This is nice work, and a feature that has been considered but not yet implemented. The situation is rather complicated because session recreation is performed in yh_send_secure_msg, and currently depends on having long-term SCP03 keys key_enc and key_mac available in the library. yubihsm-auth is specifically designed so that no long-term secrets are leaked outside the YubiKey and YubiHSM. Hence you need to store all the parameters for all the yubihsmauth calls in the yh_session, and essentially duplicate the functionality you have already implemented there as well. So that would be the reader name, slot name and password for that slot. You could skip the reader name as you are doing now, but that may bite you if someone has two yubihsm-auth-capable YubiKeys attached. It would also require the YubiKey to be kept attached for the duration of the HSM session (at least if it becomes idle at any point).
As an alternative you could consider keepalives, for example sending some simple message every few seconds. yubihsm-shell uses that technique, sending a 1-byte ECHO command every 10 seconds. The timeout is 30 seconds, so 25 seconds would also work. See timer_handler in main.c.
I'd also point out that keeping the password for a yubihsm-auth slot in memory kind of negates the security achieved by using it in the first place, so please consider if this is really the right path to take.
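The keepalive alternative described in the reply above, sketched as an added example (not code from yubihsm-shell or from either poster). The device side is a constructed simulation of the 30-second idle limit, and `sim_device`, `sim_command`, `keepalive`, `keepalive_tick` and `session_survives` are hypothetical names.

```c
#include <stdbool.h>
#include <stdint.h>

#define DEVICE_IDLE_TIMEOUT_S 30 /* idle limit quoted in the thread */

/* Constructed stand-in for the device's view of one session. */
typedef struct { bool valid; uint64_t last_cmd_s; } sim_device;

/* Any command refreshes the idle timer, unless the session already expired. */
static bool sim_command(void *ctx, uint64_t now_s) {
  sim_device *d = ctx;
  if (!d->valid || now_s - d->last_cmd_s >= DEVICE_IDLE_TIMEOUT_S) {
    d->valid = false;
    return false;
  }
  d->last_cmd_s = now_s;
  return true;
}

/* Hypothetical keepalive state kept next to the session handle. In a real
 * module send_echo would issue the 1-byte ECHO via yh_send_secure_msg. */
typedef struct {
  uint64_t interval_s;      /* 0 disables the keepalive */
  uint64_t last_activity_s; /* updated on every successful command */
  bool (*send_echo)(void *ctx, uint64_t now_s);
  void *ctx;
} keepalive;

/* Call from a periodic timer. Sends ECHO only when the session has been idle
 * for a full interval, so busy sessions generate no extra traffic. */
static bool keepalive_tick(keepalive *k, uint64_t now_s) {
  if (k->interval_s == 0 || now_s - k->last_activity_s < k->interval_s)
    return true;
  if (!k->send_echo(k->ctx, now_s))
    return false; /* session is gone: the user has to log in again */
  k->last_activity_s = now_s;
  return true;
}

/* Idle for idle_s seconds with a 1 s timer, then try a real command. */
bool session_survives(uint64_t interval_s, uint64_t idle_s) {
  sim_device dev = {true, 0};
  keepalive k = {interval_s, 0, sim_command, &dev};
  for (uint64_t t = 1; t <= idle_s; t++)
    if (!keepalive_tick(&k, t))
      return false;
  return sim_command(&dev, idle_s);
}

int main(void) { return session_survives(10, 300) ? 0 : 1; }
```

Because the ECHO travels over the session that is already open, nothing from the yubihsm-auth slot (reader name, slot name or password) has to be kept in memory to keep it alive.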
Hi,
We have implemented the authentication of the Yubihsm2 using the Yubikey-auth in PKCS11.
The problem is that after 30 seconds of inactivity, the session is closed/paused. We don't know how to recreate the session in this case.
Without the Yubikey, this is working properly with the original code (lib/yubihsm.c).
```c
yh_rc yh_send_secure_msg(yh_session *session, yh_cmd cmd, const uint8_t *data,
                         size_t data_len, yh_cmd *response_cmd,
                         uint8_t *response, size_t *response_len) {
  size_t saved_len = *response_len;
  yh_rc yrc = send_encrypted_msg(&session->s, cmd, data, data_len, response_cmd,
                                 response, response_len);
  if ((yrc == YHR_DEVICE_INVALID_SESSION ||
       yrc == YHR_DEVICE_AUTHENTICATION_FAILED) &&
      session->authkey_id) {
    DBG_INFO("Recreating session");
    yrc = yh_create_session(session->s.parent, session->authkey_id,
                            session->key_enc, SCP_KEY_LEN, session->key_mac,
                            SCP_KEY_LEN, true, &session);
    if (yrc != YHR_SUCCESS) {
      return yrc;
    }
  }
  return yrc;
}
```
Our code for the Yubikey session open is the following (pkcs11/yubihsm_pkcs11.c):
```c
CK_DEFINE_FUNCTION(CK_RV, C_Login)
(CK_SESSION_HANDLE hSession, CK_USER_TYPE userType, CK_UTF8CHAR_PTR pPin,
 CK_ULONG ulPinLen) {
  DIN;
  if (g_yh_initialized == false) {
    DBG_ERR("libyubihsm is not initialized or already finalized");
    return CKR_CRYPTOKI_NOT_INITIALIZED;
  }
  if (userType != CKU_USER) {
    DBG_ERR("Invalid user type, only regular user allowed");
    return CKR_USER_TYPE_INVALID;
  }
  CK_UTF8CHAR prefix = *pPin;
  if (prefix == '@' || prefix == '#') {
    pPin++;
    ulPinLen--;
  }
  if (ulPinLen < YUBIHSM_PKCS11_MIN_PIN_LEN ||
      ulPinLen > YUBIHSM_PKCS11_MAX_PIN_LEN) {
    DBG_ERR("Wrong PIN length, must be [%d, %d] got %lu",
            YUBIHSM_PKCS11_MIN_PIN_LEN, YUBIHSM_PKCS11_MAX_PIN_LEN, ulPinLen);
    return CKR_ARGUMENTS_BAD;
  }
  uint16_t key_id = 0;
  size_t key_id_len = sizeof(key_id);
  char tmpPin[5] = {0};
  memcpy(tmpPin, pPin, 4);
  if (hex_decode((const char *) tmpPin, (uint8_t *) &key_id, &key_id_len) ==
        false ||
      key_id_len != sizeof(key_id)) {
    DBG_ERR(
      "PIN contains invalid characters, first four digits must be [0-9A-Fa-f]");
    return CKR_PIN_INCORRECT;
  }
  key_id = ntohs(key_id);
  pPin += 4;
  ulPinLen -= 4;
  yubihsm_pkcs11_session *session = 0;
  CK_RV rv = get_session(&g_ctx, hSession, &session, SESSION_NOT_AUTHENTICATED);
  if (rv != CKR_OK) {
    DBG_ERR("Invalid session ID: %lu", hSession);
    return rv;
  }
  yh_rc yrc = YHR_SUCCESS;
  if (prefix == '@') { // Asymmetric authentication
  } else if (prefix == '#') { // Yubico Key authentication
  } else { // Symmetric authentication
    yrc =
      yh_create_session_derived(session->slot->connector, key_id, pPin,
                                ulPinLen, true, &session->slot->device_session);
    if (yrc != YHR_SUCCESS) {
      DBG_ERR("Failed to create session: %s", yh_strerror(yrc));
      if (yrc == YHR_CRYPTOGRAM_MISMATCH) {
        rv = CKR_PIN_INCORRECT;
      } else {
        rv = CKR_FUNCTION_FAILED;
      }
      goto c_l_out;
    }
  }
  list_iterate(&session->slot->pkcs11_sessions, login_sessions);
  DOUT;
c_l_out:
  release_session(&g_ctx, session);
  return rv;
}
```
But the parameters given in PKCS#11 are not available in lib/yubihsm.c.
So how can we recreate the session after 30 secs of inactivity?
Thanks in advance,
Youssiph