Hi Kyle,

Thanks, I was wondering about the following scenario. I have a single public key for all apps. However no apps know the pub key, and all I do is SSH port forwarding. Does this have any significant problems?

Thanks,
Sudharsan

On 6/6/06, Kyle Hamilton <[EMAIL PROTECTED]> wrote:

Every application has its opportunity to be stupid and reveal the private key. This is one reason that wildcard certificates are generally frowned on as a "worse practice" -- any single one of the pieces of software that use the private key can reveal it. (The mantra of security is: "You have to succeed every time. The attacker only has to succeed once.")

There's another issue: It makes more sense to keep one copy of the private key on the system, with one passphrase that multiple applications share. (I may be in the minority with this thinking...) The reason why is that multiple copies of the private key, encrypted with different passphrases, can be subjected to a "differential ciphertext" attack.

(The other alternative is to give multiple applications different copies of the key and different passphrases. This isn't, in my view, optimal, because if the passphrase for any software, and the location of its key file -- or the unencrypted private key itself -- is revealed by any software, the key is compromised regardless.)

But there is no technical reason it cannot be done.

-Kyle H

On 6/5/06, Sudharsan Rangarajan <[EMAIL PROTECTED]> wrote:
> Hi all,
> I am just wondering if I could have multiple applications on an end
> host share the same public key. Can this cause a problem in the sense
> there are more applications to target and a stupid one can reveal the
> private key?
> Or can there be other attacks possible
>
> Thanks,
> Sudharsan
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager [EMAIL PROTECTED]
> ______________________________________________________________________