How TPM-protected SSH keys work

In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.

SRK

The SRK is a public key pair that is the main secret inside the TPM chip. It is always generated by the chip, and the private key cannot be read or migrated.

In order to use the SRK key with any operation, the SRK password must be supplied. The SRK password is just an access password. It's not related to the key itself. The SRK password is usually set to the Well Known Secret (20 null characters), or sometimes the empty string, or something silly like "12345678".

There is not much point in having a good SRK password, since you probably have to store it on disk somewhere anyway, to allow TPM operations by daemons.

If you want a password then you probably want to set that per key, not chip-wide like the SRK password is.

Key generation

The stpm-keygen binary asks the TPM to generate a key, and the TPM hands back the public portion of the key, and a "blob" that has no meaning to anyone except the TPM. The blob is encrypted Continue reading

How TPM-protected SSH keys work

In my last blog post I described how to set up SSH with TPM-protected keys. This time I'll try to explain how it works.

SRK

The SRK is a public key pair that is the main secret inside the TPM chip. It is always generated by the chip, and the private key cannot be read or migrated.

In order to use the SRK key with any operation, the SRK password must be supplied. The SRK password is just an access password. It's not related to the key itself. The SRK password is usually set to the Well Known Secret (20 null characters), or sometimes the empty string, or something silly like "12345678".

There is not much point in having a good SRK password, since you probably have to store it on disk somewhere anyway, to allow TPM operations by daemons.

If you want a password then you probably want to set that per key, not chip-wide like the SRK password is.

Key generation

The stpm-keygen binary asks the TPM to generate a key, and the TPM hands back the public portion of the key, and a "blob" that has no meaning to anyone except the TPM. The blob is encrypted Continue reading

On Python, Networks and the py-junos-eznc library

python-powered-h-140x182One of my recent forays into Increasing the Awesome has involved learning about NETCONF and the Python programming language. I was lucky enough to spend some time with Jeremy Schulman during my trip to Sunnyvale for the Juniper Ambassadors Summit, and he introduced me to the new py-junos-eznc Python library he has been working on. I had spent a little bit of time earlier in the year looking at the original Ruby library, and I was amazed at how much thought had been put into this new library – obviously Jeremy’s learned a lot on the way!

 An Impatient Start

Let me make a couple of things clear right from the outset:

  1. I am not a programmer! Yes I have written the odd script here and there in the deep dark past, but I am by no means a programmer. All of my scripts have been about automating some task I had to do. As long as it worked, I didn’t care how efficient or pretty it was – it did what I needed.
  2. I have no intention of becoming a full time programmer! I like being a network architect and I like building and playing with Continue reading

Quiz #21 &#8211 EIGRP as CE-PE

You have just received a nice job at a big enterprise that has multiple sites connected over their own managed MPLS Core. Each site runs EIGRP as the CE - PE routing protocol. You get the task to route some traffic in a particular way, but you cannot make it. What is missing ?

A Bit of Irony…

There’s something terribly wrong about this… RUSH hour in Nairobi can be a nightmare. “Most motorists don’t follow traffic rules and small inconveniences like a minor traffic accident or even a sudden downpour can cause delays of up to an hour,” says John Kimani, a small business owner in the Kenyan capital. A text message […]

Author information

Russ White

Russ White
Principle Engineer at Ericsson

Russ White is a Network Architect who's scribbled a basket of books, penned a plethora of patents, written a raft of RFCs, taught a trencher of classes, and done a lot of other stuff you either already know about, or don't really care about. You want numbers and letters? Okay: CCIE 2635, CCDE 2007:001, CCAr, BSIT, MSIT (Network Design & Architecture, Capella University), MACM (Biblical Literature, Shepherds Theological Seminary). Russ is a Principal Engineer in the IPOS Team at Ericsson, where he works on lots of different stuff, serves on the Routing Area Directorate at the IETF, and is a cochair of the Internet Society Advisory Council. Russ will be speaking in November at the Ericsson Technology Day. he recently published The Art of Network Architecture, is currently working on a new book in the area Continue reading

Your Weak and Broken Heart

I can make you happy, I can give you everything you dreamed of. You already know that right? I’ve tried to make you understand this again and again; I’ll fall at your feet at a moments notice, but somehow I’m always here in the background,  a shadow. No matter your heart, somehow I’m always put […]

Author information

Steven Iveson

Steven Iveson

Steven Iveson, the last of four children of the seventies, was born in London and has never been too far from a shooting, bombing or riot. He's now grateful to live in a small town in East Yorkshire in the north east of England with his wife Sam and their four children.

