The question is pretty simple, is it possible to create a FIPS 140-2 compliant server in Perl? Especially, is it possible without modifying any of the C code for the modules? If it's not possible in straight Perl, what would be the easiest way to go about it from a C perspective?
I'm basically creating a mini-httpd that only serves up a single file, but due to security restrictions it needs to be served up on SSL under FIPS compliance.
I don't know all of the rules when it comes to FIPS 140-2. However, unlike HIPAA and PCI-DSS its a standard that governs the strength of cryptography and doesn't take the system as a whole into consideration. Parts of OpenSSL can be FIPS 140-2 compliant and this library is exposed to perl via the Crypt::OpenSSL module. You just have to make sure your key size is large enough for the level of FIPS certification you need and that you don't violate a one of the many Cryptographic Issues.
Take a look at Mozilla's FIPS strategy. Triple DES is most likely to be Open Source. I am unaware of any certified FIPS 140-2 solutions in Perl.
Most implementation approvals are very restrictive, such as being on a certain hardware platform, CPU, and OS version. If you are on one of those platforms, you can often piggyback on the OS approval, such as Windows 7, Redhat, etc.
Related
Is there any repository where one can find standard applets introduced in Global Platform or ETSI or other standards (e.g. Security Domain, Contactless Registry Service, etc.) ???
Unfortunately not. Usually these applets (Security Domains, USIM, RAM/RFM OTA, ...) require some native integration in the operating system because the standard JavaCard API is not sufficient here, e.g. think of the necessary Milenage or TUAK algorithm needed for the network authentication of an USIM - there is no JavaCard cryptographic support for this (OK, Milenage could leverage the AES as primitive).
Hence all the implementations are custom implementations by the vendors. Because SIMs/eUICCs are also in control of a mobile network operator there is also no use case why this could be useful to an individual developer which can another reason why nothing is available as OS here.
I'm wondering if for simply communicating with a PLC, like reading and writing tags, do I need all of the other heavy lifting that comes with an OPC-UA server?
I've tried writing a simple server in Python that talks to the PLC, but I get denied when requesting information from the PLC.
The Controllogix PLC I'm attempting to communicate with uses Ethernet/IP to communicate, so why doesn't a simple server/client script work? What is required exactly to communicate with an Allen Bradley PLC or PLC's in general?
There is quite a bit required to communicate with a PLC.
Each vendor has a driver, there are firmware compatibility considerations. Different protocols to think about.
OPC-UA makes it a bit more generic, but OPC-UA still has a set of things to work around when setting up communications.
Most of the OPC products I've worked with, needs to have their security adjusted to allow anonymous communication. It's generally bad practice to do this. (A network intrusion would be able to read/write to your automation layer) There is certificate signing and some encryption business that needs to be turned off if you're looking for simple communication. (Again, not a good practice but ok for learning)
After all that you have to have a notion of how your PLC is set up on your OPC server, there are channels, devices, namespaces etc. You'll point the OPC client to some opc.tcp://:
If you got this far you're almost done, I'm assuming your OPC server is running and has tags configured at this point. You can use your OPC-UA API to do a read. It can return just the value, or you can get an object back with tag health, timestamp, and a bunch of other data. Depends on the implementation. After that you can do subscriptions, writes...whatever else you need.
TLDR: OPC server not required, but may be the easiest method. Turn off security. (But turn it back on before exposing your control layer to the net)
I am also a little late to this conversation. If you are interested in coding your own solutions and don't want to use any of the commercially available standards, AdvancedHMI is a "mostly" open source solution written in VB.NET which is 100% free and provides communications to many different PLCs including the ControlLogix platform. Since I see you are programming in Python you may also be interested to know that the project does work under Mono on the Linux OS. I have used it to write gateways between EthernetIP and ModbusTCP and to pull data serially from OEM devices and push this data to a CLX PLC.
The forum is full of many helpful hints and is very active and supported.
Just trying to give you another option. DDE, NetDDE, FastDDE, OPC, DCOM, Suitelink.... These are all good, but mostly a pay to play adventure. As a programmer, it seems ridiculous to have to pay such an excessive amount of money just to talk to my hardware, IMHO. Sorry for the rant. Have Fun!
Update - Just wanted to also suggest the following open source project written in python:
https://github.com/dmroeder/pylogix
I have used this to write small programs for communicating with CompactLogix and ControlLogix. (Even to/from a RaspberryPi!)
Depends on several factors, if you want something simple to program you can opt for Modbus/TCP I think some AB PLC supports it without extra hardware.
However if you want something with more security for example for industrial use then OPC UA would be better choice but the programming has a complexity far higher than Modbus, even using the libraries of OPC Foundation or others. There is the option of using a commercial or free (if any) OPC UA server to save work, then you will need to program the client side only.
With Ethernet/IP it should also be possible, but the problem is that there is no clear specification and even different AB models talk different Ethernet/IP dialect ! , it is also far more complex to program than Modbus.
I am a little late to this discussion, but there are a couple commercial tools that make this a bit easier. The one that comes to mind for me when you say you are using python is Cogent's data hub. It is certainly not the cheapest tool out there, but they have already done all of the heavy lifting for PLC/PC communications & security.
If trying to read CLX data using Python, there are several open source implementations that will save you a lot of work. Such as this:
https://github.com/dmroeder/pylogix
If you use .NET and Visual Studio, you can use AdvancedHMI
to be able to read and write OPC Tags to ControlLogix platform is done via its communication Driver RSLinx. RSLinx acts as an OPC Server, it will need to be configured to communicate with the PLC and run on a networked PC on the same LAN. Several flavours of RSLinx are available (for WAN/VLAN also) but essentially this is the communications driver you need to talk to AB PLC's
Has anyone used CKO_VENDOR_DEFINED to create a key or a data object?
There is hardly any documentation (including the mother load from Oasis) about how to do it, or which attributes are applicable/not-applicable.
Unfortunately, but hopefully understandably, I can not describe exactly what I am trying to do.
But the gist of it is that I need to be able to have a bit more attribute<=>mechanism flexibility with our kind of keys and the ability to modify a key on the token.
I'd really appreciate any pointers or help.
You can take a look at OpenPGP extension to PKCS #11 where CKC_OPENPGP is defined as:
#define CKC_OPENPGP (CKC_VENDOR_DEFINED|0x00504750)
I've seen also commercial implementations introducing CK*_VENDOR_DEFINED extensions this way.
(AFAIK) vendor defined object types must be implemented inside the HSM unit firmware (in theory, the host-side cryptoki library could introduce some additional "virtual" object types, but this probably would not make any sense as the overall security model would stay the same -- because the host-side cryptoki code runs in an untrusted execution environment).
If you need more control than provided by the vanilla PKCS#11 you have some choices:
Use existing vendor extensions -- some vendors add their own extensions designed to solve common use-cases. Read your documentation or contact your vendor directly.
Implement a custom firmware -- some products allow the end-user to run a custom code inside the HSM device. You can implement your model this way.
SafeNet ProtectServer:
SafeNet ProtectServer HSMs offer a unique level of flexibility for
application developers to create their own firmware and execute it
within the secure confines of the HSM. Known as functionality modules,
the toolkits provide a comprehensive facility to develop and deploy
custom firmware.
Thales nShield:
Most nShield HSMs also support the unique ability to host critical
applications within the hardened security boundary, so you can
establish tamper-resistant business processes in addition to
protecting cryptographic operations.
Utimaco CryptoServer:
The CryptoServer Software Development Kit (SDK) is the professional
development environment for all Utimaco Hardware Security Modules. It
enables integrators and end-users to create specific applications,
e.g. proprietary algorithms, custom key derivation procedures or
complex protocols that run in the tamper-proof environment of the
CryptoServer Hardware Security Module. As the SDK provides full access
to the Utimaco base firmware, custom firmware modules can be developed
in a very short time frame.
