PARSEC: Introduction

Michael Zhao
4 min read · Apr 23, 2023


PARSEC, the Platform AbstRaction for SECurity, is an open-source initiative to provide a common API to hardware security and cryptographic services in a platform-agnostic way.

PARSEC is a Cloud Native Computing Foundation Sandbox project, hosted on GitHub.

In this post I will give an introduction to PARSEC and a demo of what PARSEC can do.

This article is (or will be) one of a series covering the following aspects of PARSEC:

Why PARSEC

Various platforms and components have been developed to enhance the security of computing environments:

  • Hardware-backed facilities, such as a Hardware Security Module (HSM) or a Trusted Platform Module (TPM)
  • Firmware services running in a secure environment, such as a Trusted Execution Environment (TEE)
  • Various cloud-based security services

Working with these platforms is inconvenient in several ways:

  • Most of these platforms assume that the user is the owner or administrator of the platform, but the actual user may be an application running in a container or a virtual machine.
  • The interfaces for using these platforms are not aligned: each platform comes with its own API.
  • Most of these platforms are written in C, which is not very convenient in cloud scenarios.
  • Working with a platform usually requires specific knowledge of that platform, so it is hard to write common code that runs across different platforms.

To mitigate these problems, PARSEC was created with the aims to:

  • Provide a common API of security primitives that is agnostic of the underlying platform
  • Support multiple modern programming languages
  • Support multiple client applications

The following diagram illustrates the concept of PARSEC:

Getting Started

In this section, I will show a very basic example of using PARSEC, including:

  • Building and running the PARSEC server
  • Building and using parsec-tool
  • Generating an RSA key pair
  • Encrypting and decrypting

PARSEC Server

PARSEC is deployed in a client-server architecture. The PARSEC server is a daemon that runs on the host. It handles service requests from client applications and replies with the responses.

Follow these instructions to build and run a PARSEC server:

> # Install prerequisites
> sudo apt install llvm-dev libclang-dev clang cmake

> # Clone the source code of PARSEC server
> git clone https://github.com/parallaxsecond/parsec.git

> # Build
> cd parsec
> cargo build --features "mbed-crypto-provider,direct-authenticator"

> # Run with a minimal and simple configuration
> RUST_LOG=info ./target/debug/parsec -c e2e_tests/provider_cfg/mbed-crypto/config.toml

If everything goes well, you should see the log line [INFO parsec] Parsec is ready.

A UNIX socket /tmp/parsec.sock has been opened. The server listens on this socket and waits for service requests from clients.

parsec-tool

PARSEC provides a command line tool — parsec-tool. You can use it to test PARSEC. parsec-tool talks to the PARSEC server via the UNIX socket.

Here are the instructions to build it and show its help message:

> # Clone source code
> git clone https://github.com/parallaxsecond/parsec-tool.git

> # Build
> cd parsec-tool
> cargo build

> # Print the help text
> ./target/debug/parsec-tool --help

Encrypt & Decrypt

Now I will show how to use parsec-tool for asymmetric encryption and decryption. A typical use of an asymmetric algorithm is to encrypt messages exchanged between two communicating peers.

Generate RSA Key Pair

As one peer of the communication, I created an RSA key pair:

> # Create an RSA key pair named `abc`
> ./target/debug/parsec-tool create-rsa-key --key-name abc
[INFO ] Creating RSA encryption key...
[INFO ] Key "abc" created.

> # List all the keys, now you can see the key pair `abc`
> ./target/debug/parsec-tool list-keys
[INFO ] Available keys:
* abc (Mbed Crypto provider, RsaKeyPair, 2048 bits, permitted algorithm: AsymmetricEncryption(RsaPkcs1v15Crypt))

> # Export the public key of `abc`
> ./target/debug/parsec-tool export-public-key --key-name abc
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjB+BTN51Ge+OwC8+VZmW
+ZEdtCTdfd0w/CRKHmoHWCqNEmT0S+AIHR4GBgC5GNo07Hja75mkrr9/Nz1k2fX6
+vafUHvX0/7rm7g5RfYOb0EvpBtICQXbDGmtekhOoGnL/kgKyESbY+kASrx6GIxS
S7HkauegqOU7c+28aUrm/KClxdv/O7ni4DQ7nb+6iO9ax6aCrS97E7PHvNqHyukV
49jyf9p2oC4gc39FM2DbhjkPwTCJfhL+yHvU+n/3a3fBbCJ5C+HbYckeX+85OEUg
l3TWeiRqspbV3K5dGHe846Xpjm4M+WO446j5xdSSkU/waqXCn5p4auMXsnJo4H9j
JwIDAQAB
-----END PUBLIC KEY-----

The exported public key can be sent to the other peer of the communication, who uses it to encrypt messages.

Encryption

Now, as the other peer of the communication, I have received the public key. I will use it to encrypt a hello message.

I used a web page tool to encrypt my text: https://8gwifi.org/rsafunctions.jsp

In the Public Key text box I pasted the public key I had received. In the ClearText Message box I entered the text hello. The encrypted text was then generated in the output text box.

In real-life use of asymmetric encryption, it is safe to send the encrypted text over an untrusted channel, because the cipher text can only be decrypted with the private key.
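The other peer's encryption step can also be done locally with OpenSSL instead of through a web page. The following is an added example, not code from the original post or the PARSEC project; it assumes `openssl` is installed and uses the key name `abc` and the public key exported earlier.

```shell
# Added example, not from the original post: the "other peer" encryption
# step done locally with OpenSSL. Key `abc` was created with permitted
# algorithm RsaPkcs1v15Crypt, so the peer must use PKCS#1 v1.5 padding.
set -e

# Public key exactly as printed by `parsec-tool export-public-key` above.
PEER_PUB_PEM='-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjB+BTN51Ge+OwC8+VZmW
+ZEdtCTdfd0w/CRKHmoHWCqNEmT0S+AIHR4GBgC5GNo07Hja75mkrr9/Nz1k2fX6
+vafUHvX0/7rm7g5RfYOb0EvpBtICQXbDGmtekhOoGnL/kgKyESbY+kASrx6GIxS
S7HkauegqOU7c+28aUrm/KClxdv/O7ni4DQ7nb+6iO9ax6aCrS97E7PHvNqHyukV
49jyf9p2oC4gc39FM2DbhjkPwTCJfhL+yHvU+n/3a3fBbCJ5C+HbYckeX+85OEUg
l3TWeiRqspbV3K5dGHe846Xpjm4M+WO446j5xdSSkU/waqXCn5p4auMXsnJo4H9j
JwIDAQAB
-----END PUBLIC KEY-----'

# encrypt_for_parsec PUBKEY_PEM MESSAGE
# Prints single-line base64 ciphertext, the form `parsec-tool decrypt` takes.
encrypt_for_parsec() {
  keyfile=$(mktemp)
  printf '%s\n' "$1" > "$keyfile"
  printf '%s' "$2" | openssl pkeyutl -encrypt -pubin -inkey "$keyfile" \
    -pkeyopt rsa_padding_mode:pkcs1 | openssl base64 -A
  rm -f "$keyfile"
}

# ciphertext_len B64: raw ciphertext size in bytes (256 for a 2048-bit key).
# Any other size means the wrong key was used or the paste was mangled.
ciphertext_len() {
  printf '%s' "$1" | openssl base64 -d -A | wc -c | tr -d ' '
}

# roundtrip_ok: generate a throwaway key pair standing in for the key PARSEC
# holds, encrypt the same way, then decrypt with PKCS#1 v1.5 padding.
roundtrip_ok() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$dir/priv.pem" 2>/dev/null
  openssl pkey -in "$dir/priv.pem" -pubout -out "$dir/pub.pem"
  ct=$(encrypt_for_parsec "$(cat "$dir/pub.pem")" "hello")
  pt=$(printf '%s' "$ct" | openssl base64 -d -A |
    openssl pkeyutl -decrypt -inkey "$dir/priv.pem" -pkeyopt rsa_padding_mode:pkcs1)
  rm -rf "$dir"
  [ "$pt" = "hello" ]
}

CT=$(encrypt_for_parsec "$PEER_PUB_PEM" "hello")
echo "Key owner runs: parsec-tool decrypt --key-name abc $CT"
```

Because PKCS#1 v1.5 encryption is randomized, the printed ciphertext differs on every run; only its length (256 bytes for this 2048-bit key) is fixed.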

Decryption

Now I switch back to the peer who created the key pair and holds the private key. I have received the cipher text somehow (maybe via email or instant message).

To decrypt the cipher text with parsec-tool:

> ./target/debug/parsec-tool decrypt --key-name abc MNUqaa/nkIogHrBTnVA1n1nnzy43WyYVrGut7C5jBz2reJcwPX5iUOF1RAaA2k/h5vN+wFryZYkfD0WH6DGWNhXYDAik3Ip9wKKDVn16POzJa3Vh85xcguKrSSBW0GtliNy9Etnh0xyTje1ETpARCeUDCQokkNZbT/QbgZeaAlOm1ejHL4DsaNjz49x7/InQfq2nA/t0bCB5wKa+Xu85ZMIN59kvu4ETBWGNmYxjJeFRAk/A6u1mQ1isII0oX/m/b26EfIkg10bqdwgdt6uszqqvJ7Vx5yqcl8dokw3ZC+EkvmUrsKn66SIy0SnI2m1hXEFaiyhXv8vaVxeqJGR1hQ==
[INFO ] Decrypting data with RsaPkcs1v15Crypt...
hello

Now I have recovered the original text that the peer wanted to send.

Reference
