DreamFactory and hardware security modules (HSM)


#1

We work for companies in the financial sector. One of the various security requirements that these companies claim is the use of HSM devices (Hardware Security Module - https://en.wikipedia.org/wiki/Hardware_security_module).

That is … All cryptographic operations will be performed in the HSM.

(That the databases are encrypted and private keys are secure in the HSM)

Amazon Web Services has a special HSM module (CloudHSM) for its customers who want to meet strict regulatory and compliance requirements (https://aws.amazon.com/cloudhsm/).

Now

Is there any possibility that DreamFactory uses CloudHSM for encryption/decryption (JWT, passwords, tokens, etc.) in its internal security procedures?

Thanks in advance

Polgar


#2

@Polgarmx I’ll need to read into this a bit more and speak with the engineering team. Thanks for posting.


#3

@mattschaer Thank you for speaking with the engineering team. We want to introduce DreamFactory in some critical (financial) projects.


#4

@Polgarmx can you tell me how you will have DreamFactory installed for use in these projects? Will it be installed from GitHub or using one of the Bitnami images? DreamFactory uses the [AWS SDK for PHP](https://docs.aws.amazon.com/aws-sdk-php/v3/api/index.html), which comes with the class CloudHSMclient and [class CloudHSMexception](https://docs.aws.amazon.com/aws-sdk-php/v3/api/class-Aws.CloudHsm.Exception.CloudHsmException.html). I imagine using some custom scripting and leveraging the client included in the SDK you could talk to the CloudHSM for key management and cryptographic operations in DreamFactory to meet these strict regulatory/compliance requirements. Alternatively, Chef has capabilities for key management using what they call [data bags](https://docs.chef.io/data_bags.html) as well as a [compliance server](https://docs.chef.io/compliance.html) for audit controls/invoking audits on your infrastructure. Is there a specific regulatory requirement to which you have to adhere in order to be compliant?


#5

@mattschaer Thank you for the answer.

To be compliant we need to use a dedicated HSM module (CloudHSM – SafeNet, Inc., HSM Luna SA 7000) and use this device for cryptographic operations (“all the operations”).

In the HSM we can do the following:

Act as the root of trust that protects the cryptographic key (Private Keys) lifecycle (Creation, Deployment, Backup, Rotation, Expiration, etc…)

This method ensures that your keys always benefit from both physical and logical protections


We can use the HSM for Cryptographic Support:

Full Suite B support

Asymmetric: RSA (1024-8192), DSA (1024-3072), Diffie-Hellman, KCDSA, Elliptic Curve Cryptography (ECDSA, ECDH, ECIES) with named, user-defined and Brainpool curves

Symmetric: AES, RC2, RC4, RC5, CAST, DES, Triple DES, ARIA, SEED

Hash/Message Digest/HMAC: SHA-1, SHA-2 (224-512), SSL3-MD5-MAC, SSL3-SHA-1-MAC, SM3

Random Number Generation: FIPS 140-2 approved DRBG (SP 800-90 CTR mode)


If DreamFactory does any of the mentioned cryptographic operations (session, API key generation, etc.), we will need to perform these operations with the HSM.

Now we can integrate Apache (OpenSSL) with the HSM (http://www.safenet-inc.com/resources/integration-guide/data-protection/Apache_HTTP_Server_Integration_Guide_with_Luna_SA/?langtype=1033).

If I want to use DreamFactory, I need to prove compliance.

We use a Bitnami image on AWS for DreamFactory.

The database is Oracle 11g. CloudHSM for Amazon RDS Oracle TDE enables Transparent Data Encryption, a standard feature of Oracle 11g, for encrypting the database in a way that is transparent to our applications.

Thank you in advance and sorry for my English.

Polgar