Hello,
Right now I'm working on my thesis, see http://www.uia.ac.be/u/s985456/ for
some basic info.
One of the things I'm researching is how key components are found in
physical (RAM) memory on a Windows NT/2000/XP system after using the
corresponding certificate.
Let me give an example from a "Microsoft point of view":
Suppose we're visiting a secure, SSL-aware website (https://) using Internet
Explorer. Or signing an email using Outlook Express. All cryptographic
operations, performed by these applications, are carried out by a
Cryptographic Service Provider (CSP). By default this is the Microsoft Base
CSP. This CSP will 'open' and 'use' the RSA-based client certificate.
I have made a PhysicalMemoryScanner-with-RSA-knowledge. This tool is able to
extract the private exponent ("private key") of a client certificate out of
the RAM memory of a computer after the client certificate was used. As said,
I tested some Microsoft tools like Internet Explorer, Outlook Express and
the Windows 2000 Encrypting File System (EFS). These are all vulnerable: the
private key is found plain-text in memory.
Also non-CSP-based applications like the new Opera 6.01 browser for Windows
leave the private key plain-text in memory after Opera has used the
corresponding certificate.
My question is how Netscape 6.2.* handles this kind of stuff. At first sight
Netscape 6.2.1 passes the test: I have imported a self generated client
certificate into Netscape 6.2.1 and use it to visit my test-webserver which
requires both server and client authentication. After that, my
PhysicalMemoryScanner doesn't seem to find the private key. So I would like
to ask you all if special care was taken to avoid that the private key shows
up plain-text in memory ?
Some security measures attempting to disable this kind of attacks, or make
it at least harder are:
* key masquerading (surely don't store the key plain-text in memory)
* mathematical protection using an alternative but mathematically identical
private exponent
* smart cards storing the key on a device (this is not the case in my
example)
* ...
Please note that I'm not that familiar with Mozilla-specific structures like
Network Security Services (NSS) or Personal Security Manager (PSM).
Any help on this would be greatly appreciated.
Thanks in advance.
Sincerely, Tom