Use some other technology -- do not use HSMs at all and leverage some other secure device. Specifically smartcards might be a viable alternative as some of them can be programmed (at least Java Card or MULTOS ones). On the other hand the performance and range of supported algorithms is quite limited here (depends on your use-case).
I need to implement a distributed XMPP MuC application on the lines of XEP-0289 minus some of the features, in essence I want to have a bare bones implementation of the plugin, my concern is to address fault-tolerance and as of now I do not want to worry about the performance considerations as specified in 289.
I have looked into SleekXmpp as a tool to develop server side plugins, but don't know how comfortable it would be to use it for such an implementation, other options I have looked at are OpenFire , Tigase. I am comfortable with Python/Java and other key features to consider would be good documentation, ease of use etc keeping that in mind I would like to know what would be the preferred path to take for this development.
Any guidance will be appreciated.
you should be able to write a MUC component that includes FMUC (or similar). The general way to do this would be to use a library that supports XEP-0114 components (e.g. SleekXMPP (Python), Swiften (C++)) and implement MUC+FMUC through that. You haven't said what your concerns with SleekXMPP are, but it's a fairly well-respected library in the XMPP community, so seems a fair choice (I'd pick Swiften, but I'm biased as one of the authors).
Your second option (patching the server directly) isn't generally the XMPPish way of adding customisations (as it's vendor-specific), but should also work if you can find someone sufficiently familiar with the server code, or if you're willing to become so.
To achieve fault tolerance (assuming you mean resilience to server failures) you'd need to run your XMPP server clustered, and also cluster your FMUC implementation. With that done, the usual XMPP fail-over using SRV records in DNS should ensure other servers retry connections to another host.
On a side note, the next version of FMUC (XEP-0289) will have some of the features of the current revision stripped out, and a number of improvements made based on deployment experience, so if your work is not time-critical, it might be of benefit to you to read that when it's released. I also note that there exists at least one implementation of FMUC already (Isode's M-Link, on which I work), and there is interest from other vendors, so using the standard protocol might benefit you in terms of not re-inventing the wheel.
Are there any technical benefits to Windows/Microsoft as a platform to use while developing, over a Unix dialect such as Linux or Solaris?
I know that companies choose Microsoft at times because there's simply not enough programmers available that know Unix, or that these programmers are much more expensive to hire.
So assuming all developers knew Unix and Microsoft equally well, would there still be cases where you are better off developing in Windows?
To me there's only two arguments for using Windows as a dev platform:
You have to because you're doing .Net/Windows development (or because the company simply gives you no choice); or
The apps, specifically Microsoft Office/Exchange. I'm sorry but OpenOffice is dreadful in comparison to Word/Excel.
Apart from that imho Linux has every other advantage including:
MUCH faster filesystem (particularly important when dealing with lots of small files). Last year I went from a build time of 8-10 minutes to 2-3 just by this switch (ant build of same code base);
Typically your dev environment then matches your production environment (if you're production environment is Windows your dev environment will be Windows almost guaranteed), which can be useful. We've had issues with Java classpath visibility because of differences between JBoss on Windows and Linux; and
A much better set of command line tools (yes I knwo you can use Cygwin, etc but it's not as good).
That's one reason why I find the idea of a Mac as my next dev workstation so appealling: you can look it as either Unix with applications (ie Office) or Windows with a decent filesystem (will be even better if/when OSX adopts ZFS), either way it's a win. The only thing that's really put me off is that Apple does stupid things like delay Java 6 release by a year just so they can put the Leopard Look and Feel in.
Just off the top of my mind:
.NET (even though mono is really great)
Visual Studio - probably the best IDE around
Excellent documentation (The MSDN Library is way much more developer friendly than man pages in my opinion)
Huge userbase (that's more like a business thing but still it is a very important factor)
Binary compatability (it's much easier to support 4-5 kernels and standard C library versions than the infinite number of combinations you can find in Linux distros)
One of the best things you can do is keep your options open. Chopse a platform independant technology and you'll be able to have software for any O/S or implementation. From a technical standpoint, this makes a lot of sense as well as from a business one.
As for specific technical advantages to the Windows platform, other than the large developer community and development information store and widely supported IDE's like Visual Studio, I'd say you'll be hard pressed to find one. Even there, Eclipse can do just as good a job with a platform independant technology.
Microsoft systems tend to have much better integration between different parts - there's a lot less heterogeneity to worry about if you're using binary-only software (x86 and comctl3d is a lot easier to support than everything *nix runs on).
The learning curve on Windows is shallow to begin with but has a longer overall distance. On Unix/Linux the beginning is a struggle but getting stuff done becomes easier later on, when the inner workings of the OS begin to make sense.
At least that's been my experience with them. Windows for quick payoff, Linux if you're going to be doing something much longer-term. And virtual machines if you can't decide :)
I think this question presents a false dichotomy. There's no reason you have to choose windows over unix or vice versa. Virtualization is free and easy. It's the best of both worlds!
One reason we have Windows development platforms (even though our production is on Linux or Solaris) is common environment for all.
That means all the different populations involved in the realization of a softwares:
are not all developers (business, functional people are also concerned with a working environment)
are all on the same platform (Windows)
use all the same tools to write/communicate (as in Word, PowerPoint)
can have their same environment on laptop
In short: uniformity of environment for all (developers and non-developers alike).
The other reason is depreciation: it is easy to manage depreciation for PCs, where the services are lighter than a full-scale Unix server (like a Sun Fire, a F15K or F50K, ...): the latter needs some expensive assistance service contracts (like "bronze", "silver" or "gold" depending on the level needed). A PC is easier to fix/replace, and is not as critical is a developer "mess up" on it and crash it utterly ;)
That being said, the downside of this is you do not change PC every day: it means managing a large parc of desktops, you cannot just decide to upgrade like that (and that goes for Os too).
So where the other answers are all about "virtual machine" whereas your set of PCs is from 2003, with only 40Go of hard-drive and 1, may be 2Go of memory..., you realize "virtualization" is not always an obvious solution.
Hence, some Unix "integration" server are required for developers to test their products in an environment closer to the target. In a way, this is better, since those integration servers are managed in a uniformed way, avoiding the syndrome of "it works for meTM", as opposed to virtual machine, where each developer is the own root/administrator of one's own little world/server ;).
I can give you a common arguments that Windows folks might make, though not one I necessarily agree with.
People sometimes think that Windows boxes at production time are easier to maintain and deploy. That is because there are a lot of visual tools available to the admin. Therefore they prefer .Net or a Windows-specific development language for easy integration.
If your customers or internal clients use all windows desktop computers, some would argue that its less legwork to do stuff with Windows servers. This includes stuff for Microsoft Office document sharing (i.e. sharepoint) or stuff with Windows File Sharing. Obviously its easier to write a .Net application to deal with such Microsoft-specific constraints.
I can't really think of any other reasons. The latter one is probably the most valid -- there just might be some microsoft-specific technology that is hard to integrate with unless you use MSFT development tools.
Peripheral reasons for some specific kinds of development:
you need to see how things look in both firefox and explorer
you're working with flash (which AFAIK you can't develop on linux, and the players are terrible).
you're working on a project that involved MS office integration
you're office has some godawful mail or notes system that you can't log into any other way. ditto for some vpn setups.
I consider all of these things to be regrettable.
Why not use both?
In either scenario, you could use a virtual machine in either Windows or Linux/Unix for basically nothing using Virtual Box or Vmware player. Or you could remote desktop/vnc to the other platform from your development box. If you develop in .net you would probably be better off on Windows for dev. If you develop for LAMP, either Windows/*nix would be fine.
give me apache mysql (ok postgres in a pinch) php and eclipse .. who cares about the OS ..