{"id":970,"date":"2013-02-13T16:47:15","date_gmt":"2013-02-14T00:47:15","guid":{"rendered":"http:\/\/blog.mozilla.org\/security\/?p=970"},"modified":"2013-05-16T15:26:44","modified_gmt":"2013-05-16T22:26:44","slug":"using-cryptostick-as-an-hsm","status":"publish","type":"post","link":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/","title":{"rendered":"Using CryptoStick as an HSM"},"content":{"rendered":"<p>Mozilla maintains a wide range of services which are secured using different solutions.\u00a0 For internal repositories, our Operations Security team has chosen to use the low-cost, open source and open hardware <a href=\"http:\/\/www.crypto-stick.org\/\">CryptoStick<\/a> from the <a href=\"http:\/\/www.privacyfoundation.de\/\">German Privacy Foundation<\/a>.<\/p>\n<p><strong>Advantages of using an HSM<\/strong><br \/>\nAn HSM is a Hardware Security Module. It\u2019s a hardware card, stick or other device able to perform crypto operations. In general, it stores private keys which are used to sign, encrypt or authenticate.<br \/>\nThe key itself never leaves the hardware, thus attackers cannot steal the key (i.e., if the hardware is disconnected, the key cannot be used anymore).<\/p>\n<p><em><strong>Note<\/strong>: In the event the system is compromised, the connected key can still be used. Thus, the access to the system should be otherwise secured and the key should be removed when not in use.<br \/>\n<\/em><\/p>\n<p style=\"text-align: center;\"><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/jpg\"><img decoding=\"async\" loading=\"lazy\" class=\" wp-image-971 aligncenter\" alt=\"\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/jpg-600x471.\" width=\"366\" height=\"291\" \/><\/a><\/p>\n<p><strong>Our use case<\/strong><br \/>\nInternal package repositories, such as RPM or Deb, 
all use GnuPG for package signing.<br \/>\nMozilla\u2019s architecture is however broad and different teams use different platforms, at different places, in different networks.<br \/>\nWe want to ensure that the packages they install are signed by us, and while we\u2019re at it, have a good level of assurance that the key used for signing cannot be compromised or stolen.<br \/>\nWe also need redundancy.<\/p>\n<p>Many community-owned projects, such as Linux distributions, have to deal with the exact same issue. Often, the signing machine has no HSM. This is one of the possible solutions.<\/p>\n<p><strong>About the CryptoStick<\/strong><br \/>\nThe choice was driven by:<\/p>\n<ul>\n<li dir=\"ltr\">The openness of the project<\/li>\n<li dir=\"ltr\">The size and connectivity (USB)<\/li>\n<li dir=\"ltr\">No real smart card, yet easy to physically disconnect<\/li>\n<li dir=\"ltr\">The integration with GnuPG (OpenPGP Smart card, <a href=\"http:\/\/en.wikipedia.org\/wiki\/ISO\/IEC_7816\">ISO 7816-4<\/a>)<\/li>\n<li dir=\"ltr\">Low price and ease of getting additional sticks<\/li>\n<li dir=\"ltr\">Speed, support and certifications were not a requirement<\/li>\n<\/ul>\n<p>The major point is that the CryptoStick operates without any smart card, but emulates one instead.<\/p>\n<p><em><strong>Note<\/strong>: while we focus here on using OpenPGP for signing, the stick also supports other standards, such as x509 certificates and SSH authentication.<br \/>\n<\/em><\/p>\n<p><a href=\"https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/cstick2.jpg\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone  wp-image-972\" alt=\"cstick2\" src=\"https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/cstick2-600x471.jpg\" width=\"600\" height=\"471\" srcset=\"https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/cstick2-600x471.jpg 600w, https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/cstick2-252x198.jpg 252w, 
https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/cstick2.jpg 1600w\" sizes=\"(max-width: 600px) 100vw, 600px\" \/><\/a><\/p>\n<p><strong>Our setup<\/strong><br \/>\nWe use BL460c blade servers which have an internal USB port. Dimensions are perfect for the CryptoStick.<\/p>\n<p>We have decided on having two repository machines for redundancy, signing with the same keys.<br \/>\nWe also needed to be able to replace the hardware easily (both machines and the CryptoStick) in case of failure, which involves backing up the private key off-site. Finally, we needed the signing to happen automatically.<\/p>\n<p>Some modifications were needed in order to make this work:<\/p>\n<p><strong>Custom PIN-entry program<\/strong><br \/>\nAs the OpenPGP smart card standard requires entering a user PIN upon signing, we needed this user PIN to be entered automatically. Consequently, we assume the user PIN adds no security in our setup.<\/p>\n<p>A simple script is used as the pinentry program: <a href=\"https:\/\/github.com\/gdestuynder\/pinentry-auto\">https:\/\/github.com\/gdestuynder\/pinentry-auto<\/a><\/p>\n<p><em><strong>Note<\/strong>: the non-enforcing user PIN option only allows for caching the user PIN upon successfully entering the user PIN a first time, which would defeat the purpose of automatic signing in case of system reboot, process restart, etc.<\/em><\/p>\n<p><strong>One private signing key, multiple sticks<\/strong><br \/>\nThe OpenPGP smart card standard also requires the private keys generated on the HSM to contain the card\u2019s serial number. While it allows for a software backup at creation time, the backup also contains the card\u2019s serial number. The hardware will refuse to load those keys on a CryptoStick with a different serial number.<\/p>\n<p>There is a different way to work around this issue. The stick also supports importing private keys. 
