...
HTML |
---|
<iframe width="560" height="315" src="https://www.youtube.com/embed/59csB3jiOeQ" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe> |
PlayBook
Key data
Key types:
- RSA 4096bit
- ECC 384bits
Key Subjects:
- O=GEANT, CN=eduGAIN RSA Signer CA 2022
- O=GEANT, CN=eduGAIN ECC Signer CA 2022
Keys duration:
- 20 Years
Key generation
- Prepare key storage computer for use.
- Connect and verify RNG.
- Use the RNG to create and set a static password in the two yubikeys.
- Generate RSA 4096 bits and ECC 384 bits keypairs , encrypt using yubikey in static mode.
- Decrypt RSA private key using yubikey in static mode, temporarily stored in /dev/shm.
- Issue self-signed certificate using keypair.
- Copy the keys to two USB sticks.
- Generate sha1 and sha256 fingerprint of certificate.
- Copy the RSA certificate to a USB stick and send it to the eduGAIN OT.
- Shutdown key storage computer.
Key storage
- Put the two pairs of USB stick and yubikey in its own tamper bag.
- Record the tamper bags serial numbers.
- Key storage computer goes in its tamper bag along with paper record of the commands.
Key deployment to Luna HSM
- Prepare key storage computer for use.
- Connect ethernet interface to secondary ethernet of HSM in the cluster.
- Configure HSM for providing NTLS service on secondary ethernet port.
- Decrypt RSA private key using yubikey in static mode, temporarily stored in /dev/shm.
- Using pkcs11 client on key storage computer, transfer private key to HSM.
Key backup displacement
- One tamper bag containing the USB pendrive and yubikey goes to a safe in the GEANT Amsterdam office.
- One tamper bag containing the USB pendrive and yubikey goes to a safe in the GARR Rome office.
Key generation command sequence
Code Block | ||||||||
---|---|---|---|---|---|---|---|---|
| ||||||||
#Check correct date on the box date alias getCode='/usr/local/keykeeper/bin/getCode.py' # Plug in generator # Start random genrator rc-service rngd start ps auxww | grep '[r]ngd' # Check entropy strength dd if=/dev/ttyUSB0 bs=4000 count=250 iflag=fullblock | ent # Enter secure directory. Will be cleaned after reboot. cd /dev/shm # Configure teh Yubikey into " Static Password Mode." # Create a random " Secret Key" openssl rand -hex 16 | awk '{printf "%s", $1}' > /dev/shm/SecretKey ls -la /dev/shm/SecretKey wc -m /dev/shm/SecretKey # Insert 1 Yubikey ykpersonalize -y -1 -oappend-cr -ostatic-ticket -ostrong-pw1 -ostrong-pw2 -oman-update -a$(cat /dev/shm/SecretKey) >/dev/null || echo FAIL # Insert 2 Yubikey ykpersonalize -y -1 -oappend-cr -ostatic-ticket -ostrong-pw1 -ostrong-pw2 -oman-update -a$(cat /dev/shm/SecretKey) >/dev/null || echo FAIL #Remove SecretKey rm /dev/shm/SecretKey && echo Key removed || echo FAIL # Create a openssl.conf to get CA flag into cert cat > openssl.cnf << EOF [ v3_ca ] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints = critical,CA:true EOF # Create RSA key getCode | openssl genpkey -aes-256-cbc -pass stdin -algorithm rsa -pkeyopt rsa_keygen_bits:4096 -out /dev/shm/edugain_rsa.key && echo Key created || echo FAIL # Create RSA cert-request getCode | openssl req -new -passin stdin -key /dev/shm/edugain_rsa.key -out edugain_rsa.req -subj "/O=GEANT/CN=eduGAIN RSA Signer CA 2022" && echo Request created || echo FAIL # Sign RSA Cert getCode | openssl x509 -req -passin stdin -days 7305 -in edugain_rsa.req -signkey /dev/shm/edugain_rsa.key -out edugain_rsa.crt -extfile openssl.cnf -extensions v3_ca && echo Certificate