The Distributed Threshold Cryptography library is mainly a PKCS#11 distributed implementation using the threshold library, both libraries conform the Threshold Cryptography HSM project.
It contains two APIs, the PKCS#11 standard and our own API described at dtc.h. It also includes a node implementation, which is a daemon the library connects to in order to perform the cryptographic operations.
The project intends to be an alternative to a HSM and to other availables software options like SofthHSM. The main idea behind is to provide security by using Threshold Cryptography. This allows to store the private key as many different key shares, distributed among nodes (possibly) at different locations, reducing the risk of key compromise, both physically and digitally.
This project is in its early development stage, be aware of this as security issues and bugs are likely to be there.
We do provide a few Dockerfiles you can use directly or see how the software is installed.
Once the requirements are met you can install the software by following the next steps.
git clone https://github.com/niclabs/tchsm-libdtc.git cd tchsm-libdtc mkdir build cd build cmake .. make install
To perform authenticated and encrypted communication between the library and the nodes an offline configuration process must be done to configure the communication keys. We do provide a python script to generate the keys and the files with the configuration for the library and the nodes. In order to generate the files you just need to define the address and two ports available to use by the node:
python scripts/create_config.py <addr-node-1>:<p1_node-1>:<p2_node-1> .. <addr-node-n>:<p1_node-n>:<p2_node-n>
This will generate n + 2 configuration files, we'll use n + 1 of them. First all the nodei.conf files are the node configuration and cryptoki.conf is the library configuration file.
Inside the cryptoki.conf file there is a path to the database to be used by the library, change it as you need. (you can also set the
-cdb flag in the script to set the variable.
There is a built in help in the script, python scripts/create_config.py --help will print it to the stderr.
Once you have installed the library and got the configuration files you need to run the nodes and the libray. To run the node:
$ tchsm_node -c <path_to_the_nodei.conf>
The library however is not being run directly, so in order to make its configuration file reachable to it you need to set the TCHSM_CONFIG environment variable to the path of the cryptoki.conf file just generated.
We also provide an easy to deploy demo using docker containers, you can choose a demo implemented with KNOT or BIND and OpenDNSSEC.
Currently we do support the following PKCS#11 mechanisms:
The development is being done mainly by engineers and interns at NIC Research Labs Chile, suggestion, improvements and/or questions are appreciatted.
Beside install requirements, you will need: check to run unit testing and openssl and python3 with some libraries listed at ./test/system_test/requirements.txt to run System Test.