David Schwartz wrote:
Kyle Hamilton wrote:

If your company hires a security consultant, s/he will state the same thing.

-Kyle H

The fundamental problem is this:

You have one door. Every customer must walk through it. However, you don't want 
a customer to run amuck once he gets through the door. Your solution is to put 
more and more locks on the door, and give the customer the key to each one.

All of these locks only keep people from going through the door. But the very 
people who you need to let through the door are the same ones you need to keep 
from running amuck once they get through the door.

No amount of additional locks on the door will do this.

You cannot give a person a credential that allows them to do things you must 
prevent them from doing. You must make it so that their credentials only allow 
them to do things you would like them to be able to do.

It is unfortunate that you are in the position you are in, as it is a nearly 
hopeless one. Security cannot be added as an afterthought. It must be designed 
in from the very beginning. You must construct a threat model, state security 
requirements, and build into the design a way to meet those requirements and 
defeat all plausible threat models.

Honestly, the type of schemes you are considering as band-aids are unlikely to 
slow down a determined attacker very long. I would bet dollars to donuts that 
the end result will take less than a day to break.

Your scheme requires you to put the credentials where an attacker can get them 
in unencrypted form. All an attacker need do is terminate your process as soon 
as it attempts a network connection (or intercept its filesystem calls and 
snapshot every file before it is deleted or overwritten). Your scheme requires 
these credentials to be sufficient for someone to do harm. Bluntly, your scheme 
is hopeless from a security standpoint.

So any scheme which relies on client-server certificates (aka private-public key encryption) and encrypted data is "hopeless from a security standpoint"?

Care to suggest what is not "hopeless from a security standpoint", which is actually programmable?

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
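The design principle argued in the quoted reply (a credential held by the client must only authorize what that customer is allowed to do, with the check enforced on the server rather than by "locks" in the client), as an added example that is not part of this thread; the key, customer ids and operation names are constructed for the demo:

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. It lives only on the server; a credential pulled out of a
# client binary, its memory or a temp file never includes it.
SERVER_KEY = b"constructed-demo-server-key"

def encode_claims(claims):
    return base64.urlsafe_b64encode(
        json.dumps(claims, sort_keys=True).encode()).decode()

def mint_credential(customer_id, allowed_ops):
    """Server side: issue a credential bound to one customer and a fixed set of
    operations. This is the only secret the client ever holds."""
    body = encode_claims({"customer": customer_id, "ops": sorted(allowed_ops)})
    tag = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def authorize(credential, op, target_customer):
    """Server side: the lock is here, not in the client. Returns (allowed, reason)."""
    body, _, tag = credential.partition(".")
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["customer"] != target_customer:
        return False, "wrong customer"
    if op not in claims["ops"]:
        return False, "op not granted"
    return True, "ok"

def stolen_credential_outcomes():
    """What someone who extracted cust-42's credential verbatim can and cannot do."""
    cred = mint_credential("cust-42", ["read_own_orders"])
    body, _, tag = cred.partition(".")
    # Re-encoding the claims with a broader scope while keeping the original tag
    # fails: the tag was computed over the original body with the server's key.
    widened = encode_claims({"customer": "cust-42", "ops": ["delete_all_orders"]})
    return {
        "granted_op": authorize(cred, "read_own_orders", "cust-42"),
        "other_customer": authorize(cred, "read_own_orders", "cust-7"),
        "ungranted_op": authorize(cred, "delete_all_orders", "cust-42"),
        "widened_scope": authorize(f"{widened}.{tag}", "delete_all_orders", "cust-42"),
    }
```

Losing the credential to the customer (or to whoever terminates the process or snapshots its files) then costs exactly the operations that customer was already entitled to, and nothing more.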
