Securing a system against this kind of attack can be done in several ways, depending on the level of assurance you desire.

You might start out with Tripwire:

https://en.wikipedia.org/wiki/Open_Source_Tripwire
http://www.tripwire.org/

You could also implement mandatory access control and ACLs using either grsecurity or SELinux:

http://grsecurity.net/
http://www.cs.virginia.edu/~jcg8f/SELinux%20grsecurity%20paper.pdf
https://en.wikipedia.org/wiki/Security-Enhanced_Linux

Personally I prefer grsecurity, but it is not supported in mainline by any major distribution that I am aware of. You'll have to patch, build, and support your own kernel image in order to use it. SELinux is supported out of the box on CentOS 6 and 7, so it would probably be a good place to start.

If your concern is solely in the realm of protecting your RSA keys, you might consider some HSM product from e.g. Yubico:

https://www.yubico.com/
https://en.wikipedia.org/wiki/Hardware_security_module

These tiny USB keys store the RSA keys on a secure element which is physically tamper-resistant. The key material never leaves the hardware token. However, you'd probably have to write a custom provider for OpenSSL, and the throughput would probably only be sufficient for a very small amount of traffic.

If you need something that can handle a higher load, you might consider purchasing one of Cavium's cards:

http://www.cavium.com/overview.html

However, they are 10 gigabit passthrough devices and will unwrap / re-wrap the SSL session in hardware. They are not cheap.

Good luck!

On Mon, Jul 20, 2015 at 11:46 PM, James <james.arivazhagan at gmail.com> wrote:
> Hi there,
> I have a concern regarding the private keys we use in the https (say apache) server.
> The https server links with the openssl.so file, and uses the APIs provided by it.
> If someone builds their own openssl, adds a few lines to print the keys during encrypt and decrypt, and puts the library in the LD_LIBRARY_PATH, it may result in compromising the security of the keys.
>
> Has any of you faced this problem? If you could share the solution, it would be helpful.
>
> regards,
> James Arivazhagan Ponnusamy
>
> _______________________________________________
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
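A defender-side check for the library-substitution concern in the quoted message and the Tripwire suggestion in the reply, as an added example that is not part of the original thread. It assumes a manifest of known-good SHA-256 sums in `sha256sum` output format recorded on a trusted host; the file names used are hypothetical.

```shell
#!/bin/sh
# Added example, not from this thread: a Tripwire-style integrity check for the
# shared libraries a service actually loads, aimed at the scenario quoted above
# (a rebuilt libssl/libcrypto reached via LD_LIBRARY_PATH or LD_PRELOAD).
# Assumed manifest format: "<sha256>  <absolute path>" per line, i.e. the output
# of "sha256sum /path/to/lib*" taken on a trusted host.

# Compare a file's SHA-256 with the known-good manifest.
# Returns 0 on match, 1 on mismatch, 2 if the file is not listed at all.
verify_against_manifest() {
    manifest=$1; file=$2
    expected=$(awk -v f="$file" '$2 == f { print $1; exit }' "$manifest")
    [ -n "$expected" ] || return 2
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    [ "$expected" = "$actual" ]
}

# The two loader variables that let a process be pointed at a different library.
# A service's environment (e.g. its init unit) should have neither of them set.
loader_env_is_clean() {
    [ -z "${LD_LIBRARY_PATH:-}" ] && [ -z "${LD_PRELOAD:-}" ]
}

# Check every library a binary links against (as resolved by ldd): each must be
# in the manifest and unchanged. Prints one line per library, returns 1 on any failure.
check_binary() {
    binary=$1; manifest=$2; failed=0
    for lib in $(ldd "$binary" 2>/dev/null | awk '$2 == "=>" && $3 ~ "^/" { print $3 }'); do
        if verify_against_manifest "$manifest" "$lib"; then
            echo "ok        $lib"
        else
            echo "MISMATCH  $lib"; failed=1
        fi
    done
    return $failed
}

# Self-contained demonstration on a constructed stand-in file, not a real library.
demo() {
    d=$(mktemp -d)
    printf 'constructed stand-in for a library\n' > "$d/libssl.so.1"
    sha256sum "$d/libssl.so.1" > "$d/manifest"                      # record baseline
    verify_against_manifest "$d/manifest" "$d/libssl.so.1" && echo "baseline ok"
    printf 'extra bytes\n' >> "$d/libssl.so.1"                      # simulate a swap
    verify_against_manifest "$d/manifest" "$d/libssl.so.1" || echo "tamper detected"
    rm -rf "$d"
}
demo
```

In production the manifest is generated once on a trusted host and compared against the paths `check_binary /usr/sbin/httpd manifest` reports, the same idea Tripwire applies to the whole filesystem.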