NSS modutil: Adding a PKCS#11 module with a PIN and storing PIN in nssdb

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

NSS modutil: Adding a PKCS#11 module with a PIN and storing PIN in nssdb

Mike Gerow
I'm trying to add  opencryptoki's PKCS#11 module to Chrome/Firefox's nssdb. I'm able to add it, and it seems to work as expected:

$ modutil -dbdir sql:$HOME/.pki/nssdb -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. TPM
        library name: /usr/lib/x86_64-linux-gnu/opencryptoki/libopencryptoki.so.0
         slots: 1 slot attached
        status: loaded

         slot: OpenCryptoki Software Backend
        token: IBM OS PKCS#11
-----------------------------------------------------------

The only issue is that the first time the application tries to use the module it asks me for a PIN. I'm more interested in using a PKCS#11 token for privilege separation than anything so I have this PIN set to an easy/insecure value. Is there some way I can store the PIN in the nssdb so that I can avoid having the browser ask the user for it?
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: NSS modutil: Adding a PKCS#11 module with a PIN and storing PIN in nssdb

Anders Rundgren-2
On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:

> I'm trying to add  opencryptoki's PKCS#11 module to Chrome/Firefox's nssdb. I'm able to add it, and it seems to work as expected:
>
> $ modutil -dbdir sql:$HOME/.pki/nssdb -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>   1. NSS Internal PKCS #11 Module
> slots: 2 slots attached
> status: loaded
>
> slot: NSS Internal Cryptographic Services
> token: NSS Generic Crypto Services
>
> slot: NSS User Private Key and Certificate Services
> token: NSS Certificate DB
>
>   2. TPM
> library name: /usr/lib/x86_64-linux-gnu/opencryptoki/libopencryptoki.so.0
> slots: 1 slot attached
> status: loaded
>
> slot: OpenCryptoki Software Backend
> token: IBM OS PKCS#11
> -----------------------------------------------------------
>
> The only issue is that the first time the application tries to use the module it asks me for a PIN. I'm more interested in using a PKCS#11 token for privilege separation than anything so I have this PIN set to an easy/insecure value. Is there some way I can store the PIN in the nssdb so that I can avoid having the browser ask the user for it?

Mozilla's key architecture was essentially created 1995 (by Netscape).  Improving it would be a waste of time and resources, it must be rebuilt from scratch

-- Anders
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: NSS modutil: Adding a PKCS#11 module with a PIN and storing PIN in nssdb

Hubert Kario
On Saturday 08 November 2014 22:51:49 Anders Rundgren wrote:

> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
> > I'm trying to add  opencryptoki's PKCS#11 module to Chrome/Firefox's
> > nssdb. I'm able to add it, and it seems to work as expected:
> >
> > $ modutil -dbdir sql:$HOME/.pki/nssdb -list
> >
> > Listing of PKCS #11 Modules
> > -----------------------------------------------------------
> >
> >   1. NSS Internal PKCS #11 Module
> >  
> > slots: 2 slots attached
> >
> > status: loaded
> >
> > slot: NSS Internal Cryptographic Services
> >
> > token: NSS Generic Crypto Services
> >
> > slot: NSS User Private Key and Certificate Services
> >
> > token: NSS Certificate DB
> >
> >   2. TPM
> >
> > library name: /usr/lib/x86_64-linux-
gnu/opencryptoki/libopencryptoki.so.0

> >
> > slots: 1 slot attached
> >
> > status: loaded
> >
> > slot: OpenCryptoki Software Backend
> >
> > token: IBM OS PKCS#11
> >
> > -----------------------------------------------------------
> >
> > The only issue is that the first time the application tries to use the
> > module it asks me for a PIN. I'm more interested in using a PKCS#11 token
> > for privilege separation than anything so I have this PIN set to an
> > easy/insecure value. Is there some way I can store the PIN in the nssdb
> > so that I can avoid having the browser ask the user for it?
> Mozilla's key architecture was essentially created 1995 (by Netscape).
> Improving it would be a waste of time and resources, it must be rebuilt
> from scratch

Linux kernel was created even earlier, and yet you can run applications from
that era on current kernel.

You can rewrite the software without starting from scratch.
--
Regards,
Hubert Kario
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: NSS modutil: Adding a PKCS#11 module with a PIN and storing PIN in nssdb

ianG-2
On 13/11/2014 12:19 pm, Hubert Kario wrote:
> On Saturday 08 November 2014 22:51:49 Anders Rundgren wrote:
>> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
>>> The only issue is that ...
>> Mozilla's key architecture was essentially created 1995 (by Netscape).
>> Improving it would be a waste of time and resources, it must be rebuilt
>> from scratch
>
> Linux kernel was created even earlier, and yet you can run applications from
> that era on current kernel.

Indeed.  That's because the Linux kernel was a copy of another system
called (variously) Unix that had to that point about 20 years track
record in establishing a good pattern and establishing a demand industry
of people who actually wanted to use it to solve their problems.

No such with this key architecture.  It was written in those times
according to a commercially inspired (i.e. property rights driven) model
that had zero track record in the wild.

And, the model turned out to be wrong.  Yes you could build it, but it
solved the wrong problems in the wrong ways.  By the time you strip away
the disproven assumptions, you're left with an empty shell full of
invested parties who keep saying, next year will be the year of the
thingummybob, whatever it is labelled today.  TEE?  Echo is a serious
issue in the secure token field.

> You can rewrite the software without starting from scratch.


The problem is, as soon as you get in there, you realise how broken it
is.  OP's question was "how to store the PIN in the device" which is
reasonable from an app developers pov, but is totally /verboten/ from
the security model's pov.  Change that and the dam breaks.

Sadly, at some stage, the dam will crack of its own accord and Mozilla
will have to figure out how to rebuild it.



iang
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security
Reply | Threaded
Open this post in threaded view
|

Re: NSS modutil: Adding a PKCS#11 module with a PIN and storing PIN in nssdb

Anders Rundgren-2
In reply to this post by Hubert Kario
On Thursday, November 13, 2014 1:49:03 PM UTC+1, ianG wrote:

> On 13/11/2014 12:19 pm, Hubert Kario wrote:
> > On Saturday 08 November 2014 22:51:49 Anders Rundgren wrote:
> >> On Friday, November 7, 2014 7:57:49 PM UTC+1, Mike Gerow wrote:
> >>> The only issue is that ...
> >> Mozilla's key architecture was essentially created 1995 (by Netscape).
> >> Improving it would be a waste of time and resources, it must be rebuilt
> >> from scratch
> >
> > Linux kernel was created even earlier, and yet you can run applications from
> > that era on current kernel.
>
> Indeed.  That's because the Linux kernel was a copy of another system
> called (variously) Unix that had to that point about 20 years track
> record in establishing a good pattern and establishing a demand industry
> of people who actually wanted to use it to solve their problems.
>
> No such with this key architecture.  It was written in those times
> according to a commercially inspired (i.e. property rights driven) model
> that had zero track record in the wild.
>
> And, the model turned out to be wrong.  Yes you could build it, but it
> solved the wrong problems in the wrong ways.  By the time you strip away
> the disproven assumptions, you're left with an empty shell full of
> invested parties who keep saying, next year will be the year of the
> thingummybob, whatever it is labelled today.  TEE?  Echo is a serious
> issue in the secure token field.
>
> > You can rewrite the software without starting from scratch.
>
>
> The problem is, as soon as you get in there, you realise how broken it
> is.  OP's question was "how to store the PIN in the device" which is
> reasonable from an app developers pov, but is totally /verboten/ from
> the security model's pov.  Change that and the dam breaks.
>
> Sadly, at some stage, the dam will crack of its own accord and Mozilla
> will have to figure out how to rebuild it.
>
>
>
> iang

One of numerous things missing from the current plot:
http://webpki.org/papers/key-access.pdf

This is BTW outside of PKCS #11 as well.  PKCS #11 was designed in another time and for another purpose.

I'm mainly thinking about Firefox OS; the PC seems to be a thing for Microsoft.

Anders
_______________________________________________
dev-security mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-security