David Schwartz wrote:
Kyle Hamilton wrote:
If your company hires a security consultant, s/he will state the
same thing.
-Kyle H

The fundamental problem is this:
You have one door. Every customer must walk through it. However, you don't want
a customer to run amuck once he gets through the door. Your solution is to put
more and more locks on the door, and give the customer the key to each one.
All of these locks only keep people from going through the door. But the very
people who you need to let through the door are the same ones you need to keep
from running amuck once they get through the door.
No amount of additional locks on the door will do this.
You cannot give a person a credential that allows them to do things you must
prevent them from doing. You must make it so that their credentials only allow
them to do things you would like them to be able to do.
It is unfortunate that you are in the position you are in, as it is a nearly
hopeless one. Security cannot be added as an afterthought. It must be designed
in from the very beginning. You must construct a threat model, state security
requirements, and build into the design a way to meet those requirements and
defeat all plausible threat models.
Honestly, the type of schemes you are considering as band-aids are unlikely to
slow down a determined attacker very long. I would bet dollars to donuts that
the end result will take less than a day to break.
Your scheme requires you to put the credentials where an attacker can get them
in unencrypted form. All an attacker need do is terminate your process as soon
as it attempts a network connection (or intercept its filesystem calls and
snapshot every file before it is deleted or overwritten). Your scheme requires
these credentials to be sufficient for someone to do harm. Bluntly, your scheme
is hopeless from a security standpoint.

So any scheme which relies on client-server certificates (aka
private-public key encryption) and encrypted data is "hopeless from a
security standpoint"?
Care to suggest what is not "hopeless from a security standpoint", which
is actually programmable?
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
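The point David makes above (a credential that a client must carry can be recovered in the clear, so the server, not the client, has to bound what that credential is allowed to do) can be shown in working code. The following is an added example, not code from this thread or from OpenSSL; the server secret, account names, balances and the "read_balance"/"transfer" scopes are all constructed for illustration. It mints a scoped, MAC-protected token on the server side, enforces the scope on every request, and shows that neither possessing a read-only token nor editing its scope list lets the holder move money.

```python
import hashlib
import hmac
import json

# Constructed secret: it stays on the server and is never embedded in a client.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"


def issue_token(subject: str, scopes) -> str:
    """Server mints a credential whose permitted actions are fixed at issue time.
    The scope list is bound to the token with an HMAC so the holder cannot widen it."""
    payload = json.dumps({"sub": subject, "scopes": sorted(scopes)}, sort_keys=True)
    tag = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_token(token: str):
    """Return the claims dict if the MAC checks out, otherwise None."""
    payload, sep, tag = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


class AccountServer:
    """The server enforces policy itself; it never relies on the client to self-restrict."""

    def __init__(self):
        self.balances = {"alice": 100, "bob": 0}  # constructed sample state

    def handle(self, token: str, action: str, **args):
        claims = verify_token(token)
        if claims is None:
            return ("rejected", "bad token")
        if action not in claims["scopes"]:
            return ("rejected", f"{action} not permitted for this credential")
        if action == "read_balance":
            return ("ok", self.balances[claims["sub"]])
        if action == "transfer":
            src, dst, amount = claims["sub"], args["to"], args["amount"]
            if amount <= 0 or self.balances[src] < amount:
                return ("rejected", "insufficient funds")
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
            return ("ok", self.balances[src])
        return ("rejected", "unknown action")


def demo():
    """Scenario: a read-only credential is shipped inside a client. Even if it is
    recovered in unencrypted form, the server bounds what it can do."""
    server = AccountServer()
    read_only = issue_token("alice", {"read_balance"})
    results = {
        "read": server.handle(read_only, "read_balance"),
        "transfer_with_read_only": server.handle(read_only, "transfer", to="bob", amount=50),
    }
    # Holder edits the payload to add a scope: the MAC no longer matches, so it is refused.
    _payload, _, tag = read_only.rpartition(".")
    widened = json.dumps({"sub": "alice", "scopes": ["read_balance", "transfer"]}, sort_keys=True)
    results["forged_scope"] = server.handle(widened + "." + tag, "transfer", to="bob", amount=50)
    # A credential the server deliberately issued with transfer rights does work.
    full = issue_token("alice", {"read_balance", "transfer"})
    results["transfer_with_full"] = server.handle(full, "transfer", to="bob", amount=50)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design choice this illustrates is the one the reply argues for: the credential the client holds is only ever as powerful as the server decides to make it, so "more locks on the door" are replaced by a server that decides, per request, what the door-holder may do once inside. In a real deployment the HMAC secret would be managed as a server-side key and the token would carry an expiry, but the authorization check would sit in the same place.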