PV204 Security technologies

Slides:



Advertisements
Similar presentations
Chapter 2 Accessing Your System and the Common Desktop Environment.
Advertisements

Troubleshooting Guide for Network Hard Disk. Model - NH-200.
Linux Operations and Administration
Accessing Barney Off- Campus How can I get my H: files when I am not on the GU network? Business 111 Edward Mitchell Fall 2006.
1 Guide to Novell NetWare 6.0 Network Administration Chapter 13.
CS Tutorial 1 Getting Started with Visual Studio 2012 (Visual Studio 2010 are no longer available on MSDNAA, please choose Visual Studio 2012 which.
CHAPTER FOUR COMPUTER SOFTWARE.
Module 7: Fundamentals of Administering Windows Server 2008.
C O M P U T E R G R A P H I C S Jie chen Computer graphic -- OpenGL Howto.
BlowFish 2000 Copyright © by Gregory Braun. All rights reserved Installation and Users Guide by Robert Moncrief II.
Managing Disks and Drives Chapter 13 powered by dj.
Refworks Part I. How can I access Refworks Refworks can be accessed from: – The homepage of the Jotello F Soga Library (
OpenDNSSEC Deployment Tianyi Xing. Roadmap By mid-term – Establish a DNSSEC server within the mobicloud system (Hopfully be done by next week) Successfully.
The Diagnostic Pathfinder System Introduction Getting Started.
Copy of the from the secure website - click on the AccoridaLife.zip link.
Open project in Microsoft Visual Studio → build program in “Release” mode.
1 © 2004 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Cisco Technical Support Seminar Using the Cisco Technical Support Website.
Downloading and Installing GRASP-AF Workshop Ian Robson Information Analyst, North of England Cardiovascular Network.
PV204 Security technologies Reverse engineering of binary applications Petr Švenda Faculty of Informatics, Masaryk University.
VMware Recovery Software RECOVER DATA FROM CORRUPT VMDK FILE.
How to Create and Use a VericrYPT CONTAINER
PV204 Security technologies Labs: Secure authentication and authorization Petr Švenda Faculty of Informatics, Masaryk.
Application program interface (API)
PV204 Security technologies
PV204 Security technologies
Development Environment
Introduction to the new robust security system from SCC.
SQA Incident Tracking System Overview
Session
Chapter 2: The Visual Studio .NET Development Environment
SPen & Camera Kit Experience App
Software Application Overview
Training Objectives About D2F Download Installation Configuration
Homework 1 Hints.
Guide to Linux Installation and Administration, 2e
Refworks Part I.
WikID installation/training
RSA Laboratories’ PKCS Series - a Tutorial
OS X Yosemite Troubleshooting 9L0-066 Exam Questions Pack
PV204 Security technologies
Chapter 5 : Designing Windows Server-Level Security Processes
Auburn University COMP 2710 Software Construction xCode Development Environment for C++ Programming in Mac OS Dr. Xiao.
Chapter 11: Managing Users
Outline What does the OS protect? Authentication for operating systems
PV204 Security technologies
Deploying and Configuring SSIS Packages
Introduction to Computers
Outline What does the OS protect? Authentication for operating systems
CS691 M2009 Semester Project PHILIP HUYNH
IBM Certified WAS 8.5 Administrator
GSP 215 Competitive Success-- snaptutorial.com
GSP 215 Education for Service-- snaptutorial.com
GSP 215 Teaching Effectively-- snaptutorial.com
Windows Internals Brown-Bag Seminar Chapter 1 – Concepts and Tools
CS691 M2009 Semester Project PHILIP HUYNH
Lesson #7 MCTS Cert Guide Microsoft Windows 7, Configuring Chapter 7 Configuring Devices and Updates.
Unreal Engine and C++ We’re finally at a point where we can start working in C++ with Unreal Engine To get everything set up for this properly, we’re going.
HC Hyper-V Module GUI Portal VPS Templates Web Console
Introduction to Algorithm Design
1. Open Visual Studio 2008.
VeraCrypt User Guide Cross platform desktop encryption made easy
Using TrueCrypt 6th May 2009.
POS 408 Week 1 Individual Assignment Individual: Console Display Message//tutorfortune.com Click on below link to buy
Macrosystems EDDIE: Getting Started + Troubleshooting Tips
Computer Security Protection in general purpose Operating Systems
Review of Previous Lesson
Welcome to Intro to C/C++ CISC 192
Getting Started With LastPass Enterprise
Presentation transcript:

PV204 Security technologies Hardware Security Modules (HSM), PKCS#11 Petr Švenda svenda@fi.muni.cz Faculty of Informatics, Masaryk University

Laboratory Utilization of HSM capabilities over PKCS#11 interface SoftHSM PKCS#11 token Login user Import keys Use keys PKCS#11 usage in other software Using PKCS#11 token as keyfiles storage for TrueCrypt | PV204: Hardware Security Modules

Order of steps Intro into PKCS#11 API (not covered at lecture) Install and create own virtual SoftHSM token Commented debug throw PKCS11Example code Homework assignment | PV204: Hardware Security Modules

