Yubico Forum

...visit our web-store at store.yubico.com
It is currently Tue Jan 30, 2018 11:18 am

All times are UTC + 1 hour




Post new topic Reply to topic  [ 4 posts ] 
Author Message
PostPosted: Tue Apr 29, 2014 12:50 pm 
Offline

Joined: Tue Apr 29, 2014 12:30 pm
Posts: 3
Hi

I'm setting up my own validation service complete with yubiHSM based KSMs. The plan is to use two KSMs, so I'll need a total of 3 yubiHSMs, (I think).

But I'm struggling with the yubiHSM part. I understand that I should use a separate yubiHSM for generating AEADs with only the minimum permissions set.

Section 5.1 from the YubiHSM reference manual states
'In the case above, devices 1-3 will then have the YSM_AEAD_YUBIKEY_OTP_DECODE flag enabled only whereas the device 4 will have any combination of the generation flags set only.'

Which combination should I be setting? So far, I've tried just YSM_BUFFER_AEAD_GENERATE with YSM_BUFFER_LOAD (the flags listed in the first row of the table on page 11, section 2.4 AEAD generation)
But this doesn't seem to be enough. After leaving configuration mode, I've tried generating keys with yhsm-generate-keys, but this fails with
pyhsm.exception.YHSM_CommandFailed: <YHSM_CommandFailed instance at 0x1dc2a00: Command YSM_BUFFER_AEAD_GENERATE failed: YSM_FUNCTION_DISABLED>

I've doubled checked, and the YSM_BUFFER_AEAD_GENERATE is definitely set, so why is it coming back YSM_FUNCTION_DISABLED?

Many thanks for your help,
Alex


Top
 Profile  
Reply with quote  

Share On:

Share on Facebook FacebookShare on Twitter TwitterShare on Tumblr TumblrShare on Google+ Google+

PostPosted: Tue Apr 29, 2014 2:14 pm 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Hello,

To generate aeads from user input those two flags are enough, though there's a gotcha in there namely the YSM_USER_NONCE flag. If the key can be supplied outside of the hsm (with YSM_BUFFER_LOAD) YSM_USER_NONCE should definately not be set and --random-nonce must be given to yhsm-generate-keys. To make matters more complicated there's a bug in all released versions of the yhsm-generate-keys script that makes the --random-nonce flag a noop: https://github.com/Yubico/python-pyhsm/ ... 29ff087691

Hopefully this clears things up a bit..

/klas


Top
 Profile  
Reply with quote  
PostPosted: Tue Apr 29, 2014 2:57 pm 
Offline

Joined: Tue Apr 29, 2014 12:30 pm
Posts: 3
Hi Klas

Thanks for your help. With the git version, yhsm-generate-keys now works (with the --random-nonce option).
I had actually already tried the --random-nonce option, but was obviously hitting the bug.

Having generated the keys, the next step is to run
yhsm-decrypt-aead --format yubikey-csv /var/cache/yubikey-ksm/aeads --aes-key $AEAD_AES_KEY ?

This generates a csv that can be used for programming the yubikeys.

Isn't it an issue that the aes-key has to be supplied on the commandline?

Or perhaps there is a better way of provisioning our yubikeys (small site ~100 yubikeys)?
I could use the personalization tool to generate keys during the programming of the yubikeys instead? (and then use yhsm-import-keys to create the AEADs?)

I'm finding it all a bit confusing, but am anxious to get it right and not invalid the security.

Thanks,
Alex


Top
 Profile  
Reply with quote  
PostPosted: Tue Apr 29, 2014 3:12 pm 
Offline
Site Admin
Site Admin

Joined: Thu Apr 19, 2012 1:45 pm
Posts: 148
Good, one thing out of the way!

The decrypt-aead script should only be run on a disconnected machine, otherwise you have no benefit of generating the keys inside the HSM in the first step.

If you don't want to setup a disconnected station where you decrypt aeads and program the YubiKeys (which is the highest security you get) you could well program the keys first and then import with yhsm-import-keys.

/klas


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 4 posts ] 

All times are UTC + 1 hour


Who is online

Users browsing this forum: No registered users and 1 guest


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
Powered by phpBB® Forum Software © phpBB Group