Security Basics mailing list archives
AW: Securing an encryption key within software.
From: Christian.Assfalg () bc boehringer-ingelheim com
Date: Wed, 21 Jun 2006 07:57:07 +0200
Which should of course also provide a malicious user with possible ways to extract such a key from a TPM secured system along with the software itself. If a trojan is in place, say, or the attacker has physical access to the machine. This could be made more difficult if the user using the software is no administrator on the machine, or if the TPM key is extracted at system setup and the software is uninstalled afterwards (trojan, physical access means you're probably lost anyway, given enough time). However, all of this adds quite some complexity to the software, and more importantly to the environment the software has to be in.

For me, it is not clear
- why and if you really need to store the data locally and
- why and if you really need to be able to decrypt the passwords.

If you don't need one or both of those points, you can make password recovery that much more difficult without the complexities of TPM. In this case, you can either store the data on a server which is physically hard to tamper with and which can be heavily guarded against attacks, or you can use a one-way hash function, forcing an attacker to brute-force attack the passwords, one by one.

Regards,
Christian Assfalg

-----Original Message-----
From: Saqib Ali [mailto:docbook.xml () gmail com]
Sent: Tuesday, 20 June 2006 22:32
To: Assfalg,Christian (APER) BIP-DE-B
Cc: delliott () eluse co uk; security-basics () securityfocus com
Subject: Re: Securing an encryption key within software.

Hello Christian,
As for using TPM - forget it. Sure, TPM would give you features to bind your software, or certain data, to one particular machine. But what in case of a hardware failure? You would lose all your data, unless there are some ways to backup that stuff. I guess there have to be some ways to do that, but still - way too risky and complicated for my taste. But TPM is
Yup, most vendors that are shipping TPMs with their systems are also bundling solutions for key escrow (PKI or otherwise) or some other method of key recovery. Dell systems, for example, are including Wave Sys' Security center. See: http://www.wavesys.com/products/esc.html

--
Saqib Ali, CISSP, ISSAP
Support http://www.capital-punishment.net
-----------
"I fear, if I rebel against my Lord, the retribution of an Awful Day (The Day of Resurrection)" Al-Quran 6:15
-----------
Current thread:
- AW: Securing an encryption key within software. Christian . Assfalg (Jun 20)
- Re: Securing an encryption key within software. Saqib Ali (Jun 20)
- <Possible follow-ups>
- AW: Securing an encryption key within software. Christian . Assfalg (Jun 21)