Re: Testing OCSP with openssl

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Michael,

Thanks for this concise review. I look at it as the "Big Bang theory of Security". i.e. what comes first.

And HOW DID we get those heavy metals beyond Iron?  :)

Bob

On 09/05/2017 09:10 AM, Michael Wojcik wrote:
From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf
Of Robert Moskowitz
Sent: Tuesday, September 05, 2017 08:43

Also he recommends password protecting the keypair.  That results in
needing to provide the password at responder startup.  Is this the
'normal' approach?  Is the password provided in some other file (like a
responder config file)?  I am use to putting SQL passwords into php
config files, not that I like that...
That's one of the oldest problems in IT security. Most approaches fall into one of three categories:

- Specialized hardware. This was one of the original intended uses for Sun's JavaButton hardware token, back in the '90s, but the JavaButton never really took off. These days we have various flavors of HSMs which act as key vaults and signing servers - though then you have the problem of authenticating to the signing server, or if you offload all crypto operations, authenticating to the crypto server. TPMs (which are essentially integrated HSMs), smartcard readers, etc can also hold keys, but typically require some authentication by a human at system startup.

- Attended startup with manual passphrase entry. The server can't start until someone enters the passphrase at the keyboard.

- Passphrase or private key in a file for unattended startup, hopefully protected as well as possible by filesystem permissions, filesystem encryption, etc. This is obviously the weakest choice for key protection, since it has a wider threat tree (more paths for an attacker to make use of the private key) than the other two options.

For general-purpose applications where you don't need particularly good performance, such as a moderate-volume web server, there are some very inexpensive hardware options. OpenSSL works well with the NitroKey HSM (via the PKCS#11 engine), for example. Things get tougher as you add requirements.


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux