Posted by dirbb on March 11, 2006, 10:20 am
Why is there this feature in certificate creation? Can it really stop
someone determined from exporting his/her private key?
Thx
Posted by Alun Jones on March 12, 2006, 11:41 pm
>why is there this feature in certificate creation? can it really stop
>someone determined from exporting his/her private key?
It at least makes it "hard", in the sense that they have to spend hours trying
to figure out where the key is stored, and to debug the process that decrypts
data, looking for the moment when the private key is being used. This is not
an automatable process, as far as I know.
In some cases, when the certificate is stored on a hardware device that does
the encryption, it can make it "impossible" to discover the key.
"hard" and "impossible" are relative values of difficulty that are difficult
to gauge.
Alun.
~~~~
[Please don't email posters, if a Usenet response is appropriate.]
--
Texas Imperial Software | Find us at http://www.wftpd.com or email
23921 57th Ave SE | alun@wftpd.com.
Washington WA 98072-8661 | WFTPD, WFTPD Pro are Windows FTP servers.
Fax/Voice +1(425)807-1787 | Try our NEW client software, WFTPD Explorer.
Posted by Eric Lalitte on March 14, 2006, 5:41 pm
> why is there this feature in certificate creation?
Because they like to lie a lot to sell more products ?
Anyway, if the system can have access to the certificate without giving
any passphrase, then you can do exactly the same.
The only reason why it is hard to do is that it is not (badly)
documented.
> can it really stop someone determined from exporting his/her private
> key?
No, and it can't stop any worm or virus from getting it and mailing it anywhere.
Aurelien Bordes just made the PoC in a French security magazine.
You can get the slides from the presentation of Aurelien Bordes and
Eric Detoisien presenting the flaw in hacklu meeting:
<http://www.hack.lu/wiki/images/b/ba/Hacklu_catch_the_key.ppt>
Anyway, this doesn't seem to scare anybody more than that. Many
companies can use a PKI based on the principle that their private
keys aren't exportable, because it is just written in the software...
It is lucky that my anti-virus blocks 100% of known and unknown
viruses; if not, I could have my private keys stolen! ;-))
--
Posted via Mailgate.ORG Server - http://www.Mailgate.ORG
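Both replies above make the same practical point: the "non-exportable" flag is a policy enforced by the software provider holding the key, and only a hardware provider (smart card, TPM) moves the key out of reach of code running as that user. The script below is an added example for this thread, not code from either poster. It audits a certificate store and reports, per certificate with a private key, which provider holds the key, whether the provider reports it as exportable, and whether it is hardware-backed, so an administrator can check what the store actually contains rather than trusting what the enrolment software claims. It assumes Windows PowerShell 5.1 or later with the Cert: drive available; the store path, the provider-name match used to guess "hardware", and the function name are assumptions made for this example.

```powershell
# Added example, not from the thread: audit the personal certificate store
# and report, for each certificate that has a private key, whether the key
# is marked exportable and which provider holds it. Assumes Windows
# PowerShell 5.1 or later on a host where the Cert: drive is available.

function Get-PrivateKeyExportPolicy {
    param(
        # Assumption: the store being audited; use 'Cert:\LocalMachine\My' for machine keys.
        [string]$StorePath = 'Cert:\CurrentUser\My'
    )

    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            $cert       = $_
            $provider   = 'unknown'
            $exportable = 'unknown'
            $hardware   = $false

            try {
                # GetRSAPrivateKey returns an RSACng when the key is opened through
                # CNG and an RSACryptoServiceProvider when it is opened through a
                # legacy CSP; it returns $null for non-RSA (e.g. ECDSA) keys, which
                # this example does not inspect.
                $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)

                if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                    # Legacy CryptoAPI: the container info carries the flags directly.
                    $info       = $rsa.CspKeyContainerInfo
                    $provider   = $info.ProviderName
                    $exportable = $info.Exportable
                    $hardware   = $info.HardwareDevice
                }
                elseif ($rsa -is [System.Security.Cryptography.RSACng]) {
                    # CNG: the export policy is a flag set on the CngKey.
                    $provider   = $rsa.Key.Provider.Provider
                    $exportable = $rsa.Key.ExportPolicy.HasFlag([System.Security.Cryptography.CngExportPolicies]::AllowExport)
                    # CNG has no "hardware" bit; match on the well-known smart card
                    # and TPM provider names (assumption: this list is not exhaustive).
                    $hardware   = $provider -match 'Smart Card|Platform Crypto'
                }
                else {
                    $exportable = 'not inspected (non-RSA key)'
                }
            }
            catch {
                # Keys the current account cannot open end up here.
                $exportable = "error: $($_.Exception.Message)"
            }

            [pscustomobject]@{
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                Provider   = $provider
                Exportable = $exportable
                Hardware   = $hardware
            }
        }
}

# Print one row per certificate that has a private key.
Get-PrivateKeyExportPolicy | Format-Table -AutoSize
```

Read the output with the thread's caveat in mind: a row showing a software provider with Exportable = False only tells you what that provider will refuse to do through its documented API. The key material is still decrypted by that provider in the user's process whenever it is used, which is exactly the window Alun describes. Rows showing a smart card or Platform Crypto provider are the ones where the key genuinely never leaves the device.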