He's worked in the IT industry for over 15 years in a variety of roles, predominantly in data centre environments. Working with switches and routers pretty much from the start he now also has a thirst for application delivery, SDN, virtualisation and related products and technologies. He's published a number of F5 Networks related books and is a regular contributor at DevCentral.

The post Your Weak and Broken Heart appeared first on Packet Pushers Podcast and was written by Steven Iveson.

Show 169 – Cisco FabricPath Deep Dive Part 1

Cisco FabricPath is a TRILL-based layer 2 forwarding technology that can take the place of spanning-tree. Allowing a fully-meshed layer 2 network to forward traffic across all links, FabricPath helps customers to make the most of their expensive 10GbE and 40GbE interconnects. In this show, Jamie Caesar, Colby Glass, and Ed Diaz discuss real-world FabricPath […]

Author information

Ethan Banks

Ethan Banks, CCIE #20655, has been managing networks for higher ed, government, financials and high tech since 1995. Ethan co-hosts the Packet Pushers Podcast, which has seen over 2M downloads and reaches over 10K listeners. With whatever time is left, Ethan writes for fun & profit, studies for certifications, and enjoys science fiction. @ecbanks

The post Show 169 – Cisco FabricPath Deep Dive Part 1 appeared first on Packet Pushers Podcast and was written by Ethan Banks.

TPM chip protecting SSH keys – properly

Not long after getting my TPM chip to protect SSH keys in a recent blog post, it started to become obvious that OpenCryptoKi was not the best solution. It's large, complicated, and, frankly, insecure. I dug in to see if I could fix it, but there was too much I wanted to fix, and too many features I didn't need.

So I wrote my own. It's smaller, simpler, and more secure. This post is about this new solution.

Why not Opencryptoki?

  • It generates at least some keys in software. As I've explained earlier, I want to generate the keys in hardware.
  • It generates migratable keys. This is hardcoded, and some people obviously want migratable keys (for backup purposes). So a fix would have to involve supporting both.
  • Opencryptoki has no way to send such parameters from the command line key generator to the PKCS11 library. So not only would I have to implement the setting, but the whole settings subsystem.
  • The code is big, because it supports a lot of features. Features I don't need or want. They get in the way of me as a user, and of me fixing the other issues.
  • The code is of Continue reading

Installing OpenStack ML2 Neutron Plugin with DevStack on Fedora

OpenStack networking is tricky. This is primarily because programmable distributed systems are relatively new beyond the rigid L2/L3 control protocols we have used for the past 20 years. What I am consistently impressed with about OpenStack networking is the innovative network services that systems programmers are developing using APIs and virtual switching. Of course most vendors have a plugin for ...

...

Should I generate my keys in software or hardware?

A Hardware Security Module (HSM) is any hardware that you can use for crypto operations without revealing the crypto keys. Specifically I'm referring to the Yubikey NEO and TPM chips, but it should apply to other kinds of special hardware that does crypto operations. I'll refer to this hardware as the "device" as the general term, below.

Some background

When describing the Yubikey NEO I'm specifically referring to its public key crypto features that I've previously blogged about, that enable using Yubikey NEO for GPG and SSH, not its OTP generating features.

To generate keys for these devices you have two options. Either you tell the device to generate a key using a built in random number generator, or generate the key yourself and "import" it to the device. In either case you end up with some handle to the key, so that you command the device to do a crypto operation using the key with a given handle.

This "handle" is often the key itself, but encrypted with a key that has never existed outside the device, and never will. For TPMs they are encrypted (wrapped) with the SRK key. The SRK is always generated inside Continue reading

Introduction to Segment Routing

When I read the latest posts about Fast ReRoute from Russ White and as I had an introduction from a coworker contributing to some drafts, I thought it was the right time to write my first article on PacketPushers. And here it is the Introduction to Segment Routing! What is it? It is a new […]

Author information

Youssef El Fathi

Youssef El Fathi

Youssef is a network engineer working for a french service provider. He is also a dual CCIE (RS, SP). You can find him on Twitter.

The post Introduction to Segment Routing appeared first on Packet Pushers Podcast and was written by Youssef El Fathi.

