Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced Crypto Service Provider – cryptography as a service

Smart Coders
March 16, 2015
Technology
0
510

Advanced Crypto Service Provider – cryptography as a service

Data and information security is crucial and essential for most of the IT environments. As data is more often stored in the cloud securing it becomes a non trivial challenge.
IBM Advanced Crypto Service Provider (ACSP) is a solution that enables remote access to the IBM’s cryptographic coprocessors. Such approach allows for utilization of strong hardware based cryptography as a service (“cryptography as a service”) in distributed environments where data security cannot be guaranteed.
ACSP is a “network hardware security module (NetHSM)” that provides access to cryptographic resources via IBM Common Cryptographic Architecture (CCA) interface and the PKCS#11 standard.

More at https://ibm.box.com/v/acsp-vault-ibm-forum-2015

Video recording from that presentation can be found at https://vimeo.com/smartcoders/acsp-vault-ibm-forum-2015

Smart Coders

March 16, 2015
Tweet

More Decks by Smart Coders

See All by Smart Coders
Advanced Crypto Service Provider – kryptografia jako usługa
smartcoders
0
67

Other Decks in Technology

See All in Technology
Google Cloud Next '24 Recap(Cloud Run/k8s)
mokocm
0
170
ワールドカフェI /チューターを改良する / World Café I and Improving the Tutors
ks91
PRO
0
120
DevOpsメトリクスとアウトカムの接続にトライ!開発プロセスを通して計測できるメトリクスの活用方法
ham0215
2
240
地理空間データ可視化・解析・活用ソリューション Pacific Spatial Solutions (PSS)
pacificspatialsolutions
0
260
ここが嬉しいABAC ここが辛いよABAC #再解説+補足編
masahirokawahara
1
270
Vertex AI を中心に 生成AIのアップデートを共有します
kaz1437
0
310
自己改善からチームを動かす! 「セルフエンジニアリングマネージャー」のすゝめ
shoota
6
480
Postman v10リリース後を振り返る / Looking back at Postman v10 after release
yokawasa
1
160
VS CodeでAWSを操作しよう
smt7174
8
1.6k
Java EE/Jakarta EEの現状と将来 ―クラウドネイティブ時代にJava EEは対応できるのか?―
takakiyo
1
150
KubeConにproposalを送りたい人へのアドバイス
sat
PRO
3
250
GraphQL 成熟度モデルの紹介と、プロダクトに当てはめた事例 / GraphQL maturity model
mh4gf
7
1.3k

Featured

See All Featured
Unsuck your backbone
ammeep
663
57k
StorybookのUI Testing Handbookを読んだ
zakiyama
13
4.6k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
9
8.3k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
21
1.6k
KATA
mclloyd
15
12k
Stop Working from a Prison Cell
hatefulcrawdad
266
19k
Responsive Adventures: Dirty Tricks From The Dark Corners of Front-End
smashingmag
244
20k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
78
42k
The Mythical Team-Month
searls
216
42k
Teambox: Starting and Learning
jrom
128
8.4k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
20
1.9k
Being A Developer After 40
akosma
57
580k

Transcript

  1. Advanced  Crypto  Service  Provider     –  Cryptography  as  a

     Service Warszawa,  16  marca  2015         Błażej  Pawlak   Crypto  Competence  Center,  Copenhagen  @  IBM  Denmark

  2. IBM  4765  PCIe  Cryptographic  Coprocessor

  3. Problem No  way  to  remotely  and  securely  access  strong  hardware

     cryptography   on  API  and  web  service  levels.

  4. Solution • System  in  client  –  server  architecture,  where  the

     server  on  behalf  of   the  client  communicates  with  the  cryptographic  coprocessor. ! ! ! ! ACSP  servers ACSP  client TLS

  5. Solution • RESTful  service  with  simple  API  –  “zCloud  ACSP

     REST  service” ! ! ! ! ! REST   client ACSP  client ACSP  servers TLS TLS

  6. ! ! ! ! ! ! INSECURE ZONE PUBLIC ZONE

    BLUE SECURE ZONE RED HTTPS TLS connection – Client & server mutual authentication iOS device with Touch ID – Touch ID on iOS 8 TCP TLS connection – Client & server mutual authentication ACSP REST Service – z/OS, AIX, Linux, Windows – Websphere Liberty Core profile – ACSP client ACSP Servers with cryptographic hardware – z/OS, AIX, Linux, z/Linux – ACSP server – CEX2, 4764, CEX3, CEX4S, CEX5S, 4765

  7. Key  features • Remote  access  to  strong  and  secure  hardware

     IBM  cryptography.   • Symmetric  key  cryptography  –  encryption  and  decryption  (in  this   demo  AES)   • Hash  generation  and  verification  (SHA  function).   • Generation  and  verification  of  a  digital  signature  (in  PoC)

  8. Benefits • Remote  access  to  strong  and  secure  hardware  IBM

     cryptography.   • Cost  efficient  use  of  existing  cryptographic  adapters.

