Vulnerability Development mailing list archives
Re: Apache ap_getpass vulnerability
From: "Michael H. Warfield" <mhw () WITTSEND COM>
Date: Mon, 6 Nov 2000 00:53:04 -0500
On Sun, Nov 05, 2000 at 08:40:24PM -0800, Carson Gaspar wrote:
--On Sunday, November 05, 2000 11:25 AM -0800 "Jon Paul, Nollmann" <sinster () DARKWATER COM> wrote:
It's a choice that's been made technologically: it's unworkable to have the private key encrypted, so it's left unencrypted. If you have the key encrypted and arrange for some other mechanism for the server to automagically get the passphrase at startup, then that's equivalent to having the private key unencrypted on the hard disk: all the data is there on the machine that's necessary to unencrypt the private key.
Who said anything about it happening automatically, much less automagically? Someone (or ones, if you use secret sharing) enters a passphrase every time the web server is restarted. As I said you trade off operational complexity against security.
It's unavoidable.
Or maybe you use a smartcard that's installed in the server? You can't copy the private key from the smartcard (and since you don't have physical possession of the card you can't even try the esoteric tricks like current signature analysis or thermionic analysis). I can think of three or four other schemes involving coupled servers, single user mode, and other such tricks for decrypting a secret key at initialization but protecting it or prohibiting access to it after boot up. I will concede that there is also the problem of kmem attacks and other ways of getting to the key, if someone gets superuser access to the system and can extract key material from the running system. That's a different problem (which could STILL be addressed by a smartcard or one-way coupled systems). The statement "It's unavoidable" is simply not true. It is avoidable, it all depends upon the trouble and effort you wish to go to and how high you wish to raise the bar to cracking it.
See above.
-- Carson Gaspar -- carson () taltos org Queen Trapped in a Butch Body
Mike
--
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!