Hi,

On Mon, 22 Nov 1999, Michael Robinson wrote:

> Everyone says that, but I've never seen anyone elucidate on the so-called
> "obvious" reasons.
> 
> The key file is protected by root-read-only permissions.  Only someone with
> root access can read the file.  If someone has root access, they can gcore
> your running daemon and extract your private key from the core dump with just
> a little more work.

Well, there are a couple of reasons to consider the use (or not as the case
may be) of passphrases. An obvious one is that the web-server may not get
started as root, so (a) the private key can't be only root-readable, and
(b) the web-server can't be (straightforwardly) switched to different user
privileges that would prevent any vulnerability (or misconfiguration)
from accessing the key-file.

The other obvious (well, common) reason is that a password protected
key-file "requires" two attacks (ignoring key-scanning which I'll mention
after). On one hand you need to obtain the file (which could be possible
if you can get root access, or compromise a process/service that is
running as root). On the other hand one also needs to obtain the
passphrase which tends to require a different "attack" - e.g. suckering an
admin into providing it remotely across an insecure network, etc etc
(password hacking is discussed at length elsewhere). If you protect keys
with passphrases you essentially cover a potential for one kind of attack
(getting the file) by requiring a corresponding attack of the other kind
(getting the passphrase).

Many people who run multi-purpose servers, or must (for whatever reason)
start servers without root-privileges, choose to password protect the
keys. For dedicated web-servers for whom security is a primary
consideration, it is ironically more common not to use passphrases (my
impression unsubstantiated by any stats). The reason for this is that the
servers generally are started as root so that after initialisation, even
they don't have access to the key file. Often the servers are also tied
down with no straightforward access by which an admin could provide a
password so the servers must be able to (re)start unattended.

Regarding key-scanning and as a side note, starting web-servers as root
happens to foil a number of other attacks - on most systems this prevents
a class of key-scanning attacks that have recently been considerably
improved by Nicko van Someren and Adi Shamir (where, as you rightly pointed
out, the decrypted key has to be in RAM at run-time and so could be
vulnerable to scanning). Modern operating systems generally make memory
scanning a lot more difficult in a process that has setuid()'d from root
to something else. Apache's setuid prevents core-dumping. Some
implementations also have other mechanisms for performing key operations
well away from the area of "concern".

> From my point of view, the key passphrase gives people a false sense of 
> security (as well as added inconvenience).

This is very true also - but one hopes that these considerations are
weighed on their merits and relevance rather than their "false senses of
security" by admins and architects who must run critical systems. If not
... well it's Darwinism I suppose.

Cheers,
Geoff


----------------------------------------------------------------------
Geoff Thorpe                                    Email: [EMAIL PROTECTED]
Cryptographic Software Engineer, C2Net Europe    http://www.int.c2.net
----------------------------------------------------------------------
May I just take this opportunity to say that of all the people I have
EVER emailed, you are definitely one of them.


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
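The start-as-root-then-drop sequence the mail describes (key file readable only by its owner, key read while still privileged, setuid() away so the process can no longer reach the file, and no core dumps afterwards) as an added example; this is not code from the mail, from Apache or from OpenSSL. It assumes Linux (prctl() for the dumpable flag), takes the key path and an unprivileged user name on the command line, and the demo_perm_check() helper writes a constructed throwaway file under /tmp purely to exercise the permission check.

```c
/* Added example: privilege-separated key loading on Linux (assumed). */
#define _GNU_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/resource.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Step 1: refuse a key file that group or others can read, write or execute. */
int key_file_is_private(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Step 2: read the key while the process still has the privilege to do so.
 * Returns the number of bytes read, or -1 on error. */
ssize_t load_key(const char *path, unsigned char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap);
    close(fd);
    return n;
}

/* Step 3: no core files and a non-dumpable process, so the decrypted key held
 * in RAM cannot be recovered with gcore or a crash dump. setuid() away from
 * root already clears the dumpable flag on Linux; doing it explicitly also
 * covers a server that was never started as root (case (b) in the mail). */
int harden_against_core_dump(void)
{
    struct rlimit rl = { 0, 0 };
    if (setrlimit(RLIMIT_CORE, &rl) != 0)
        return -1;
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0)
        return -1;
    return 0;
}

/* Step 4: drop root permanently. Returns 0 on success and is a no-op when
 * the process did not start as root. */
int drop_privileges(const char *user)
{
    if (geteuid() != 0)
        return 0;
    struct passwd *pw = getpwnam(user);
    if (pw == NULL || pw->pw_uid == 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0)
        return -1;
    if (setuid(0) == 0)             /* root must be unrecoverable */
        return -1;
    return 0;
}

/* Constructed demo for step 1: create a throwaway "key" file with the given
 * mode, run the check on it, delete it. Returns the check result or -1. */
int demo_perm_check(mode_t mode)
{
    char path[] = "/tmp/demo-key-XXXXXX";
    int fd = mkstemp(path);             /* created with mode 0600 */
    if (fd < 0)
        return -1;
    static const char body[] = "-----BEGIN CONSTRUCTED DEMO KEY-----\n";
    ssize_t w = write(fd, body, sizeof body - 1);
    int rc = (w < 0 || fchmod(fd, mode) != 0) ? -1 : 0;
    close(fd);
    int ok = (rc == 0) ? key_file_is_private(path) : -1;
    unlink(path);
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s KEYFILE UNPRIVILEGED_USER\n", argv[0]);
        return 2;
    }
    unsigned char key[8192];
    if (!key_file_is_private(argv[1])) {
        fprintf(stderr, "refusing %s: readable by group or others\n", argv[1]);
        return 1;
    }
    ssize_t n = load_key(argv[1], key, sizeof key);
    if (n < 0 || harden_against_core_dump() != 0 || drop_privileges(argv[2]) != 0) {
        perror("startup");
        return 1;
    }
    /* After the drop, the root-owned key file should be out of reach. */
    int fd = open(argv[1], O_RDONLY);
    printf("loaded %zd key bytes; key file now %s; euid=%u dumpable=%d\n",
           n, fd < 0 ? "unreadable" : "STILL READABLE", (unsigned)geteuid(),
           prctl(PR_GET_DUMPABLE, 0, 0, 0, 0));
    if (fd >= 0)
        close(fd);
    memset(key, 0, sizeof key);         /* nothing to serve in this demo */
    return 0;
}
```

Run as root against a 0400 root-owned key file with a user such as www-data and the final line reports the file as unreadable with euid set to that user; run as an ordinary user (the mail's case (b)) the file stays readable because the process still is its owner, which is exactly why the explicit dumpable/core-limit step matters there.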
