[Cryptech Tech] "ksng" branch of Cryptech Alpha firmware now available as a binary package

Rob Austein sra at hactrn.net
Fri Dec 23 22:12:53 UTC 2016


At Fri, 23 Dec 2016 22:27:49 +0100, Yuri Schaeffer wrote:
> 
> While having 68 keys 'keystore show keys' enumerates the keys except
> after 49 it wraps to 0 again. (But yay for more than 10 objects! which
> was kind of a blocker)

Silly bug in show_keys() (code displays index of inner loop instead of
a separate "key number" counter -- guess how many blocks of key
meta-data the inner loop retrieves at a time?).

> The enforcer daemon will not start (blocks, presumably on opening the
> HSM) when the signer daemon is running and the other way around.

That would be this change:

https://wiki.cryptech.is/changeset/0166b1b370862ab34335af3d5710304dc3546499/sw/libhal

The RPC mechanism is designed to allow multiplexing of many clients
over the same RPC connection, but having multiple clients trying to
read and write the same UART without talking to each other ends badly
for all concerned.

We actually wrote the multiplexer daemon for this before the Berlin
workshop, but ended up disabling it because it doesn't run on OSX (it
uses PF_UNIX SOCK_SEQPACKET, which OSX doesn't support).  Sounds like
we ought to dust that off and get it running.

> Generating RSA keys works but neither daemon is able to later retrieve
> the objects using their locator. So I can't get to the signing part yet.

That's surprising.  I would have expected something like that to show
up in the PKCS #11 unit tests.  More details, please, when convenient.

> And it seems that every interaction OpenDNSSEC has with the HSM is super
> slow. Logging in to the mgmt console is also slow. Like a 10 second
> pause after typing in your password. I feel these two are probably related?

C_Login() (and the underlying hal_rpc_login() which implements it) are
slow, to make brute force attacks on PINs unproductive.  Exactly how
slow login should be is a good question.  The assumption (perhaps
incorrect) was that an application logs in once then performs a lot of
operations; it sounds like OpenDNSSEC is doing more of a log in once
per operation.  Advice welcome (hi, Jakob...).

> As said, nothing in depth till the new year. But at least some feedback
> from me for 2016.

Yup.  Thanks!


More information about the Tech mailing list