[openstack-dev] [barbican] Secure Setup & HSM-plugin

Praktikant HSM Praktikant.HSM at utimaco.com
Tue Aug 16 13:22:47 UTC 2016 

Hi Douglas,

Thank you very much for your response.

When testing the usage of the generated MKEK, we ran into some problems. For clarification: we are testing the PKCS#11-based crypto plugin with a Utimaco HSM. The error messages are from Barbican's and Utimaco's log files.

When storing a secret, we get the following error: CKM_MECHANISM_INVALID (Mechanism 0x8000011c is invalid). Since this is a vendor specific AES-GCM mechanism by SafeNet[1], it is not supported by our HSMs.

In the p11_crypto.py file, the default algorithm is set to "VENDOR_SAFENET_CKM_AES_GCM"[2]. Thus, we specified "CKM_AES_GCM" in the barbican.conf file in the [p11_crypto_plugin] section to be used instead of the default mechanism. However, this gave us a "CKR_MECHANISM_PARAM_INVALID" error: mechanism length invalid (expected 40, provided 48).

Additionally, when trying other AES modes, e.g. CBC, there is an CryptoPluginNotFound error.

Is there currently a workaround which would allow us to use a Utimaco HSM? Also, are there any plans to natively support HSMs from other vendors in the near future?

Again, thank you for your support.

Best regards,

Manuel Roth

[1]: https://github.com/openstack/barbican/blob/306b2ac592c059c59be42c0420a08af0a9e34f6e/barbican/plugin/crypto/pkcs11.py#L131

[2]: https://github.com/openstack/barbican/blob/c2a7f426455232ed04d2ccef6b35c87a2a223977/barbican/plugin/crypto/p11_crypto.py#L63

-------------------------------
System Engineering HSM

Utimaco IS GmbH
Germanusstr. 4
52080 Aachen
Germany



-----Original Message-----
From: Douglas Mendizábal [mailto:douglas.mendizabal at rackspace.com]
Sent: Freitag, 12. August 2016 18:24
To: OpenStack Development Mailing List (not for usage questions) <openstack-dev at lists.openstack.org>
Cc: Ariano-Tim Donda <Ariano-Tim.Donda at utimaco.com>; Jiannis Papadakis <Jiannis.Papadakis at utimaco.com>
Subject: Re: [openstack-dev] Barbican: Secure Setup & HSM-plugin

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hi Manuel,

I'm happy to hear about your interest in Barbican.  I assume your HSM has a PKCS#11 interface since the admin commands to generate the MKEK and HMAC keys worked for you.

The labels for the generated keys should be specified in the config file for the API process. [1]  The API process uses the MKEK and HMAC keys to encrypt and sign the secrets (keys) that are stored in Barbican by clients.

The PKCS#11 plugin was designed to use the SQL Database to store client keys (secrets) in the SQL database, so your API process must be configured to use "store_crypto" as the enabled_secretstore_plugins [2] in addition to specifing "p11_crypto" as the enabled_crypto_plguins [3].

When configured this way, Barbican uses the HSM to encrypt the client data (keys/secrets) before storing it in the DB.

The API itself does not currently support using keys stored by clients to do server-side encryption, but it's a feature that has been discussed in previous summits with some interest.  We've also had some discussions with the Designate team to add server-side signing that they could use to implement DNSSEC, but we don't yet have a blueprint for it.

Let me know if you have any more questions.

- - Douglas Mendizábal

[1]
http://git.openstack.org/cgit/openstack/barbican/tree/etc/barbican/barbi
can.conf#n278
[2]
http://git.openstack.org/cgit/openstack/barbican/tree/etc/barbican/barbi
can.conf#n255
[3]
http://git.openstack.org/cgit/openstack/barbican/tree/etc/barbican/barbi
can.conf#n260


On 8/12/16 7:51 AM, Praktikant HSM wrote:
> Hi all,
>
> As a member of Utimaco's pre-sales team I am currently testing an
> integration of Barbican with one of our HSMs.
>
>
>
> We were able to generate MKEKs and HMAC keys on the HSM with the
> 'pkcs11-key-generation' as well as 'barbican-manage hsm' commands.
> However, it is not fully clear to us how to use these keys to encrypt
> or sign data.
>
>
>
> Additionally, we would appreciate further information concerning the
> secure setup of Barbican with an HSM-plugin.
>
>
>
> Thank you in advance for your support.
>
>
>
> Best regards,
>
>
>
>
>
> Manuel Roth
>
>
>
> -------------------------------
>
> System Engineering HSM
>
>
>
> Utimaco IS GmbH
>
> Germanusstr. 4
>
> 52080 Aachen
>
> Germany
>
>
>
> www.utimaco.com <http://www.utimaco.com>
>
>
> ----------------------------------------------------------------------
- --
>
>  Utimaco IS GmbH Germanusstr. 4, D.52080 Aachen, Germany, Tel:
> +49-241-1696-0, www.utimaco.com Seat: Aachen – Registergericht
> Aachen HRB 18922 VAT ID No.: DE 815 496 496 Managementboard: Malte
> Pollmann (Chairman) CEO, Dr. Frank J. Nellissen CFO
>
> This communication is confidential. We only send and receive email on
> the basis of the terms set out at
> https://www.utimaco.com/en/e-mail-disclaimer/
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXrfg0AAoJEB7Z2EQgmLX7A08QAIpZqMKNDdT8MwM/iLmlDrMz
s/3wh+BErcQ8DHRHfwFijS6R+dm3/lZxzwTFszcRGgnXS90cKkZ0MGfuabne3Ul1
ZaFi7HvN64H34ujWTWBz5aD36yDOQB3bvv/gakI5CAxziQzL+3lAJqZmc7uQBlPA
p1/85zGYCi414ub62Je+DSJe0zW7p8UqfrCWXdTjEC23e00hguSFPuVDgLafkHIa
0HC059Cw4vC1RFyasOa96a5YlPtqGkuHzqJlZmeU14NZX0sSRxqSy4zqE210t8PT
FKp99xbIqWvlvHfcvjbvUN56SCIZUg1NeUAtlD2GP0RhO6/RBb4dMAQ61xy2OmuL
gKtWCJNOzjhqU0VB/pxip5yS/hXFtars1N/T3bmz91GoQXPisR3YF7xQHSoSVpdd
6lrIsQxZwiIP0IHMRKPxhrTgpSWzI9cZ9pquYpYX8YLuGkqYmQMGccD6aa1iaBC+
BMIYOpaS5a6sIIHFzvOeLi/9KpWDcRMIU5y5NG9Yt4jgNzVC5wfLKexmfIzzPztV
4ePECVHr+d5S2KcsP0upNW1dO8RTcFB0yKmGio3+VFJAdCMW7i5GP6+qi8rmYG3t
ZCbNTnU4KIPKb7aWV83m9L2gK2V2BHsznIQX19yQbAe4u3HtTHvrCxvl8mVNaD11
ejBi0uxDrn4zwEWeEVr1
=9c/C
-----END PGP SIGNATURE-----

__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev


________________________________

Utimaco IS GmbH
Germanusstr. 4, D.52080 Aachen, Germany, Tel: +49-241-1696-0, www.utimaco.com
Seat: Aachen – Registergericht Aachen HRB 18922
VAT ID No.: DE 815 496 496
Managementboard: Malte Pollmann (Chairman) CEO, Dr. Frank J. Nellissen CFO

This communication is confidential. We only send and receive email on the basis of the terms set out at https://www.utimaco.com/en/e-mail-disclaimer/

More information about the OpenStack-dev mailing list