<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<pre class="moz-signature" cols="72">
</pre>
<div class="moz-cite-prefix">On 03-Jun-18 02:00, Ondřej Surý wrote:<br>
</div>
<blockquote type="cite"
cite="mid:%3C5A2081AA-7BF7-48E9-B602-9FD814651852@isc.org%3E">
<pre wrap="">Hi all,
BIND 9 currently supports two major cryptography provider libraries - OpenSSL[1] and PKCS#11.
The PKCS#11 interface is very fragile, as the different vendors implement different parts of the
standard, and BIND needs to be compiled with a specific PKCS#11 provider defined at the
compile time. This is certainly suboptimal, and we are looking at ways how to improve that.
So, if you are running BIND with PKCS#11 HSM, or you are thinking about such setup,
I would be interested to hear answer to couple of questions:
1. What functions of PKCS#11 do you care
1a) getting entropy?
1b) message digests?
1c) HMAC?
1d) symmetric crypto (meaning AES)
1e) public-key cryptography (aka DNSSEC keys)
(Background: PKCS#11 as currently used in BIND uses PKCS#11 exclusively
for anything related to crypto.)
2. Would you be fine if BIND double linked with OpenSSL and PKCS#11?
(Background: if some of the answers to previous question were NO, BIND would
have to use OpenSSL as a provider for these functions and it would make
the code more slimmer, and easier to test.)
3. Would you care if BIND wouldn’t link directly to PKCS#11 library and used
OpenSSL engine: <a class="moz-txt-link-freetext" href="https://github.com/OpenSC/libp11#openssl-engines">https://github.com/OpenSC/libp11#openssl-engines</a>
(Background: the PKCS#11 is full of #ifdefs, for full picture see [1], and it
doesn’t really make sense to develop the same work-arounds at two different
places.)
~~~
There are three possible course of actions we might take:
1. Convert the PKCS#11 usage to OpenSSL PKCS#11 engine. That would
save us from most of the headaches with PKCS#11, but it might require some
configuration changes for existing deployments.
2. Convert the non public-key cryptography parts to OpenSSL. This would
allow people to keep the DNSSEC private keys inside the HSMs, but all
the other crypto would come from OpenSSL. (OpenSSL itself has FIPS
140-2 validation if that means anything to you.)
3. Keep the status quo
There are some options to these three:
A. Improve the PKCS#11 handling to runtime detection of HSM capabilities
B. Support OpenSSL and PKCS#11 DNSSEC keys at the same time, say
to store KSKs in PKCS#11 and ZSK on disk...
The A is non-issue for 1., likely to happen with 2., and unlikely to happen with 3.
The B will happen with 1., likely to happen with 2., and impossible to happen with 3.
As usual, the goal is to balance the time we have to spend on improving BIND,
and our development resources are limited, so any resources saved by reducing
the code we need to maintain would free our hands to do something else (like A or B).
Also please note that this is not going to affect any previously released version of BIND,
just future releases.
1. <a class="moz-txt-link-freetext" href="https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/isc/include/pk11/site.h">https://gitlab.isc.org/isc-projects/bind9/blob/master/lib/isc/include/pk11/site.h</a>
2. <a class="moz-txt-link-freetext" href="https://www.openssl.org/docs/fips.html#background">https://www.openssl.org/docs/fips.html#background</a>
Ondrej
--
Ondřej Surý
<a class="moz-txt-link-abbreviated" href="mailto:ondrej@isc.org">ondrej@isc.org</a>
</pre>
</blockquote>
With the caveat that I don't currently use PKCS#11 with BIND:<br>
<br>
#1 - use OpenSSL's engine seems the most reasonable. Puts most of
the maintenance burden on them.<br>
Perhaps you can have a script that recommends the necessary
configuration changes - presumably<br>
this is a one-time thing.<br>
<br>
It seems to me that the biggest pain for users is having to compile
against a specific provider. This makes life hard for packagers (and
end users who compile bind). If nothing else, it would be useful to
(I guess this is option 4):<br>
a) specify the provider at runtime - e.g. load the right DLL<br>
b) be able to separately compile that (those) dll(s) for whatever
provider, generating a unique name.<br>
This would allow packagers to pre-compile whatever set of
providers their customers want, and<br>
allow specifying which one in the config file. It would be
minimal change to your code - mostly Makefile<br>
magic. Essentially, the BIND version of OpenSSL engines...<br>
<br>
Put another way: in configure one does something like
--build-pkcs11=(hsm1, hsm2, hsm3, softhsm, ...)<br>
and you get hsm1.so, hsm2.so, hsm3.so, softhsm.so ... and a
BIND that knows how to load/call whichever<br>
one is loaded, but no provider-dependent code. Then the bind
config file has 'pkcs11-provider "hsm2";'<br>
<br>
The BIND code -with whatever ugliness - remains unchanged
until, and unless you decide to refactor it.<br>
That could be incremental - and transparent to users.<br>
<br>
In fact, one of the providers could be OpenSSL (or its
engines) under a BIND interface wrapper...<br>
<br>
Also, this is a static choice - not "runtime detection of
capabilities". You could do that eventually, of course, as<br>
part of refactoring to consolidate some/all of the
libraries. But the end user just configures one<br>
name for his/her provider. The idea is to keep things simple
- for the user, and for development.<br>
<br>
On the other hand, if I have multiple machines with different
providers, I don't have to compile<br>
a unique BIND for each. I build it once with (at least) the
union of all the required providers, and<br>
deploy the same image everywhere. Better yet, with luck my
distribution ships with all the provider libraries that I need, and
I don't compile anything! The config file is the only variant.<br>
<br>
So, if you can switch to OpenSSL, it seems the best long-run
option. If you can't, (or are encouraged not to by other
customers), you could solve a lot of the customer pain by making the
provider loadable.<br>
<br>
For entropy, I use a mixture of USB keys and CPU hardware
generators. As I may have mentioned, I use EntropyBroker to
distribute the entropy securely - this keeps cost reasonable,
especially with many VMs (some of which don't naturally generate a
lot of entropy...). See <a class="moz-txt-link-freetext" href="https://www.vanheusden.com/entropybroker/">https://www.vanheusden.com/entropybroker/</a>
& <a class="moz-txt-link-freetext" href="https://github.com/flok99/entropybroker">https://github.com/flok99/entropybroker</a>. <br>
<br>
Hope this helps.<br>
<br>
<br>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. </pre>
</body>
</html>