
Raspberry Pi arrived…

June 1, 2012 in general

… so finally, after nearly 4 months of waiting (and some silence on this blog), the Pi arrived. So it's time to get it up and running and see how much crypto performance it achieves. There seems to be some potential in abusing the GPU, but we will see.

Houston, we’ve made contact – OpenCT iKey 4000 driver

January 28, 2012 in Cryptography, Token's & Smart Card's

I was able to create an OpenCT driver for the iKey 4000, after some fiddling with the build environment. But that thing did not want to answer as I wanted to. It always gave a protocol error and returned some strange data. Surely the protocol had to be T=1, but the solution was as simple as configuring the parameter to deal with a maximum data size of 254 bytes.

Now the token was responding; however, the ATR response was unusual, with a total of 32 bytes. The reason is that the iKey 4000 always seems to return data with a minimum size of 32 bytes.

So finally:

root@troja:# /opt/openct/bin/openct-tool -r 0 atr
Detected Rainbow iKey 4000
Card present, status changed
ATR: 3b ff 18 00 00 81 31 fe 4d 80 25 a0 00 00 00 56 57 44 4b 34 30 30 06 00 dd

So just a bit of cleaning up is left, and then we go to the next level: OpenSC support.
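Decoding the ATR shown above, as an added example (not code from the original post or from OpenCT): the parser walks the ISO/IEC 7816-3 interface bytes, reports whether T=1 is offered, reads the IFSC that corresponds to the 254-byte maximum data size, checks TCK, and computes the real ATR length so a response padded to 32 bytes can be trimmed. The names `atr_info`, `parse_atr` and `sample` are hypothetical, and the zero padding is an assumption, since the post does not show the padding bytes.

```c
#include <stddef.h>
#include <stdio.h>
struct atr_info {
    int t1;        /* 1 if a TDi byte offers protocol T=1 */
    int ifsc;      /* first TA for T=1: max INF size the card accepts (default 32) */
    int hist_len;  /* K, the number of historical bytes */
    int tck_ok;    /* 1 valid, 0 invalid, -1 no TCK present */
    size_t len;    /* real ATR length; bytes beyond it are padding */
};
/* Walk the interface bytes per ISO/IEC 7816-3; returns 0, or -1 on bad input. */
int parse_atr(const unsigned char *a, size_t n, struct atr_info *o)
{
    size_t p = 2, k;
    int i = 1, proto = 0, need_tck = 0, have_ifsc = 0;
    unsigned char y, x = 0;
    if (n < 2 || (a[0] != 0x3b && a[0] != 0x3f)) return -1;   /* TS */
    o->t1 = 0; o->ifsc = 32; o->tck_ok = -1; o->hist_len = a[1] & 0x0f;
    for (y = a[1] >> 4; y; i++) {           /* y = Yi: which of TAi..TDi follow */
        if (y & 1) {                        /* TAi present */
            if (p >= n) return -1;
            if (i > 2 && proto == 1 && !have_ifsc) { o->ifsc = a[p]; have_ifsc = 1; }
            p++;
        }
        p += ((y >> 1) & 1) + ((y >> 2) & 1);   /* skip TBi and TCi */
        if (!(y & 8)) break;                /* no TDi: interface bytes end */
        if (p >= n) return -1;
        proto = a[p] & 0x0f;                /* TDi names the protocol of group i+1 */
        if (proto) { need_tck = 1; o->t1 |= (proto == 1); }
        y = a[p++] >> 4;
    }
    o->len = p + o->hist_len + need_tck;
    if (o->len > n) return -1;              /* truncated ATR */
    for (k = 1; need_tck && k < o->len; k++) x ^= a[k];
    if (need_tck) o->tck_ok = (x == 0);     /* XOR of T0..TCK must be 0 */
    return 0;
}

/* ATR bytes from the post; the 7 trailing zero bytes are constructed padding. */
const unsigned char sample[32] = {
    0x3b,0xff,0x18,0x00,0x00,0x81,0x31,0xfe,0x4d,0x80,0x25,0xa0,0x00,
    0x00,0x00,0x56,0x57,0x44,0x4b,0x34,0x30,0x30,0x06,0x00,0xdd };

int main(void)
{
    struct atr_info r;
    if (parse_atr(sample, sizeof sample, &r)) return 1;
    printf("T=1:%d IFSC:%d K:%d TCK:%d len:%zu\n", r.t1, r.ifsc, r.hist_len, r.tck_ok, r.len);
    return 0;
}
```

A failed TCK check or a `-1` return is a reason to reject the response rather than hand it to the protocol layer.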

Get the Keepass database really secure and portable

January 12, 2012 in IT security, Token's & Smart Card's

Keepass has been a great tool to store, generate and manage credentials in a nice way. But securing the password database with just a password adds nothing more than another layer to the onion. Do not get me wrong. It is nice to have a tool that allows you to use different, quite secure and strong credentials across multiple systems. That not only limits the chance of your complete internet identity being hacked when one account is broken, but it also offers a good strong password generator.

But how secure is that when it is just protected using an easy-to-remember single password? Even worse, the password database is stored as a flat file somewhere on a system, easy to reach for administrators, trojans or other nasty attackers. Last but not least, how do you maintain security in a small to medium enterprise, where employees are typically obliged to use secure passwords, not share them and so on? What happens after the employee leaves? Large enterprises can afford good Identity and Access Management (IAM) solutions that will take care of that, but what about the smaller ones? Surely their overworked, underpaid IT support staff just goes from system to system to remove that user. Well, at least we hope so.

Read the rest of this entry →

Connect a Hardware Security Module to openSSL

January 12, 2012 in Cryptography, Hardware Security Module, IT security

openSSL is a great software-based solution to offer basic cryptographic and certificate services. In most cases it's just used to provide the backend for SSL-enhanced protocols like https or ssh. But it also offers a standardised API to other solutions like gSOAP.

The only shortcoming of openSSL as a security suite is that it is tightly tied to keys that are stored in software. This might become a huge security concern, as in most cases anyone with access to the system can just grab the key files and walk away. If openSSL is used to encrypt some important data, then the attacker has all the time in the world to sit down and decrypt the data. That typically happens without anyone noticing that the keys and data have been stolen.

Read the rest of this entry →

Raspberry Pi – Credit Card Size Linux Box

January 11, 2012 in general

Finally, Raspberry Pi have started production of a credit-card-size, ARM-based system that runs on GNU/Linux and offers a nice variety of interfaces. The original intent was to get a US$ 25 product. However, production started with the “Model B”, which will be about US$ 35.

I do not care so much about the price but rather the size, and also its ARM-based design, which reminds me of some security devices that used the same architecture. I will definitely get one to have a play with it, in particular to see the performance it delivers in RSA X9.19 compliant key generation and Triple-DES encryption with various block sizes. A similar design I tested in the past was able to do up to 15MB/s DES3 encryption (depending on the block size fed) and two 1024 bit RSA keys (X9.19 takes a lot more time due to its additional tests, especially Rabin-Miller).

This device might have the potential for a new generation of open source, embedded Hardware Security Modules.

iKey 4000 OpenCT support

December 30, 2011 in IT security, Token's & Smart Card's

As my commercial projects allow for some additional time, I had the thought to actively participate in some open source development again. A project I have had in mind for some time now is to get OpenCT to support the Rainbow iKey 4000 (later acquired by SafeNet and now called eToken 5000), which is a highly secure USB token. It is also available in a smart card form factor, where it is called SafeNet Smart Card 400, which is essentially the same chip as the eToken 5000, just without all the USB stuff.

With that it should be possible to hook up the token to openSSL for further use of other modules or applications. To get an idea how, have a look at my openSSL – HSM integration. For the token it should be similar, just configure openSSL to use OpenSC’s PKCS#11 library.

The biggest challenge in the past was to get a driver with the correct APDU commands, but that shouldn’t be an issue anymore. So it will come down to understanding the vanilla driver templates and modifying them so the USB token will work.

SHA-1 broken – but still used

December 28, 2011 in Cryptography, IT security

It’s the same story again: a hash algorithm supposed to create no collisions and to produce just one-way results has been broken. Actually, Bruce Schneier already blogged about that in 2005. So one result was probably the recommendation to use algorithms out of the SHA-2 family, like SHA-256, SHA-384 and so on.

However, now, more than 6 years later, SHA-1 is still widely deployed. Somehow MD5 got replaced much more quickly.

So what's the issue with it? Well, let's look at two examples:

Read the rest of this entry →

Accelerate apache SSL traffic using a security device

December 16, 2011 in general

-placeholder, coming soon-

History of go-LAN

December 2, 2011 in general, network

Welcome to go-LAN. This is the first post to start blogging!

First of all, let's talk a little about the history of go-LAN. The name was founded in 2000, when we officially connected the so-called “ilmenau network” to the Forschungsgemeinschaft elektronische Medien (study group for electronic media). The name was derived from the Golan Heights due to the similarity of the geological foundations in Ilmenau, as the campus was based in the valley and we were on one side of the surrounding hills and mountains. It was also a little play with the words “go” and “LAN”.

We were a small group of students and trainees whose goal it was to connect students living off the university's campus to the student network. Prior to that we had just started to interconnect people using “old-school” Thin Wire Ethernet (also called Thinnet or Cheapernet). Now we were in the fortunate position to use high-speed twisted pair cable with 100 MBit/s (later 1Gbit/s) bandwidth.

To get a connection to FeM’s backbone we started with a quite expensive point-to-point wireless network link, labeled at around 11Mbit/s, but even in optimal conditions we did not get more than 6Mbit/s out. After some time we hooked up a second link to load balance the traffic, because we noted that separating up- and downstream over two links gains more bandwidth each, instead of running both via one link.

Since mid-2004 the domain go-LAN.net was just used privately, with its main task being to provide domain (hostnames), eMail and web services.

The official end of the go-LAN network came in 2010, when the owners of the house we were based in decided to do some substantial rework to the building. That included removing the two top floors.

In 2011 the TLD .com got added after the previous owners left it to expire. Due to some mistake people also started sending emails to go-lan.ch, therefore this domain also got added in late 2011.

Today go-LAN is a platform to represent my interests and skills and to provide non-commercial services to the community. There is a chance that some commercial services will get added, but that’s a topic for the future.