  9. iOS  ACSP  REST  Demo
 Message  encryption  with   iPhone  6

  10. ! ! ! ! ! ! INSECURE ZONE PUBLIC ZONE

    BLUE SECURE ZONE RED HTTPS TLS connection – Client & server mutual authentication iOS device with Touch ID – Touch ID on iOS 8 TCP TLS connection – Client & server mutual authentication ACSP REST Service – z/OS, AIX, Linux, Windows – Websphere Liberty Core profile – ACSP client ACSP Servers with cryptographic hardware – z/OS, AIX, Linux, z/Linux – ACSP server – CEX2, 4764, CEX3, CEX4S, CEX5S, 4765 5 4 3 2 1

  11. Key  features • Remote  access  to  strong  and  secure  hardware

     IBM  cryptography.   • Symmetric  key  cryptography  –  encryption  and  decryption  (in  this   demo  AES)   • Hash  generation  and  verification  (SHA  function).   • Generation  and  verification  of  a  digital  signature  (in  PoC)

  12. Q&A?

  13. None

  14. 1. Client protocol [cca] instantiated 2. Connecting [ssl on 127.0.0.1:-1]

    to [192.168.77.200:8994] 3. ACSP01250I Created TLS/SSL connection to [192.168.77.200:8994] using cipher suite [SSL_RSA_WITH_AES_128_CBC_SHA] with protocols [[TLSv1.2]]
 4. Connected for transport [ssl] protocol [cca] from own socket [ssl on 127.0.0.1:54211] to [192.168.77.200:8994]
 5. ACSP01110I Connected to [ssl:cca] on host [192.168.77.200] using service [$$acp-serv] 6. Connection [1] to [192.168.77.200] with transport [ssl] and protocol [cca] has been created 7. The connection pool now holds [1] connections. REST  client  –  server  connection

  15. POST  /zCloud-­‐JaxRS/crypto/cipher  HTTP/1.1   Content-­‐Type:  application/json   Host:  rest.cccc.dk.bal.ibm.com:29443  

    Connection:  close   User-­‐Agent:  Curl/2.1.1  (Macintosh;  OS  X/10.10.2)  GCDHTTPRequest   Content-­‐Length:  274   {          "cipherRequest":  {                  "operation":  "ENCRYPT",                  "text":  {                          "textType":  "BASE64",                          "textValue":  "QUNTUC5BRVMxMjguS0VZ"                  },                  "key":  {                          "keyLabel":  "ACSP.AES256.KEY",                          "keyType":  "AES"                  }          }   } REST  client  –  server.  JSON  request.

  16. 1.        Submitting  [34]  bytes  for  [CSNBRNGL]  to

     host  [192.168.77.200]  using  connection  [1]   2.        Submitting  [217]  bytes  for  [CSNBSAE]  to  host  [192.168.77.200]  using  connection  [1]   REST  –  AES  Encryption

  17. ACSP  client  –  server  connection 1.      extracting  user

     from  certificate  DN=CN=client1,OU=IWP  Operations,O=Internet  Widgits  Pty  Ltd,ST=Copenhagen,C=DK  using  SAN:  ACSP:CLIENT1   2.      extracting  user  from  certificate  DN=CN=client1,OU=IWP  Operations,O=Internet  Widgits  Pty  Ltd,ST=Copenhagen,C=DK  using  SAN:  ACSP:CLIENT1   3.      Incoming  connect  for  [cca]  on  port  [8994]  from  client  [192.168.77.200:54247]   4.      ACSP01196I  Client  [192.168.77.200  /  192.168.77.200]  connect  to  port  8994  using  ssl  for  protocol  cca   5.      Socket  receive/send  buffer  sizes  [87379/330075]  with  Nagle's  algorithm  used  [false]   6.      ACSP01190I  Awaiting  connect  -­‐  name[ssl-­‐cca]  transport[ssl]  protocol[cca]  port[8994]  -­‐  Count[1]  Sessions[1]   7.      Identified  handler  of  class  [com.ibm.acsp.cca.ProtocolCcaServer]  for  port  number  [8994]   8.      Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]  

  18. ACSP  server  –  AES  Encryption 1.      Received  JCCA

     call  for  verb  [CSNBRNGL]   2.      Adding  rule  [RANDOM]   3.      Flushing  [cca  on  layer  tcp  on  127.0.0.1:8994]  output  stream  to  [cca  at  192.168.77.200:54247]   4.      Number  of  connects  [1]  -­‐  requests  [1]]  -­‐  responses  [1]   5.      Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]   6.      Received  JCCA  call  for  verb  [CSNBSAE]   7.      Adding  rule  [AES]   8.      Adding  rule  [PKCS-­‐PAD]   9.      Adding  rule  [KEYIDENT]   10.    Adding  rule  [INITIAL]   11.    Flushing  [cca  on  layer  tcp  on  127.0.0.1:8994]  output  stream  to  [cca  at  192.168.77.200:54247]   12.    Number  of  connects  [1]  -­‐  requests  [2]]  -­‐  responses  [2]   13.    Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]   14.    ACSP01195I  Closed  scheme  [tcp:cca]  on  port  [8997]  with  name  [tcp-­‐cca]  
  19. None

  20. Q&A?