Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Advanced Crypto Service Provider – cryptography as a service

Advanced Crypto Service Provider – cryptography as a service

Data and information security is crucial and essential for most of the IT environments. As data is more often stored in the cloud securing it becomes a non trivial challenge.
IBM Advanced Crypto Service Provider (ACSP) is a solution that enables remote access to the IBM’s cryptographic coprocessors. Such approach allows for utilization of strong hardware based cryptography as a service (“cryptography as a service”) in distributed environments where data security cannot be guaranteed.
ACSP is a “network hardware security module (NetHSM)” that provides access to cryptographic resources via IBM Common Cryptographic Architecture (CCA) interface and the PKCS#11 standard.

More at https://ibm.box.com/v/acsp-vault-ibm-forum-2015

Video recording from that presentation can be found at https://vimeo.com/smartcoders/acsp-vault-ibm-forum-2015

27b9145d6164b06cb4b789d9928d451f?s=128

Smart Coders

March 16, 2015
Tweet

Transcript

  1. Advanced  Crypto  Service  Provider     –  Cryptography  as  a

     Service Warszawa,  16  marca  2015         Błażej  Pawlak   Crypto  Competence  Center,  Copenhagen  @  IBM  Denmark
  2. IBM  4765  PCIe  Cryptographic  Coprocessor

  3. Problem No  way  to  remotely  and  securely  access  strong  hardware

     cryptography   on  API  and  web  service  levels.
  4. Solution • System  in  client  –  server  architecture,  where  the

     server  on  behalf  of   the  client  communicates  with  the  cryptographic  coprocessor. ! ! ! ! ACSP  servers ACSP  client TLS
  5. Solution • RESTful  service  with  simple  API  –  “zCloud  ACSP

     REST  service” ! ! ! ! ! REST   client ACSP  client ACSP  servers TLS TLS
  6. ! ! ! ! ! ! INSECURE ZONE PUBLIC ZONE

    BLUE SECURE ZONE RED HTTPS TLS connection – Client & server mutual authentication iOS device with Touch ID – Touch ID on iOS 8 TCP TLS connection – Client & server mutual authentication ACSP REST Service – z/OS, AIX, Linux, Windows – Websphere Liberty Core profile – ACSP client ACSP Servers with cryptographic hardware – z/OS, AIX, Linux, z/Linux – ACSP server – CEX2, 4764, CEX3, CEX4S, CEX5S, 4765
  7. Key  features • Remote  access  to  strong  and  secure  hardware

     IBM  cryptography.   • Symmetric  key  cryptography  –  encryption  and  decryption  (in  this   demo  AES)   • Hash  generation  and  verification  (SHA  function).   • Generation  and  verification  of  a  digital  signature  (in  PoC)
  8. Benefits • Remote  access  to  strong  and  secure  hardware  IBM

     cryptography.   • Cost  efficient  use  of  existing  cryptographic  adapters.
  9. iOS  ACSP  REST  Demo
 Message  encryption  with   iPhone  6

  10. ! ! ! ! ! ! INSECURE ZONE PUBLIC ZONE

    BLUE SECURE ZONE RED HTTPS TLS connection – Client & server mutual authentication iOS device with Touch ID – Touch ID on iOS 8 TCP TLS connection – Client & server mutual authentication ACSP REST Service – z/OS, AIX, Linux, Windows – Websphere Liberty Core profile – ACSP client ACSP Servers with cryptographic hardware – z/OS, AIX, Linux, z/Linux – ACSP server – CEX2, 4764, CEX3, CEX4S, CEX5S, 4765 5 4 3 2 1
  11. Key  features • Remote  access  to  strong  and  secure  hardware

     IBM  cryptography.   • Symmetric  key  cryptography  –  encryption  and  decryption  (in  this   demo  AES)   • Hash  generation  and  verification  (SHA  function).   • Generation  and  verification  of  a  digital  signature  (in  PoC)
  12. Q&A?

  13. None
  14. 1. Client protocol [cca] instantiated 2. Connecting [ssl on 127.0.0.1:-1]

    to [192.168.77.200:8994] 3. ACSP01250I Created TLS/SSL connection to [192.168.77.200:8994] using cipher suite [SSL_RSA_WITH_AES_128_CBC_SHA] with protocols [[TLSv1.2]]
 4. Connected for transport [ssl] protocol [cca] from own socket [ssl on 127.0.0.1:54211] to [192.168.77.200:8994]
 5. ACSP01110I Connected to [ssl:cca] on host [192.168.77.200] using service [$$acp-serv] 6. Connection [1] to [192.168.77.200] with transport [ssl] and protocol [cca] has been created 7. The connection pool now holds [1] connections. REST  client  –  server  connection
  15. POST  /zCloud-­‐JaxRS/crypto/cipher  HTTP/1.1   Content-­‐Type:  application/json   Host:  rest.cccc.dk.bal.ibm.com:29443  

    Connection:  close   User-­‐Agent:  Curl/2.1.1  (Macintosh;  OS  X/10.10.2)  GCDHTTPRequest   Content-­‐Length:  274   {          "cipherRequest":  {                  "operation":  "ENCRYPT",                  "text":  {                          "textType":  "BASE64",                          "textValue":  "QUNTUC5BRVMxMjguS0VZ"                  },                  "key":  {                          "keyLabel":  "ACSP.AES256.KEY",                          "keyType":  "AES"                  }          }   } REST  client  –  server.  JSON  request.
  16. 1.        Submitting  [34]  bytes  for  [CSNBRNGL]  to

     host  [192.168.77.200]  using  connection  [1]   2.        Submitting  [217]  bytes  for  [CSNBSAE]  to  host  [192.168.77.200]  using  connection  [1]   REST  –  AES  Encryption
  17. ACSP  client  –  server  connection 1.      extracting  user

     from  certificate  DN=CN=client1,OU=IWP  Operations,O=Internet  Widgits  Pty  Ltd,ST=Copenhagen,C=DK  using  SAN:  ACSP:CLIENT1   2.      extracting  user  from  certificate  DN=CN=client1,OU=IWP  Operations,O=Internet  Widgits  Pty  Ltd,ST=Copenhagen,C=DK  using  SAN:  ACSP:CLIENT1   3.      Incoming  connect  for  [cca]  on  port  [8994]  from  client  [192.168.77.200:54247]   4.      ACSP01196I  Client  [192.168.77.200  /  192.168.77.200]  connect  to  port  8994  using  ssl  for  protocol  cca   5.      Socket  receive/send  buffer  sizes  [87379/330075]  with  Nagle's  algorithm  used  [false]   6.      ACSP01190I  Awaiting  connect  -­‐  name[ssl-­‐cca]  transport[ssl]  protocol[cca]  port[8994]  -­‐  Count[1]  Sessions[1]   7.      Identified  handler  of  class  [com.ibm.acsp.cca.ProtocolCcaServer]  for  port  number  [8994]   8.      Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]  
  18. ACSP  server  –  AES  Encryption 1.      Received  JCCA

     call  for  verb  [CSNBRNGL]   2.      Adding  rule  [RANDOM]   3.      Flushing  [cca  on  layer  tcp  on  127.0.0.1:8994]  output  stream  to  [cca  at  192.168.77.200:54247]   4.      Number  of  connects  [1]  -­‐  requests  [1]]  -­‐  responses  [1]   5.      Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]   6.      Received  JCCA  call  for  verb  [CSNBSAE]   7.      Adding  rule  [AES]   8.      Adding  rule  [PKCS-­‐PAD]   9.      Adding  rule  [KEYIDENT]   10.    Adding  rule  [INITIAL]   11.    Flushing  [cca  on  layer  tcp  on  127.0.0.1:8994]  output  stream  to  [cca  at  192.168.77.200:54247]   12.    Number  of  connects  [1]  -­‐  requests  [2]]  -­‐  responses  [2]   13.    Protocol  handler  [cca  on  layer  tcp  on  127.0.0.1:8994]  waiting  for  peer  [cca  at  192.168.77.200:54247]   14.    ACSP01195I  Closed  scheme  [tcp:cca]  on  port  [8997]  with  name  [tcp-­‐cca]  
  19. None
  20. Q&A?