Prepare SoftHSM (Windows) Download binary for your OS https://github.com/disig/SoftHSM2-for-Windows Prepare system variables set SOFTHSM2_CONF=h:\Apps\SoftHSM2\etc\softhsm2.conf Create and initialize new software token softhsm2-util.exe --init-token --slot 0 --label "My token 1" Troubleshooting: Softhsm2-util crash: dll is not available (PATH, try to put softhsm2.dll into current folder) Still crash, check if softhsm2.dll is used (NOT softhsm2-x64.dll) Error: Could not initialize library (check your system variable SOFTHSM2_CONF – name of file should be also included) Check also directories.tokendir inside softhsm2.conf ERROR 30: Could not initialize the token (wrong path to software tokens in softhsm2.conf - check) | PV204: Hardware Security Modules

Prepare SoftHSM (Linux) Use libsofthsm http://manpages.ubuntu.com/manpages/utopic/man1/softhsm.1.html | PV204: Hardware Security Modules

Software token(s) >softhsm2-util.exe --init-token --slot 0 --label "MyToken 1" *** SO PIN (4-255 characters) *** Please enter SO PIN: ****** Please reenter SO PIN: ****** *** User PIN (4-255 characters) *** Please enter user PIN: **** Please reenter user PIN: **** The token has been initialized. New directory (GUID) with software token created in SoftHSM2\var\softhsm2\tokens\ folder Multiple tokens can be created Change --slot 0 to --slot X for additional tokens Otherwise token in slot 0 is overwritten | PV204: Hardware Security Modules

Management of software PKCS#11 token >softhsm2-util.exe Support tool for PKCS#11 Usage: softhsm2-util [ACTION] [OPTIONS] Action: -h Shows this help screen. --help Shows this help screen. --import <path> Import a key pair from the given path. The file must be in PKCS#8-format. Use with --file-pin, --slot, --label, --id, --no-public-key, and --pin. --init-token Initialize the token at a given slot. Use with --slot or --free, --label, --so-pin, and --pin. WARNING: Any content in token token will be erased. --show-slots Display all the available slots. -v Show version info. --version Show version info. Options: --file-pin <PIN> Supply a PIN if the file is encrypted. --force Used to override a warning. --free Initialize the first free token. --id <hex> Defines the ID of the object. Hexadecimal characters. Use with --force if multiple key pairs may share the same ID. --label <text> Defines the label of the object or the token. --module <path> Use another PKCS#11 library than SoftHSM. --no-public-key Do not import the public key. --pin <PIN> The PIN for the normal user. --slot <number> The slot where the token is located. --so-pin <PIN> The PIN for the Security Officer (SO). | PV204: Hardware Security Modules

At this moment, we have at least one initialized token | PV204: Hardware Security Modules

Use of PKCS#11 – program API Pre-prepared project for Visual Studio PKCS11Example inside 06_SoftHSM Example tests of functionality in PKCS11Test List available tokens (slot, token) List of supported cryptographic mechanisms PIN login/change (user CKU_USER, admin CKU_SO) Create and find objects (public, private) Generate random data on token Compile, run and inspect in debug mode Try to understand what functions are doing | PV204: Hardware Security Modules

Own work – during this lab Write own function, which will insert private object with label “VeraCrypt secret1” into token Private object => user must be logged in (C_Login) Write own function, which will list all private objects on token including values C_FindObjectsInit, C_FindObjects, C_FindObjectsFinal Change insert function so that value of objects will be randomly data generated by token itself obtained previously via C_GenerateRandom() function | PV204: Hardware Security Modules

Use of PKCS#11 – TrueCrypt/VeraCrypt Use P#11 token to increase security of VeraCrypt password SettingsSecurity tokensSelect library Point to softhsm2-x64.dll Important: at least one private object must exists on token VeraCrypt will search for private objects on token and fail with GENERIC_ERROR if not found Use private object “VeraCrypt secret1” VolumesCreate new volume (Set standard volume info in wizard) Volume PasswordUse keyfilesKeyfiles Add token files New volume should be created and PIN required on mount | PV204: Hardware Security Modules

| PV204: Hardware Security Modules

Homework – RSA with PKCS#11 token Create application capable to decrypt with RSA private key stored on PKCS#11 token Private key will stay on a token after application end Decryption key (RSA-2048b) is generated on-token C_GenerateKeyPair() Public key is exported into file Private key is usable only after PIN verification (CKU_USER) Token will decrypt only after login with user PIN PKCS#1 format for RSA will be used (CKM_RSA_PKCS) Use SoftHSM as PKCS#11 token for testing Produce short (1xA4) text description of solution Steps and principal usage difference to Signature applet from HW02 | PV204 Security technologies - Labs

Homework – RSA with PKCS#11 token Provide code that will demonstrate: RSA keypair generation Search for object with private key and successful decryption of data Failure of decryption when user PIN is not supplied Destruction of keypair object on token You may use existing code as inspiration, but you can’t cut&paste! https://www.ibm.com/support/knowledgecenter/SSLTBW_2.1.0/com.ibm.zos.v2r1.csfba00/testpkcs11_code.htm%23testpkcs11_code Be aware – this code doesn’t search for key objects Submit before: 8.3. 6am (full number of points) Every additional started day (24h) means 1.5 points penalization | PV204: Hardware Security Modules