Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced Crypto Service Provider – cryptography...

Smart Coders
March 16, 2015
Technology
0
570

Advanced Crypto Service Provider – cryptography as a service

Data and information security is crucial and essential for most of the IT environments. As data is more often stored in the cloud securing it becomes a non trivial challenge.
IBM Advanced Crypto Service Provider (ACSP) is a solution that enables remote access to the IBM’s cryptographic coprocessors. Such approach allows for utilization of strong hardware based cryptography as a service (“cryptography as a service”) in distributed environments where data security cannot be guaranteed.
ACSP is a “network hardware security module (NetHSM)” that provides access to cryptographic resources via IBM Common Cryptographic Architecture (CCA) interface and the PKCS#11 standard.

More at https://ibm.box.com/v/acsp-vault-ibm-forum-2015

Video recording from that presentation can be found at https://vimeo.com/smartcoders/acsp-vault-ibm-forum-2015

Smart Coders

March 16, 2015
Tweet

More Decks by Smart Coders

See All by Smart Coders
Advanced Crypto Service Provider – kryptografia jako usługa
smartcoders
0
72

Other Decks in Technology

See All in Technology
[Ruby] Develop a Morse Code Learning Gem & Beep from Strings
oguressive
1
150
継続的にアウトカムを生み出し ビジネスにつなげる、 戦略と運営に対するタイミーのQUEST(探求)
zigorou
0
520
MLOps の現場から
asei
6
630
1等無人航空機操縦士一発試験 合格までの道のり ドローンミートアップ@大阪 2024/12/18
excdinc
0
150
KnowledgeBaseDocuments APIでベクトルインデックス管理を自動化する
iidaxs
1
260
LINEヤフーのフロントエンド組織・体制の紹介【24年12月】
lycorp_recruit_jp
0
530
第3回Snowflake女子会_LT登壇資料(合成データ)_Taro_CCCMK
tarotaro0129
0
180
Qiita埋め込み用スライド
naoki_0531
0
860
Turing × atmaCup #18 - 1st Place Solution
hakubishin3
0
470
マルチプロダクト開発の現場でAWS Security Hubを1年以上運用して得た教訓
muziyoshiz
2
2.2k
C++26 エラー性動作
faithandbrave
2
690
watsonx.ai Dojo #5 ファインチューニングとInstructLAB
oniak3ibm
PRO
0
160

Featured

See All Featured
Documentation Writing (for coders)
carmenintech
66
4.5k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
28
2.1k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
Into the Great Unknown - MozCon
thekraken
33
1.5k
Building an army of robots
kneath
302
44k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
The Cult of Friendly URLs
andyhume
78
6.1k
[RailsConf 2023] Rails as a piece of cake
palkan
53
5k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
330
21k
Git: the NoSQL Database
bkeepers
PRO
427
64k
Building a Scalable Design System with Sketch
lauravandoore
460
33k
Imperfection Machines: The Place of Print at Facebook
scottboms
266
13k

Transcript

  1. Advanced  Crypto  Service  Provider     –  Cryptography  as  a

     Service Warszawa,  16  marca  2015         Błażej  Pawlak   Crypto  Competence  Center,  Copenhagen  @  IBM  Denmark

  2. IBM  4765  PCIe  Cryptographic  Coprocessor

  3. Problem No  way  to  remotely  and  securely  access  strong  hardware

     cryptography   on  API  and  web  service  levels.

  4. Solution • System  in  client  –  server  architecture,  where  the

     server  on  behalf  of   the  client  communicates  with  the  cryptographic  coprocessor. ! ! ! ! ACSP  servers ACSP  client TLS

  5. Solution • RESTful  service  with  simple  API  –  “zCloud  ACSP

     REST  service” ! ! ! ! ! REST   client ACSP  client ACSP  servers TLS TLS

  6. ! ! ! ! ! ! INSECURE ZONE PUBLIC ZONE

    BLUE SECURE ZONE RED HTTPS TLS connection – Client & server mutual authentication iOS device with Touch ID – Touch ID on iOS 8 TCP TLS connection – Client & server mutual authentication ACSP REST Service – z/OS, AIX, Linux, Windows – Websphere Liberty Core profile – ACSP client ACSP Servers with cryptographic hardware – z/OS, AIX, Linux, z/Linux – ACSP server – CEX2, 4764, CEX3, CEX4S, CEX5S, 4765

  7. Key  features • Remote  access  to  strong  and  secure  hardware

     IBM  cryptography.   • Symmetric  key  cryptography  –  encryption  and  decryption  (in  this   demo  AES)   • Hash  generation  and  verification  (SHA  function).   • Generation  and  verification  of  a  digital  signature  (in  PoC)

  8. Benefits • Remote  access  to  strong  and  secure  hardware  IBM

     cryptography.   • Cost  efficient  use  of  existing  cryptographic  adapters.

