WebApp Sec mailing list archives
RE: SSL keys
From: "Dimitris Petropoulos" <D.Petropoulos () encode-sec com>
Date: Thu, 29 Jan 2004 11:44:01 +0200
AFAIK -for IIS 5- noone can access the private key. The key lives inside a CSP (Cryptographic Service Provider) key container which does not allow direct manipulation, therefore viewing and editing cannot be performed. As far as exporting is concerned, the key generation takes place without using the CryptoAPI CRYPT_EXPORTABLE flag and therefore the private key cannot be exported from the CSP key container (even if it did it would be bundled in an encrypted key blob). Hope this helps, ----------------------- Dimitrios Petropoulos MSc InfoSec, CISSP Director, Security Research & Development ENCODE S.A. 3, R.Melodou Str 151 25 Maroussi Athens, Greece Tel: +30210-6178410 Fax: +30210-6109579 web: www.encode-sec.com ------------------------
-----Original Message----- From: VolkanPekince () hsbc com tr [mailto:VolkanPekince () hsbc com tr] Sent: Wednesday, January 28, 2004 5:23 PM To: webappsec () securityfocus com Subject: Re: SSL keys Hi list, A basic question. Who can obtain or copy the private key of a web server (ISS)? Thanks Volkan
****************************************************************** Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of ENCODE S.A. ******************************************************************
Current thread:
- Re: SSL keys VolkanPekince (Jan 28)
- RE: SSL keys Auri Rahimzadeh (Jan 29)
- <Possible follow-ups>
- RE: SSL keys Dimitris Petropoulos (Jan 29)
- RE: SSL keys Dimitris Petropoulos (Jan 29)