In this part, we are going to introduce the company i work for and the need we had for a PKI, and talk a bit about EJBCA, the software we’re going to install and Nitrokey, the featured HSM in this tutorial.
PKI and HSM in a SME pages are currently under writing.
Small introduction about this *really big* thing i’m working on…
You can expect to discover how to setup a PKI platform online, and how to host major private keys offline using some tools and hardware.
A bit long to setup it up, but it’s worth the pain all along upon completion 🙂
This will be based on what i’ve done at KeeeX, the SME i’m employed in.
It will be presented in on the 11 or 12 of october 2018 in AMUSEC 2018 (a cybersecurity conference), located in Marseille, France; then this article will be made public.
See details about this cybersecurity event by clicking the logo below (French only)
What is KeeeX?
The KeeeX company was founded in December 2014 by Laurent Henocque, an engineer from Ecole Polytechnique (X82), lecturer researcher at Aix Marseille University, CNRS, with a focus on constraint programming, and semantic web expertise.
KeeeX was an answer to a number of questions:
- how to warrant the authenticity of digital information independently of any web service, dedicated infrastructure?
- how to preserve the oganisation and links between files across multiple storage locations?
- how to find files instantly whichever their location on the internet or a disk?
What is KeeeX doing?
KeeeX injects trusted metadata into your files without changing the format and readability of your documents and data. They are timestamped in real time and their unique hash is anchored by default on the Bitcoin Blockchain to prove the existence of the file on a given date.
By sealing proofs of integrity and authenticity in your documents, you can be sure that the document (+250 file formats supported) is an unmodified original and that you are the author of it. KeeeX also adds tags to facilitate search and allows cryptographic linking between files (versioning, appendix …).
What are you doing there?
I’m a IT engineer with many roles: multi-tasking developer (mobile apps, some backends and services), sysadmin and Data Protection Officer (in accordance to GDPR).
To cryptographers/infosec comrades: Did you wrote “blockchain”?
We are using Bitcoin Blockchain for time proofs. Only for time proofs. And it works fine.
And anyway if you don’t believe, we’re using stadard RFC3161 Timestamping (and this is one of the reasons we need a PKI).
Why do you need a PKI?
As a part-time sysadmin at KeeeX, it was clear to me that we needed to use a PKI for many reasons:
- to have a Trusted Timestamping infrastructure with reliable X509 certificates and in accordance to RFC3161;
- to ensure employees identities when authenticating through our Virtual Private Networks;
- to protect KeeeX internal services and infrastructure with TLS certificates, and TLS client authentication.
What is EJBCA?
EJBCA® is a PKI Certificate Authority software, built using Java (JEE) technology. There are two versions: the Community one, licensed LGPL; and the Enterprise one, with more features and support.
What is the license of this software?
This software is licensed as LGPL.
Why EJBCA? Why not <insert name here>? Are you working at EJBCA/PrimeKey?
EJBCA because it was advised by a friend of mine (hello Frédéric 🙂 ), i don’t have the same knowledge in <insert name here>, and i’m not at all working for PrimeKey.
Where can i find EJBCA support for Community Edition?
Their official support forum is here: https://sourceforge.net/p/ejbca/discussion/
These people are very nice, and answer within few days, which is great.
Hello to Tomas and EJBCA team if they read this. 😉
What is Nitrokey?
Nitrokey is an USB key to enable highly secure encryption and signing of emails and data, as well as login to the Web, networks and computers. Their Nitrokey HSM product is very interesting: Nitrokey HSM secures cryptographic keys of your own PKI and your server.
What can I do with this?
Nitrokey HSM features:
- Up to 31 ECC GF(p) 256-bit keys storage,
- Up to 20 RSA 2048-bit keys storage,
- Based on SmartCard-HSM,
- Both hardware and software are open-source and free software. All development tools are available as open source and for free.
- Your secret keys are stored in the tamper-resistant and PIN-protected device and are secured against computer viruses, loss and theft.
- The device is PIN-protected and is secured against hardware attacks.
- Backups protect against loss.
- It’s 60€. Yes.
We’re gonna use it to store critical private keys with EJBCA. You can get a detailed fact sheet here.
Are you working at Nitrokey?
I’m not at all working for Nitrokey.