created || echo FAIL # Create EC key getCode | openssl genpkey -aes-256-cbc -pass stdin -algorithm ed25519 -out /dev/shm/edugain_ecc.key && echo Key created || echo FAIL # Create EC cert-request getCode | openssl req -new -passin stdin -key /dev/shm/edugain_ecc.key -out edugain_ecc.req -subj "/O=GEANT/CN=eduGAIN ECC Signer CA 2022" && echo Request created || echo FAIL # Create EC cert-request getCode | openssl x509 -req -passin stdin -days 7305 -in edugain_ecc.req -signkey /dev/shm/edugain_ecc.key -out edugain_ecc.crt -extfile openssl.cnf -extensions v3_ca && echo Certificate created || echo FAIL # Verify Keys / Certs openssl x509 -noout -modulus -in /dev/shm/edugain_rsa.crt | openssl sha256 getCode | openssl rsa -passin stdin -noout -modulus -in /dev/shm/edugain_rsa.key | openssl sha256 openssl x509 -noout -text -in /dev/shm/edugain_ecc.crt | egrep -A 4 "ED25519 Public-Key" | sed 's/^ *//g' getCode | openssl pkey -passin stdin -noout -in /dev/shm/edugain_ecc.key -text_pub | sed 's/^ *//g' # Show that the Keys are encrypted grep -- "-" *.key #Show RSA cert openssl x509 -in /dev/shm/edugain_rsa.crt echo -e "\nFingerprint" && \ openssl x509 -noout -in /dev/shm/edugain_rsa.crt -fingerprint -sha256 && \ echo -e "\nSubject" && \ openssl x509 -noout -in /dev/shm/edugain_rsa.crt -issuer -subject && \ echo "" && \ openssl x509 -noout -in /dev/shm/edugain_rsa.crt -text | grep -A2 Valid # Same thing with EC openssl x509 -in edugain_ecc.crt echo -e "\nFingerprint" && \ openssl x509 -noout -in edugain_ecc.crt -fingerprint -sha256 && \ echo -e "\nSubject" && \ openssl x509 -noout -in edugain_ecc.crt -issuer -subject && \ echo "" && \ openssl x509 -noout -in edugain_ecc.crt -text | grep -A2 Valid # Show checksum before copy sha256sum edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key #Mount and copy mkfs.ext4 /dev/sdb1 mount /dev/sdb1 /mnt || echo "Fail to mount" cp edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key /mnt || echo "Fail to copy files" sha256sum /mnt/edugain_rsa.crt /mnt/edugain_rsa.key /mnt/edugain_ecc.crt /mnt/edugain_ecc.key umount /mnt || echo "Fail to umount" # Next USB #Mount and copy in one step mkfs.ext4 /dev/sdb1 && \ mount /dev/sdb1 /mnt || echo "Fail to mount" cp edugain_rsa.crt edugain_rsa.key edugain_ecc.crt edugain_ecc.key /mnt || echo "Fail to copy files" && \ sha256sum /mnt/edugain_rsa.crt /mnt/edugain_rsa.key /mnt/edugain_ecc.crt /mnt/edugain_ecc.key && \ umount /mnt || echo "Fail to umount" # Next USB #Mount and copy in one step mkfs.ext4 /dev/sdb1 && \ mount /dev/sdb1 /mnt || echo "Fail to mount" cp edugain_rsa.crt edugain_ecc.crt /mnt || echo "Fail to copy files" && \ sha256sum /mnt/edugain_rsa.crt /mnt/edugain_ecc.crt && \ umount /mnt || echo "Fail to umount" # Check that /mnt is empty ant nothing got copied here by mistake ls /mnt #Boot outside serverhall #Setup getCode again alias getCode='/usr/local/keykeeper/bin/getCode.py' #Move into /dev/shm cd /dev/shm # remount usbstick with key on it mount /dev/sdb1 /mnt || echo "Fail to mount" # export cleartext into /dev/shm/edugain_rsa.clear to be able to import getCode |openssl rsa -passin stdin -in /mnt/edugain_rsa.key -out /dev/shm/edugain_rsa.clear #Import key /usr/safenet/lunaclient/bin/cmu importkey -in /dev/shm/edugain_rsa.clear -keyalg RSA -setkeyattr CKA_SIGN #Import cert /usr/safenet/lunaclient/bin/cmu import -inputFile /mnt/edugain_rsa.crt -label edugain_rsa # list handles /usr/safenet/lunaclient/bin/cmu list |
...
Yubikey code reader: