External Security Audit Completed

The Cryptech project is proud to announce the completion of the third
party security audit by Cure53. The Cryptech team is grateful for the
feedback provided by the auditors on the code, design and security of
the Cryptech Open HSM. The Cryptech core team have reviewed the issues
and agree with the auditors’ conclusions.

The Cryptech core team has begun updating the design and implemention
in accordance with the recommendations in the audit report. Furthermore, the core team is reviewing and updating our development process and how to augment the toolchain to ensure that an even higher, and more consistent quality and level of security will be reached. It is expected that there will be
incremental updates to address the identified issues, and these will be finished by
the end of year.

 

CT-01-report

CrypTech version 3 firmware and software now available

This post is from Rob Austein:

The Cryptech Project is pleased to announce that version 3 of our
firmware and software package is now available. Like version 2, this
runs on the Alpha board. For those who have been following, this is
the code that until last week was the “ksng” branch.

Major new features:

* New keystore implementation which supports thousands of keys instead
of six. 🙂

* Support for multiple clients (eg, the OpenDNSSEC “enforcer” and
“signer” daemons) talking to the HSM in parallel.

* Key backup.

* Verilog support for (much) faster key generation and signing on the
ECDSA P-256 and P-384 curves.

See https://wiki.cryptech.is/wiki/ReleaseNotes for more details.

See https://wiki.cryptech.is/wiki/BinaryPackages and
https://wiki.cryptech.is/wiki/Upgrading for information on how to
download the new packages and upgrade the HSM firmware.

Please read the upgrade instructions BEFORE attempting to update the
firmware. The upgrade is a multi-step process, and the keystore
format change triggers a bug in the old bootloader which can brick
your HSM if you perform the upgrade steps in the wrong order.

If you ignored the above or managed to brick your HSM anyway, see
https://wiki.cryptech.is/wiki/DisasterRecovery and
https://wiki.cryptech.is/wiki/UsingSTLink .

Thank you for your patience with how long this has taken. We spent
far more time than we would have liked in a twisty maze of RTOS bugs
(eventually solved by removing the RTOS, see the release notes).

Special thanks to Yuri Schaeffer for help testing both the upgrade
process and the multi-client support with OpenDNSSEC.