  9. iOS  ACSP  REST  Demo
 Message  encryption  with   iPhone  6

  10. ! ! ! ! ! ! INSECURE ZONE PUBLIC ZONE

    BLUE SECURE ZONE RED HTTPS TLS connection – Client & server mutual authentication iOS device with Touch ID – Touch ID on iOS 8 TCP TLS connection – Client & server mutual authentication ACSP REST Service – z/OS, AIX, Linux, Windows – Websphere Liberty Core profile – ACSP client ACSP Servers with cryptographic hardware – z/OS, AIX, Linux, z/Linux – ACSP server – CEX2, 4764, CEX3, CEX4S, CEX5S, 4765 5 4 3 2 1

  11. Key  features • Remote  access  to  strong  and  secure  hardware

     IBM  cryptography.   • Symmetric  key  cryptography  –  encryption  and  decryption  (in  this   demo  AES)   • Hash  generation  and  verification  (SHA  function).   • Generation  and  verification  of  a  digital  signature  (in  PoC)

  12. Q&A?

  13. None

  14. 1. Client protocol [cca] instantiated 2. Connecting [ssl on 127.0.0.1:-1]

    to [192.168.77.200:8994] 3. ACSP01250I Created TLS/SSL connection to [192.168.77.200:8994] using cipher suite [SSL_RSA_WITH_AES_128_CBC_SHA] with protocols [[TLSv1.2]]
 4. Connected for transport [ssl] protocol [cca] from own socket [ssl on 127.0.0.1:54211] to [192.168.77.200:8994]
 5. ACSP01110I Connected to [ssl:cca] on host [192.168.77.200] using service [$$acp-serv] 6. Connection [1] to [192.168.77.200] with transport [ssl] and protocol [cca] has been created 7. The connection pool now holds [1] connections. REST  client  –  server  connection

  15. POST  /zCloud-­‐JaxRS/crypto/cipher  HTTP/1.1   Content-­‐Type:  application/json   Host:  rest.cccc.dk.bal.ibm.com:29443  

    Connection:  close   User-­‐Agent:  Curl/2.1.1  (Macintosh;  OS  X/10.10.2)  GCDHTTPRequest   Content-­‐Length:  274   {          "cipherRequest":  {                  "operation":  "ENCRYPT",                  "text":  {                          "textType":  "BASE64",                          "textValue":  "QUNTUC5BRVMxMjguS0VZ"                  },                  "key":  {                          "keyLabel":  "ACSP.AES256.KEY",                          "keyType":  "AES"                  }          }   } REST  client  –  server.  JSON  request.

  16. 1.        Submitting  [34]  bytes  for  [CSNBRNGL]  to

     host  [192.168.77.200]  using  connection  [1]   2.        Submitting  [217]  bytes  for  [CSNBSAE]  to  host  [192.168.77.200]  using  connection  [1]   REST  –  AES  Encryption

  17. ACSP  client  –  server  connection 1.      extracting  user

     from  certificate  DN=CN=client1,OU=IWP  Operations,O=Internet  Widgits  Pty  Ltd,ST=Copenhagen,C=DK  using  SAN:  ACSP:CLIENT1   2.      extracting  user  from  certificate  DN=CN=client1,OU=IWP  Operations,O=Internet  Widgits  Pty  Ltd,ST=Copenhagen,C=DK  using  SAN:  ACSP:CLIENT1   3.      Incoming  connect  for  [cca]  on  port  [8994]  from  client  [192.168.77.200:54247]   4.      ACSP01196I  Client  [192.168.77.200  /  192.168.77.200]  connect  to  port  8994  using  ssl  for  protocol  cca   5.      Socket  receive/send  buffer  sizes  [87379/330075]  with  Nagle's  algorithm  used  [false]   6.      ACSP01190I  Awaiting  connect  -­‐  name[ssl-­‐cca]  transport[ssl]  protocol[cca]  port[8994]  -­‐  Count[1]  Sessions[1]   7.      Identified  handler  of  class  [com.ibm.acsp.cca.ProtocolCcaServer]  for  port  number  [8994]   8.      Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]  

  18. ACSP  server  –  AES  Encryption 1.      Received  JCCA

     call  for  verb  [CSNBRNGL]   2.      Adding  rule  [RANDOM]   3.      Flushing  [cca  on  layer  tcp  on  127.0.0.1:8994]  output  stream  to  [cca  at  192.168.77.200:54247]   4.      Number  of  connects  [1]  -­‐  requests  [1]]  -­‐  responses  [1]   5.      Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]   6.      Received  JCCA  call  for  verb  [CSNBSAE]   7.      Adding  rule  [AES]   8.      Adding  rule  [PKCS-­‐PAD]   9.      Adding  rule  [KEYIDENT]   10.    Adding  rule  [INITIAL]   11.    Flushing  [cca  on  layer  tcp  on  127.0.0.1:8994]  output  stream  to  [cca  at  192.168.77.200:54247]   12.    Number  of  connects  [1]  -­‐  requests  [2]]  -­‐  responses  [2]   13.    Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]   14.    ACSP01195I  Closed  scheme  [tcp:cca]  on  port  [8997]  with  name  [tcp-­‐cca]  
  19. None

  20. Q&A?