[Cryptech Tech] Firewalls

Peter Stuge peter at stuge.se
Thu Jun 1 09:32:25 UTC 2017


Richard Thornton wrote:
> The use case I was thinking of would be key storage for a firewall
> like the Palo Alto Networks appliances, provided I could get support
> added for CrypTech to the PANOS software (for now let's assume PKCS#11
> works but is unsupported on anything but Thales or Safenet)
> 
> https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/certificate-management/set-up-connectivity-with-an-hsm

Why do you assume PKCS#11? I find no reference to it anywhere. On the
contrary,

https://www.paloaltonetworks.com/documentation/60/pan-os/newfeaturesguide/application-identification-features/support-for-hardware-security-modules

says:

"HSM clients are now integrated with PA-3000 Series, PA-4000 Series,
PA-5000 Series, PA-7050, and VM-Series firewalls and on Panorama
(virtual appliance and M-100 appliance) for use with the following HSMs:

SafeNet Luna SA 5.2.1 or later
Thales Nshield Connect 11.62 or later"

"HSM client" has nothing to do with PKCS#11.


To use any other HSM you would have to develop a compatibility layer
for that HSM to make it usable with one of the two proprietary
protocols supported by the firewall. This requires first reverse
engineering either of the protocols, and then developing software to
translate from that protocol to whatever your desired HSM uses. In
the CrypTech case that could be PKCS#11, or the CrypTech RPC protocol
directly.


> What would I do, use something with ethernet and two USB like an RPi
> (or maybe x86?) and run a TCPIP server on there (any ideas, OpenSSL?)
> that talks to cryptech_muxd?

Not that simple.


> So with all the info should I grab an Alpha from Crowd Supply or wait
> for a newer board from you?

Unless good documentation for those proprietary protocols is
available I wouldn't expect that the CrypTech design will ever
support them, because that reverse engineering effort is probably
a lot of work, and it is unclear how much real benefit there is...


//Peter
