Re: Proposal: always handle keys in separate process

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



How about using the existing OpenSSH client's PKCS#11 support to
isolate keying material in a dedicated process?

A similar approach, "Practical key privilege separation using Caml
Crush", was discussed at FOSDEM'15 with a focus on
Heatbleed [1][2] but the ideas and principles are the same.

Now this is easily done using the following available components:
  - SoftHSM to store the crypto keys
  - Caml-Crush server components load the SoftHSM middleware (access
the keys) in a dedicated process
  - SSH client loads Caml-Crush PKCS#11 middleware that connects to
its daemon and allows to sign SSH exchange to authenticate

No patch needed.

Hope this helps,

Thomas

[1] https://archive.fosdem.org/2015/schedule/event/caml_crush/
[2] https://github.com/ANSSI-FR/caml-crush


On Fri, Jan 15, 2016 at 9:30 AM, Loganaden Velvindron
<loganaden@xxxxxxxxx> wrote:
> On Thu, Jan 14, 2016 at 7:12 PM, Alexander Wuerstlein <arw@xxxxxxxxx> wrote:
>> Hello,
>>
>> in light of the recent CVE-2016-0777, I came up with the following idea,
>> that would have lessened its impact. Feel free to ignore or flame me,
>> maybe its stupid or I missed something :)
>>
>
> Feel free to come up with a patch. In OpenSSH, it's a good idea to
> follow-up with a patch :)
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux