SoftHSM2: What crypto mechanisms and ciphers are supported?

SoftHSM2 is free and easy to install or compile. But if you search for how to use SoftHSM2 for symmetric and asymmetric cryptography or hashing, you will notice that the OpenDNSSEC wiki gives no hint as to which mechanisms are supported. This post will show how to view all SoftHSM mechanisms using pkcs11-tool. These references are based on version 2.6.1, which can be downloaded from the OpenDNSSEC website.

To repeat the following steps you need to install or compile the following packages:

  • OpenSC (includes pkcs11-tool binary)
  • SoftHSM2

List all SoftHSM2 mechanisms (AES, DES, DH, DSA, ECDH, ECDSA, HASHES, RSA)


Simple start with Yubico PKCS#11 library

In this demo I will use a freshly installed YubiKey 5 NFC token; using YubiKey Manager for Windows you can easily change token settings and modify the configuration of the token.

With the same tool you can change the PIN and PUK of the token. The default PIN is "123456" and the default PUK for the YubiKey PIV token is "12345678". In this demo I will not change the default values.


Export an RSA / ECC public key with OpenSC pkcs11-tool

Whenever you generate a public/private key pair in hardware over PKCS#11, you need to export the public key to generate an X.509v3 certificate. pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a locally available, working PKCS#11 module (.so in Linux or .DLL in Windows) and allows various cryptographic operations. pkcs11-tool is part of the OpenSC package.


SoftHSM2 view slot info and objects on a specific slot

Whenever you work with SoftHSM2 you need to view all your configured slots and the objects stored in these slots. As softhsm2-util is not very well documented, I decided to support the cryptographic community by offering working usage examples of the main tool of SoftHSM2. This post will show how to view all SoftHSM slots and examine all objects on a specific SoftHSM slot. These working examples are based on version 2.6.1, which can be downloaded from the OpenDNSSEC website.

List all SoftHSM2 slots

After installation of SoftHSM2, and once you have created a few slots, you can check your slot configuration with softhsm2-util and its option --show-slots


Generate RSA, ECC and AES keys with OpenSC pkcs11-tool

How to generate RSA, ECC and AES keys: pkcs11-tool is a command line tool to test functions and perform crypto operations using a PKCS#11 library in Linux. It always requires a locally available, working PKCS#11 module (.so in Linux or .DLL in Windows) and allows various cryptographic operations. pkcs11-tool is part of the OpenSC package.

This post is part of #CryptoCorner, my contribution to open source cryptography and secure hardware key storage to reduce risks from misunderstood and insecurely implemented key management.


Show slot and token info with OpenSC pkcs11-tool

Show slot and token info: pkcs11-tool is a command line tool to test functions and perform operations of a PKCS#11 library in Linux. It always requires a locally available, working PKCS#11 module (.so in Linux or .DLL in Windows) and allows various cryptographic operations. pkcs11-tool is part of the OpenSC package.

PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart-card-type key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 is based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.


SoftHSM2 first steps to create slots

As softhsm2-util is not very well documented, I decided to support the cryptographic community by offering working usage examples of the main tool of SoftHSM2. This post will show how to initialize a SoftHSM slot and how to view your SoftHSM slots. These working examples are based on version 2.6.1, which can be downloaded from the OpenDNSSEC website.

After installation of SoftHSM2 you can check your slot configuration with the option --show-slots

$ softhsm2-util --show-slots

Configuration of OpenSC pkcs11-tool

Configuration example for: pkcs11-tool is a command line tool to test functions and perform operations of a PKCS#11 library in Linux. It always requires a locally available, working PKCS#11 module (.so in Linux or .DLL in Windows) and allows various cryptographic operations. pkcs11-tool is part of the OpenSC package.

PKCS#11 is a standard interface to create symmetric and asymmetric keys and perform cryptographic operations. It is mainly used to access smart-card-type key media or Hardware Security Modules (HSM). Today the interface is implemented in many different applications to use hardware cryptography. PKCS#11 is based on the PKCS#11 (Cryptoki) specifications. The complete specifications are available at oasis-open.org.


Unboxing: Sematicon se.SAM N200 Crypto-Appliance

During an internet search I discovered that Sematicon in Munich has developed a low-cost crypto appliance that is suitable for a wide range of IT and industrial applications. As a specialist in Hardware Security Modules (HSM), I was of course immediately interested and contacted sematicon to test this appliance.

The hardware

Sales responded positively right away, and just 5 days later the appliance had arrived. Here is a picture of the 1U appliance right after unboxing.

Sematicon N-Series N200 Crypto-Appliance: low-cost HSM appliance, made in Germany

Cold boot attack: hacking Microsoft BitLocker

Cold boot attack carried out successfully! This is a guest article by Mr. Trotha, who would like to share his experience with the BitLocker cold boot hack:

The initial situation

Primary situation: BitLocker with TPM and PIN is set up, but the laptop only boots as far as the login screen and then freezes. Mouse and keyboard no longer respond, and access via LAN or WLAN is no longer possible either. Repairs are only possible with the recovery key, which can no longer be found. Why cannot be determined.

Alternative situation: A notebook is encrypted with BitLocker (with TPM protection or TPM + PIN protection) and there is a problem with the Windows login, e.g. due to a forgotten Windows password. In this situation too, a recovery key would help, but the user does not know it or it has been lost.
