PKCS11 Smart Card and TPM DNSSEC
Demo Training Material
Richard Lamb and Luis Espinoza 20120927
SMARTCARD HSM UPDATE Richard Lamb 20130819


We have 5 demo examples:

Note: The PKCS11 standard allows for a simplified upgrade path to HSMs. Smartcards and TPMs do on the order of one 1024-bit RSA signature per second, while an HSM can do more than 1000/s. Although key backup and initialization strategies vary across devices, the C_Sign function call that generates RSA signatures is consistent across all of them. The examples on the demo DVD use BIND 9.9 tools with one file modified, bind/lib/dns/opensslrsa_link.c, to natively support PKCS11. The modified bind-9.9.1-P2 file and the rest of the source are on the DVD.

For smart cards:

Note: If not using the Aventra MyEID PKI smart card 2012, replace PKCS11_LIBRARY_PATH="/opt/dccom/lib/opensc-pkcs11.so" with a different PKCS11 library in the various scripts, such as the ones below. I have tried Athena SCS IDProtect LASER, Feitian PKI, and a few other cards, and unfortunately each card vendor has very different techniques for initializing and formatting cards, so all the routines will have to be customized for each vendor. The Aventra cards are easy to purchase in small quantities. However, the smallest vendor change (e.g., ATR, ...) can render the OpenSC PKCS11 driver useless (this is a case in favor of a proprietary driver+card like Athena SCS). So there is no guarantee that this setup will work if any element is changed.

Routines that also depend on Aventra card:

Offline Smart Card KSK + Online software ZSKs

* If using Feitian PKI card, use "carderase-ft" instead of "carderase". The rest of the instructions remain the same.

See the contents of the various commands found in /opt/dccom and the output in the demo directory /tmp/namedb for details (e.g., signemd.out). "signemd" will automatically maintain the signed zone using software ZSKs and the KSK-signed DNSKEY RRsets created by "cardsign" above. This parallels the pre-generated DNSKEY RRset approach used at the root. For security, do not place all pre-signed RRsets on the online signer machine.

Here is a sample DPS and Key Ceremony documentation corresponding to this demo. Other training material can be found here and here.

Doing "dig +dnssec -t soa yourdomain @127.0.0.1" should show you the signed zone SOA as it automatically gets updated.

If you would like a persistent demo, run "startx" from the root prompt and use the "install" icon on the desktop. Study signzone and create your own startup script, separating out key generation (to maintain separately), changing the /tmp directory to something more appropriate, and configuring a system to get unsigned zone updates. Your startup script "startup" might look like:

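#!/bin/bash
# "read -s" is a bash feature; -r keeps backslashes in the PIN intact
export PKCS11_LIBRARY_PATH="/opt/dccom/lib/opensc-pkcs11.so"
read -r -s -p "HSM PIN: " PKCS11_LIBRARY_PIN
echo ""
# exported so that the commands started below inherit the PIN
export PKCS11_LIBRARY_PIN
cd /tmp/namedb || exit 1
/opt/dccom/signemd yourdomain
/opt/dccom/named -c /tmp/namedb/named.conf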

Offline HSM KSK + Online software ZSKs using fake HSM

Follow exactly the same steps as the previous example but add "-n" to each command, e.g., "carderase-n" instead of "carderase", and of course you do not have a second optional card. This example uses the software token that is included in the opencryptoki package. If you are curious, the demo key material is kept in /var/lib/opencryptoki/swtok.

Offline Smart Card KSK + Online Smart Card ZSKs

* If using Feitian PKI card, use "carderase-ft" instead of "carderase". The rest of the instructions remain the same.

See the contents of the various commands found in /opt/dccom and the output in the demo directory /tmp/namedb for details (e.g., signemd-sc.out). "signemd-sc" will automatically maintain the signed zone using smartcard ZSKs and the KSK-signed DNSKEY RRsets created by "cardsign-sc" above. This parallels the pre-generated DNSKEY RRset approach used at the root. For security, do not place all pre-signed RRsets on the online signer machine. Since the keys are generated inside the cards and most cards do not support key export, there is no backup.

Doing "dig +dnssec -t soa yourdomain @127.0.0.1" should show you the signed zone SOA as it automatically gets updated.

If you would like a persistent demo, run "startx" from the root prompt and use the "install" icon on the desktop. Study signzone-sc and create your own startup script, separating out key generation (to maintain separately), changing the /tmp directory to something more appropriate, and configuring a system to get unsigned zone updates. Your startup script "startup" might look like:

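#!/bin/bash
# "read -s" is a bash feature; -r keeps backslashes in the PIN intact
export PKCS11_LIBRARY_PATH="/opt/dccom/lib/opensc-pkcs11.so"
read -r -s -p "HSM PIN: " PKCS11_LIBRARY_PIN
echo ""
# exported so that the commands started below inherit the PIN
export PKCS11_LIBRARY_PIN
cd /tmp/namedb || exit 1
/opt/dccom/signemd-sc yourdomain
/opt/dccom/named -c /tmp/namedb/named.conf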

Online Smart Card KSK + ZSKs + BIND 9.9 in-line signing

* If using Feitian PKI card, use "carderase-ft" instead of "carderase". The rest of the instructions remain the same.

See the contents of /opt/dccom/signzone-99 and demo directory /tmp/namedb for details (e.g., /tmp/namedb/log/runlog). "named" with /tmp/namedb/named.conf will automatically maintain the signed zone using KSK and ZSK in the smartcard. An excellent BIND 9.9 basic example using software keys is here.

Doing "dig +dnssec -t soa yourdomain @127.0.0.1" should show you the signed zone SOA as it automatically gets updated. The "Activate:" field in the keys/*.private files indicates when named will start using the corresponding key. The SOA serial should increment then. "rndc signing -list yourdomain" shows signing status. "rndc sign yourdomain" forces a recalculation of signatures. For a key rollover, you can manually add and remove keys from the "keys/" directory after a new key has been introduced and published or could use the "Activate:" and other meta fields to effect a complete rollover.

If you would like a persistent demo, run "startx" from the root prompt and use the "install" icon on the desktop. Study signzone-sc and create your own startup script, separating out key generation (to maintain separately), changing the /tmp directory to something more appropriate, and configuring a system to get unsigned zone updates. Your startup script "startup" might look like:

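#!/bin/bash
# "read -s" is a bash feature; -r keeps backslashes in the PIN intact
export PKCS11_LIBRARY_PATH="/opt/dccom/lib/opensc-pkcs11.so"
read -r -s -p "HSM PIN: " PKCS11_LIBRARY_PIN
echo ""
# exported so that named inherits the PIN
export PKCS11_LIBRARY_PIN
/opt/dccom/named -c /tmp/namedb/named.conf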

TPM Work

For TPM demo:

Note: trousers, opencryptoki and tpm-tools are very finicky, and building a local version for debugging requires pulling in a lot of cruft. Opencryptoki is a moving target, but version 2.4 seems to have attained some stability. Beware of old TPM systems that will fail after a few thousand executions of PKCS11 C_Sign. This is an excellent description of how opencryptoki implements PKCS11 using a TPM and how keys can be backed up.

Versions for this demo on CentOS 6.0:

 tpm-tools-1.3.4-2.el6.i686.rpm
 tpm-tools-pkcs11-1.3.4-2.el6.i686.rpm
 opencryptoki-2.4.2-2.el6.i686.rpm
 opencryptoki-libs-2.4.2-2.el6.i686.rpm
 trousers-0.3.4-4.el6.i686.rpm

Online TPM KSK + ZSKs + BIND 9.9 in-line signing

See the contents of /opt/dccom/signzone-tpm and the demo directory /tmp/namedb for details (e.g., /tmp/namedb/log/runlog; look for "C_Sign" messages indicating PKCS11/TPM use). "named" with /tmp/namedb/named.conf will automatically maintain the signed zone using keys in /var/lib/opencryptoki/tpm/root protected by the TPM SRK.

Doing "dig +dnssec -t soa yourdomain @127.0.0.1" should show you the signed zone SOA as it automatically gets updated. The "Activate:" field in the keys/*.private files indicates when named will start using the corresponding key. The SOA serial should increment then. "rndc signing -list yourdomain" shows signing status. "rndc sign yourdomain" forces a recalculation of signatures. For a key rollover, you can manually add and remove keys from the "keys/" directory after a new key has been introduced and published and use the "Activate:" and other meta fields to effect a complete rollover. There should be plenty of BIND 9.9 documentation on how to do this.
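For either in-line signing demo (smart card or TPM), the dig check and the "Activate:" field can be tied together in one script. This is an added example, not one of the /opt/dccom scripts: it reads saved dig output, finds the key file matching each SOA signature's key tag, and reports whether the signature is inside its validity window and the key's activation time has passed. It assumes stock BIND key file naming (K<zone>+<alg>+<tag>.private); the zone example.test, the key tag and the dates in the sample are constructed.

```shell
#!/bin/sh
# Added example, not one of the /opt/dccom scripts.
# check_soa_signing DIG_OUTPUT KEYS_DIR [NOW]
#   DIG_OUTPUT  saved output of: dig +dnssec -t soa yourdomain @127.0.0.1
#   KEYS_DIR    directory holding K<zone>+<alg>+<tag>.private (assumed stock BIND naming)
#   NOW         UTC time as YYYYMMDDHHMMSS (default: current time)
# Returns 0 if all SOA signatures are valid in time and made by activated keys,
# 1 if any is not, 2 if the answer has no SOA or no RRSIG.
check_soa_signing() {
    dig_out=$1 keys=$2 now=${3:-$(date -u +%Y%m%d%H%M%S)} rc=0 seen=0
    serial=$(awk '$4 == "SOA" { print $7; exit }' "$dig_out")
    [ -n "$serial" ] || { echo "no SOA record in answer"; return 2; }
    echo "serial=$serial"
    # dig RRSIG columns: 6=algorithm 9=expiration 10=inception 11=key tag 12=signer
    while read -r alg expire incept tag signer; do
        [ -n "$alg" ] || continue
        seen=1 status=ok act=
        kf=$(printf '%s/K%s+%03d+%05d.private' "$keys" "$signer" "$alg" "$tag")
        if [ -r "$kf" ]; then
            act=$(awk '$1 == "Activate:" { print $2 }' "$kf")
        fi
        if [ "$now" -lt "$incept" ] || [ "$now" -ge "$expire" ]; then
            status=outside-validity
        elif [ -z "$act" ]; then
            status=no-activate-time
        elif [ "$act" -gt "$now" ]; then
            status=key-not-yet-active
        fi
        [ "$status" = ok ] || rc=1
        echo "tag=$tag expiration=$expire activate=${act:-none} status=$status"
    done <<EOF
$(awk '$4 == "RRSIG" && $5 == "SOA" { print $6, $9, $10, $11, $12 }' "$dig_out")
EOF
    [ "$seen" -eq 1 ] || { echo "SOA is not signed (no RRSIG)"; return 2; }
    return "$rc"
}

# Constructed sample data: zone, key tag, dates and signature are made up.
make_sample() {
    mkdir -p "$1/keys"
    cat > "$1/dig.out" <<'EOF'
;; ANSWER SECTION:
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2012092701 3600 600 86400 3600
example.test. 3600 IN RRSIG SOA 5 2 3600 20121027000000 20120927000000 12345 example.test. Zm9v
EOF
    printf 'Private-key-format: v1.3\nActivate: 20120927000000\n' \
        > "$1/keys/Kexample.test.+005+12345.private"
}
```

Run it from cron against fresh dig output to catch signatures that are about to run out before resolvers do.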

Yes...since the demo DVD always starts fresh you need to CLEAR the TPM each time. Alternatively you may elect to install the LiveDVD onto a blank drive (or flash drive)* so that data structures created by "tpm_takeownership" are maintained across re-boots.

*Run "startx" from root prompt and use "install" icon from desktop. Before rebooting the new system, CLEAR and ACTIVATE TPM again and follow instructions from above:

UPDATE 19 August 2013

New work based on OpenSC 0.13.0 and Smartcard HSM by http://www.cardcontact.de/products/SmartCard-HSM_V1.0.pdf. These have many more HSM features, such as the ability to securely export/import private key material between cards, i.e., make backups. See this for more information. Updated DVD (1G ISO) file for complete bootable Smartcard HSM is here sha256=27cbaeb7f0aef5b7c82360ae8a410bb0d74af2231c0462d751ee11cf8f3daa79

NEW FILES

First card:
  hcarderase
  hmakeshares
  himportshare

Other cards:
  hcarderase
  himportshare

Gen KSK (on any card):
  hgenksk
  hwrapkey

Backup cards:
  hunwrapkey

Show contents:
  hcardshow

Delete item:
  hcarddel

Misc:
  hcardrng
  hgenzsk
  hcardsign
  hsignzone

Updated PKCS11 BIND modification (for dnssec-signzone):
  opensslrsa_link.c

Offline Smart Card HSM KSK + Online software ZSKs

Making Smartcard HSM Backup cards:

With current card: Insert new card

END