By using an offline machine, it is possible to generate the signing key in software using traditional GnuPG commands, and import it on the stick.<br \/>\nThis allowed us to import the signing key on different sticks, and to keep an off-site backup.<\/p>\n<p>This is also the most significant difference with traditional HSMs, which require a set of smart cards to protect and import the key backup. In our use case, we decided that the trade-off was acceptable.<\/p>\n<p><em><strong>Note<\/strong>: when possible, it\u2019s recommended to keep a master signing key offline, and create software signing GnuPG sub-keys. In the unlikely event of HSM compromise, it is then possible to revoke the sub-keys while retaining the trust of the master key, which then is simply used to issue new signing sub-keys. Not all package repositories support this feature.<\/em><\/p>\n<p><strong>Advanced usage, some commands<\/strong><br \/>\nHere are some sample commands that are commonly used with the CryptoStick.<\/p>\n<p><em><strong>Note<\/strong>: it\u2019s generally more convenient to have the gpg-agent running, for speed, and for PIN caching. General usage, such as encryption, signing and authentication, works with the exact same commands as with a regular GnuPG or SSH key.<\/em><\/p>\n<p><strong>Get card info:<\/strong><br \/>\n$ gpg --card-status<\/p>\n<p><code><br \/>\nscdaemon[10692]: updating slot 0 status: 0x0000-&gt;0x0007 (0-&gt;1)<br \/>\nApplication ID ...: D2760001240102000005000014731337<br \/>\nVersion ..........: 2.0<br \/>\nManufacturer .....: ZeitControl<br \/>\nSerial number ....: 00001478<br \/>\nName of cardholder: Mozilla<br \/>\nLanguage prefs ...: en<br \/>\nSex ..............: unspecified<br \/>\nURL of public key : [not set]<br \/>\nLogin data .......: [not set]<br \/>\nSignature PIN ....: [not set]<br \/>\nKey attributes ...: 2048R 2048R 2048R<br \/>\nMax. 
PIN lengths .: 32 32 32<br \/>\nPIN retry counter : 3 0 3<br \/>\nSignature counter : 16<br \/>\nSignature key ....: 067A A494 9B64 347D FA2E EEEE 9B3C 64F9 8006 EEEE<br \/>\ncreated ....: 2013-01-17 22:40:53<br \/>\nEncryption key....: 3C00 DA66 554D 67FE 8607 1AAB AAAA C9F2 AAAA 1D67<br \/>\ncreated ....: 2013-01-17 22:40:53<br \/>\nAuthentication key: 1AF9 988A 0EAB 6F10 D69C 2DFC EF3B CCCC 784E A733<br \/>\ncreated ....: 2013-01-17 22:40:53<br \/>\nGeneral key info..: [none]<br \/>\n<\/code><\/p>\n<p><strong>Set User and Admin PIN<\/strong>. Defaults are 123456 and 12345678 respectively:<br \/>\n<code><br \/>\n$ gpg --card-edit<br \/>\nCommand&gt; admin<br \/>\nAdmin commands are allowed<br \/>\nCommand&gt; passwd<br \/>\n<\/code><\/p>\n<p><strong>Generate keys<\/strong> (you need to have set up the PINs above first):<br \/>\n<code><br \/>\n$ gpg --card-edit<br \/>\nCommand&gt; admin<br \/>\nAdmin commands are allowed<br \/>\nCommand&gt; generate<br \/>\n<\/code><\/p>\n<p>Import existing key (only recommended if the original keys were generated on a trusted machine, such as an offline machine that has never been connected to the network):<br \/>\n<em><strong>Note<\/strong>: this will erase the key from disk during the import. 
