Vulnerability Development mailing list archives

Re: Apache ap_getpass vulnerability


From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Mon, 6 Nov 2000 00:53:04 -0500

On Sun, Nov 05, 2000 at 08:40:24PM -0800, Carson Gaspar wrote:
--On Sunday, November 05, 2000 11:25 AM -0800 "Jon Paul, Nollmann"
<sinster () DARKWATER COM> wrote:

It's a choice that's been made technologically: it's unworkable to
have the private key encrypted, so it's left unencrypted.  If you have
the key encrypted and arrange for some other mechanism for the server
to automagically get the passphrase at startup, then that's equivalent
to having the private key unencrypted on the hard disk: all the data
is there on the machine that's necessary to unencrypt the private key.

Who said anything about it happening automatically, much less
automagically? Someone (or ones, if you use secret sharing) enters a
passphrase every time the web server is restarted. As I said you trade off
operational complexity against security.

It's unavoidable.

        Or maybe you use a smartcard that's installed in the server?
You can't copy the private key from the smartcard (and since you don't
have physical possession of the card you can't even try the esoteric
tricks like current signature analysis or thermionic analysis).

        I can think of three or four other schemes involving coupled
servers, single user mode, and other such tricks for decrypting a
secret key at initialization but protecting it or prohibiting access
to it after boot up.

        I will concede that there is also the problem of kmem attacks
and other ways of getting to the key, if someone gets superuser access
to the system and can extract key material from the running system.  That's
a different problem (which could STILL be addressed by a smartcard or
one-way coupled systems).

        The statement "It's unavoidable" is simply not true.  It is
avoidable, it all depends upon the trouble and effort you wish to go to
and how high you wish to raise the bar to cracking it.

See above.

--
Carson Gaspar -- carson () taltos org
Queen Trapped in a Butch Body

        Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

