WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SSL keys

From: "Dimitris Petropoulos" <D.Petropoulos () encode-sec com>
Date: Thu, 29 Jan 2004 11:44:01 +0200
AFAIK -for IIS 5- noone can access the private key. The key lives inside
a CSP (Cryptographic Service Provider) key container which does not
allow direct manipulation, therefore viewing and editing cannot be
performed. As far as exporting is concerned, the key generation takes
place without using the CryptoAPI CRYPT_EXPORTABLE flag and therefore
the private key cannot be exported from the CSP key container (even if
it did it would be bundled in an encrypted key blob). 

Hope this helps,

-----------------------
Dimitrios Petropoulos
MSc InfoSec, CISSP

Director, Security Research & Development
 
ENCODE S.A.
3, R.Melodou Str
151 25 Maroussi
Athens, Greece
Tel: +30210-6178410
Fax: +30210-6109579
web: www.encode-sec.com
------------------------




-----Original Message-----
From: VolkanPekince () hsbc com tr [mailto:VolkanPekince () hsbc com tr] 
Sent: Wednesday, January 28, 2004 5:23 PM
To: webappsec () securityfocus com
Subject: Re: SSL keys



Hi list,

A basic question. Who can obtain or copy the private key of a 
web server (ISS)?

Thanks


Volkan






******************************************************************
Any views expressed in this message are those of the
individual sender, except where the sender specifically
states them to be the views of ENCODE S.A.
******************************************************************
Previous By Date Next
Previous By Thread Next

Current thread: