How to install SoftHSM on Ubuntu 17 Linux


1 Answer

Best answer


Information security has hundreds of variables that we can implement to optimize the integrity of data and information in each operating system. We have everything from passwords to firewall solutions designed for this purpose, and today we will focus on an important level of security with great impact: HSM (Hardware Security Modules), a method used with various applications in order to store cryptographic and certified keys.

One of the applications focused on this environment is SoftHSM and today we will analyze how to use it and implement it in Linux.

What is SoftHSM?
SoftHSM has been developed by OpenDNSSEC to be used as an implementation of a cryptographic store that can be accessed through a PKCS #11 interface.

Now, what is PKCS #? Well, the public key cryptographic standards (PKCS) comprise a group of cryptographic standards designed to offer application programming interfaces (APIs) for the use of cryptographic methods.

By implementing SoftHSM, we will be able to thoroughly analyze PKCS #11 without requiring the use of hardware security modules. SoftHSM is part of the project led by OpenDNSSEC, using Botan for all of its cryptography. OpenDNSSEC is implemented with the objective of centrally and correctly managing all cryptographic keys that are generated through the PKCS #11 interface.

The purpose of the interface is to allow optimal communication with HSM devices (Hardware Security Modules). These devices generate various cryptographic keys and sign the relevant information without it being known by third parties, thus increasing your privacy and security.

To give a bit of context, the PKCS #11 protocol has been designed as a cryptographic standard using an API called Cryptoki. Thanks to this API, each application can manage various cryptographic elements, such as tokens, and carry out the actions they must fulfill at the security level.

Currently PKCS #11 is recognized as an open standard, with the OASIS PKCS 11 technical committee behind it.

SoftHSM features
When using SoftHSM we have a number of advantages such as:
  • It can be integrated into an existing system without reviewing all existing infrastructure thus avoiding wasting time and resources.
  • It can be configured to sign zone files or to sign zones transferred through AXFR.
  • Automatic, since once configured, no manual intervention is needed.
  • Allows manual key change (emergency key change).
  • It is free code
  • It is able to sign areas that contain as few as millions of records.
  • A single instance of OpenDNSSEC can be configured to sign one or more zones.
  • The keys can be shared between zones to be able to save space in the HSM.
  • It allows defining the zone signature policy (key duration, key duration, signature interval, etc.); it allows us to configure the system for multiple actions, from one policy covering all zones to one policy per zone.
  • Compatible with all different versions of the Unix operating system
  • SoftHSM can verify if HSMs are compatible with OpenDNSSEC
  • It includes an audit function that compares the unsigned incoming zone with the signed outgoing zone, so you can verify that no zone data has been lost and that the zone signatures are correct.
  • Supports RSA / SHA1 and SHA2 signatures
  • Denial of existence using NSEC or NSEC3

With these features of SoftHSM we will now see how to install it on Linux, in this case Ubuntu Server 17.10.

Dependencies
Botan or OpenSSL cryptographic libraries can be used with the SoftHSM project. If Botan is used with SoftHSM, we must ensure that it is compatible with GNU MP (--with-gnump), as this verification will improve performance during public key operations.


1. SoftHSM installation


The SoftHSM utility is available from the OpenDNSSEC website, and can be downloaded using the wget command like this:
 wget https://dist.opendnssec.org/source/softhsm-2.3.0.tar.gz 


Next, we will extract the downloaded package using the tar command as follows:

 tar -xzf softhsm-2.3.0.tar.gz

Later we will access the directory where said package has been extracted:

 cd softhsm-2.3.0



by (3.5m points)
edited
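
The download and extraction steps in the answer above, with an integrity check placed in front of the unpacking, as an added example that is not part of the original answer. The function name `verify_and_extract` is hypothetical, and the expected SHA-256 digest is an assumption: the page does not give one, so it must come from a source you trust.

```shell
# Added example: verify a downloaded source tarball before unpacking it.
# Usage: verify_and_extract <tarball> <expected-sha256> <dest-dir>
#   e.g. verify_and_extract softhsm-2.3.0.tar.gz "<digest from a trusted source>" .
# Returns 0 on success, 1 on digest mismatch, 2 on unsafe member paths,
# 3 if the archive cannot be listed at all.
verify_and_extract() {
    vx_tarball=$1
    vx_expected=$2
    vx_dest=$3

    # 1. Compare the SHA-256 of the file on disk with the pinned value.
    vx_actual=$(sha256sum "$vx_tarball" | awk '{print $1}')
    if [ "$vx_actual" != "$vx_expected" ]; then
        echo "digest mismatch for $vx_tarball" >&2
        echo "  expected: $vx_expected" >&2
        echo "  actual:   $vx_actual" >&2
        return 1
    fi

    # 2. List the members without extracting anything.
    #    -P shows the names exactly as they are stored in the archive.
    vx_members=$(tar -tzPf "$vx_tarball") || return 3

    # 3. Refuse absolute paths and any '..' component, which could write
    #    outside the destination directory.
    if printf '%s\n' "$vx_members" | grep -Eq '(^/|(^|/)\.\.(/|$))'; then
        echo "unsafe path in $vx_tarball, not extracting" >&2
        return 2
    fi

    # 4. Unpack into the chosen directory; do not restore the file
    #    ownership recorded in the archive.
    mkdir -p "$vx_dest"
    tar -xzf "$vx_tarball" -C "$vx_dest" --no-same-owner
}
```

A digest only proves the file matches what the publisher listed; if the project publishes a detached signature for the release, checking that as well ties the file to the publisher's key.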
