must be present for
private key access. E. g. in a 2 of 3 Operator Card Set two cards
must be inserted to allow subsequent private key operations.

You create one or more private keys. Each individual key can be
protected by an arbitrary Operator Card Set.

The OpenSSL API for PIN entry is a bit limited (using a callback
function), so nCipher chose to supply a preload executable that
is called 'with-nfast'. Using this preload executable it is possible
to enable a command for private key operations. It asks for
k Operator SmartCards and reads the PIN on the command line.
Have a look at this example:

---
[EMAIL PROTECTED]:/usr/local/lib/root-ca>
/opt/nfast/bin/with-nfast /usr/local/ssl/bin/openssl ca -gencrl -keyfile
rsa-rootkey -keyform engine -engine chil -name CA_default -out
/usr/local/lib/root-ca/crl/20040506104354.crl -config
/usr/local/lib/root-ca/etc/openssl.cnf

Loading tokens and/or keys on Module#1, ESN AFC3-50ED-B767

Loading cardset(s) on module #1.  Currently inserted card(s) are:
  Slot#0: Operator Card `RootCA' #1
 Enter slot number to load from, or change cards and press return,
 or type `d' to load no cards on this module.  0
 Loading cardset `RootCA' in module #1 ...
  Enter passphrase for card #1 (in slot #0):
 Loaded #1; 1 more required.  Insert another (or say `q' to quit).
  Enter passphrase for card #2 (in slot #0):
 Loaded cardset `RootCA' in module #1.
  Loading hwcrhk rsa-rootkey key(RSAPrivate) done.

1 cardset(s) and 1 key(s) loaded, in total across all module(s).
Executing /usr/local/ssl/bin/openssl ...

engine "chil" set.
Using configuration from /usr/local/lib/root-ca/etc/openssl.cnf

---

Of course this is not acceptable for a web server based application, thus:

> 2. Does the module support something like a daemon mode? This means that we
> want to login and logout explicitly. This requires that we can check the
> HSM status or we must remember the login state. (The implementation for
> Luna is a hack too.)

Yes it does, sort of. The 'with-nfast' command has a 'pause' mode
that can be called to allow other processes access to private key
operations. It keeps the HSM open for private key operations for
a specified amount of time (may be infinite) or until the last
operator card inserted into the reader for enabling access has been
removed.
So this 'with-nfast pause' command sits and waits in one shell, while
you can call:

---
[EMAIL PROTECTED]:~> /opt/nfast/bin/with-nfast pause

Loading tokens and/or keys on Module#1, ESN AFC3-50ED-B767

Loading cardset(s) on module #1.  Currently inserted card(s) are:
  Slot#0: Operator Card `RootCA' #2
 Enter slot number to load from, or change cards and press return,
 or type `d' to load no cards on this module.  0
 Loading cardset `RootCA' in module #1 ...
  Enter passphrase for card #2 (in slot #0):
 Loaded #2; 1 more required.  Insert another (or say `q' to quit).
  Enter passphrase for card #1 (in slot #0):
 Loaded cardset `RootCA' in module #1.
  Loading hwcrhk rsa-rootkey key(RSAPrivate) done.

1 cardset(s) and 1 key(s) loaded, in total across all module(s).
Pausing.

---

The command sleeps until killed or interrupted e. g. by Ctrl-C.

In another shell you can now access the HSM without entering
pass phrases or swapping cards:

---
echo "0" | /opt/nfast/bin/with-nfast /usr/local/ssl/bin/openssl ca -gencrl
-keyfile rsa-rootkey -keyform engine -engine chil -name CA_default -out
/usr/local/lib/root-ca/crl/20040506104354.crl -config
/usr/local/lib/root-ca/etc/openssl.cnf

Loading tokens and/or keys on Module#1, ESN AFC3-50ED-B767

Loading cardset(s) on module #1.  Currently inserted card(s) are:
  Slot#0: Operator Card `RootCA' #1
 Enter slot number to load from, or change cards and press return,
 or type `d' to load no cards on this module.   Loading cardset `RootCA'
in module #1 ...
   (already loaded)
  Loading hwcrhk rsa-rootkey (already loaded).

0 cardset(s) and 0 key(s) loaded, in total across all module(s).
Executing /usr/local/ssl/bin/openssl ...

engine "chil" set.
Using configuration from /usr/local/lib/root-ca/etc/openssl.cnf
[EMAIL PROTECTED]:/usr/local/lib/root-ca>
---

Which now creates the CRL without operator interaction. Note the
echo "0", which is a hack to make with-nfast happy, as it requires
the slot number to be entered. (Sigh)
Perhaps there is a way around it, I will have to figure this out.

> 3. Are there any special issues for the commandline usage of OpenSSL?
> This means that we need commandline examples for OpenSSL to check our old
> code for possible incompatibilities.
>
> If you have example code or any other questions simply write us. Perhaps
> the support from nCipher is better if there is a real customer. The
> experiences with ITS-Chrysalis were really positive.

OK, here we are. These examples work for me, they have been extracted
from my own shell scripts that compose our Root CA.

* key generation (I would prefer to do this manually and not via
  the web frontend - this is better suited for a proper key ceremony)

This is a transcript of my test root key ceremony :-)
You can specify all interactively asked parameters on the command
line.

---
[EMAIL PROTECTED]:~> /opt/nfast/bin/generatekey2 hwcrhk
protect: Protected by? (module, token) [token]
slot: Slot to read cards from? (minimum 0) [0]
cardset: OCS to protect key? (RootCA) [RootCA]
recovery: Key recovery? (yes/no) [yes]
type: Key type? (RSA, DSA, DH) [RSA]
size: Key size? (bits, minimum 1024) [1024] 2048
OPTIONAL: checks: Number of checks? (checks, minimum 0) []
OPTIONAL: pubexp: Public exponent (in hex)? []
ident: Key identifier? [] rootkey
nvram: Store blob in NVRAM? (yes/no) [no]
key generation parameters:
 operation    Operation to perform      generate
 application  Application               hwcrhk
 protect      Protected by              token
 slot         Slot to read cards from   0
 cardset      OCS to protect key        RootCA
 recovery     Key recovery              yes
 verify       Verify security of key    yes
 type         Key type                  RSA
 size         Key size                  2048
 checks       Number of checks
 pubexp       Public exponent (in hex)
 ident        Key identifier            rootkey
 nvram        Store blob in NVRAM       no
ERROR: Missing card
Please insert a member of operator cardset 'RootCA'
Press RETURN when ready...

ERROR: Missing card
Please insert a member of operator cardset 'RootCA'
Press RETURN when ready...

Please enter the passphrase for this card

Please insert the next card.
Press RETURN when ready...

Please enter the passphrase for this card

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_hwcrhk_rsa-rootkey

---

* get information about installed operator card sets:

[EMAIL PROTECTED]:~> /opt/nfast/bin/nfkminfo  -c
Cardset summary - 2 cardsets:  (P=persistent/N=not, R=remoteable/L=localonly)
 Operator logical token hash               k/n timeout  name
 028aaa457b2ac72ae91179be6b3ee16533913e0d  2/2  none-NL Level2
 c941f7cda7cec80dd896f8249eb99b668ea698ec  2/2  none-NL RootCA


* get information about available private keys:

[EMAIL PROTECTED]:~> /opt/nfast/bin/nfkminfo  -k
Key summary - 2 keys
 AppName hwcrhk               Ident rsa-rootkey
 AppName hwcrhk               Ident rsa-sslca



* self signed cert generation (taken and adapted from my script,
  you get the idea):

/opt/nfast/bin/with-nfast /usr/local/ssl/bin/openssl req -new -x509 -days
$CA_VALIDITY -key $ROOTKEYNAME -keyform engine -engine chil -out $CACERT
-config foo

* CRL generation (see above)

* Certification:

/opt/nfast/bin/with-nfast /usr/local/ssl/bin/openssl ca -keyfile
$ROOTKEYNAME -keyform engine -engine chil -in $INFILE -out newcert.pem
-outdir $CERTDIR -config foo

* Revocation:
/opt/nfast/bin/with-nfast /usr/local/ssl/bin/openssl ca -keyfile
$ROOTKEYNAME -keyform engine -engine chil -revoke $CERTDIR/$SERIAL.pem
-config foo


All these commands still require a `0` and return typed on the console
(or the echo 0 | hack).


> BTW is nFast a real HSM? I think nSure is the HSM from nCipher. I
> think nFast is an accelerator but perhaps I'm wrong.

Depends on what you expect of an HSM. The nFast device can act both
as an RSA accelerator and as an HSM for handling private keys. It supports
FIPS Level 2 and 3 (configurable) modes, but I am not sure if Level 3
can be achieved without a safe PIN entry device.

When using nFast you get the choice of storing private keys in the
HSM or on disk (3DES encrypted). In the latter case only the HSM
can decrypt the keys because as I understand the key needed for
decryption is stored safely in the HSM. As an alternative the
private key can also be stored in NVRAM on the module, but this
imposes some limitations about backup and restore procedures.

So, yes, it is a real HSM. :-)

Martin



_______________________________________________
OpenCA-Devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-devel
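
A preflight check for the unattended `with-nfast pause` workflow described in the message, as an added example that is not part of the original e-mail or of nCipher's tooling: it parses the `nfkminfo -c` and `nfkminfo -k` listings shown above so a wrapper can refuse to sign when the protecting cardset no longer enforces the expected quorum or the key is missing. The function names, the policy (k at least MIN_K, flags N and L per the legend in the output), the reading of the third column as `<timeout>-<flags>`, and the `TestOCS` row are assumptions.

```shell
#!/bin/sh
# Constructed sample data: the Level2/RootCA rows and key list are the ones
# quoted in the message; the TestOCS row is invented to show a failing case.
sample_cardsets() { cat <<'EOF'
Cardset summary - 3 cardsets:  (P=persistent/N=not, R=remoteable/L=localonly)
 Operator logical token hash               k/n timeout  name
 028aaa457b2ac72ae91179be6b3ee16533913e0d  2/2  none-NL Level2
 c941f7cda7cec80dd896f8249eb99b668ea698ec  2/2  none-NL RootCA
 0000000000000000000000000000000000000000  1/3  none-PR TestOCS
EOF
}
sample_keys() { cat <<'EOF'
Key summary - 2 keys
 AppName hwcrhk               Ident rsa-rootkey
 AppName hwcrhk               Ident rsa-sslca
EOF
}

# check_cardset NAME MIN_K: reads `nfkminfo -c` output on stdin.
# Exit 0 = policy met, 1 = violation, 2 = cardset not listed.
# Assumed policy: k >= MIN_K, flags N and L. Assumed format: column 3 is
# "<timeout>-<flags>" and cardset names contain no spaces.
check_cardset() {
  awk -v want="$1" -v min_k="$2" '
    NF == 4 && $1 ~ /^[0-9a-f]+$/ && $4 == want {
      found = 1
      split($2, q, "/")      # q[1] = k, q[2] = n
      split($3, t, "-")      # t[1] = timeout, t[2] = flags
      if (q[1] + 0 < min_k + 0) bad = bad " quorum<" min_k
      if (t[2] ~ /P/) bad = bad " persistent"
      if (t[2] ~ /R/) bad = bad " remoteable"
      printf "%s k=%d n=%d timeout=%s flags=%s%s\n", want, q[1], q[2],
             t[1], t[2], (bad != "" ? " VIOLATION:" bad : "")
    }
    END { if (!found) { print want " not found"; exit 2 }
          exit (bad != "") }'
}

# key_present APP IDENT: reads `nfkminfo -k` output on stdin; exit 0 if listed.
key_present() {
  awk -v app="$1" -v id="$2" '
    $1 == "AppName" && $2 == app && $3 == "Ident" && $4 == id { f = 1 }
    END { exit !f }'
}

# Demo on the constructed samples; on a real host, pipe in the output of
# /opt/nfast/bin/nfkminfo -c and /opt/nfast/bin/nfkminfo -k instead.
sample_cardsets | check_cardset RootCA 2
sample_cardsets | check_cardset TestOCS 2 || echo "refusing unattended use"
sample_keys | key_present hwcrhk rsa-rootkey && echo "key rsa-rootkey listed"
```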
