> If you need a lot of hits/sec (a smart card can't handle
> many) you can use a hardware accelerator like the Ncipher
> (what I'm using) or Rainbow accelerators
and now I'm lost again. Surely the certificate only needs to
be loaded (and therefore the passphrase needs to be entered)
*once* after Apache startup ? Are you saying it has to be
loaded every time the server gets a hit from a browser!!???!?!
The server has to use the secret key to decrypt the user packet
every time an SSL connection starts. There are three levels of
securing the secret key:
1. Just store it on the server, unencrypted, so the server can
restart unattended. Someone who can get a backup tape of the
server now has the private key.
2. Don't store it unencrypted on the server, but load it into the
server on startup, either from external hardware or by decrypting
an encrypted file with a password. Once the server is running,
it has the private key in memory and can use it to start SSL
connections. Someone who can modify the server software, etc.,
can get the key out. That means you have to trust the site operators.
3. Don't ever let the server see the secret key. The secret key is
encapsulated in tamper resistant hardware that does the whole
RSA calculation. That means the secure hardware has to be fast
enough to process all the hits. This is what I'm talking about
w.r.t. the Ncipher and similar devices. They use special purpose
hardware to do the secret key much faster than most computers can.
Even if someone steals the hardware (you'll know right away that
they did this because your server can't run without it), they won't
be able to get the keys out without extremely sophisticated laboratory
attacks.
For many applications, level 1 or level 2 is good enough. It's a
cost versus security decision you have to make depending on what
you're trying to protect, how vulnerable your site is, how motivated
the attackers you're expecting are, etc. Typical web retailers don't
have to worry this too much, but some parts of the financial sector
are VERY paranoid about these things.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
