Dopo altri #mesi, questo è l'aggiornamento sulla vicenda...

#firefox #cns #snap #canonical #ubuntu #PKCS11

While exploring use of PKCS #11 devices in #OpenPGP contexts, I stumbled over a bug (and potential security issue) in the yubihsm_pkcs11.so driver for #YubiHSM devices.

Long form text by Christian Reitter (who walked me through the coordinated disclosure process with #Yubico, and did amazing work analyzing and writing up the issue):
https://blog.inhq.net/posts/yubico-yubihsm-pkcs-vuln/

Yubico advisory: https://www.yubico.com/support/security-advisories/ysa-2023-01/

#CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39908

(Thanks again to @sovtechfund for funding my #PKCS11 work)

Over the last half year, I've spent time with PKCS #11 and PIV hardware security devices. In particular, using such devices in the #OpenPGP context.

Entry points for results of this work:

- https://codeberg.org/heiko/openpgp-pkcs11
- https://codeberg.org/heiko/openpgp-piv
- https://codeberg.org/heiko/pkcs11-openpgp-notes

One particular focus was building CI testing infrastructure (including https://gitlab.com/hkos/virtual-piv/), to make future work on these codebases easier (and hopefully fun).

#PKCS11 #PIV #HSM

[This work was funded by @sovtechfund]

What are good #opensource #certificate authorities which allows #PKCS11? #PKI #CA This need to be deployed for smaller orgs.

@filippo any tips?

Any #PKCS11 experts who want to chime in on this discussion, whether or not to mark private keys as unmodifiable? #cryptography #HSM #security #BestPractices https://github.com/NLnetLabs/krill/issues/1018

As the adoption of Delegated and Hybrid #RPKI grows, so are the number of Hardware Security Modules (HSMs) out in the field that people store Krill's key material on.

Especially #PKCS11 can be quite finicky, so we're keeping a public list of interoperability information. #BGP #OpenSource #interop #rustlang https://github.com/NLnetLabs/krill/issues?q=label%3A%22interop+testing%22+label%3A%22hsm%22

Learn more about the option to use HSMs here: https://krill.docs.nlnetlabs.nl/en/stable/hsm.html

When playing with my #Yubi 5 key, I have hit a wall. OTP keys were not straight forward, but worked. #PKCS11 works fine. But moving secret key from #gpg to the key became blocker. It just doesn't work! Gitlab's or GitHub's #fido works like charm though.

I wrote A Thing about how to use #SSH #certificates for authenticating hosts to users and users to hosts. Most of what seems to exist doesn’t always cover the full process from key generation to installing and using certificates on hosts, so I tried to cover it all.

One thing we should all be doing is to protect private keys by storing them in some kind of secure hardware, like a TPM, HSM, smart card, or similar. Fortunately, #OpenSSH can work with a #PKCS11 library. I didn't see anything that included how to do the SSH #certificate process using PKCS#11, so I included how to each step with the private key stored in secure hardware using a PKCS#11 module and the private key stored on disk. Honestly, it's harder to enable your TPM than it is to use PKCS#11 with OpenSSH but it looks so complex and unfriendly that if you don't know your way around PKCS#11 already it's hard to know where to begin. Hopefully this helps break down that barrier a bit and helps encourage people to start using secure storage for private keys more often.

One last thing, I included some extra things you can do with OpenSSH, with certificates or not, that I find interesting or helpful in various ways. Things like enforcing SSH options via certificate options, using a bastion host, and allowing logging in as different users on a subset of machines.

https://jgoguen.ca/posts/2022/12/07/ssh-certificates/