If necessary, make an extra backup of the key first.<\/em><\/p>\n<p><code><br \/>\n$ gpg --edit-key<br \/>\ngpg&gt; toggle<br \/>\ngpg&gt; keytocard<br \/>\n(say yes)<br \/>\ngpg&gt; save<br \/>\ngpg&gt; quit<br \/>\n<\/code><\/p>\n<p><strong>Reset to factory defaults<\/strong>:<br \/>\nMake sure GnuPG agent is started, if not:<br \/>\n<code><br \/>\n$ eval $(gpg-agent --daemon)<br \/>\n<\/code><\/p>\n<p>Send the reset commands:<br \/>\n<code><br \/>\n$ gpg-connect-agent &lt; file<br \/>\n<\/code><\/p>\n<p>Where &#8220;file&#8221; contains:<br \/>\n<code><br \/>\nhex<br \/>\nscd serialno<br \/>\nscd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40<br \/>\nscd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40<br \/>\nscd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40<br \/>\nscd apdu 00 20 00 81 08 40 40 40 40 40 40 40 40<br \/>\nscd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40<br \/>\nscd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40<br \/>\nscd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40<br \/>\nscd apdu 00 20 00 83 08 40 40 40 40 40 40 40 40<br \/>\nscd apdu 00 e6 00 00<br \/>\nscd apdu 00 44 00 00<br \/>\n\/echo Reset complete<br \/>\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mozilla maintains a wide range of services which are secured using different solutions.\u00a0 For internal repositories, our Operations Security team has chosen to use the low-cost, open source and open &hellip; <a class=\"go\" href=\"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/\">Read more<\/a><\/p>\n","protected":false},"author":406,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[69],"tags":[],"coauthors":[],"yoast_head_json":{"title":"Using CryptoStick as an HSM - Mozilla Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/","twitter_misc":{"Written by":"Guillaume Destuynder","Est. 
reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/","url":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/","name":"Using CryptoStick as an HSM - Mozilla Security Blog","isPartOf":{"@id":"https:\/\/blog.mozilla.org\/security\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/#primaryimage"},"image":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/#primaryimage"},"thumbnailUrl":"https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/jpg-600x471.","datePublished":"2013-02-14T00:47:15+00:00","dateModified":"2013-05-16T22:26:44+00:00","author":{"@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c278d6498b715fd3fb414f2ac325fdbc"},"breadcrumb":{"@id":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/#primaryimage","url":"https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/jpg-600x471.","contentUrl":"https:\/\/blog.mozilla.org\/security\/files\/2013\/02\/jpg-600x471."},{"@type":"BreadcrumbList","@id":"https:\/\/blog.mozilla.org\/security\/2013\/02\/13\/using-cryptostick-as-an-hsm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.mozilla.org\/security\/"},{"@type":"ListItem","position":2,"name":"Using CryptoStick as an HSM"}]},{"@type":"WebSite","@id":"https:\/\/blog.mozilla.org\/security\/#website","url":"https:\/\/blog.mozilla.org\/security\/","name":"Mozilla Security 
Blog","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.mozilla.org\/security\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/c278d6498b715fd3fb414f2ac325fdbc","name":"Guillaume Destuynder","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.mozilla.org\/security\/#\/schema\/person\/image\/0de446c53eb8368872d481e18d363d39","url":"https:\/\/secure.gravatar.com\/avatar\/2a206335017e99ed8b868d931b802f95?s=96&d=identicon&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/2a206335017e99ed8b868d931b802f95?s=96&d=identicon&r=g","caption":"Guillaume Destuynder"}}]}},"_links":{"self":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/970"}],"collection":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/users\/406"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/comments?post=970"}],"version-history":[{"count":0,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/posts\/970\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/media?parent=970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/categories?post=970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/tags?post=970"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/blog.mozilla.org\/security\/wp-json\/wp\/v2\/coauthors?post=970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}