Why I Use MediaWiki for Taking Notes

I was prompted to write this when I observed someone the other day who was sitting in the same training as me taking notes in a self-addressed email. No offense to people who do this, but W. T. F. How are you going to keep track of that email among the dozens/hundreds you receive every single day?

I take a lot of notes for research, certification study, and training. I use MediaWiki for almost all of these notes. Here’s why.

What is MediaWiki?

First off, MediaWiki is not a text editor. This may seem strange but after reading this whole article, I hope you’ll understand why that doesn’t matter and in fact, why that makes it more powerful. As the name implies, MediaWiki is actually software for running a wiki. In fact, it’s the same software that runs the most famous wiki, Wikipedia.

MediaWiki runs on UNIX (including OS X) and Windows machines. It’s written in PHP and runs under almost any web server (Apache, lighttpd, nginx, IIS). By its very nature, it’s web-based, which plays nicely into one of the reasons I like using it so much.

Simple Markup Language With Rich Rendering

When I’m taking study notes or Continue reading

Conduit.com search browser hijack on OSX

Just spent a half hour sorting out some irritating search toolbar and browser hijack that my mum’s Mac seemed to have got from somewhere.  Most of what I read on the internet seemed to be out of date or inaccurate maybe, so I’m posting my steps to getting rid of this here in case it is of use.

Environment:  OSX 10.6.8 with Firefox 25.0.1

Symptoms:  Normal home page has been replaced by some odd search engine. URL box shows “search.conduit.com/?ctid=CT3299872&SearchSource=13″.
The search box to the right of the URL box is showing “Installl [sic] converter customized web search” instead of Google.
Setting home page back to normal is overridden next time Firefox starts.

Resolution steps:  Clicked Tools | Add-Ons and removed something not expected called “Youtube video downloader”.  Clicked the top-right box’s dropdown and removed the search provider, setting it back to Google.

Home page was reset back to conduit.com on restarting Firefox still, so this needed further investigation.  In the end, I removed the following two directories (the path may not be quite the same on your Mac):
Users/<user>/Library/Application Support/Firefox/Profiles/4ka1hno1.default/conduitCommon
Users/<user>/Library/Application Support/Firefox/Profiles/4ka1hno1.default/CT3299872

Restarted Firefox Continue reading

Distributed virtual and physical routing in VMware NSX for vSphere

This post is intended to be a primer on the distributed routing in VMware NSX for vSphere, using a basic scenario of L3 forwarding between both virtual and physical subnets. I’m not going to bore you with all of the laborious details, just the stuff that matters for the purpose of this discussion.

In VMware NSX for vSphere there are two different types of NSX routers you can deploy in your virtual network.

  • The NSX Edge Services Router (ESR)
  • The NSX Distributed Logical Router (DLR)

Both the ESR and DLR can run dynamic routing protocols, or not. They can just have static/default routes if you like. The ESR is a router in a VM (it also does other L4-L7 services like FW, LB, NAT, VPN, if you want). Both the control and data plane of the ESR router are in the VM. This VM establishes routing protocol sessions with other routers and all of the traffic flows through this VM. It’s like a router, but in a VM. This should be straight forward, not requiring much explanation.

The ESR is unique because it’s more than a just router. It’s also a feature rich firewall, load balancer, Continue reading

Distributed virtual and physical routing in VMware NSX for vSphere

This post is intended to be a primer on the distributed routing in VMware NSX for vSphere, using a basic scenario of L3 forwarding between both virtual and physical subnets. I’m not going to bore you with all of the laborious details, just the stuff that matters for the purpose of this discussion. In VMware NSX for vSphere there are two different types of NSX routers you can deploy in […]

Preventing Information Overload

Man, did I pick a tumultuous time to start a career in technology - there are so many great debates going on right now, with vendors working around the clock churning out new products for the general populace to chew on and talk about. I’m becoming more and more involved with the community nowadays, and top of that, I’m a big nerd to start with. So it’s easy for me to suffer from information overload, and I’d be lying if I said it didn’t happen just about every week.

The New Face of the Access Layer

The role, and the features of the access layer in the datacenter has changed dramatically in such a short time. Prior to virtualization, the DC access layer was still relatively simple. Now that the majority of workloads are virtualized, we’re seeing some pretty crazy shifts. Many simple network functions like routing and security, as well as some advanced functions like load balancing are moving into software. This follows the general best practice of applying policy as close to the edge of your network as possible.