[Cryptech Tech] CrypTech parallel-signatures.py

Dominique Douglas douglas at dkey.org
Mon Mar 11 19:16:57 UTC 2019


Resolved. As Rob mentioned, I pulled the latest changes to libhal and rebuilt the firmware. This fixes the error I was getting.

Thanks
________________________________
From: Tech <tech-bounces at cryptech.is> on behalf of Dominique Douglas <douglas at dkey.org>
Sent: Saturday, March 9, 2019 9:07 AM
To: Rob Austein
Cc: tech at cryptech.is
Subject: Re: [Cryptech Tech] CrypTech parallel-signatures.py

Thanks. I'll pull those changes and test. I'll post the results to this mailing list.

Dominque
________________________________
From: Rob Austein <sra at hactrn.net>
Sent: Friday, March 8, 2019 7:44 PM
To: Dominique Douglas
Cc: tech at cryptech.is
Subject: Re: [Cryptech Tech] CrypTech parallel-signatures.py

On Fri, 08 Mar 2019 16:41:49 -0500, Dominique Douglas wrote:
>
> I've been running performance test using a single alpha. To do this,
> I've been using the parallel-signatures.py script that's in
> libhal. It works well with one or two clients for 1024 and 2048 bit
> RSA keys. However, it crashes whenever I try to use 3+ clients. This
> includes the default 4 clients. Libhal is returning
> HAL_ERROR_ASN1_PARSE_FAILED. The failure is being returned from
> RPC_FUNC_PKEY_SIGN.

That's almost certainly the mkmif driver bug Paul mentioned having
fixed recently when we were all in Amsterdam a few weeks ago.

It's "obviously" a locking problem, because it's affected by the
number of (pseudo) threads running.  That driver bug (since corrected)
causes mkmif to return garbage under load instead of the MKM KEK
value; unwrapping anything with garbage returns garbage, and garbage
fails to parse as valid PKCS #8, so this shows up as an ASN.1 error.

===

In which context, and it being a Friday evening, I feel compelled to
share the following (totally off-topic) tale from days of yore.

Date: Fri, 16 Dec 1994 23:43:33 -0500
From: Alan Bawden <Alan at epilogue.com>
Cc: Unix-Haters at mc.lcs.mit.edu
Subject: passwd -l

   From: Rob Austein <sra at epilogue.com>
   Date: Fri, 16 Dec 94 17:56:44 -0500

      Date: Fri, 16 Dec 1994 17:39:46 -0500
      From: Alan Bawden <Alan at epilogue.com>
      ...
      it says "passwd: connect: Connection refused".
      It would be nice to be able to set my passwd, what's going on here?

   Kerberos gets its fingers into the password changing stuff.  The way
   to change a password just on the local machine is "passwd -l".

Oh, of course, I should have guessed.  "Connection refused".  What else
could it mean?  Obviously this means that Kerberos wants me to give the
"-l" argument to the "passwd" command.  What could be more plain?  Silly
me.  Unix really isn't all that hard if only people would learn to -read-
the error messages.

It's perfectly straightforward -- "Connection refused" clearly means that
something -bad- happened (that's why the error message uses the negative
word "refused"), and it has something to do with -networks- (because the
error message uses the word "connection").  Put this together with the fact
that I was trying to change my password (-security-), and what do you get?
Let's see...  "Bad" + "Network" + "Security"...  Bad Network Security...
Hmm...  Baaad Network Security.  Bad.  Bad dog!  Bad!  (Grrrrr.)  Down boy.
(Grrr!!)  Down!  BAD!  No!  (GGRRRRAWWGGGRRRRRR!)  Down!  Bad dog!  Stop
that!  Eaiiii!...  Right!  Kerberos!  The Network Security Dog From Hell!
What else could it be?  The error message couldn't have been clearer.

Sorry for bothering you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.cryptech.is/archives/tech/attachments/20190311/6c2230bf/attachment.html>


More information about the Tech mailing list